Guide to FOIP-Chapter 2

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 15 Proactive Reporting of Privacy Breaches A privacy breach occurs when there is an unauthorized collection, use or disclosure of personal information.25 For more on what constitutes a privacy breach see Chapter 6, Protection of Privacy. When a government institution believes that a privacy breach may have occurred, it has the option to proactively report the matter to the IPC rather than wait for the IPC to learn about the breach through other sources such as the media or affected individuals. The IPC has a form titled, Proactively Reported Breach of Privacy Reporting Form: for Public Bodies. Government institutions should complete this form and submit it to intake@oipc.sk.ca. Some of the benefits of proactively reporting privacy breaches include: • May reduce the need for the IPC to issue a public report on the matter. • Receive timely, expert advice from the IPC - the IPC can help guide the government institution on what to consider, what questions to ask and what parts of FOIP or The Freedom of Information and Protection of Privacy Regulations may be applicable. • Should the media contact the government institution, the government institution can advise it has notified the IPC of the privacy breach and will seek assistance from the IPC with handling it. • Should affected individuals contact the IPC, the IPC can assure the individuals that the IPC is aware of the breach which may prevent a formal complaint to the IPC.26 When a government institution proactively reports a privacy breach to the IPC, a file will be opened. The government institution will be asked to complete and provide the IPC’s Privacy Breach Investigation Questionnaire (Questionnaire) and any other relevant material within 30 days. The Questionnaire takes government institutions through the four best practice steps of responding to a breach (see four steps below). The completed Questionnaire should provide the IPC with what is required to conduct an investigation. If further information is required, the IPC will advise. 25 SK OIPC Dictionary available at https://oipc.sk.ca/resources/dictionary/. 26 SK OIPC Resource, Privacy Breach Guidelines for Government Institutions and Local Authorities at p. 11.

RkJQdWJsaXNoZXIy MTgwMjYzOA==