Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023.

Written procedures should address collection, use and disclosure practices.286

4. Agreements

Enter into agreements before sharing any personal information with a third party. Agreements protect employees and the organization by establishing the terms and conditions of providing personal information that it may receive from or share with others, including centralized databases and other government institutions. Agreements can also establish accountability between the government institution and electronic service providers, including network providers.287

If an information manager (computer support person, off-site storage company, etc.) has access to personal information, a written agreement should be in place whereby the information manager agrees to ensure confidentiality and limit access to the records.288

Where contracted services are used for storage, transportation, or destruction of records, including security provisions in the service contract, government institutions should require the contractors to provide a certificate of destruction.289

Government institutions should enforce contractual privacy provisions. A government institution’s responsibilities do not end after signing a contract with an agent (i.e., contractor or information management service provider). Rather, government institutions should monitor whether their agents are meeting the privacy requirements in their contracts. Effective monitoring entails setting dates for agents to report on their compliance, visiting agents’ sites to evaluate privacy protection, meeting with agents regularly to discuss how

286 SK OIPC Investigation Report H-2011-001 at [136].

287 Adapted from SK OIPC Investigation Report H-2011-001 at [142]. Originates from Canada’s Health Informatics Association, Putting it into Practice: Privacy and Security for Healthcare Providers Implementing Electronic Medical Records – 2010 Guidelines for the Protection of Health Information Special Edition at p. 8.

288 Adapted from SK OIPC Investigation Report H-2011-001 at [143]. Originates from College of Physicians and Surgeons of Saskatchewan, Checklist for Compliance with HIPA at p. 2.

289 British Columbia Government Services, FOIPPA Policy and Procedures Manual, Section 30 – Protection of personal information, available at https://www2.gov.bc.ca/gov/content/governments/services-for-government/policiesprocedures/foippa-manual/protection-personal-information#Unauthorized_access. Accessed June 11, 2020.
