Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023.

IPC Findings

In Investigation Report H-2007-001, the Commissioner investigated a breach of privacy involving Saskatchewan Health (now the Ministry of Health). The breach involved individuals receiving unsealed or improperly sealed envelopes. The envelopes contained letters that included the personal information and personal health information of the individuals. Following an investigation, the Commissioner found that Saskatchewan Health did not have adequate safeguards in place to protect personal information/personal health information externally processed for mailing by Saskatchewan Property Management (SPM). One of the Commissioner’s recommendations was for Saskatchewan Health to ensure that SPM’s mail processing systems and procedures were audited to determine why some envelopes would not seal properly. Further, once this was completed, Saskatchewan Health was to ensure that the necessary short- and long-term strategies identified through the process were implemented.

In Investigation Report H-2010-001, the Commissioner investigated a privacy breach involving L & M Pharmacy and the unauthorized viewing of personal health information in the Pharmaceutical Information Program (PIP). The Commissioner found that L & M Pharmacy was responsible for the actions of its employee. The Commissioner further found that L & M Pharmacy breached The Health Information Protection Act (HIPA) in several respects, chiefly by failing to adopt policies and procedures to protect the personal health information in its custody or control as required by section 16 of HIPA (equivalent provision to section 24.1 of FOIP). The viewing of the drug profiles of individuals was a “collection” of personal health information under HIPA that was improper.
The Commissioner recommended that the User privileges of the pharmacist be suspended until L & M Pharmacy implemented appropriate policy and procedures. Further, the Commissioner recommended that the pharmacist’s use of PIP, once User status is restored, be the subject of regular monthly audits by Health Information Solutions Center for one year to ensure HIPA compliance. Other recommendations were also made.

Encryption

Safeguarding personal data is essential to good information management. Not only is it essential, but it is also a legislative requirement in all access and privacy legislation throughout Canada. Personal data should be protected during all stages of collection, use