Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023.

• That officers and staff are aware and understand the policies and procedures; and
• Are provided privacy training.

Comply with means to act in accordance with or fulfil the requirements.355

If there is no documented policy, it will be difficult to communicate privacy and security practices to staff. On the other hand, with a written policy in place, a government institution is clearly demonstrating that it has done its due diligence with respect to privacy and security. This is crucial if the government institution’s practices are ever subject to a privacy audit, complaint, privacy breach or security incident.356

Every government institution should have a privacy policy that addresses the following:

• Accountability for personal information.
• Purpose for collecting personal information.
• Consent for collecting, using, and disclosing personal information.
• Accuracy and correction of personal information.
• Retention and destruction of personal information.
• Privacy breach management.
• Use and disclosure audits.
• Use and disclosure control.
• Individual access to information.
• Privacy complaint management.
• Enforcement mechanisms.357

It should also have privacy procedures that provide staff with consistent steps for managing:

• Complaints, breaches of privacy and security incidents.
• Individual access to and correction of personal information.

355 British Columbia Government Services, FOIPPA Policy Definitions at Accessed April 23, 2020.
356 SK OIPC Investigation Report H-2011-001 at [115]. Originates from Canada’s Health Informatics Association, Putting it into Practice: Privacy and Security for Healthcare Providers Implementing Electronic Medical Records – 2010 Guidelines for the Protection of Health Information Special Edition at p. 9.
357 Adapted from SK OIPC Investigation Report H-2011-001 at [116].