Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023. 129 Government institutions must take care to limit both the type and amount of personal information collected to that which is necessary to fulfill the identified purposes. Government institutions should also be specific about what kind of personal information it needs to collect.389 An example of over collection could be where an individual making an injury insurance claim following a motor vehicle accident is asked to disclose their entire personal health history in order to have their injury claim assessed even though the entire personal health history may not be relevant.390 Government institutions that over collect personal information run a higher risk of dealing with privacy breaches due to holding on to too much personal information on individuals. Large quantities of personal information require ongoing safe storage, secure access, proper destruction and continued compliance regarding use and disclosure. It is not in a government institution’s interest to over collect personal information. It also makes individuals more vulnerable to a complete loss of control over their personal information. For example, when identity theft occurs. Most importantly, it is not authorized under FOIP. The principle of data minimization must be abided by. For more on this, see Data Minimization earlier in this Chapter. IPC Findings In Investigation Report F-2013-002, the Commissioner investigated a complaint that related to the over collection of personal information and personal health information by Saskatchewan Government Insurance (SGI). The Complainant alleged the collection of personal information and personal health information by SGI for purposes of processing her injury claim was excessive. SGI collected the Complainant’s entire medical file from her physician instead of collecting only information pertaining to her neck and back from 2004 to 2008. When the Commissioner initiated an investigation, SGI took the position that the Commissioner did not have jurisdiction to investigate the matter as the matter concerned the collection of medical information under Part VIII of The Automobile Accident Insurance Act (AAIA). SGI also asserted that the collection of the Complainant’s personal information and personal health information was authorized pursuant to section 165 of The Automobile 389 Office of the Privacy Commissioner of Canada, Investigation into authentication and transfer practices used during Loblaw gift card offering, PIPEDA Report of Findings # 2019-003, October 16, 2019. 390 For the history of this example, see SK OIPC Investigation Reports H-2004-001, F-2010-001 and F2013-002.