Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023.

IPC Findings

In Investigation Report F-2009-001, the Commissioner investigated a complaint involving the Saskatchewan Workers’ Compensation Board (WCB). An individual had concerns about the way WCB collected, used and disclosed his personal information. During the course of the investigation, the Commissioner found evidence that raised the question of whether the WCB met its duty to ensure that the personal information it uses for an administrative purpose is accurate and complete. The Commissioner found that WCB had appropriately developed a policy called Safety and Security Policy, which included a number of checks and balances to ensure that decisions made under the policy would be evidence based and properly substantiated. However, the policy did not appear to have been followed in that case. Specifically, the factual basis upon which WCB classified the complainant as a C4 and later a C5 risk was demonstrably incomplete. The Commissioner noted the high prejudice that attaches to anyone classified as a security risk by the WCB, and that it was therefore incumbent on WCB to have a clear policy and procedure and to scrupulously follow it.

In Investigation Report F-2012-001, the Commissioner considered the over-collection of personal information by Saskatchewan Telecommunications (SaskTel). The Commissioner investigated SaskTel’s collection of unique identifiers when customers call into SaskTel to access their account information for the purpose of identity verification. This included having to provide a date of birth, telephone number, social insurance number and health services number. The Commissioner found that SaskTel was not meeting its duty under section 27 to collect accurate and complete information because SaskTel indicated that the information did not have to be accurate to verify identity. The information appeared to serve the purpose of a password rather than being an accurate collection of personal information. As such, section 27 of FOIP was not met by SaskTel.

SECTION 28: USE OF PERSONAL INFORMATION

Use of personal information

28 No government institution shall use personal information under its control without the consent, given in the prescribed manner, of the individual to whom the information relates, except:

(a) for the purpose for which the information was obtained or compiled, or for a use that is consistent with that purpose; or