Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023. 179 the Commissioner found that no further authority was required under subsection 28(a) of FOIP. Social Services was found to have authority under section 28 of FOIP because of the consent form. The tasks were also found to be used for a purpose consistent with the purpose for which the personal information was originally collected (i.e., to provide financial assistance). As such, although not needed, the Commissioner also found that Social Services would have had authority under subsection 28(a) of FOIP. In Investigation Report 034-2018, the Commissioner investigated a privacy complaint involving Saskatchewan Power Corporation (SaskPower). The complaint alleged that SaskPower was getting its employees to sign an Image Release form which gave consent to SaskPower to use and reproduce images, photographs, video recordings and/or voice recordings of its employees for an employee directory. Further, consent could not be revoked. The complainant expressed concern over the breadth of the wording of the consent form. SaskPower asserted that the original purpose for collecting employee photographs was for a photo identification (ID) badge that enabled employees and contractors to have access to SaskPower facilities. The Commissioner found that using the employee photographs for the employee directory would be for a secondary purpose so subsection 28(a) of FOIP would not apply. SaskPower also cited subsection 28(b) of FOIP for authority and asserted it had authority to disclose the personal information for purposes of this provision under subsection 29(2)(l) of FOIP which is disclosure for the purposes of management, audit or administration of personnel. The Commissioner found that using employees’ and contractors’ photographs in the employee directory for the purpose of improving functionality and enabling people to easily learn the names of co-workers, with a hope of increasing collaboration and efficiency did not fit the definitions of “management of personnel”, “audit” or “administration of personnel”. As such, subsection 28(b) of FOIP did not authorize SaskPower to use the employees’ photographs in the directory. The Commissioner recommended SaskPower rely on consent from the employees and contractors to use their photographs in the employee directory consistent with section 28 of FOIP. In Investigation Report 189-2015, the Commissioner investigated a privacy complaint involving Saskatchewan Government Insurance (SGI). The complaint alleged that an SGI employee had inappropriately accessed the complainant’s personal information in the Auto Fund database. Upon investigation, the Commissioner was unable to determine whether a privacy breach had occurred because it was unclear if the SGI employees’ accesses were for a legitimate business purpose or for personal reasons. To be compliant with section 28 of FOIP, SGI must be able to determine with more certainty that its employees’ accesses are for a purpose consistent with subsections 28(a) or (b) of FOIP. However, it was the employee’s
RkJQdWJsaXNoZXIy MTgwMjYzOA==