Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023. 18 The exercise of collecting, using, and disclosing personal information is always subject to the data minimization principle.38 Disclosure is occasionally mandatory, but most often is a discretion for the government institution to exercise dependent on the particular circumstances. It is subject to the requirement to disclose the least amount of identifying information necessary for the purpose.39 For a government institution to be able to rely on any provision in FOIP for its collection, use and/or disclosure of personal information, it must also abide by the need-to-know and data minimization principles. Authority to collect, use and disclose only exists when these principles are abided by. These two important principles underlie Part IV of FOIP.40 IPC Findings In Investigation Report LA-2010-001, the Commissioner found that a local authority disclosed more personal information than was necessary to the Canada Revenue Agency. As such, the Commissioner found that this constituted a breach of the complainant’s privacy. In Investigation Report 074-2018, 075-2018, the Commissioner found that the disclosure of a complainant’s personal information by a local authority was not appropriate because more personal information than was necessary for the purpose was disclosed. Even though the local authority had a provision to rely on and the discretion to disclose certain details, it did not adhere to the need-to-know and data minimization principles. Therefore, it did not have authority for the disclosures. DE-IDENTIFIED INFORMATION Information is the new currency of our economy. Since the dawn of the digital era, information has become increasingly available, and at a scale previously unimaginable. With technological advances, this information is also becoming easier to collect, retain, use, disclose and leverage for a wide range of secondary uses.41 38 Adapted from SK OIPC Investigation Report F-2009-001 at [47]. 39 SK OIPC Investigation Reports F-2007-001 at [82] and LA-2010-001 at [46]. See also Investigation Report 278-2017 at [22]. 40 SK OIPC Investigation Report 074-2018, 075-2018 at [38]. 41 ON IPC resource, De-identification Protocols: Essential for Protecting Privacy, June 25, 2014 at p. 1.