Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023.

Note: if personal information in the possession or control of a government institution is missing, even if there is no evidence that someone has viewed the personal information, it qualifies as a disclosure. The rules for disclosure are found in sections 29 and 30 of FOIP and sections 16, 17 and 17.1 of The Freedom of Information and Protection of Privacy Regulations.

Accuracy: Government institutions have a duty to ensure personal information is as accurate and complete as possible. A privacy breach may occur when personal information is inaccurate (see section 27 of FOIP).

Other sub-issues: Other issues that might arise during a privacy breach investigation could include failure to abide by the need-to-know and data minimization principles, and consent not received or issues with the form of consent. However, they would likely be tied to one of the other major issues. [736]

Privacy breaches can be very costly for organizations. The average total cost of data breach incidents for companies in Canada in 2016 was $6.03 million. [737] The cost on average per lost or stolen record was $278. [738] Privacy breaches can be costly for the organization and for affected individuals.

FOIP includes an explicit duty on a government institution to protect personal information in its possession or control. See Section 24.1 earlier in this Chapter. There are also limits on collection, use and/or disclosure of personal information, which help protect the privacy of an individual's personal information. For example, by only collecting what is necessary and legitimate, a government institution avoids over-collecting personal information that could ultimately be vulnerable to a breach. See Section 24, Section 26, Section 28, and Section 29, earlier in this Chapter.

Despite every effort, privacy breaches may still occur.
The following are the recommended steps to take when a government institution discovers a breach of privacy has occurred. These best practice steps and additional detail can be found in the OIPC resource, Privacy Breach Guidelines for Government Institutions and Local Authorities.

[736] SK OIPC resource, Privacy Breach Guidelines for Government Institutions and Local Authorities at pp. 1 to 2. Available at Privacy Breach Guidelines (oipc.sk.ca). Accessed December 16, 2022.

[737] IBM and Ponemon Institute Research Report, 2016 Cost of Data Breach Study: Canada at p. 1. Number is based on 24 participating companies in the study.

[738] IBM and Ponemon Institute Research Report, 2016 Cost of Data Breach Study: Canada at p. 1. Number is based on 24 participating companies in the study.
