Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023.

Notify

The following is a list of individuals or organizations that may need to be notified as soon as possible after learning of the incident:

• Your organization’s privacy officer
• The IPC (for more information see Process for Proactively Reported Breaches, later in this Chapter)
• The police, if criminal activity is suspected (e.g., burglary)
• The affected individuals (unless there are compelling reasons why this should not occur)

It is important to note that FOIP requires that, if there is an unauthorized use or disclosure of personal information, the government institution must notify the affected individual if the incident creates a “real risk of significant harm” to the affected individual (see Section 29.1, earlier in this Chapter).

Notification of individuals affected by the breach should occur as soon as possible after key facts about the breach have been established.

It is best to contact affected individuals directly, such as by telephone, letter or in person. However, there may be circumstances where it is not possible, and an indirect method is necessary or more practical. Such situations would include where contact information is unknown or where there are a large number of affected individuals. An indirect method of notification could include a notice on a website, posted notices, media advisories and advertisements. Ensure the breach is not compounded when using indirect notification.

Notifications to affected individuals should include the following:

• A description of the breach (a general description of what happened).
• A detailed description of the personal information involved (e.g., name, credit card numbers, medical records, financial information, etc.).
• A description of possible types of harm that may come to the affected individual because of the privacy breach.
• Steps taken and planned to mitigate the harm and prevent future breaches.
• If necessary, advice on actions the individual can take to further mitigate the risk of harm and protect themselves (e.g., how to contact credit reporting agencies).
