Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023.

Process for Proactively Reported Breaches

Government institutions should consider proactively reporting privacy breaches to the IPC. This means that when a government institution learns of a breach, it reports it to the IPC. While not mandatory, the IPC does encourage government institutions to proactively report.

To assist government institutions, the IPC has developed a reporting form to proactively report a privacy breach to the IPC: Proactively Reported Breach of Privacy Reporting Form for Public Bodies. Government institutions should complete this form and submit it to intake@oipc.sk.ca.

Advantages of proactively reporting include:

• May reduce the need for the IPC to issue a public report on the matter.
• Receive timely, expert advice from the IPC - the IPC can help guide the government institution on what to consider, what questions to ask, and what parts of FOIP or The Freedom of Information and Protection of Privacy Regulations may be applicable.
• Should the media contact the government institution, the government institution can advise it has notified the IPC of the privacy breach and will seek assistance from the IPC with handling it.
• Should affected individuals contact the IPC, the IPC can assure the individuals that the IPC is aware of the breach which may prevent a formal complaint to the IPC.

When a government institution proactively reports a privacy breach to the IPC, a file will be opened. The government institution will be asked to complete and provide the IPC’s Privacy Breach Investigation Questionnaire (Questionnaire) and any other relevant material within 30 days. The Questionnaire takes government institutions through the four best practice steps of responding to a breach (containment, notification, investigation, and prevention of future breaches).
The completed Questionnaire should provide the IPC with what is required to conduct an investigation. If further information is required, the IPC will advise. Once the IPC receives the relevant material, it will review the file and make a decision. The possible outcomes are as follows:
