Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023.

legal and RIM staff, review all existing requirements and how they have been implemented within your organization before considering new plans and RIM activities.

2. Develop safeguards

The information maintained within records will vary significantly, and as a result, not all records will require the same degree of protection. For example, personal information or personal health information must be protected from any unauthorized collection, use or disclosure. As a result of the requirements to protect personal information and personal health information, records that contain such information may require greater safeguards than others.

Personal information, however, is only one form of information that may require special measures. The government institution may maintain records that are sensitive for other reasons. Consider, for example, law enforcement records that form part of an active investigation. The disclosure of this information may impede an investigation. Another example is location information for species at risk. The disclosure of this information could result in harm to an endangered species.

To effectively protect sensitive information, the government institution must know where that information is held, who may access it and under what circumstances. You can start by developing sensitivity classifications for your records and assigning appropriate safeguards for each sensitivity level.

When implementing RIM practices and policies, it is essential to develop accompanying safeguard requirements. Records that contain personal information require several security controls. FOIP requires that government institutions have administrative, technical, and physical safeguards in place to protect personal information (see Section 24.1, earlier in this Chapter).
In addition to safeguards, consider data minimization and need-to-know at all stages of sensitive information handling (see Need-to-Know Principle and Data Minimization Principle earlier in this Chapter). For more on this best practice, see SK OIPC resource, Improving Access and Privacy with Records and Information Management.
