Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023. 90 • Ensure compliance with FOIP by its employees (24.1(c))273 A policy is a standard course of action that has been officially established by government.274 A procedure is an established or official way of doing something; a series of actions conducted in a certain order or manner.275 Government institutions should have written policies and procedures in place to guide employees with what is required by law concerning privacy protection for personal information. Without written policies and procedures, a government institution has not taken reasonable steps to safeguard personal information in its possession or control.276 The written policies and procedures should be: • Relevant and up to date • Deal with security, records management, and information management • Make administrative roles and responsibilities well-defined and easy to follow277 Safeguards Administrative, technical, and physical safeguards generally include administrative procedures, physical standards and technical security services and mechanisms.278 Section 24.1 of FOIP requires government institutions to have written policies and procedures that cover three areas: administrative, technical, and physical safeguards. All three are addressed below in more detail. 273 Section 24.1 of FOIP was added to FOIP following the amendments that were proclaimed in January 2018. However, The Health Information Protection Act (HIPA) has had a similarly worded provision since it first came into force in 2003 (section 16). Much of the guidance in this section of the Guide comes from over 15 years of work by the SK OIPC on establishing guidance on HIPA’s section 16. 274 Garner, Bryan A., 2019. Black’s Law Dictionary, 11th Edition. St. Paul, Minn.: West Group at p. 1401. 275 Pearsall, Judy, Concise Oxford Dictionary, 10th Ed., (Oxford University Press) at p. 1139. 276 SK OIPC Investigation Reports H-2011-001 at [114], F-2007-001 at [48] and LA-2013-003 at [54] to 57]. 277 Government of Newfoundland and Labrador, ATIPP Office, Department of Justice and Public Safety, Protection of Privacy Policy and Procedures Manual, June 2015, at p. 72. 278 Government of Alberta, Health Information Act, Guidelines and Practices Manual, March 2011 at p. 134. Available at Accessed June 18, 2020.