Guide to Faxing

Office of the Saskatchewan Information and Privacy Commissioner. Guide to Faxing: Preventing Breaches with Safeguards and Responding to a Privacy Breach. 5 Feb. 2026.

If you send a misdirected fax

Have you contacted your organization’s privacy officer for guidance and support? For guidance, you may also consult OIPC’s resources, Privacy Breach Guidelines for Government Institutions and Local Authorities and Privacy Breach Guidelines for Health Trustees.

Have you taken steps to contain the breach? This includes:
• Immediately contacting the organization where you sent the misdirected fax and confirming that they received it.
• Explaining that the fax was sent in error and contains PI/PHI.
• If you have the original document, asking the recipient if they can securely destroy the misdirected fax (e.g., by using a cross-cut shredder), and asking them to confirm destruction.
• If they can’t destroy it, asking them to return it by mail or bring it to you, or letting them know you will physically retrieve it (e.g., send a courier or a staff member).
• Asking the recipient not to keep copies of the misdirected fax and confirming that they haven’t.
• Informing the recipient of OIPC’s role and mandate if they have questions or concerns.
• Documenting the conversation.

If you re-send the fax, have you ensured you are sending it to the correct recipient’s fax number?

Have you notified the affected individuals as soon as possible about the breach? Notification is mandatory (FOIP and LA FOIP) if the incident creates a real risk of significant harm to the individual, such as if there is a possibility for identity theft.[8] Contact OIPC if you are unsure about this step.

Have you investigated why the breach occurred, or determined the root cause? What actions led to the breach occurring?
• Did you review policies and procedures to ensure best practices were followed? Are policies and procedures adequate?
• Have you determined if employees involved in the breach are aware of the policies and procedures, and properly trained?
• Have you analyzed the breach and determined what the associated risks are for the affected individual and the organization?
• Have you completed an investigation report that includes ways to make sure the same type of breach doesn’t happen again?

[8] See section 28.1 of LA FOIP or section 29.1 of FOIP; HIPA does not have a comparable provision.
