Guide to LA FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to LA FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023. 235 Disclosure: A privacy breach occurs when an unauthorized disclosure of personal information transpires (e.g., when personal information is missing or when a local authority shares personal information with another organization without authority). Note: if personal information in the possession or control of a local authority is missing, even if there is no evidence that someone has viewed the personal information, it qualifies as a disclosure. The rules for disclosure are found in sections 28 and 29 of LA FOIP and sections 10, 10.1 and 10.2 of The Local Authority Freedom of Information and Protection of Privacy Regulations. Accuracy: Local authorities have a duty to ensure personal information is as accurate and complete as possible. A privacy breach may occur when personal information is inaccurate (see section 26 of LA FOIP). Other sub-issues: Other issues that might arise during a privacy breach investigation could include failure to abide by the need-to-know and data minimization principles, and consent not received or issues with the form of consent. However, they would likely be tied to one of the other major issues.619 Privacy breaches can be very costly for organizations. The average total cost of data breach incidents for companies in Canada in 2016 was $6.03 million.620 The cost on average per lost or stolen record was $278.621 Privacy breaches can be costly for the organization and for affected individuals. LA FOIP includes an explicit duty on a local authority to protect personal information in its possession or control. See Section 23.1 earlier in this Chapter. There are also limits on collection, use and/or disclosure of personal information which helps protect the privacy of an individual’s personal information. For example, by only collecting what is necessary and legitimate, a local authority avoids over-collecting personal information that could ultimately be vulnerable to a breach. See Section 23, Section 24, Section 27, and Section 28, earlier in this Chapter. 619 SK OIPC resource, Privacy Breach Guidelines for Government Institutions and Local Authorities at pp. 1 to 2. Available at Privacy Breach Guidelines (oipc.sk.ca). Accessed December 16, 2022. 620 IBM and Ponemon Institute Research Report, 2016 Cost of Data Breach Study: Canada at p. 1. Number is based on 24 participating companies in the study. 621 IBM and Ponemon Institute Research Report, 2016 Cost of Data Breach Study: Canada at p. 1. Number is based on 24 participating companies in the study.

RkJQdWJsaXNoZXIy MTgwMjYzOA==