Privacy Protective Survey Guidance

Office of the Saskatchewan Information and Privacy Commissioner. Privacy Protective Survey Guidance. 14 March 2024. 12 Section 24.2 of FOIP (23.2 of LA FOIP) permits public bodies to provide personal information to an IMSP for the purposes of having the IMSP process the information or enabling the provision of technology services. Subsection 24.2(2) of FOIP (subsection 23.2(2) of LA FOIP) requires that public bodies enter into a written agreement with the service provider that governs the access to and use, protection of the personal information and meets the requirements of the acts. Additional requirements for the agreements are set out in section 13.1 of the FOIP Regulations (section 8.2 of the LA FOIP Regulations). Pursuant to subsection 24.2(4) of FOIP (subsection 23.2(4) of LA FOIP), an IMSP is required to comply with the terms and conditions of the agreement. Therefore, if your survey provider qualifies as an IMSP, you will need to ensure that the terms of service comply with this provision. Self-Hosting an Online Survey There are some software programs or applications that are available if you want to host your own online survey. Hosting your own survey will mitigate the risks of using a third party. It will also avoid the risks that arise when data is stored outside Canada. If you decide to host the online survey yourself, consult technical experts to ensure that the application you use to conduct the survey will operate in a way you expect it to and that it does not collect, use or disclose personal information in a manner that is not planned. Safeguards Public bodies have a duty to protect personal information. This requirement is set out in section 24.1 of FOIP (section 23.1 of LA FOIP). It includes requirements to protect the integrity, accuracy and confidentiality of personal information. It also includes requirements to protect against any reasonably anticipated loss of personal information and unauthorized use, disclosure or modification. Public bodies must then establish administrative, technical and physical safeguards to protect personal information. For example, survey results containing information about identifiable individuals must be stored in a secure location. If you plan to store any personal information collected as part of your survey on mobile devices such as a laptop,

RkJQdWJsaXNoZXIy MTgwMjYzOA==