Privacy of Personal Information

The protection that your personal information receives depends on the type of organization you are dealing with. Different laws apply if the information relates to a governmental or private organization. It is important to determine what type of organization you are dealing with so that you know which laws apply.

The Saskatchewan Information and Privacy Commissioner is responsible for provincial privacy laws. These laws protect your personal information where it is held by:

• the provincial government and crown corporations, such as SaskTel and SGI
• libraries, schools and universities
• municipalities, such as cities, towns and RMs
• hospitals, doctors and other healthcare institutions and personnel

The Privacy Commissioner of Canada oversees privacy laws that apply across Canada. These laws protect your personal information where it is:

• held by most federal institutions, such as the Canada Revenue Agency and the Department of Health
• related to an employee, or an applicant for a job, at a federally regulated employer, such as railways, airlines and banks
• held by a business for commercial purposes

Privacy laws generally do not apply to:

• individuals who collect, use or disclose personal information for personal or domestic purposes
• organizations which collect, use or disclose personal information for journalistic, artistic or literary purposes
• business contact information of an individual that an organization collects, uses or discloses to communicate with the individual
• non-commercial activities of non-profits and charities
• political parties
• the House of Commons, the Senate, the Prime Minister’s Office or Members of Parliament
• courts

Privacy laws only protect your information if it is personal information. Personal information is information about an identifiable individual. If the information can be linked to an individual then it will usually be personal information. Personal information can be paper or electronic records.

This includes information about your:

• race
• national or ethnic origin
• religion
• age
• marital status
• education or employment history
• finances
• identifying numbers, such as your social insurance number or driver’s licence

Examples of personal information a government might collect include a person's:

• criminal history
• address
• fingerprints
• personal opinions or views unless they are about another individual
• private or confidential correspondence sent to a government institution

Examples of personal information a business might collect include a person's:

• e-mail address and messages
• IP (internet protocol) address
• income information
• purchases and spending habits
• banking information
• credit or debit card data
• loan or credit reports
• tax returns

Examples of personal information an employer might collect include an employee's:

• performance appraisals
• internal investigation files
• complaints against an employee
• employee number
• recording of an employee’s voice
• image, such as through photos and live or recorded video footage
• salary and benefits
• personnel files

Information that is not personal information includes information:

• about government employee's salaries, benefits and employment responsibilities
• about a licence, permit or other similar benefit government has given an individual
• that is not about an individual, such as a postal code on its own which covers a wide area with many homes
• about an organization such as a business
• that has been made anonymous
• about a government

There are rules about when and how organizations can collect personal information.

Government and government institutions cannot collect your personal information unless they need it for one of their programs or activities. Generally, any personal information must be collected directly from you. You can also consent to having your personal information collected in another way.

Businesses and employers cannot collect personal information unless it is for a purpose that a reasonable person would consider appropriate in the circumstances. Examples of things that may be considered inappropriate are:

• tracking personal activities or conversations through a leased laptop's audio or video functions
• publishing someone’s personal information online with the intent of charging them to remove it

In most situations, businesses and employers must:

• identify the reasons for collecting your personal information before collecting it
• have your consent before they collect your personal information
• limit the amount and type of the information gathered to what is necessary

Organizations covered by privacy laws must protect your personal information once they have collected it.

The government and its institutions must take steps to prevent personal information they have collected from being accessed, used, disclosed or modified by anyone unauthorized to do so.

Personal information must be protected from being stolen or destroyed by things like fire or floods. Electronic information must be protected with passwords and firewalls. Policies must be in place to protect personal information, including training of staff that handles personal information.

All businesses and those employers covered by privacy laws must keep your personal information only as long as necessary. They must also protect your personal information against improper access or use. This should include physical measures such as locks, organizational methods such as security clearance and technological measures such as passwords and encryption.

Under privacy laws, organizations can only use your personal information for the reason it was collected. There are several exceptions to this, however, such as:

• if you consent
• for police investigations
• to comply with a subpoena or warrant
• to collect a debt you owe
• in an emergency

You can apply for access to your personal information by contacting the organization that has the information. Remember, not all government institutions, businesses and employers are covered by privacy laws.

The first step is to determine the information you want and the name of the organization that has the information. To make a request for access:

• for a federal government institution that is covered by privacy laws, use the Online Request Portal or a Personal Information Request Form
• for a provincial government institution, use an Access to Information Request Form and send it to the government institution
• for a business or employer, you can make the request in writing

A government institution, business or employer generally has 30 days to respond to an access request.

There is no charge for accessing your personal information held by the federal government. Provincial government institutions, businesses and employers can only charge you a minimal fee. You must be told the approximate cost up front and agree to proceed with that cost.

You do not have the right to paper copies in all cases. Sometimes, you may have to go to an office and look at your information there.

If you have accessed your personal information, you can request that it be corrected if any of the information is incorrect. The government institution can make the correction or make a note on the file that a correction was requested but denied.

Businesses must correct your personal information if you can prove that what they have is incorrect. If the business and you cannot agree, your concerns must be recorded.

If you are concerned about privacy or access to your personal information, you should start by trying to resolve your issue directly with the organization that has the information.

If you still have an issue with privacy or were denied access to your personal information and:

• it relates to a provincial government institution or municipality, you can file a complaint with the Saskatchewan Information and Privacy Commissioner
• it relates to a federal government institution, an employer covered by privacy laws or a business, you can file a complaint with the Privacy Commissioner of Canada

The commissioner will try to resolve the complaint. If it cannot be resolved, they will investigate and may make recommendations. If the organization does not follow the recommendations, the matter can be brought to court. The court may then make orders forcing the organization to comply.