Data Breach Reporting Obligations in Saskatchewan
David Krebs and Jacey Safnuk of Miller Thomson LLP write:
… Data breach reporting obligations in Saskatchewan are influenced by a total of four relevant pieces of legislation, covering both public and private sectors. These laws will not all apply to every potential breach, of course, but it is crucial for organizations to understand that more than one of them may apply depending on the specific circumstances of the data breach:
- The Freedom of Information and Protection of Privacy Act (“FOIP”) applies to Government Institutions, such as ministries, Crown corporations, agencies, boards and commissions.
- The Local Authority Freedom of Information and Protection of Privacy Act (“LA FOIP”) applies to Local Authorities, such as school boards, post-secondary institutions, rural municipalities and regional health authorities.
- The Health Information Protection Act (“HIPA”) applies to a wide range of organizations listed under 2(t) of HIPA who have custody or control over Personal Health Information.
- The Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to any organization that collects, uses, or discloses personal information in a “commercial activity.” Saskatchewan does not have “substantially similar” privacy legislation, and, therefore, in Saskatchewan PIPEDA applies to all personal information used, collected, or disclosed in commercial activities and all personal information processed by “federal undertakings,” which then includes personal employee information of those organizations. Personal information of employees in the private sector is not governed by a provincial or federal law.
Read more on Lexology.