Saskatchewan - Data Protection Overview

October 2022

1. Governing Texts

In Saskatchewan, public sector organisations are subject to specific privacy statutes administered by a provincial independent body of the Legislative Assembly of Saskatchewan ('the Legislative Assembly'). In addition, private-sector organisations engaging in commercial activities are subject to federal privacy legislation administered by an independent federal body.

Below is an overview of Saskatchewan's data protection landscape including the applicable law, its scope, existing regulatory authority, key definitions, available legal basis, principles, obligations on organisations, rights of individuals, and penalties for non-compliance.

1.1. Key acts, regulations, directives, bills

The Office of the Saskatchewan Information and Privacy Commissioner ('OIPC') oversees three Saskatchewan privacy statutes, including:

The Office of the Privacy Commissioner of Canada ('OPC') administers the two federal privacy statutes applicable in Saskatchewan:

The Federal Privacy Act and its associated regulations apply to a person's right to access and correct personal information held by the Government of Canada.

In Saskatchewan, since there is no substantially similar private-sector privacy legislation, PIPEDA applies to personal information held by private-sector organisations and federally-regulated organisations (banks, airlines, telecommunications, etc.). PIPEDA also applies to employee personal information held by federally-regulated organisations. While PIPEDA does not apply to employee personal information held by other private-sector organisations, the Saskatchewan Office of the Information and Privacy Commissioner ('OIPC') has recommended that private-sector organisations adhere to PIPEDA when it comes to employee personal information on a best practices basis.

Changes have been proposed to PIPEDA but are not yet in effect. Therefore, this summary focuses on the version of PIPEDA in effect as of the date of this overview stated above.

Saskatchewan also has a separate privacy statute not administered by either the OIPC or OPC that creates a tort of violation of privacy (Privacy Act, RSS 1978, c P-24 ('the Saskatchewan Privacy Act')).

This summary will focus on the FOIP, the LAFOIP, HIPA, and PIPEDA, with limited comment on the Federal Privacy Act and the Saskatchewan Privacy Act.

1.2. Guidelines

Both the OIPC and the OPC publish guidance materials on their websites to inform organisations and the public about their rights and responsibilities under Saskatchewan's and Canada's privacy laws.

1.3. Case law

The OIPC and OPC will, from time to time, publish reports related to their enforcement actions on their website. Such enforcement reports are complemented by case law in order to provide direction to organisations and individuals with respect to privacy compliance requirements.

A recent notable Saskatchewan decision is that of the Saskatchewan Court of Queen's Bench in Bierman v Haidish, 2021 SKQB 44 ('Bierman'). In Bierman, the plaintiff brought an action for violation of privacy under the Saskatchewan Privacy Act on the basis that the defendant violated her privacy when he accessed her personal medical records without proper authorisation (the defendant was a doctor). This decision is notable given the infrequent use of the Saskatchewan Privacy Act and the lack of existing case law interpreting its provisions.

In finding that the defendant violated the plaintiff's reasonable expectation of privacy, Justice Layh provided the following summary of the legal test for violation of privacy under the [Saskatchewan Privacy] Act:

  • the defendant must have acted 'wilfully';
  • the defendant must have acted without 'claim of right'; and
  • the plaintiff must have had a reasonable expectation of privacy that the defendant violated.

In this case, the defendant acknowledged in a previously written statement to the Saskatchewan College of Physicians and Surgeons that he accessed personal health information without a legitimate need to know the information and without consent. Justice Layh viewed this admission on its own as a violation of the plaintiff's privacy.

While finding that the tort was made out, Justice Layh declined to order any damages other than nominal damages in the amount of CAD 7,500 (approx. €5,714). It remains to be seen whether we will see more frequent use of this legislation in Saskatchewan.

2. Scope of Application

2.1. Personal scope

The FOIP applies to government institutions. These are defined in Section 2(1)(d) of the FOIP and examples of 'government institutions' include Ministries, Crown Corporations, the Labour Relations Board, and the Saskatchewan Human Rights Commission.

The LAFOIP applies to local authorities. These are defined in Section 2(f) of the LAFOIP and include, inter alia, cities, municipalities, the provincial health authority, universities and colleges, boards of education, and libraries.

HIPA applies to trustees that have custody or control of personal health information. Trustees are defined in Section 2(t) of HIPA as including, inter alia, government institutions, the provincial health authority, the Saskatchewan Cancer Agency, physicians, dentists, chiropractors, nurses, pharmacies, personal care homes, ambulance operators, and community clinics.

Determining who 'the' trustee of personal health information is, compared to just 'a' trustee under HIPA, depends on who has custody or control of the personal health information. Custody is the physical possession of a record by a trustee, while control connotes authority. A record is under the control of a trustee when the trustee has the authority to manage the record, including restricting, regulating, and administering its use, disclosure, or disposition.

PIPEDA applies to organisations including associations, partnerships, persons, and trade unions. Organisations captured under PIPEDA include those that collect, use, or disclose personal information in the course of commercial activities. A commercial activity is defined as 'any particular transaction, act, or conduct or any regular course of conduct that is of a commercial character.'

Sections 2 and 4 of PIPEDA provide that it applies to personal information about an employee that the organisation collects, uses, or discloses in connection with the operation of a federal work or a federal undertaking or business.

Given that Saskatchewan does not have substantially similar legislation to PIPEDA, PIPEDA applies to federally regulated private-sector organisations (with respect to all personal information including relating to employees) and other private-sector organisations (with respect to their customer and client information) operating in Saskatchewan.

Section 3 of the Federal Privacy Act defines the federal government institutions that it applies to.

2.2. Territorial scope

The FOIP, the LAFOIP, and HIPA are limited to the government institutions, local authorities, and trustees as defined within those acts. See the definitions of government institution, local authority, and trustee outlined in the section on personal scope.

PIPEDA applies to personal information collected, used, and disclosed by organisations engaged in 'commercial activities', which take place within a province that does not otherwise have 'substantially similar' legislation.

2.3. Material scope

Per Section 24 of the FOIP and Section 23 of the LAFOIP, personal information means personal information about an identifiable individual that is recorded in any form and includes the specific types of information set out in Sections 24(1) and 23(1) of the FOIP and the LAFOIP respectively. Some examples include ethnicity, age, sex, marital status, education, employment history, identifying numbers, address, personal opinions, or criminal history. However, personal information does not include the specific types of information set out in Sections 24(2) and 23(2) of the FOIP and the LAFOIP respectively.

Section 2(m) of HIPA defines personal health information as information with respect to the physical or mental health of an individual, information with respect to any health service provided to an individual, information regarding any donation of a body part or bodily substance, information that is collected in the course of providing health services to an individual or incidentally to the provision of health services to an individual, or registration information (information that is collected for the purpose of registering an individual for the provision of health services).

Per Section 2 of PIPEDA, personal information means information about an identifiable individual, whether factual or subjective, recorded or not, which includes age, name, identification numbers, ethnicity, social status, employee files, loan records, medical records, or evaluations.

Per Section 3 of the Federal Privacy Act, personal information means information about an identifiable individual that is recorded in any form. Examples include race, religion, age, marital status, medical history, criminal history, address, fingerprints, or opinions.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The OIPC is an independent office of the Legislative Assembly tasked with overseeing the FOIP, the LAFOIP, and HIPA. The OIPC's mandate is to ensure that public bodies (i.e. government institutions, local authorities, and trustees) respect the privacy and access rights of the citizens of Saskatchewan.

The OPC was established in 1983 following the passing of the Federal Privacy Act. The mission of the OPC is to protect and promote privacy rights, and the mandate of the OPC is to oversee compliance with the Federal Privacy Act and PIPEDA. The OPC is independent of government and reports directly to the Parliament of Canada.

3.2. Main powers, duties and responsibilities

Apart from overseeing Saskatchewan's access and privacy laws, the OIPC also informs members of the public of their information rights, resolves access and privacy disputes between individuals and public bodies, makes recommendations on appeals from access to information decisions by public bodies, investigates and resolves privacy complaints, issues recommendations on public bodies' policies and practices, and comments on proposed laws and policies.

In addition to enforcing PIPEDA and the Federal Privacy Act, the OPC provides advice and information for individuals about protecting personal information. The OPC carries out its mandate and mission by investigating privacy complaints, conducting audits, pursuing court actions under PIPEDA and the Federal Privacy Act, publicly reporting on the personal information handling practices of public and private-sector organisations, supporting and publishing research into privacy issues, and promoting public awareness and understanding of privacy issues.

4. Key Definitions

Data controller: 'Data controller' is not a term explicitly defined under Canadian and Saskatchewan privacy statutes. Instead, the FOIP refers to government institutions, the LAFOIP refers to local authorities, HIPA refers to trustees, PIPEDA refers to organisations, and the Federal Privacy Act refers to government institutions. See section on personal scope above for a further description of these terms.

Data processor: 'Data processor' is not a term explicitly defined under Canadian and Saskatchewan privacy statutes. However, Saskatchewan privacy statutes do refer to information management service providers ('IMSPs'). The FOIP, the LAFOIP, and HIPA define an IMSP as a person or body that processes, stores, archives, or destroys records containing personal (or personal health) information or provides information management or information technology services with respect to records containing personal (or personal health) information. See Sections 24.2 of the FOIP, 23.2 of the LAFOIP, 18 of HIPA and each Act's associated regulations for the specific rules and provisions that address IMSPs.

Personal data: 'Personal information' is defined slightly differently under Saskatchewan and federal Canadian privacy laws, but generally means information about an identifiable individual (in some statutes, specified as recorded information). Examples include race, ethnicity, age, sex, family status, criminal or employment history, address, telephone numbers, and opinions of the individual. See section on territorial scope above for additional details on each statute.

Sensitive data: Saskatchewan and federal Canadian privacy statutes do not generally differentiate between different levels of personal information. However, under Section 10.1(8) of PIPEDA, one of the factors to take into consideration when determining whether a breach of security safeguards creates a real risk of significant harm to the individual affected is the sensitivity of the personal information involved in the breach. Principle 4.3.3 of PIPEDA provides that, while any type of information can be considered sensitive, generally, medical records and income information are almost always considered to be sensitive.

Health data: Information with respect to the physical or mental health of an individual, information with respect to any health service provided to an individual, information regarding any donation of a body part or bodily substance, information that is collected in the course of providing health services to an individual or incidentally to the provision of health services to an individual, or registration information (information that is collected for the purpose of registering an individual for the provision of health services).

Biometric data: Saskatchewan and Canadian privacy statutes do not provide for a specific definition of 'biometric data'. However, depending on the nature of such information, biometric data could be considered personal or personal health information.

Pseudonymisation: 'Pseudonymisation' is not defined in Saskatchewan and Canadian privacy statutes; however, the OIPC and OPC have previously found that where personal information is properly de-identified or anonymised, such that the information can no longer be used to identify an individual, the information will no longer be considered 'personal information' within the meaning of the applicable act.

De-identified personal health information: Is 'personal health information from which any information that may reasonably be expected to identify an individual has been removed.' As per Section 3(2) of HIPA, de-identified personal health information does not fall within the scope of the act.

5. Legal Bases

5.1. Consent

In general, Saskatchewan and Canadian privacy statutes require organisations to obtain consent for the collection, use, and disclosure of personal information.

As per Section 6.1 of PIPEDA, for consent to be valid the individual consenting must understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information to which they are consenting.

As per Sections 28 and 27 of the FOIP and the LAFOIP respectively, no government institution or local authority can use personal information under its control without consent, unless it is being used for the purpose for which it was obtained or for one of the enumerated exceptions set out in the applicable act. The FOIP and the LAFOIP associated regulations also provide that for consent to be valid it must:

  • relate to the purpose for which the information is required;
  • be informed;
  • be given voluntarily; and
  • not be obtained through misrepresentation, fraud, or coercion.

The regulations also provide that an individual's consent can be for a limited period of time.

Similar consent requirements apply to trustees under HIPA with the additional requirement, as per Section 7 of HIPA, that an individual may revoke their consent at any time.

5.2. Contract with the data subject

This concept is generally not provided for in Saskatchewan and Canadian privacy statutes. 

5.3. Legal obligations

The FOIP, the LAFOIP, and HIPA provide for a number of exceptions to the general rule against the disclosure of personal information without consent. A number of these exceptions relate to different legal obligations of the government institution, local authority, or trustee. Some examples include:

  • complying with subpoenas and other court or government orders;
  • providing personal information to lawyers representing the organisation in legal actions;
  • disclosing, under a public requirement, personal information to appropriate authorities in matters of significant public interest;
  • where the individual is a minor, seriously ill, or mentally incapacitated, and seeking consent is impossible or inappropriate; and
  • in order to comply with an act or regulation.

As per Section 3(i) of PIPEDA, an organisation may disclose personal information without consent where the disclosure is required by law.

5.4. Interests of the data subject

As per Sections 29(2)(o) and 28(2)(n) of the FOIP and the LAFOIP respectively, a government institution or local authority may disclose personal information where the public interest in disclosure clearly outweighs any invasion of privacy that could result from disclosure or where disclosure would clearly benefit the individual to whom the information relates.

As per Section 27(4) of HIPA, a trustee is permitted to disclose personal health information without consent where the trustee believes on reasonable grounds the disclosure will avoid or minimise a danger to the health or safety of any person.

Section 7(3) of PIPEDA describes a number of circumstances where disclosure of personal information is permitted without the consent of the individual to whom the information relates. One of these exceptions allows for the disclosure of information where the disclosure is because of an emergency that threatens the life, health, or security of an individual.

5.5. Public interest

See section on interests of the data subject above.

5.6. Legitimate interests of the data controller

Under the FOIP and the LAFOIP, a government institution or local authority is permitted to disclose personal information for the purpose for which the information was obtained or compiled by the government institution or local authority or for a use consistent with that purpose.

As per Section 23(1) of HIPA, a trustee shall only collect, use, or disclose personal information that is reasonably necessary for the purpose for which it is being collected. Furthermore, a trustee may collect personal health information for a secondary purpose if the secondary purpose is consistent with any of the permitted disclosures of personal health information under the act.

5.7. Legal bases in other instances

Under the FOIP, a government institution is permitted to collect and disclose personal information for the purpose of management, audit, and/or administration of personnel of the government institution.

6. Principles

PIPEDA

Schedule 1 of PIPEDA includes the following ten principles organisations must follow for the protection of personal information:

  • accountability;
  • identifying purposes;
  • consent;
  • limiting collection;
  • limiting use, disclosure, and retention;
  • accuracy;
  • safeguards;
  • openness;
  • individual access; and
  • challenging compliance.

To comply with accountability requirements under PIPEDA, organisations are required to appoint an individual responsible for the organisation's compliance with PIPEDA and develop personal information policies and practices. Further, under the accountability principle, an organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.

To comply with identifying purposes requirements under PIPEDA, organisations are to identify and document why personal information is needed and notify individuals of the purposes for collection. Under the consent principle, organisations are to obtain the knowledge and consent of the individual for the collection, use, or disclosure of personal information, except where inappropriate. Under the limiting collection principle, organisations are not to collect personal information indiscriminately or deceive individuals about the reasons for collection.

To limit use, disclosure, and retention under PIPEDA, organisations are to only disclose personal information for the purpose for which it was collected (unless the individual consents), keep personal information for a reasonable time to allow the individual to access it but only as long as needed, and destroy information that is no longer required for an identified purpose or legal requirement. Under the accuracy principle, organisations are to minimise the possibility of using incorrect personal information. Under the safeguard principle, organisations are to protect personal information against loss or theft and safeguard it against unauthorised access or disclosure.

To ensure openness, organisations are to inform customers, clients, and employees of their policies for managing personal information and make these policies easy to understand in accordance with PIPEDA. Under the individual access principle, organisations are to allow individuals access to their personal information and correct or amend inaccuracies or deficiencies. Under the challenging compliance principle, organisations are to develop simple accessible complaint procedures, inform individuals of their avenues for recourse, and investigate all complaints received.

Saskatchewan privacy statutes

Per Section 25 of the FOIP and Section 24 of the LAFOIP, no government institution or local authority shall collect personal information unless the information is collected for a purpose that relates to an existing or proposed program or activity of the government institution or local authority.

Under Section 23 of HIPA, trustees are required to only collect, use, or disclose personal information that is reasonably necessary for the purpose for which it is being collected, used, or disclosed. The OIPC has interpreted this provision as placing a requirement on trustees and employees of trustees to only collect, use, and disclose personal information on a need-to-know basis.

Per Section 27 of the FOIP and Section 26 of the LAFOIP, government institutions and local authorities are required to ensure personal information being used for an administrative purpose is as accurate and complete as reasonably possible. Section 19 of HIPA imposes a similar duty on trustees and, per Section 23(4) of HIPA, trustees must, where practicable, use or disclose only de-identified personal health information.

Per Section 26 of the FOIP and Section 25 of the LAFOIP, a government institution or local authority is required to, where reasonable, collect information directly from the individuals to whom the information relates, unless the collection falls into one of the enumerated exceptions.

Per Section 24.1 of the FOIP and Section 23.1 of the LAFOIP, government institutions and local authorities are required to establish policies and procedures to maintain administrative, technical, and physical safeguards that protect the integrity, accuracy, and confidentiality of personal information in their possession or control.

Per Section 16 of HIPA, trustees have a duty to protect the integrity, accuracy, and confidentiality of personal health information. Under Section 17 of HIPA, trustees must ensure personal health information is stored in a format that is retrievable, readable, and usable for the purpose it was collected, and personal health information must be destroyed in a secure manner.

7. Controller and Processor Obligations

7.1. Data processing notification

Government institutions, local authorities and trustees under the FOIP, the LAFOIP and HIPA respectively are generally not required to notify the OIPC about their data collection, use, or disclosure activities.

Under PIPEDA, organisations do not generally have a requirement to notify the OPC about the collection, use, or disclosure of personal information. However, Section 7(2) of PIPEDA provides that organisations who wish to use personal information for statistical, scholarly study, or research purposes where it is impractical to obtain the consent of individuals must inform the OPC before the information is used. Also, organisations are required to report to the OPC any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm.

7.2. Data transfers

While PIPEDA does not prohibit the transfer of personal information outside of Canada, it does establish rules and principles that ensure organisations remain accountable for personal information when it has been transferred to a third party or to a location outside of Canada. Principle 4.1.3 of PIPEDA states:

'An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.'

The OPC has provided further guidance on the phrase 'comparable level of protection' stating that this requires an organisation to ensure that, 'the third-party processor must provide protection that can be compared to the level of protection the personal information would receive if it had not been transferred'. This is in line with the Processing Personal Data Across Borders Guidelines the OPC has released on the trans-border flow of data.

Under the FOIP and the LAFOIP, a government institution or local authority is permitted to transfer data to an IMSP (as discussed above in the section on key definitions) so long as the government institution or local authority enters into a written agreement with the IMSP that contains provisions providing for the following:

  • governing the access to and use, disclosure, storage, archiving, modification, and destruction of the personal information;
  • the protection of the personal information;
  • a description of the specific service the IMSP will deliver;
  • the obligations of the IMSP respecting the security and safeguarding of personal information; and
  • the destruction of the personal information.

As per Section 18 of HIPA, trustees are also permitted to transfer personal health information to IMSPs and HIPA's associated regulations contain similar requirements for agreements between trustees and IMSPs.

7.3. Data processing records

Processing is not explicitly defined in Saskatchewan or federal privacy statutes. However, there is a requirement under PIPEDA for organisations to maintain a record of every breach of security safeguards involving personal information under their control. Furthermore, organisations are required to document the purposes for which personal information is collected.

As per Section 17 of HIPA, trustees are required to ensure that personal health information stored in any format is retrievable, readable, and usable for the purpose for which it was collected.

7.4. Data protection impact assessment

Saskatchewan privacy statutes and PIPEDA do not mandate or require the use of Data Protection Impact Assessments ('DPIA'). However, federal public-sector institutions are required to conduct Privacy Impact Assessments ('PIAs') pursuant to the Directive on Privacy Impact Assessment.

7.5. Data protection officer appointment

Under PIPEDA, an organisation is required to designate an individual or individuals who are accountable for the organisation's compliance with the privacy principles set out in PIPEDA. In addition, organisations must make available to individuals the name or title, and the address, of the person who is accountable for the organisation's policies and practices and to whom complaints or inquiries can be forwarded.

7.6. Data breach notification

Per Section 10.1(3) of PIPEDA, an individual has a right to be informed by an organisation of any breach of security safeguards involving the individual's personal information if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. In addition, organisations are required to report to the OPC any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach created a real risk of significant harm. Significant harm includes, 'bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property'.

The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual affected by the breach include the sensitivity of the personal information involved in the breach and the probability the personal information will be misused. The OPC has provided guidance on what constitutes 'real risk of significant harm'.

Similar notification requirements apply to government institutions and local authorities pursuant to Section 29.1 of the FOIP and 28.1 of the LAFOIP. Once it is confirmed that a privacy breach has occurred, a government institution or local authority must consider if, as a result of the breach, there is a real risk of significant harm that may come to the affected individual. If it is determined there is a real risk of significant harm, the government institution or local authority must notify the affected individual.

7.7. Data retention

Under PIPEDA, organisations are required to retain personal information only as long as necessary for the fulfilment of the purpose for which it was collected.

Per Section 10.3(1) of PIPEDA, an organisation is required to keep and maintain a record of every breach of security safeguards involving personal information under its control.

7.8. Children's data

Under the FOIP, the LAFOIP, and HIPA (with minor variances), where an individual is less than 18 years of age, any right or power conferred on that individual is exercisable by their legal custodian, so long as the exercise of the right or power would not constitute an unreasonable invasion of the privacy of the individual. While the acts do not generally differentiate between adults and children, for consent to be valid it must be meaningful and informed, which suggests that a child's consent may not be valid in every circumstance.

Similar to the Saskatchewan privacy statutes, PIPEDA provides that consent for the collection, use, and disclosure of personal information must be meaningful, and that user expectations should be taken into consideration in determining the proper form of consent. See the discussion above in section on consent. Further to these requirements, the OPC has released guidance on the collection of personal information from children that recommends limiting, or avoiding altogether, the collection of personal information from children.

7.9. Special categories of personal data

Generally, Saskatchewan and Canadian federal privacy statutes do not differentiate between different types of personal information. However, as mentioned above in section on key definitions, when assessing the real risk of significant harm under PIPEDA, the sensitivity of the information involved is one factor to consider.

7.10. Controller and processor contracts

See the discussion above in the section on data transfers.

8. Data Subject Rights

8.1. Right to be informed

Under PIPEDA, individuals are entitled to be informed of the existence, use, and disclosure of their personal information.

Under HIPA, individuals have a right to be informed about the anticipated uses and disclosures of their personal health information.

While the FOIP and the LAFOIP do not contain a specific right to be informed, as noted above, in order to obtain valid consent under either Act, the consent of the individual must be informed.

8.2. Right to access

Individuals under PIPEDA, HIPA, the FOIP, and the LAFOIP are entitled to a right of access to their personal information (or in the case of HIPA their personal health information).

8.3. Right to rectification

Organisations subject to PIPEDA are expected to allow individuals to challenge the accuracy and completeness of their personal information and have it amended as appropriate.

Government institutions and local authorities, as per the FOIP and the LAFOIP, are required to provide individuals with a right of correction, whereby individuals who are given access to a record that contains personal information about themselves are entitled to request the correction of the personal information in the record they believe contains an error or omission.

Individuals who are given access to a record containing personal health information are entitled, under HIPA, to request an amendment to the information.

8.4. Right to erasure

While PIPEDA affords individuals the right to withdraw consent and challenge the accuracy, completeness, and currency of their personal data, it does not grant a specific right to require organisations to erase or delete their personal information.

Saskatchewan privacy statutes also do not provide a right of erasure or deletion to individuals.

8.5. Right to object/opt-out

PIPEDA, the FOIP, the LAFOIP, and HIPA do not provide a right to object or opt-out of processing. However, HIPA and PIPEDA specifically provide that an individual may withdraw their consent at any time and the regulations associated with the FOIP and the LAFOIP state that an individual may give a consent that is only effective for a limited time.

8.6. Right to data portability

Saskatchewan and Canadian federal privacy statutes do not provide for a right of data portability.

8.7. Right not to be subject to automated decision-making

Saskatchewan and Canadian federal privacy statutes do not provide for a right not to be subject to automated decision-making.

8.8. Other rights

Additional rights under Saskatchewan and Canadian federal privacy statutes include an individual's right to make a complaint to the relevant data protection authority. In the case of the FOIP, the LAFOIP, and HIPA, the relevant authority is the OIPC, while under PIPEDA it is the OPC.

Per Section 10.1(3) of PIPEDA, an individual has a right to be informed by an organisation of any breach of security safeguards involving the individual's personal information if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. Similar notification requirements apply to government institutions and local authorities pursuant to Section 29.1 of the FOIP and 28.1 of the LAFOIP respectively. See the section on breach notification above for further details on these rights and reporting requirements.

9. Penalties

Per Section 68 of the FOIP and Section 56 of the LAFOIP, every person who knowingly collects, uses, or discloses personal information in contravention of the Act or its associated regulations is guilty of an offence and liable to a fine of not more than CAD 50,000 (approx. €37,276), to imprisonment for not more than one year, or both. A number of more specific offences are provided for in each act; however, each offence carries the same maximum punishment set out above.

Per Section 64 of HIPA, every person who knowingly contravenes any provision of HIPA or its associated regulations is guilty of an offence and liable to a fine of not more than CAD 50,000 (approx. €37,276), to imprisonment for not more than one year, or to both, and, in the case of a corporation, to a fine of not more than CAD 500,000 (approx. €372,760). There are a number of other offences outlined in Section 64 of the Act that carry the same maximum penalty set out above.

Per Section 28 of PIPEDA, organisations that knowingly contravene certain sections (a failure to retain personal information long enough for individuals to access and correct it, a failure to report security breaches, a failure to maintain records of security breaches, and disciplining or disadvantaging whistleblowers) or obstruct the OPC's investigation of a complaint are guilty of a summary conviction offence and liable to a fine of up to CAD 10,000 (approx. €7,455) or an indictable offence and liable for a fine of up to CAD 10,000 (approx. €7,455).

It is an offence under the Federal Privacy Act to obstruct the OPC in their performance of duties and functions under the Act, and each person who commits this offence is liable on summary conviction to a fine of up to CAD 1,000 (approx. €745).

9.1. Enforcement decisions

While it is rare for an individual, organisation, or government institution to receive a fine or penalty under Saskatchewan or Canadian federal privacy statutes, the Competition Bureau of Canada ('the Bureau') has recently exercised its powers under its own governing legislation to penalise a social media company for making false or misleading claims to the public about the privacy of individuals' personal information. As a result of its findings, the social media company and the Bureau entered a consent agreement requiring the company to pay a CAD 9 million (approx. €6.7 million) penalty, plus an additional CAD 500,000 (approx. €372,760) for the costs of the investigation.

Generally, the main consequence of non-compliance with privacy legislation in Saskatchewan is reputational damage, although there is also the potential for litigation exposure including the risk of individual lawsuits and class actions, as well as unionised employees taking action to access remedies available under the applicable collective bargaining agreement and labour legislation.