Yukon Information and Privacy Commissioner
Resources for Custodians
This advisory is intended for anyone with responsibility for the operation or content of IT systems containing personal health information or personal information for custodians under the Yukon’s Health Information Privacy and Management Act and public bodies under the Yukon’s Access to Information and Protection of Privacy Act.
Public bodies and custodians in the Yukon have an obligation to perform logging and auditing on their electronic systems that contain personal information (PI) or personal health information (PHI). This guidance was issued to assist them in meeting this obligation.
This advisory was issued to inform custodians and public bodies about the risk of the Log4j vulnerability and about actions that can be taken to mitigate the risk of a breach of PHI or PI that could occur as a result of the vulnerability.
Ideas for individuals, businesses & public organizations - how to manage the risk of ransomware
This special report was developed by the Offices of the Yukon Ombudsman and Privacy Commissioner, together with the BC Ombudsperson and the BC Privacy Commissioner. Released on June 17, 2021, it highlights fairness and privacy concerns related to the use of artificial intelligence in the public sector and makes recommendations for steps governments should take to use AI in a responsible manner.
This infographic summarizes key points of the special joint report on use of artificial intelligence in the public sector, Getting Ahead of the Curve: Meeting the Challenges to Privacy and Fairness Arising from the Use of Artificial Intelligence in the Public Sector.
This toolkit for small custodians is designed to assist custodians in understanding their obligations under HIPMA and ensuring they are compliant.
The Yukon Information and Privacy Commissioner has issued guidance for custodians, as set out in the Health Information Privacy and Management Act (HIPMA), to assist them in managing their obligations under HIPMA while COVID-19 emergency management measures are in effect, with a focus on managing access to information requests during this time.
Canadian privacy laws all contain provisions that allow for the disclosure of personal information or personal health information in the event of an emergency. This document provides guidance on the provisions in Yukon's privacy laws.
The Yukon Information and Privacy Commissioner (IPC) is reminding public bodies and custodians to ensure the protection of personal information and personal health information when employees working from home use this information. This document provides guidance on how to do so.
This document was created by the Office of the Information and Privacy Commissioner to help custodians learn about their responsibilities under HIPMA. The document highlights some responsibilities that custodians will be required to manage daily, and references the applicable sections in HIPMA for ease of cross reference. This document is intended to be used as an educational tool only. Please view the Act and Regulations for all the requirements that a custodian must follow in HIPMA. It is up to each custodian to understand their obligations in HIPMA and to comply with them.
This tool was developed by the Office of the Information and Privacy Commissioner to assist custodians in meeting the audit requirements of the Health Information Privacy and Management Act (HIPMA) and the Health Information General Regulation.
The COVID-19 pandemic has led to the development and use of new variations of cybercrime. In particular, texting, email, phone calls and social media are being used to trick people into giving out personal or financial information, often by playing on fears and concerns about COVID-19. This advisory is meant to create additional awareness of these problems and provide advice about what to do.
The Yukon Information and Privacy Commissioner (IPC) is issuing this advisory to inform Yukoners about a recent cyber security incident involving the Zoom videoconferencing application, and to provide information about how to reduce risks to privacy.
The Yukon Information and Privacy Commissioner provides advice to government, public organizations, businesses, employees and the public in regard to protecting personal information while working from home or other remote locations, in particular in regard to applications that support remote work and the potential privacy risks of using them.
Please view this resource to review the specific requirements that custodians must follow when a privacy breach occurs.
- Can my clients or patients request their personal health information from me?
Yes. Your clients or your patients have the right to examine or receive a copy of their personal health information that is in your custody or control. They can make this request under HIPMA but they must make it in writing unless you agree otherwise.
If you receive an application that is incomplete, you are required to offer assistance to the client or patient in completing it. This includes asking for more details to identify the personal health information requested.
If, after having made a request under HIPMA, you don’t reply or the client or patient is not satisfied with your reply, they can file a complaint with our Office.
- How much time do I have to provide a response to a request for personal health information?
You are required to process the request within 30 days unless meeting that timeline would seriously interfere with your operations or you need to consult with someone about the request. You can take more time but no more than an additional 60 days. In that case, you must give the client or your patient reasons for the delay and let them know when they can expect a response. You must also inform them that they can make a complaint to our Office.
If you do not respond to a request within the time limit, this is considered as a refusal to provide the information and the client or patient can file a complaint with us.
- Can I charge a fee for providing access to personal health information?
Yes. You may charge $9 for each 15 minutes spent processing an access to personal health information request made by an individual. However, HIPMA restricts you from charging this fee to the individual for the first two hours each calendar year.
You may charge $0.25 for each photocopy you make or the actual cost of using another medium, such as a removable storage device, on which you provide a copy. You may also charge the actual cost of shipping the records to the person who requested them. You must provide an estimate of the fees if you are requested to do so.
You cannot charge for a record containing information about who has accessed personal health information that you have stored in an electronic information system. This record is referred to in HIPMA as a ‘record of user activity’.
You cannot charge for transferring an individual’s personal health information to a new health care provider who performs substantially similar functions as you if it is reasonable to expect you will no longer be providing health care to this individual.