Yukon Information and Privacy Commissioner
Section 42 Request for Comment
The Information and Privacy Commissioner (IPC) is responsible for monitoring how the ATIPP Act is administered to ensure that its purposes are achieved and may comment on the implications for access to information or for protection of privacy of existing or proposed legislative schemes or programs of public bodies.
As part of exercising this authority the IPC also provides comments on privacy impact assessments and privacy breaches.

Click here to download a copy of the Request for Comment Form.
Privacy Impact Assessment
The only way for a public body to effectively assess and manage privacy risks for any project involving personal information is to conduct a privacy impact assessment (PIA). Completing a PIA enables a public body to identify any risks associated with the collection, use or disclosure of personal information and ensure the information is properly managed in compliance with the Access to Information and Protection of Privacy Act (ATIPP Act).
The value of having the Office of the Information and Privacy Commissioner (OIPC) review a PIA is as follows:
- A public body is able to draw on the experience of the OIPC in interpreting and applying the ATIPP Act.
- It enables the public body to receive feedback from the OIPC about whether the project poses risks to the privacy of information.
- It demonstrates the public body's accountability for ensuring the risks to privacy associated with projects involving personal information are being appropriately managed.

Here you will find the OIPC's guidance material on PIA's.

Once you've completed a PIA and you would like the OIPC to provide feedback, complete a Request for Comment Form.
To complete a PIA, the ATIPP Office with the department of Highways and Public Works has created a PIA Tool. Contact Jeff Sunstrum, at 867-667-3510 to obtain this template.
Privacy Breach

A privacy breach is not defined in the ATIPP Act. A privacy breach occurs when there is unauthorized collection, use or disclosure of personal information. The most common privacy breach happens when personal information of an individual, in the hands of a public body, is mistakenly disclosed, lost or stolen. For example, when a laptop or memory stick containing personal information is stolen or personal information is mistakenly emailed to the wrong person. A privacy breach may also be the consequence of faulty business procedure or operational breakdown.
Here you will find a Best Practice written by the IPC on Responding to a Privacy Breach.

This Privacy Breach Checklist was created by the OIPC to assist public bodies in evaluating privacy breaches. This Checklist should be used in conjunction with the public bodies' privacy management program. Contact our Office for more information about breaches and notifications.

While notifying and/or reporting a privacy breach to the IPC is not mandatory, the IPC has expertise and experience to assist a public body in professionally and efficiently responding to a privacy breach. Complete this form to report a breach.

The IPC has issued a series of Best Practices to assist in understanding the obligations of the ATIPP Act and the expectatations of the IPC. This Best Practice is designed to help ensure responses to access requests are based on fair and consistent administrative decisions and to ensure that individuals' privacy is protected.
Relevant FAQs
- Is the Information and Privacy Commissioner part of government?
No, the Information and Privacy Commissioner (IPC) is an independent officer of the Yukon Legislative Assembly and is, therefore, not part of the Yukon government.
In Yukon, the IPC is the same person as the Ombudsman and the Public Interest Disclosure Commissioner. For more information about these roles, our website at: http://www.yukonombudsman.ca.
The IPC is responsible for monitoring compliance with HIPMA and the Access to Information and Protection of Privacy Act (ATIPP).
ATIPP applies to Yukon public bodies, such as Yukon government departments. HIPMA applies to custodians (see ‘What is a custodian?’).
The IPC has a number of responsibilities under these Acts and has broad authority to investigate complaints made, including the power to compel production of records and witnesses. Under HIPMA, the IPC has adjudicative authority. This means she can make findings of fact and law that are binding on custodians. At the conclusion of an adjudication, called a ‘consideration’ under HIPMA, she has the authority to recommend any remedy that she determines appropriate.
- When does the IPC hold inquiries?
Most requests for review initially proceed to mediation to try to settle the issues for review. Where a request for review is not completely settled during mediation, a party can ask the IPC to conduct an inquiry. The IPC has discretion to decide whether to proceed to inquiry.
- What happens in an inquiry?
An inquiry is the final stage in the request for review process. An inquiry is a formal adjudicative process conducted by the IPC. The parties to an inquiry are entitled to make representations * to the IPC about the issues identified for inquiry. In most inquiries, the representations are made in writing and the parties do not appear before the IPC.
If the IPC decides to proceed to inquiry, a notice of inquiry is issued to the parties. The notice of inquiry outlines the next steps in the inquiry. The notice of inquiry will confirm:
- the parties to the inquiry,
- the sections of the ATIPP Act that will be considered,
- the issues for inquiry,
- the timeline for notifying the IPC of any preliminary objections to the inquiry,
- the schedule for delivery and exchange of initial and reply submissions from the parties, and
- a deadline for requesting the IPC’s approval for “in camera”* submission material.
At the inquiry, the IPC considers the Fact Report prepared by the mediator, the representations received from the parties, reviews any records in dispute, and decides how each issue should be resolved and makes her recommendation(s) *. The IPC issues a written report to the parties setting out her findings, recommendation(s) and reasons for the findings and recommendation(s). Some of the things the IPC can recommend are:
- the release of some or all of the information in a record
- the modification of a fee waiver
- the correction of personal information