Yukon Information and Privacy Commissioner
Resources for Public Bodies
This advisory is intended for anyone with responsibility for the operation or content of IT systems containing personal health information or personal information for custodians under the Yukon’s Health Information Privacy and Management Act and public bodies under the Yukon’s Access to Information and Protection of Privacy Act.
Public bodies and custodians in the Yukon have an obligation to perform logging and auditing on their electronic systems that contain personal information (PI) or personal health information (PHI). This guidance was issued to assist them in meeting this obligation.
This advisory was issued to inform custodians and public bodies about the risk of the Log4j vulnerability and about actions that can be taken to mitigate the risk of a breach of PHI or PI that could occur as a result of the vulnerability.
Ideas for individuals, businesses & public organizations - how to manage the risk of ransomware
This special report was developed by the Offices of the Yukon Ombudsman and Privacy Commissioner, together with the BC Ombudsperson and the BC Privacy Commissioner. Released on June 17, 2021, it highlights fairness and privacy concerns related to the use of artificial intelligence in the public sector and makes recommendations for steps governments should take to use AI in a responsible manner.
This infographic summarizes key points of the special joint report on use of artificial intelligence in the public sector, Getting Ahead of the Curve: Meeting the Challenges to Privacy and Fairness Arising from the Use of Artificial Intelligence in the Public Sector.
Guidance for Public Bodies on Time Extension Request to the OIPC under s.63 of the ATIPP Act (2018).
This guide is written for public bodies who have received a request for review under the Access to Information and Protection of Privacy Act (ATIPP Act).
Public bodies are often called upon to undertake searches for records in response to access requests made under the Access to Information and Protection of Privacy Act. This guidance document offers suggestions and outlines steps that public body employees should consider when conducting a search for records in response to an access to information request.
Canadian privacy laws all contain provisions that allow for the disclosure of personal information or personal health information in the event of an emergency. This document provides guidance on the provisions in Yukon's privacy laws.
The Yukon Information and Privacy Commissioner is reminding public bodies and custodians to ensure the protection of personal information and personal health information when employees working from home use this information. This document provides guidance on how to do so.
The purpose of these guidelines is to assist public bodies in identifying when it is appropriate to use video surveillance and in evaluating whether, in using video surveillance involving the collection, use and disclosure of personal information, the requirements of the ATIPP Act can be met.
The only way for a public body to effectively assess and manage privacy risks for any project involving personal information is to conduct a privacy impact assessment (PIA). Completing a PIA enables a public body to identify any risks associated with the collection, use or disclosure of personal information and ensure the information is properly managed in compliance with the ATIPP Act.
This document provides step-by-step guidance for Yukon's public bodies on how to implement an effective privacy management program.
This tool is designed as a resource for public bodies to ‘self-evaluate’ the maturity of their privacy management program.
The COVID-19 pandemic has led to the development and use of new variations of cybercrime. In particular, texting, email, phone calls and social media are being used to trick people into giving out personal or financial information, often by playing on fears and concerns about COVID-19. This advisory is meant to create additional awareness of these problems and provide advice about what to do.
The Yukon Information and Privacy Commissioner (IPC) is issuing this advisory to inform Yukoners about a recent cyber security incident involving the Zoom videoconferencing application and to provide information about how to reduce risks to privacy.
The Yukon Information and Privacy Commissioner provides advice to government, public organizations, businesses, employees and the public in regard to protecting personal information while working from home or other remote locations, in particular in regard to applications that support remote work and the potential privacy risks of using them.
- Is the Information and Privacy Commissioner part of government?
No, the Information and Privacy Commissioner (IPC) is an independent officer of the Yukon Legislative Assembly and is, therefore, not part of the Yukon government.
In Yukon, the IPC is the same person as the Ombudsman and the Public Interest Disclosure Commissioner.
The IPC is responsible for monitoring compliance with the Health Information Privacy and Management Act (HIPMA) and the Access to Information and Protection of Privacy Act (ATIPP).
ATIPP applies to Yukon public bodies, such as Yukon government departments. HIPMA applies to custodians (see ‘What is a custodian?’). For more information about HIPMA see the HIPMA FAQ section.
The IPC has a number of responsibilities under these Acts and has broad authority to investigate complaints made, including the power to compel production of records and witnesses. Under ATIPP and HIPMA, the IPC also has adjudicative authority, which means her office can make findings of fact and law that are binding on public bodies and custodians subject to the Acts.
- When does the IPC hold an Adjudication under ATIPP?
Most complaints initially proceed to Informal Case Resolution (ICR) to try to settle the issues for review. Where a complaint is not completely settled during informal case resolution, a party can ask the IPC to conduct an adjudication. The IPC has discretion to decide whether to proceed to adjudication.
The IPC may initiate her own investigation, known as an own motion investigation, on a decision or matter that the commissioner reasonably believes could be the subject of a complaint.
- What happens in an adjudication?
An adjudication is the final stage in a complaint investigation and is a formal process conducted by the IPC. The parties to an adjudication are entitled to make representations to the IPC about the issues identified for adjudication. In most inquiries, the representations are made in writing and the parties do not appear before the IPC.
If the IPC decides to proceed to adjudication, a notice of adjudication is issued to the parties. The notice of adjudication outlines the next steps in the adjudication. The notice of adjudication will confirm:
- the parties to the adjudication,
- the sections of the ATIPP Act that will be considered,
- the issues for adjudication,
- the timeline for notifying the IPC of any preliminary objections to the adjudication,
- the schedule for delivery and exchange of initial and reply submissions from the parties, and
- a deadline for requesting the IPC’s approval for “in camera” submission material.
At the adjudication, the IPC considers the Fact Report prepared by the Investigation and Compliance Review Officer from the Informal Case Resolution (ICR) team and the representations received from the parties, reviews any records in dispute, decides how each issue should be resolved, and makes her recommendation(s). The IPC issues a written report to the parties setting out her findings, recommendation(s) and reasons for the findings and recommendation(s).
Some of the things the IPC can recommend are:
- the release of some or all of the information in a record
- the modification of a fee waiver
- the correction of personal information