Yukon Information and Privacy Commissioner
Compliance
Our office handles several types of compliance files under the Access to Information and Protection of Privacy Act (ATIPPA). These files include privacy impact assessments, privacy breach evaluations, and security threat risk assessments.
Privacy Impact Assessment
The only way for a public body to effectively assess and manage privacy risks for any project involving personal information is to conduct a privacy impact assessment (PIA). Completing a PIA enables a public body to identify any risks associated with the collection, use or disclosure of personal information and ensure the information is properly managed in compliance with the Access to Information and Protection of Privacy Act (ATIPPA).
The value of having the Office of the Information and Privacy Commissioner (IPC) review a PIA is as follows:
- A public body is able to draw on the experience of the IPC in interpreting and applying the ATIPP Act.
- It enables the public body to receive feedback from the IPC about whether the project poses risks to the privacy of the individuals whose personal information is involved.
- It demonstrates the public body's accountability for ensuring the risks to privacy associated with projects involving personal information are being appropriately managed.
This checklist is to be used by public bodies when submitting privacy impact assessments to our office.
The Government of Yukon has a PIA Tool that can be used to complete a PIA. Contact the ATIPP Office for additional information.
Privacy Breach
A privacy breach, as defined in the ATIPPA, means the theft or loss of, or unauthorized use, disclosure or disposal of personal information. The most common privacy breach happens when personal information of an individual, in the hands of a public body, is mistakenly disclosed, lost or stolen; for example, when a laptop or memory stick containing personal information is stolen, or personal information is mistakenly emailed to the wrong person. A privacy breach may also be the consequence of a faulty business procedure or an operational breakdown.
The IPC has issued a series of Best Practices to assist in understanding the obligations of the ATIPP Act and the expectations of the IPC. This Best Practice is designed to help ensure that responses to access requests are based on fair and consistent administrative decisions and that individuals' privacy is protected.
Security Threat Risk Assessment
A security threat risk assessment (STRA) is the overall activity of assessing and reporting security risks for a given information system to make risk-based decisions. Like a PIA, a STRA maps out the data flows for a given information system to identify security risks, but with a particular lens on technical vulnerabilities.
Examples might include risks to the confidentiality, integrity and availability of information stored in a system, as well as vulnerabilities related to malware, ransomware attacks, hacking, etc. The ATIPPA makes it mandatory for public bodies to conduct a STRA and submit it to our office for review before carrying out personal identity services (also known as digital ID), integrated services, data-linking activities, information management services, or a significant change to any of the above noted types of information systems. Evaluating STRAs requires a certain level of technical expertise.
For more information, contact our office.
Relevant FAQs
- Is the Information and Privacy Commissioner part of government?
No, the Information and Privacy Commissioner (IPC) is an independent officer of the Yukon Legislative Assembly and is, therefore, not part of the Yukon government.
In Yukon, the IPC is the same person as the Ombudsman and the Public Interest Disclosure Commissioner.
The IPC is responsible for monitoring compliance with the Health Information Privacy and Management Act (HIPMA) and the Access to Information and Protection of Privacy Act (ATIPP).
ATIPP applies to Yukon public bodies, such as Yukon government departments. HIPMA applies to custodians (see ‘What is a custodian?’). For more information about HIPMA see the HIPMA FAQ section.
The IPC has a number of responsibilities under these Acts and has broad authority to investigate complaints made, including the power to compel production of records and witnesses. Under ATIPP and HIPMA, the IPC also has adjudicative authority which means her office can make findings of fact and law that are binding on public bodies and custodians subject to the Acts.
- When does the IPC hold an Adjudication under ATIPP?
Most complaints initially proceed to Informal Case Resolution (ICR) to try to settle the issues for review. Where a complaint is not completely settled during informal case resolution, a party can ask the IPC to conduct an adjudication. The IPC has discretion to decide whether to proceed to adjudication.
The IPC may initiate her own investigation, known as an own motion investigation, on a decision or matter that the commissioner reasonably believes could be the subject of a complaint.
- What happens in an adjudication?
An adjudication is the final stage in a complaint investigation and is a formal process conducted by the IPC. The parties to an adjudication are entitled to make representations to the IPC about the issues identified for adjudication. In most adjudications, the representations are made in writing and the parties do not appear before the IPC.
If the IPC decides to proceed to adjudication, a notice of adjudication is issued to the parties. The notice of adjudication outlines the next steps in the adjudication. The notice of adjudication will confirm:
- the parties to the adjudication,
- the sections of the ATIPP Act that will be considered,
- the issues for adjudication,
- the timeline for notifying the IPC of any preliminary objections to the adjudication,
- the schedule for delivery and exchange of initial and reply submissions from the parties, and
- a deadline for requesting the IPC’s approval for “in camera” submission material.
At the adjudication, the IPC considers the Fact Report prepared by the Investigation and Compliance Review Officer from the Informal Case Resolution (ICR) team and the representations received from the parties, reviews any records in dispute, decides how each issue should be resolved and makes her recommendation(s). The IPC issues a written report to the parties setting out her findings, recommendation(s) and reasons for the findings and recommendation(s).
Some of the things the IPC can recommend are:
- the release of some or all of the information in a record
- the modification of a fee waiver
- the correction of personal information