An individual can submit a privacy complaint to our office based on the following:

• Collection: there are rules that govern who can collect personal information, how they can collect it, and when and how the individual is informed about the collection.
• Use: there are rules that govern how public bodies and health custodians can use personal information with or without consent.
• Disclosure: there are rules about when a public body or health custodian can disclose personal information with or without consent.
• Information practices: there are rules that require public bodies and health custodians to implement effective information management practices to guard against a breach of personal information.
• Security breaches: there are rules a public body or health custodian must follow, including that an individual must be notified when their personal information is breached and they are at risk of significant harm as a result. A security breach (sometimes called a privacy breach in HIPMA) means the theft, loss or disposition, or disclosure or access of personal information contrary to the requirements of the Acts.

In addition to the above, HIPMA also includes the following:

• Consent: there are rules a health custodian must follow when obtaining consent under HIPMA to ensure the consent is valid, including rules about who can be a substitute decision maker.
• Yukon Health Information Network (YHIN): there are rules custodians must follow in establishing and accessing the YHIN, including rules about the masking of an individual’s personal health information to prevent unauthorized access to it.

Complaints can also be made to the IPC if there is a concern that someone's personal health information has been accessed in an electronic information system inappropriately. Before filing a complaint, the complainant may wish to request a ‘record of user activity’ from the custodian that shows who accessed their information. Contact the custodian for information about how to request a record of user activity. A custodian is not allowed to charge for providing a copy of this record.  

The office of the IPC can review or investigate the following decisions regarding a request for information under the Access to Information and Protection of Privacy Act (ATIPPA) and the Health Information Privacy and Management Act (HIPMA). Public bodies are public organizations under ATIPPA and custodians are health providers under HIPMA.

A public body or custodian’s:

• refusal to grant access to a record or records,
• redaction of information from a record, (ATIPPA only),
• release of personal or business information to a third party who made an access to information request (ATIPPA only), and
• refusal, or no reply, to correct information in a record.

We can also investigate an Access and Privacy Officer (APO) or custodian’s:

• refusal to process an access request,
• granting of a time extension to respond to an access request,
• declaration that the access request has been abandoned (ATIPPA only),
• denial of an application to waive some or all the costs associated with processing the access request, and
• a missed deadline. 

Public bodies or custodians are required to respond to an access request within 30 business days from the date of activation (or by the updated response date if there was a time extension granted by either the APO or the IPC). Failure to meet this deadline is considered a refusal to provide access to the records. 

If an access request is refused, partially refused, or not answered in time, a complaint can be filed with our office.

We can also receive complaints about a public body or custodian’s improper administration of the Acts - if it is believed they did not properly search for records, failed to locate records, a custodian charged the wrong fee, or any other concerns about how an access request was handled.

Complaints can be made by filling out an ATIPPA complaint form or a HIPMA complaint form and submitting it to our office.

The following documents should be included in the submission:

• the complainants request for access to records that they submitted to the ATIPP Office or custodian,
• the Access and Privacy Officer’s (APO) or custodian’s response to the request (if there was one), and
• any correspondence with the APO, public body, or custodian related to the request for access to records.

If an individual believes that a custodian has refused access by incorrectly applying HIPMA - therefore making them non-compliant with the Act - the applicant has 60 days from the date of the alleged non-compliance to file a complaint with our office.