Responding to access to information requests during an election

As Saskatchewan prepares for both a provincial and municipal election this fall, it is a good time to remind everyone about their obligations under The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and The Health Information Protection Act (HIPA). This includes the importance of responding to access to information requests during election periods.

Civil servants can be nervous about responding to access to information requests during the writ period, especially requests that may relate to “hot topic” issues. Our office also recognizes that there are specific communication directives during the writ period that civil servants must follow.

However, during the writ period, your obligations under FOIP, LA FOIP and HIPA do not change.

Public bodies and trustees must respond to formal access to information requests during a writ period as they would at any other time during the year. This means you must respond to the request in writing within 30 days of receiving it. You may extend the response time by an additional 30 days only if a limited and specific circumstance exists as provided for in section 12 of FOIP, section 12 of LA FOIP and section 37 of HIPA. None of the reasons for extending a response time covers elections or the writ period.

So, before the writ drops, our office would suggest having these internal conversations about FOIP, LA FOIP and HIPA obligations. That way, if you receive a “hot topic” request during the writ period, everyone is on the same page and you can carry on business as usual with your day-to-day FOIP, LA FOIP and HIPA obligations – before, during and after an election.

For further background, please see Review Report 064-2016 to 076-2016 where the Information and Privacy Commissioner, in part, looked at the issue of responding to access to information requests during an election.

UPDATED – Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan to Teachers, School Boards, Parents and Students

The pandemic initially resulted in classes being suspended and students staying at home. Now that September is here, schools are reopening, but schools are also offering students the option to learn remotely from home. School Divisions and teachers have been planning during August, selecting the online learning platforms and preparing to use those platforms for those students and parents who select online learning. There are many platforms from which a school division can choose and I expect each school division may select a different platform. Each platform comes with its privacy settings and each school division will have to make decisions as to which settings are selected. In analyzing each platform a school division needs to, among other things, apply a privacy lens and ensure they are protecting the privacy of a student.

Zoom, and other video conference platforms, have received a lot of publicity. I expect every platform has over the last six months examined its privacy settings. School divisions and teachers need to think through the privacy risks for students in using video conferencing or virtual meeting platforms.

There are many educational offerings through the web that teachers will be tempted to use to help instruct and fill the day. Again, school divisions and individual teachers need to know the privacy protections afforded their students by The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), which should cause school divisions to monitor closely what products are being used. This issue existed before the pandemic, but because of the current situation, the pressure to have online tools has increased. Teachers should only use the educational tools approved by their school divisions and should carefully review the privacy settings they can control, so as to reduce the risk of privacy breaches.

Before the pandemic, school divisions may have had a list of authorized or approved apps and educational products that the school division considered safe to use. I encourage school divisions to revisit the tools they have approved in the past to double check on privacy protections. Teachers should ensure that they are checking with the division with regard to any guidelines or restrictions on products they might want to use. Teachers need to consider which products are safe for use.

If school divisions have authorized virtual meeting/classroom platforms, they need to consider what information is collected and disclosed by use of the platform. For example, is the teacher seeing an image of the student, and are all the students seeing images of the other students? As an individual’s image is personal information, displaying the images of students to other students is a disclosure of personal information. School divisions need to determine whether that disclosure is authorized.

To determine whether a disclosure is authorized, a school division needs to review LA FOIP. If the authority is not clear in LA FOIP, the best thing to do is obtain a consent from each student or parent. School divisions may have already obtained a written consent at the beginning of the school year and school divisions should review that consent to determine whether it is a consent that covers the streaming or broadcasting of a student’s image. Consent forms should be specific enough that parents or students know what they are consenting to.

I need to distinguish between the teachers seeing an image of each student in the class versus all students seeing the images of one another. The teacher seeing an image of a student is close to what the teacher would see if in a normal classroom. All students seeing the image of one another is a somewhat different issue because when this occurs, the images may be viewed by not only other students, but parents of the students, family members of the students, or caregivers of the students who are in the home. The streaming or broadcasting is potentially much broader than the teacher and other students in the class. Again, consent of a student or a parent can deal with this.

There are many questions for school divisions to consider in an online learning environment. What if a parent or student does not consent to the streaming or broadcasting of the student’s image to other students? Has the school division made provisions for students/parents to not consent to the streaming or broadcasting of the student’s image? Does the selected platform allow for students/parents opting out of streaming or broadcasting images? What if the student or parent turns off the camera on the home device? What if the student or parent puts masking tape over the lens of the camera? Should or does the school division encourage staff to advise students to turn off the camera and only turn on the microphone when a student is speaking?

The pandemic has given rise to many new privacy issues but, when one reflects, the principles that existed before the pandemic still apply. Does a school division have the authority to collect personal information? How will the school division/teacher use the personal information (student image)? Does the school division/teacher have authority to disclose (stream or broadcast) student personal information? Has the school division/teacher taken steps to safeguard the student’s personal information? These were all relevant questions before the pandemic and the questions remain relevant today.

For parents who have chosen distance education or online learning for the time being, the pressure is there to search for and use educational apps. My office has no jurisdiction over what parents do, but I would encourage parents to do some research on educational tools and the impact on their child’s privacy and ask questions if needed. You would not want your child’s profile, pictures, artwork, and essays to show up in unexpected places.

Finally, students, you have some responsibility in this area too. As you work with various educational tools, you can check in to see how well your privacy is protected. Where you have concerns, you should let your parent, your teacher, or your school division know.

I would recommend that school divisions, teachers and students check the privacy policies, terms of use, and privacy settings of every educational app that they are considering using.

If any staff member has questions, I would suggest the staff member call the designated access and privacy officer for the school division.

For an advisory that looks at similar issues from a different point of view, you can check out my advisory on virtual meetings.

If a school division is evaluating a particular platform, it should consider a privacy impact assessment (PIA). If there is no time to do this, the questions that would be asked during such an assessment should be asked by the director, superintendents, or the access and privacy officer. For details regarding a PIA, see Privacy Impact Assessment: A Guidance Document.

For information on back-to-school plans, see Saskatchewan School Board Association, and for detailed information on access and privacy, check out Privacy and Access in Saskatchewan Schools.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media Contact
Kara Philip, kphilip@oipc.sk.ca

Preparing and writing a submission

My office works with approximately 1,000 public bodies and trustees. Some are larger organizations and have many dealings with my office. These organizations have developed their procedures and precedents and make regular submissions to my office. Others may deal with my office once a year. It might be their first time having to respond to a complaint. I decided it was time to write about the best way to prepare for and write a submission to my office.

There is an old rule that when you write, you need to know your audience. In the case of submissions to my office, my office is the audience. I hope this Guide to Submissions will give the reader an idea of what my office is like and what is the best way of improving your chances of success.

As usual, this guide is a work in progress and any suggestions for clarifications or improvement are always appreciated.

 

Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan on police collecting personal information through bodycams

The Prime Minister on June 9, 2020, stated he supported the use of bodycams by police forces. He indicated bodycams were an idea “that’s time has come”. The Minister of Public Safety, Bill Blair, stated:

I believe that the presence of video evidence as can be made available under the right circumstances, following the appropriate policies respectful of Canadians’ privacy interests that that video evidence can provide the best possible evidence to help inform exactly what transpired.

There are arguments in favor of police forces using bodycams and there are arguments against them having bodycams. The decision as to whether a police force uses bodycams is not one that an information and privacy commissioner should or can make. This decision is up to police chiefs and boards of police commissioners. Once a decision is made to use bodycams, access and privacy issues become important. In fact, prior to the decision being taken, there are access and privacy issues that should be taken into consideration in designing the bodycam program. The balance of this advisory deals with the questions that should be considered prior to and after the decision is made to use bodycams. This advisory outlines best practices for police forces when considering bodycams.

Can a police force use bodycams?

Webcams, bodycams and dash cams are all tools that exist in our society today. All tools can be used for good purposes or bad purposes. Police forces have the ability to acquire and use many different tools; bodycams are one such tool. The use of bodycams has been debated across our country. In fact, police forces have undertaken pilot projects. Those opposed to the use of bodycams have made their position known. The cost to deploy bodycams is known and is considerable. Keeping all this in mind, police forces and boards of police commissioners can decide whether they use this tool or not. Again, the balance of this advisory deals with the access and privacy issues that should be considered before and after the decision is made to utilize the tool of bodycams.

What access and privacy legislation might apply?

If a police force decides to deploy bodycams, police forces need to know what privacy legislation applies to that police force. The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) applies to local authorities which include police forces in Saskatchewan. Part IV of LA FOIP deals with the collection, use, disclosure and protection of personal information.

What does The Police Act, 1990 say?

 A board of police commissioners and a police chief are governed by The Police Act, 1990 of Saskatchewan which provides:

31(1) Where a municipality has established a police service pursuant to section 26, the board is responsible:

(a) for the delivery of policing services within the municipality; and

(b) for:

(i) providing general direction, policy and priorities; and

(ii) developing long-term plans;

for the police service.

(2) For the purposes of this Act and Part VI of The Saskatchewan Employment Act:

(a) a board is deemed to be the employer of the personnel of the police service; and

(b) the chief and any person holding the position of deputy chief of police are deemed to be agents of the employer.

(3) Subject to subsection (4), a board may make directives that are not inconsistent with this Act or the regulations, setting general policy for the governing and administration of the police service.

The police chief’s responsibilities are set out as follows:

35(2) Subject to the general direction of the board and to this Act and the regulations, the chief is responsible for:

(a) the management, administration and operation of the police service;

(b) the maintenance of law and order in the municipality; and

(c) the maintenance of discipline within the police service.

(3) To carry out the responsibilities imposed on a chief of police by this Act and the regulations, the chief may:

(a) appoint any personnel to positions designated by the board and assign their duties;

(b) delegate to any member or civilian member any authority vested in the chief that, in the opinion of the chief, is required to properly manage the police service; and

(c) make directives necessary to carry out the daily administration and operations of the police service.

What is the purpose of police using bodycams?

Before embarking on a bodycam program, a police force needs to focus on the purpose for the bodycam program. LA FOIP provides:

24 No local authority shall collect personal information unless the information is collected for a purpose that relates to an existing or proposed program or activity of the local authority.

It is important that the police force define the purpose at this early stage. The purpose should not be expanded after the fact as this would be viewed as function creep and may not be authorized. Is the purpose to accurately depict interactions between a police officer and a citizen? Is the purpose to protect the police officer? Is the purpose to gather evidence for court? Is the purpose to assist Crown Prosecutors? Is the purpose to assist defendants and defense counsel? Or is the purpose for our society to have a fairer justice system? It is not for me to define that purpose, but one can see that a police force would be well advised to define that purpose early so that all involved in the justice system know why this is being done.

One of the best ways of defining the purpose is to do a privacy impact assessment (PIA). This allows the police force to spend time discussing the purpose and determining the impact the program will have on the collection, use, protection and disclosure of personal information.

How should police forces notify citizens of the purpose of bodycams?

Police forces should be open and transparent. At the time of launching the program, tell police officers the purpose of the bodycam, when the bodycam is to be used, what the officer does with the video footage at the end of the shift, where it is to be downloaded to, who will have access to it, whether LA FOIP applies to the video footage and how long the video footage will be stored. Since this will affect police officers directly, they need to know the rules.

Similarly, citizens will want to know the same things because it will be their images which will be captured in the video footage. Further, those police officers will need to know whether and when, during a particular interaction, the bodycam is operating. Police forces will have to decide whether they have bodycams operating all the time or whether the police officer has the discretion to turn the bodycam on or off.

Citizens and police officers will particularly want to know if the police force is sharing the personal information with other third parties and why.

What personal information will the police force collect?

Capturing a person’s image and voice is a collection of personal information. LA FOIP provides:

25(1) A local authority shall, where reasonably practicable, collect personal information directly from the individual to whom it relates.

(2) A local authority that collects personal information that is required by subsection (1) to be collected directly from an individual shall, where reasonably practicable, inform the individual of the purpose for which the information is collected.

(3) Subsections (1) and (2) do not apply where compliance with them might result in the collection of inaccurate information or defeat the purpose or prejudice the use for which the information is collected.

Police forces should collect the least amount of personal information necessary to achieve the purpose. This is referred to as the data minimization principle, that is, only collect what is needed to achieve the purpose.

Purpose becomes extremely important. The data minimization principle puts pressure on a police officer (data collector) to record the least amount of video footage. This clearly implies that police officers will have to make the decisions to turn the bodycam on and off. Giving a police officer this discretion runs the risk of allegations that a police officer manipulated the footage collected. There will be pressure, to avoid this criticism, to have a bodycam running from prior to the beginning of the interaction to well after the conclusion of the interaction. It would appear, depending on purpose, that it is in the interest of police forces and citizens that the entire, beginning to end, interaction be recorded.

Police forces will have to determine whether all interactions with citizens will have to be recorded. Are there categories of interactions where bodycams should be turned on or should be turned off? Answering that question will be an important part of policy development.

Can the police force use the personal information for any other purpose?

The police force has defined a purpose and its authority to collect, and has collected personal information for that purpose. LA FOIP provides:

27 No local authority shall use personal information under its control without the consent, given in the prescribed manner, of the individual to whom the information relates, except:

(a) for the purpose for which the information was obtained or compiled, or for a use that is consistent with that purpose; or

(b) for a purpose for which the information may be disclosed to the local authority pursuant to subsection 28(2).

Definition of purpose becomes extremely important. Bodycam footage can be used for the purpose for which it was collected. If video footage might be used for other purposes, then the consent of the individual or individuals in the image would have to be obtained. That can be problematic when there are multiple individuals in the video footage, some of whom are not identified.

Who can the police force share the personal information with?

Since the police force has collected the video footage (personal information), the police force needs to determine who in the organization needs to know, in other words, who will have access to the video footage. LA FOIP provides:

28(1) No local authority shall disclose personal information in its possession or under its control without the consent, given in the prescribed manner, of the individual to whom the information relates except in accordance with this section or section 29.

(2) Subject to any other Act or regulation, personal information in the possession or under the control of a local authority may be disclosed:

(a) for the purpose for which the information was obtained or compiled by the local authority or for a use that is consistent with that purpose;

(b) for the purpose of complying with:

(i) a subpoena or warrant issued or order made by a court, person or body that has the authority to compel the production of information; or

(ii) rules of court that relate to the production of information;

(c) to the Attorney General for Saskatchewan or to his or her legal counsel for use in providing legal services to the Government of Saskatchewan or a government institution;

(d) to legal counsel for a local authority for use in providing legal services to the local authority;

(e) for the purpose of enforcing any legal right that the local authority has against any individual;

(g) to a prescribed law enforcement agency or a prescribed investigative body:

(i) on the request of the law enforcement agency or investigative body;

(ii) for the purpose of enforcing a law of Canada or a province or territory or carrying out a lawful investigation; and

(iii) if any prescribed requirements are met;

(h) pursuant to an agreement or arrangement between the local authority and:

(i) the Government of Canada or its agencies, Crown corporations or other institutions;

(ii) the Government of Saskatchewan or a government institution;

(iii) the government of another province or territory of Canada, or its agencies, Crown corporations or other institutions;

(iv) the government of a foreign jurisdiction or its institutions;

(v) an international organization of states or its institutions; or

(vi) another local authority;

for the purpose of administering or enforcing any law or carrying out a lawful investigation;

(h.1) for any purpose related to the detection, investigation or prevention of an act or omission that might constitute a terrorist activity as defined in the Criminal Code, to:

(i) a government institution;

(ii) the Government of Canada or its agencies, Crown corporations or other institutions;

(iii) the government of another province or territory of Canada, or its agencies, Crown corporations or other institutions;

(iv) the government of a foreign jurisdiction or its institutions;

(v) an international organization of states or its institutions; or

(vi) another local authority;

(i) for the purpose of complying with:

(i) an Act or a regulation;

(ii) an Act of the Parliament of Canada or a regulation made pursuant to an Act of the Parliament of Canada; or

(iii) a treaty, agreement or arrangement made pursuant to an Act or an Act of the Parliament of Canada;

(j) where disclosure is by a law enforcement agency:

(i) to a law enforcement agency in Canada; or

(ii) to a law enforcement agency in a foreign country;

pursuant to an arrangement, a written agreement or treaty or to legislative authority;

(k) to any person or body for research or statistical purposes if the head:

(i) is satisfied that the purpose for which the information is to be disclosed is not contrary to the public interest and cannot reasonably be accomplished unless the information is provided in a form that would identify the individual to whom it relates; and

(ii) obtains from the person or body a written agreement not to make a subsequent disclosure of the information in a form that could reasonably be expected to identify the individual to whom it relates;

(l) where necessary to protect the mental or physical health or safety of any individual;

(m) in compassionate circumstances, to facilitate contact with the next of kin or a friend of an individual who is injured, ill or deceased;

(n) for any purpose where, in the opinion of the head:

(i) the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure; or

(ii) disclosure would clearly benefit the individual to whom the information relates;

(o) to the Government of Canada or the Government of Saskatchewan to facilitate the auditing of shared cost programs;

(p) if the information is publicly available, including information that is prescribed as publicly available;

(q) to the commissioner;

(r) for any purpose in accordance with any Act or regulation that authorizes disclosure; or

(s) as prescribed in the regulations.

The Local Authority Freedom of Information and Protection of Privacy Regulations (LA FOIP Regulations) provides:

Other disclosure of personal information

10 For the purposes of clause 28(2)(s) of the Act, personal information may be disclosed:

(b) to an individual or body providing consulting or other services to a local authority if the individual or body agrees not to make a subsequent disclosure of the information in a form that could reasonably be expected to identify the individual to whom it relates;

(c) where disclosure may reasonably be expected to assist in the provision of services for the benefit of the individual to whom the information relates;

(d) to a professional association or professional regulatory body for the purpose of carrying out the lawful activities of the association or body;

(f) for the purpose of commencing or conducting a proceeding or possible proceeding before a court or tribunal;

(h) with respect to health care information, in compassionate circumstances, unless the person to whom the information relates requests that the information not be disclosed;

(i) to another local authority or a third party in order to obtain information from that local authority or third party to respond to an inquiry from the individual to whom the information relates, to the extent necessary to respond to that inquiry;

(j) to another local authority or a government institution to enable that local authority or government institution to respond to an inquiry from the individual to whom the information relates, to the extent necessary to respond to that inquiry; or

(k) by forwarding to another local authority or government institution a correspondence received from an individual to enable that government institution or local authority to reply directly to the individual where a direct reply is considered more appropriate; or

(n) to the investigation observer appointed pursuant to section 91.1 of The Police Act, 1990.

When we talk about sharing, we are talking about sharing with other organizations. Section 28 lists many exceptions. It does allow police forces to share video footage containing personal information with other police forces under certain circumstances. When a police force receives a request from another police force, it needs to review section 28 to see if the request involves the circumstances where sharing is permitted. LA FOIP Regulations, section 9, lists those bodies that are law enforcement agencies including the RCMP, the Chief Coroners’ Office, the Special Investigations Unit of SGI, the Public Complaints Commission and the Saskatchewan Police Commission and board of commissioners under The Police Act, 1990.

Best practice would suggest that the bodycam policy developed by a police force indicate with whom, under normal circumstances, a police force might share video footage.

Best practice would suggest that a police force apply the data minimization rule. This rule says, provide the least amount of information (video footage) required to meet the request. Further, best practice would suggest that video images of persons other than those that are the subject matter of the request should be blurred or de-identified.

Is the police force obliged to protect the video footage?

The video footage with personal information the police force has collected must be protected. Once the police officer takes video footage with personal information, it is the police force’s obligation to ensure it is protected.  LA FOIP provides:

 23.1 Subject to the regulations, a local authority shall establish policies and procedures to maintain administrative, technical and physical safeguards that:

(a) protect the integrity, accuracy and confidentiality of the personal information in its possession or under its control;

(b) protect against any reasonably anticipated:

(i) threat or hazard to the security or integrity of the personal information in its possession or under its control;

(ii) loss of the personal information in its possession or under its control; or

(iii) unauthorized access to or use, disclosure or modification of the personal information in its possession or under its control; and

(c) otherwise ensure compliance with this Act by its employees.

Because we are talking about video and audio images, we are talking about electronic storage. This means storing the information on servers. A police force needs to make a decision as to whether servers are located in police force offices or at an IT service provider in the province or Canada. The latter is generally referred to as the Cloud. Best practice would dictate that a police service select the option that would give it the greatest amount of security and protection.

When should the police force destroy the video footage (personal information)?

How long is a police force going to keep bodycam footage which obviously contains personal information? Will it get destroyed in accordance with the destruction of records policy? Should it have a special destruction period, shorter or longer than the normal? Will the video footage be evidence in a Court case? Police forces will need to develop a policy which will specifically include destruction of video footage.

Do police forces need to be transparent about bodycams?

As with any tool used by an organization, it can have good effects and bad effects. The risk of bad effects creates fears of misuse. To build trust and confidence, best practice would suggest that a police force be transparent in its position on bodycams, their use and the security of the information. The best way to do this is to provide information on its website about its bodycam program. Transparency would start with developing a policy on bodycams as discussed below.

Do police forces need to create a policy regarding bodycams?

Once a police force has made a decision, the police force should consider some documentation of the plan. Prior to a police force making its decision on bodycams, best practice would suggest they do a privacy impact assessment. This exercise will surface the privacy issues that a police force will encounter in designing the program, implementing the program, developing policies and communicating with the public.

One of the essential steps would be to develop and make public a policy on its bodycam program. The policy should contain:

  • a statement of the authority;
  • a statement of the purpose;
  • a statement on possible actions taken with video footage, its collection, storage, protection and use;
  • a statement on how and where video footage will be stored;
  • a statement as to who within the police force will have access to the video footage;
  • a statement that the video footage containing personal information will be shared with only those within the police force that need-to-know and will not be available within the police force;
  • a statement on how the video footage containing personal information will be protected;
  • a statement as to how and when it will be shared with other police forces and law enforcement agencies; and
  • a statement as to when the video footage containing personal information will be destroyed.

A policy should be made available to staff and citizens and posted on the police force’s website.

Can I request videos taken of me?

 30(1) Subject to Part III and subsections (2) and (3), an individual whose personal information is contained in a record in the possession or under the control of a local authority has a right to, and:

(a) on an application made in accordance with Part II; and

(b) on giving sufficient proof of his or her identity;

shall be given access to the record.

A citizen does have the right to request access to video footage concerning that citizen. There are exceptions to this rule and those exceptions can be found in Part III (sections 13-22) of LA FOIP. A citizen does not have the right to view images of other citizens that may be in the video footage. A video can easily capture multiple individuals and a citizen does not have the right to the images of other individuals. When an access request is made, a police force would have to carefully review the video footage, blur out the images and delete the audio track of others.

Conclusion

The principles are simple; establish the purpose, authority, and collect the least amount of personal information to meet the purpose, share it only with those who need-to-know, store it, keep it secure and destroy it when no longer needed. This is good advice for police forces or any other organization.


Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca


Saskatchewan Information and Privacy Commissioner Tables 2019-2020 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, Q.C., has submitted his office’s 2019-2020 Annual Report: Issues in a Pandemic, to the Legislative Assembly. Kruzeniski stated:

In this pandemic, issues have arisen which have created considerable discussion and debate. Freedom of information and privacy legislation is not suspended during a pandemic and public bodies are still required to follow these statutes. At the same time, some public bodies are operating in extremely difficult and stressful times. The temptation can be to ignore access rules and privacy rules because we are fighting COVID-19. Ignoring the rules is not an option.

In terms of the issues of concern to navigate during and after a pandemic, the Commissioner highlighted and provided guidance on the following:

  • Processing access requests;
  • Transparency;
  • Sharing personal information and personal health information to prevent the spread of COVID-19;
  • How to balance the public interest and privacy;
  • Documenting decisions;
  • Health Care Consultation Apps, Contact Notification and Tracing Apps;
  • Virtual Meetings;
  • Tips for Working at Home;
  • Research: Post Pandemic;
  • Travel Restrictions and Checkpoints;
  • Questions, Screening or Testing by Employers Regarding COVID-19; and
  • Health Screening of Staff and Visitors in Care Homes.

As a final thought, the Commissioner noted:

In conclusion, maintaining a sense of balance during these difficult times can be done. It just takes a bit of thinking through the principles.

 


Notifying affected individuals: What should I put in the letter?

Notifying affected individuals that their privacy has been breached is a very important step in responding to a privacy breach and should happen very quickly once you have identified who has been affected by the privacy breach.

In cases where the privacy breach is potentially very large, or you may not be able to identify the affected individuals, indirect notification may be more appropriate. Types of indirect notifications include notices on websites, posts on your organization’s social media accounts (Facebook, Twitter, Instagram), notices posted in public areas of your office, media advisories and advertisements. An indirect notification must not contain personal information or personal health information of an identifiable individual.

Just as important as getting notifications out quickly is what information is included in notifications. As outlined in The Rules of Procedure, if the Office of the Information and Privacy Commissioner (IPC) is investigating a breach, it will look to see if the following has been included in the notification:

  • a description of what happened, including the date, time, location and who was involved;
  • how the breach was contained;
  • a detailed description of the elements of personal information that was involved;
  • if known, a description of possible types of harm that may come to them as a result of the privacy breach;
  • steps that can be taken to mitigate harm;
  • steps the organization is taking to prevent the occurrence of similar privacy breaches in the future;
  • the contact information of an individual within the organization who can answer questions and provide further information regarding the breach;
  • a reference to the fact that individuals have a right to complain to the IPC;
  • the contact information of the IPC; and
  • where appropriate, recognition of the impact of the privacy breach on affected individuals and an apology.

Depending on the breach, it is also important to consider additional protections you are prepared to offer affected individuals in your notification to them. For example, the Commissioner has recommended five years of cyber security protection for affected individuals (Investigation Report 398-2019, 399-3019, 417-2019, 005-2020, 019-2019, 021-2020) and five years of credit monitoring for affected individuals (Investigation Report 103-2017).

If you have any questions about information to include in a specific notification, contact the Analyst that has been assigned to your file.

 


Should you provide your child’s HSN to their school?

Have you ever filled out a form for your child’s school and wondered if they really need all the information they are asking for? Among other personal information, your child’s school might request their health services number (HSN). The Commissioner has not yet dealt with this issue in a formal report so this is just food for thought.

The Health Information Protection Act (HIPA) sets out the rules as to what is personal health information and when it can be collected, used, and disclosed by health organizations and health care workers. HIPA defines who is responsible under the Act and refers to these organizations and individuals as trustees; schools are not listed as a trustee.

An individual’s HSN is considered their personal health information, and HIPA also provides that an individual is not required to provide their HSN unless they are receiving a health care service or otherwise where required by another Act or regulation. An individual’s personal health information is considered more sensitive than other personal information and HIPA provides that personal health information shall be collected on a need-to-know basis. Does your child’s school have a need-to-know your child’s personal health information?

You may think that the school is requesting your child’s HSN in the event that your child is injured at school and requires a trip to the doctor’s office or hospital. In that event, the parent or guardian will be called to pick up the child or meet the child at the health care facility. Chances are, in an emergency, the school will not be searching through their records to find the child’s HSN. The health care facility will not refuse to treat your child and will collect personal information from the parent or guardian once you arrive at the facility. In another scenario, your child may be offered an immunization at school, but this service is not offered by the school and will be offered by a trustee. You also have the right to consent each time a health service might be offered to your child. If you consent to the service, the trustee has a need to know and your child’s HSN can be collected by the trustee at that time.

Although you may have thought the school collects the HSN for health care purposes, on its Privacy and Access in Saskatchewan Schools website, the Saskatchewan School Boards Association (SSBA) identifies reasons why students’ HSN might be requested. For more information on the SSBA’s position, here is the link to its website: https://saskschoolsprivacy.com/central-adminstration/student-records/use-access-disclosure-of-student-records/disclosure-of-saskatchewan-health-numbers/. Although the HSN is a unique identifier, issued to all Saskatchewan residents, it is personal health information; it is not a form of identification that should be used broadly and is issued for the primary purpose of obtaining health care services.

If a school requests your child’s HSN, you refuse to provide the number and the school continues to insist, you can submit your concerns to the school board’s privacy officer. If your concerns are not addressed to your satisfaction, you have the right to contact our office.

It is common for schools to request that parents provide their child’s HSN when enrolling the child, but parents do have the right to ask the school why they need it and have the choice whether they wish to provide it or not.


Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan on health screening of staff and visitors in care homes

We have all heard the news telling us about the number of deaths of seniors in care homes related to COVID-19. Ontario and Quebec have particularly been impacted, but so has Saskatchewan. The Chief Medical Health Officer has ordered health screening to occur in care homes. The Public Health Order, dated June 13, 2020, provides as follows:

1. I hereby ORDER and DIRECT that in the Province of Saskatchewan effective June 13th, 2020:

(c)   Visitors to long-term care homes, hospitals, personal care homes, and group homes shall be restricted to family or designates visiting for compassionate reasons. All visitors shall undergo additional health screening prior to entry. Any visitors who display or disclose signs or symptoms of COVID-19 shall be denied entry to the facility.

2. I hereby ORDER and DIRECT that in the Province of Saskatchewan:

(a)   For the purposes of section 2 of this Order, “Licensee” refers to:

(i)    operator of a special-care home designated pursuant to The Provincial Health Authority Act;

(ii)   the licensee of a personal care home licensed pursuant to The Personal Care Homes Act;

(iii) an individual who, or corporation that, under a contract or subcontract with an operator of a special care-home or a licensee of a personal care home, provides or arranges for the provision of health care services or support services within the facility.

(b) For the purposes of section 2 of this Order, “Facility” refers to:

(i)    A special-care home designated pursuant to The Provincial Health Authority Act;

(ii)   A personal care home licensed pursuant to The Personal Care Homes Act.

3. I hereby ORDER and DIRECT that in the Province of Saskatchewan:

(a)   For the purposes of section 3 of this Order, “Facility” means the same as defined in section 2 above but is amended to include:

(i)    All facilities designated pursuant to The Provincial Health Authority Act operated by the Provincial Health Authority as defined in The Provincial Health Authority Act;

(ii)   Hospital as designated pursuant to The Provincial Health Authority Act operated by an affiliate prescribed in The Provincial Health Authority Administration Regulations;

(iii) The following facilities operated by the Saskatchewan Cancer Agency continued pursuant to The Cancer Agency Act:

i. Saskatoon Cancer Centre;

ii. Allan Blair Cancer Centre;

iii. The Hematology Clinic;

(b) For the purposes of section 3 of this Order, “Licensee” means the same as defined in section 2 above but is amended to include:

(i)    The Provincial Health Authority as defined in The Provincial Health Authority Act;

(ii)   The Saskatchewan Cancer Agency continued pursuant to The Cancer Agency Act.

(c)   For the purposes of Section 3 of this Order, “Staff Member” refers to:

(i)    any individual who is employed by, or provides services under a contract with, the Licensee of a Facility; and

(ii)   any volunteer or student that assists in the provision of services within the Facility.

(d) For the purposes of Section 3 of this Order, “Individual” means the same as Staff Member but also includes all individuals entering the Facility, except individuals entering for the purposes of receiving care.

(e) Health screening shall occur as follows:

(i)    Staff Members shall undergo health screening prior to or upon entry to the Facility, which must include a temperature check. Any Staff Members who display or disclose signs or symptoms of COVID-19 shall be denied entry to the Facility. All Staff Members shall undergo a temperature check prior to leaving the Facility. All exceedances temperatures shall be logged by the Licensee.

(ii)   Individuals who are not Staff Members shall undergo health screening, which must include a temperature check prior to or upon entry to the Facility. Any of these Individuals who display or disclose signs or symptoms of COVID-19 shall be denied entry to the Facility. All exceedances temperatures shall be logged by the Licensee.

The Minister of Health or the Chief Medical Health Officer have powers under The Public Health Act, 1994 (P.37.1). In particular, section 45 sets out the broad powers of the Minister and the Chief Medical Health Officer. Further, the Act contains mandatory reporting provisions of certain health care professionals in certain circumstances (e.g. section 32).

This advisory attempts to answer a number of questions related to collection, use, storage, safeguarding and destruction of personal health information involved in carrying out this order.

What privacy legislation might apply?

The Health Information Protection Act (HIPA) applies to health trustees which includes government institutions, the Saskatchewan Health Authority, health care organizations, a licensed personal care home, a health professional licensed under an Act, a pharmacy, and licensed medical laboratories. Parts III and IV of HIPA deal with collection, use, disclosure, storage, and protection of personal health information.

To be sure, a care home should check HIPA to see if it has any application to it and if necessary, seek legal advice.

What personal health information can be collected?

The public health order requires health screening, including temperature checks, of staff and visitors and requires exceedance temperatures to be logged. For staff and visitors, recording of a name, an exceedance temperature and answers to questions regarding COVID-19 symptoms is a collection. For visitors, due to the potential need to follow up, it would appear reasonable to ask which resident they were there to visit. It would not be reasonable to ask for the visitor’s Health Services Number (HSN) or other unrelated health information. To ask other unrelated questions and record answers is going beyond the provisions of the public health order.

In collecting personal health information, the principle is to collect and record the least amount of personal health information necessary to carry out the purpose. The purpose here would be to comply with the public health order, which in turn is intended to keep care home staff and residents safe.

How should care homes notify staff and visitors of the collection? 

Care homes should be as open and transparent as possible. They should advise staff that they will be doing temperature checks as they arrive for work and leave work. Care homes should advise visitors that health screening, including temperature checks, will be conducted at their care home through posters at the front door, pamphlets and postings on their website. Care homes should protect the information they collect and let staff and visitors know that the personal health information they have provided will not be shared with other staff and residents at the care home. The care home should not give out names or identify the ones who have exceedance temperatures, as this may be considered a privacy breach.

Care homes should develop a policy on health screening, including temperature checks, share that policy with staff, residents and visitors and post it on the care home’s website.

To support the advice and principles above, the Information Commissioner’s Office (ICO) of Great Britain has stated:

In order to not collect too much data, you must ensure that it is:

adequate – enough to properly fulfil your stated purpose;

relevant – has a rational link to that purpose; and

limited to what is necessary – you do not hold more than you need for that purpose.

Can the care home use the information for any other purpose?

The care home is subject to the public health order, and has authority to collect personal health information for that purpose. The care home cannot use that information for any other purpose without getting the consent of the staff member or visitor whose information was collected.

If the staff member or visitor has an exceedance temperature, who can the care home share the information with?

Since the care home has collected the information that the staff member or visitor has an exceedance temperature, the care home needs to determine who in the organization needs to know. Once the staff member or visitor is refused entry, very few people need to know. If a staff member has an exceedance temperature, only the staff member’s supervisor or director of the care home needs to know. The rest of the staff do not need to know. If a visitor has an exceedance temperature, that visitor should be asked whether the information can be shared with the resident that the visitor came to visit and the information should not be shared with other staff.

Where does a care home store this personal health information?

The public health order requires exceedance temperatures to be logged. The log could be a separate sheet of paper for each person with an exceedance temperature, a log book where all the persons with an exceedance temperature are recorded or an electronic spreadsheet (such as Excel) where all persons with an exceedance temperature are recorded. For visitors, there is no need to store the information anywhere else. For staff, a decision needs to be made whether a notation is made in the staff member’s HR file. Best practice would suggest that the care home only record on the HR file that the staff member is away on sick leave or another type of leave. There is no need to store it anywhere else.

Is a care home obliged to secure the information?

Under HIPA, section 16, there is an obligation for a care home to protect the personal health information collected and stored.

Once the care home collects personal health information about a staff member, it is the care home’s obligation to ensure it is protected. For example, leaving the log book at the front entrance would not be securing or protecting the personal health information; the log book should not be accessible to all staff. Similarly, having a computer monitor at the front entrance that makes the log accessible to all who pass by would be unacceptable.

Other resources detail suggestions on securing information and a few tips are given by the British Columbia Information and Privacy Commissioner:

Your organization must make reasonable security arrangements to protect personal information in its custody or under its control. For example, if the collected information is in paper form, it should not be left in a publicly accessible area. Rather, it should be stored in a locked file cabinet. If you are storing the list on a computer, make sure the computer is password protected, encrypted, and on a secure network. Position computer monitors so that personal information displayed on them cannot be seen by visitors.

When should the care home destroy the personal health information?

How long is a care home going to keep this information? Will it get destroyed in accordance with the destruction of documents policy of the care home? Should it have a special destruction period, shorter than the normal? Could it or should it be destroyed 30 days after the public health order is rescinded, or should it just be destroyed after 30 days? The care home should develop a policy including destruction guidelines.

Should care homes share the exceedance temperature information with the Medical Health Officer?

The Public Health Act, 1994 provides:

Responsibility to report

32(1) The following persons shall report to a medical health officer any cases of category I communicable diseases in the circumstances set out in this section:

(a) a physician or nurse who, while providing professional services to a person, forms the opinion that the person is infected with or is a carrier of a category I communicable disease;

(3) A report submitted pursuant to subsection (1) must include:

(a) the name, sex, age, address and telephone number of the person who has or is suspected to have, or who is or is suspected to be a carrier of, a category I communicable disease; and

(b) any prescribed information.

The Disease Control Regulations lists COVID-19 as a category 1 communicable disease.

If a doctor or nurse performing the health screening concludes that an individual may have COVID-19, the doctor or nurse will have to determine whether section 32 of The Public Health Act, 1994 applies. If the health screening is done by someone other than a doctor or nurse, section 32 would not apply. Since the exceedance temperature and answers to questions on COVID-19 symptoms may be an indication of COVID-19, best practice would suggest the care home request that the staff member or visitor call the healthline 811 or go to a testing centre.

Do care homes need to document their questions and testing plan?

Best practice would suggest that a care home develop a policy regarding its practices and procedures on temperature checking and make that policy available to staff, residents, and visitors. The policy should contain:

  • a statement of the purpose;
  • a statement that health screening will include a temperature check and specific questions related to other symptoms of COVID-19;
  • a statement on possible actions taken based on the results of health screening;
  • a statement on how and where information will be stored;
  • a statement as to who will have access;
  • a statement that the information will be shared with only those that need-to-know and will not be shared with all staff and residents;
  • a statement on how the personal health information will be protected;
  • a statement as to who it will be shared with (public authorities or not); and
  • a statement as to when the information will be destroyed.

A policy should be made available to staff, residents and visitors including postings on the care home’s website.

Conclusion

The principles are simple; establish the purpose, authority, and collect the least amount of personal health information to meet the purpose. Share it only with those who need-to-know, store it, keep it secure and destroy it when no longer needed.

The Information Commissioner’s Office in Great Britain has issued a document regarding “Work Testing – Guidance for Employers”. Although British legislation is different from the legislation in Saskatchewan, the principles set out are good ones and may have some application to public bodies and health trustees in Saskatchewan.

Ronald J. Kruzeniski
Information and Privacy Commissioner



UPDATED – Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan on Pandemic, Travel Restrictions and Checkpoints

On April 24, 2020, the Chief Medical Health Officer issued an Order restricting travel into and out of the Northern Saskatchewan Administration District (NSAD) to essential travel. On April 30, 2020, the Order was amended to restrict travel between communities in NSAD; on May 6, 2020, the Order was further amended; and on May 20, 2020, the Order was amended to only apply to the northwest region. The May 20, 2020 Order provides:

1. I hereby ORDER and DIRECT effective immediately:

a. Subject to subsection (c), no person shall travel to or out of the Northwest Region, whether from within the Province of Saskatchewan or otherwise.

b. Subject to subsection (c), no person within the Northwest Region shall travel outside the community in which their primary residence is located.

c. Travel is permitted as follows:

i. Persons may return to their primary residence;

ii. Employees of, and persons delivering, critical public services and allowable business services, a listing of which is found on the Government of Saskatchewan website: Saskatchewan.ca;

iii. Aboriginal persons engaging in activities such as exercising their constitutionally protected right to hunt, fish and trap for food or engaged in other traditional uses of lands such as gathering plants for food and medicinal purposes or carrying out ceremonial and spiritual observances and practices;

iv. Persons who are travelling for medical treatment;

v. Persons travelling for the purposes of attending court where legally required to do so; and

vi. Persons whose primary residence is within the Northwest Region may travel to the community closest to their community of primary residence within the Northwest Region taking the most direct route to obtain essential goods and services, when those goods or services are not available in their community of primary residence, a maximum of twice per week. Each household shall only utilize one vehicle and each vehicle must only contain household members.

vii. When persons are traveling outside the Northwest Region for medical treatment they may also stop to obtain essential goods and services outside of the Northwest Region. Only one person in the vehicle may enter a retail establishment outside of the Northwest Region to purchase such essential goods and services.

On June 7, 2020, the Chief Medical Health Officer issued a new Order which did not contain the travel restrictions as quoted above. To my knowledge, this is the first time such travel restrictions were imposed in Saskatchewan. With the travel restrictions removed, the issues discussed below only become relevant if travel restrictions are imposed in the future (e.g. a second wave).

The Public Health Act, 1994, gives the Chief Medical Health Officer broad powers in emergencies and we all agree these are exceptional times.

The Saskatchewan Public Safety Agency is a government institution and subject to The Freedom of Information and Protection of Privacy Act (FOIP). That also makes the agency a trustee under The Health Information Protection Act (HIPA). Highway patrol officers and conservation officers would be employees of ministries which are government institutions and trustees.

If checkpoints are merely providing information to travelers into or out of a community, then no privacy issues arise. Checkpoints can provide information about COVID-19 regarding how many in the community have been diagnosed, related risks and best practices to help prevent the spread. If checkpoints are collecting personal information or personal health information from travelers, privacy legislation is applicable.

HIPA allows for the collection of personal health information for specified purposes. The purpose here is restricting travel according to Order 1(c). FOIP allows the collection of personal information for specified purposes.

The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) also allows for the collection of personal information by local authorities. Municipalities, villages and towns are local authorities. Local authorities can collect personal information for a specified purpose. The purpose here would be the restriction of travel into and out of a community according to Order 1(c).

The challenge will be to ensure the questions asked at checkpoints are limited to addressing the specific purpose set out by the Order. Such questions could include:

  • Are you coming from or returning to your primary residence? If so, what community are you coming from or returning to? Order 1(c)(i)
  • Are you an employee of an organization providing critical public services or allowable business services? If so, what community are you coming from or returning to? Order 1(c)(ii)
  • Are you an employee of an organization delivering critical public services or allowable business services to this community? If so, what community are you coming from or returning to? Order 1(c)(ii)
  • Are you an Aboriginal person exercising your constitutionally protected rights? Order 1(c)(iii)
  • Are you going to a medical appointment or coming from a medical appointment? If so, which community are you going to or coming from? Order 1(c)(iv)
  • Are you a person traveling to this community from your community of primary residence to obtain essential goods and services not available in your community of primary residence a maximum of two times per week? If so, what community are you coming from or returning to? Order 1(c)(iv)
  • Are you traveling to attend court? If so, what community are you coming from or returning to? Order 1(c)(v)

Other questions beyond these need to be analyzed as to whether they are necessary to restrict travel according to Order 1(c).

A further issue is that after the questions are asked, are the responses recorded? If so, by whom and for what purpose? If recorded, the record may be accessible under HIPA, FOIP or LA FOIP.

Once the questions are asked and answered, possibly recorded, does the information need to be shared with anyone? If so, who and for what purpose? Is there authority to share that information beyond the checkpoint? There is a principle known as “need-to-know”. Who needs to know or must know for the specified purpose? If you don’t need-to-know, then the information should not be given to you.

Finally, if personal information or personal health information is recorded, the trustee, government institution or local authority should make a decision as to how long the information is kept. The purpose here is to restrict travel according to Order 1(c). Now that travel restrictions are removed, the purpose for checkpoints is gone. I would recommend government institutions, local authorities and trustees make a decision now as to how long the information will be kept and then destroyed.

The pandemic has created unusual circumstances in our province and actions must be taken quickly, but in that process privacy legislation still exists and needs to be respected and followed to protect privacy to the extent possible. I believe we can do both, but it takes decision-makers carefully thinking through the actions they take.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca


Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan on questions, screening or testing by employers regarding COVID-19

Our province is gradually phasing in our economy. Businesses, organizations and government offices are gradually opening up. Employers are contemplating the return of their employees to the workplace. Employers and employees will have questions. This advisory attempts to answer a number of those questions.

Can an employer test for COVID-19?

Some employers may be considering whether they will require all employees to answer questions, be screened or be tested for COVID-19. Employers have an obligation to make a workplace safe to work in within reasonable limits. The Saskatchewan Employment Act provides:

General duties of employer

3‑8 Every employer shall:

(a) ensure, insofar as is reasonably practicable, the health, safety and welfare at work of all of the employer’s workers;

(h) ensure, insofar as is reasonably practicable, that the activities of the employer’s workers at a place of employment do not negatively affect the health, safety or welfare at work of the employer, other workers or any self-employed person at the place of employment; and

Each employer will have to make a fundamental decision as to whether requiring all employees to answer questions, be screened or be tested would make the workplace safer.

Prior to considering what privacy legislation might apply, employers need to seriously consider whether they want to require employees to answer questions, be screened or be tested for COVID-19. This is a fundamental issue and can be controversial. It gets us into the issue of whether employers can or should require medical tests in the workplace. There has been considerable debate and court challenges over testing for drugs in the workplace. Employers need to know that requiring employees to answer questions, be screened or be tested for COVID-19 might result in a court challenge.

The Privacy Commissioner of Canada in “A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century” stated:

Following the enactment of the Canadian Charter of Rights and Freedoms in 1982, the Supreme Court of Canada formulated a methodological test to determine whether the violation of a Charter right is nonetheless justifiable in a free and democratic society. Stemming from the case R. v. Oakes, this became known widely as the Oakes test. It requires:

    • Necessity: there must be a clearly defined necessity for the use of the measure, in relation to a pressing societal concern (in other words, some substantial, imminent problem that the security measure seeks to treat),
    • Proportionality: that the measure (or specific execution of an invasive power) be carefully targeted and suitably tailored, so as to be viewed as reasonably proportionate to the privacy (or any other rights) of the individual being curtailed,
    • Effectiveness: that the measure be shown to be empirically effective at treating the issue, and so clearly connected to solving the problem, and finally,
    • Minimal intrusiveness: that the measure be the least invasive alternative available (in other words, ensure that all other less intrusive avenues of investigation have been exhausted).

The balance of this advisory presumes an employer has made the decision and understands the legal risks of a challenge, but intends to proceed.

What privacy legislation might apply?

If an employer decides to ask questions, screen or test its employees for COVID-19, that employer needs to know what privacy legislation applies to that employer. The Freedom of Information and Protection of Privacy Act (FOIP) applies to government institutions which include Crown corporations, boards, agencies and other prescribed organizations. Part IV of FOIP deals with the collection, use, disclosure, storage and protection of personal information.

The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) applies to local authorities which include cities, towns, villages, municipalities, universities and the Saskatchewan Health Authority. Part IV of LA FOIP deals with the collection, use, disclosure, storage and protection of personal information.

The Health Information Protection Act (HIPA) applies to health trustees, which include government institutions, the Saskatchewan Health Authority, a licenced personal care home, a health professional licenced under an Act, a pharmacy, and licenced medical laboratories. Parts III and IV of HIPA deal with collection, use, disclosure, storage and protection of personal health information.

If an employer falls into one of the above categories, then that particular statute will apply to the collection, use, disclosure, storage and protection of information. To be sure, an employer should check each of the Acts to see if it has any application.

Regulations under each of the Acts can also prescribe government institutions, local authorities or health trustees.

A further issue is that after the questions are asked, are the responses recorded? If so, by whom and for what purpose? If recorded, the record may be accessible under HIPA, FOIP or LA FOIP.

If an employer continues to be in doubt, it may want to obtain legal advice. If an employer does not fall under any of the three Acts, it is possible that it, as an organization, may be bound by the Personal Information Protection and Electronic Documents Act (PIPEDA). For information on this, an employer can check the website of the Federal Privacy Commissioner. In some cases, PIPEDA provides rules and protection for employee personal information and in others, it does not. Whether or not an employer in Saskatchewan fits any of the above definitions, the advice below can be considered best practice and an employer can choose to follow it.

What is the purpose of doing the tests for COVID-19?

Before embarking on questioning or a testing program, an employer needs to define the purpose for collecting the Q&A and test information. Is it to keep the workplace safe? More specifically, is it to prevent workers who test positive or have had COVID-19 from being in the workplace? Is it to prevent the spread of COVID-19 to other workers in the workplace? It is important that the employer define the purpose at this early stage and not expand it after the fact, as that would be function creep and may not be authorized.

How should employers notify their employees of the purpose of collection?

Employers should be open and transparent. They should advise staff that they will be asking questions, screening or testing employees as they arrive for work and inform them of the purpose. Later at the time of collection, tell employees the purpose of collection, what will be collected, who it will be shared with and how long the information will be stored. Employees will particularly want to know if the employer is sharing the information with other third parties and why. As discussed below, the employer should advise employees that positive tests for COVID-19 will be shared with the medical health officer.

If staff test positive or have COVID-19, the employer can provide other staff with statistical information, such as how many have been tested and how many tested positive. The employer should not give out names or identify the ones who tested positive as this may be considered a privacy breach. If very few employees test positive or have COVID-19, the employer needs to determine whether, by giving the statistical information, the employee can be identified. If this might be the case, the employer can ask the affected employee for consent to release the information, postpone the release, or provide less information so that identification is prevented.

What information will the employer collect?

Asking an employee a series of questions and obtaining the answers is collection of information. Screening by visual examination or temperature checks is collection of information. Requesting an employee to take a test and recording the results is a collection of information. An employer needs to define the questions asked, the screening and the test required and ensure those questions, screening and test results are consistent with the purpose. Employers should collect the least amount of information necessary to achieve the purpose. This is referred to as the data minimization principle, that is, only collect what is needed to achieve the purpose.

For example, if an employee tests positive for COVID-19, what is an employer going to do? The assumption is an employer will require the employee to stay home and self-isolate. Thus, once an employer knows the person tested positive, there is no need to know anything more other than if the medical health officer’s follow up efforts will impact the employer. You are the employer, not the doctor. If the staff member indicates they already have COVID-19, an employer will need to consult the organization’s doctor to determine whether the staff member should be allowed to come to work or is required to stay home. Again, an employer should not collect more information, only tell the employee that they can or cannot work and they should go home. If the test comes back “negative” an employer still is obliged to comply with any requirements of the Chief Medical Health Officer in terms of taking protective procedures in the workplace.

The Information Commissioner (ICO) of Great Britain has stated:

In order to not collect too much data, you must ensure that it is:

adequate – enough to properly fulfil your stated purpose;

relevant – has a rational link to that purpose; and

limited to what is necessary – you do not hold more than you need for that purpose.

Can the employer use the information for any other purpose?

The employer has defined a purpose, authority to collect and has collected information for that purpose. The employee has provided the information for that purpose. The employer cannot use that information for any other purpose without getting the consent of the employee.

If an employee tests positive, who can the employer share the information with?

Since the employer has collected the information that the employee tested positive or has had COVID-19, the employer needs to determine who in the organization needs to know. If the employee is going home, very few people need to know. Just like other sensitive health information, it is confidential; the employer should prohibit the employee from sharing the information with other staff.

Where does an employer store this information?

The choices are storing it on the employee’s HR personnel file or storing it in a separate folder for all employees, containing all information regarding questions, screening and testing. There is probably no need to store it anywhere else.

The information the employer has collected must be stored in a secure place. Once the employer collects personal information about an employee, it is the employer’s obligation to ensure it is protected.

Is an employer obliged to secure the information?

Under privacy legislation, there is an obligation for an employer to protect and secure the information collected and stored. If an employer is not subject to the privacy legislation, best practice would suggest the information be protected anyway. Other resources have made suggestions on securing information and a few tips are given by the British Columbia Information and Privacy Commissioner:

Your organization must make reasonable security arrangements to protect personal information in its custody or under its control. For example, if the collected information is in paper form, it should not be left in a publicly accessible area. Rather, it should be stored in a locked file cabinet. If you are storing the list on a computer, make sure the computer is password protected, encrypted, and on a secure network. Position computer monitors so that personal information displayed on them cannot be seen by visitors.

When should the employer destroy the information?

How long is an employer going to keep this information? Will it get destroyed in accordance with the destruction of documents policy? Should it have a special destruction period, shorter than the normal? Could it or should it be destroyed within 30 days? Employers need to decide whether they will develop a policy including destruction guidelines. There has been media coverage about people’s fear of having COVID-19 and the stigma that comes along with that. Maybe a year from now, there will be an approved treatment and vaccination, which might reduce the stigma and the fear. Maybe the information collected can be destroyed earlier than an employer’s standard procedure.

Should employers share information with the medical health officer?

The Public Health Act, 1994 provides:

Responsibility to report

32(1) The following persons shall report to a medical health officer any cases of category I communicable diseases in the circumstances set out in this section:

(a) a physician or nurse who, while providing professional services to a person, forms the opinion that the person is infected with or is a carrier of a category I communicable disease;

(b) the manager of a medical laboratory if the existence of a category I communicable disease is found or confirmed by examination of specimens submitted to the medical laboratory;

(c) a teacher or principal of a school who becomes aware that a pupil is infected with or is a carrier of a category I communicable disease;

(d) a person who operates or manages an establishment in which food is prepared or packaged for the purposes of sale, or is sold or offered for sale, for human consumption and who determines or suspects that a person in the establishment is infected with, or is a carrier of, a category I communicable disease.

(3) A report submitted pursuant to subsection (1) must include:

(a) the name, sex, age, address and telephone number of the person who has or is suspected to have, or who is or is suspected to be a carrier of, a category I communicable disease; and

(b) any prescribed information.

(4) In addition to the report required by subsection (1), the manager of a medical laboratory shall submit to the medical health officer or the co-ordinator of communicable disease control a copy of the laboratory report that identifies the disease.

The Disease Control Regulations lists COVID-19 as a category 1 communicable disease.

If an employer intends to ask a series of questions or do screening by a non-health professional, section 32 above would not apply. In that case, if the questions result in there being indications of COVID-19, I would expect the employer would request that the employee be tested for COVID-19 at a nearby testing centre and the employee be advised to go home until testing is done and results are received.

If an employer has an examination done for a test taken by a doctor or nurse, it is clear that, pursuant to section 32, the doctor, nurse or manager of a medical lab must report a communicable disease such as COVID-19 to the medical health officer.

Thus, best practice would be for an employer to advise employees being examined or tested that if the test is positive for COVID-19, it will be reported to the medical health officer. The employer should indicate in their statement of purpose that they will comply with the requirements of The Public Health Act, 1994. Being transparent with staff and telling them at the beginning that their information will be shared with public health authorities is important.

Do employers need to document their questions and testing plan?

Once an employer has made a decision, the employer should consider some documentation of the plan. In normal times, my office would recommend a privacy impact assessment (PIA). In these unique times, an employer might move very quickly and my office would still recommend either a shortened version of a PIA or a policy statement regarding question asking, screening and testing plan. Whatever the form of the document, it should contain:

  • a statement of the purpose;
  • a listing of the questions to be asked;
  • a statement of the screening and the tests to be performed;
  • a statement on possible actions taken based on the test results;
  • a statement where information will be stored;
  • a statement as to whom it will be shared with (with public authorities or not); and
  • a statement when the information will be destroyed.

Conclusion

The principles are simple: establish the purpose and authority, collect the least amount of information to meet the purpose, share it only with those who need-to-know, store it, keep it secure and destroy it when no longer needed. This is good advice whether an employer is subject to access and privacy legislation or not.

The Information Commissioner’s Office in Great Britain has issued a document regarding “Work Testing – Guidance for Employers”. Although British legislation is different from the legislation in Saskatchewan, the principles set out are good ones and may have some application to public bodies and health trustees in Saskatchewan.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca
