Federal Privacy Commissioner on Bill c-27 news release.

Report into the 2021 cyber attack on Newfoundland health information systems released.

Privacy Commissioner of Canada announced his office is launching a joint investigation into OpenAI

Federal Privacy Commissioner launches new guidance on workplace privacy

Cybersecurity: Best Practices for Setting Up a Security Operations Centre

Alberta IPC finds risk of significant harm from stolen server.

Updates to Chapter 3 for the Guide to FOIP and the Guide to LA FOIP are now available!

Steps for effectively deploying multi-factor authentication.

Concerns about AI

Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on Contact Tracing and Privacy

Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on Contact Tracing and Privacy

I read an interesting article in The Atlantic by Derek Thompson. I was aware that South Korea and Singapore and other Asian countries were applying technology to the issue of contact tracing. What is contact tracing? As I understand it, when someone is diagnosed with having COVID-19, they are asked who they had been in contact with in the last while. Then those individuals are contacted. The old way was to do that by interviews. The existence of smartphones and apps allows contact tracing to take place by using Global Position System (GPS) and Bluetooth technology. For example, in South Korea, GPS is enabling authorities to know where patients have been using information from CCTV footage, credit card records and GPS data from the patient’s smartphone. Singapore has taken a different approach by using a government developed app called “TraceTogether” that uses signals between mobile phones to record who you may have had close contact with.

Also, Asian countries are using technology to enforce quarantine. For example, Taiwan uses GPS to create an “electronic fence” for those who should be in quarantine. In Hong Kong, those who must quarantine themselves are given a wristband. They are to activate the wristband using a smartphone app.

Finally, technology is being used to enable movement in China as restrictions are being lifted.

European countries, including Germany and Italy, are also following Asia’s lead and are developing and using apps to assist with combating the spread of COVID-19.

It would appear that Asia has been successful in reducing infections and deaths because of their approach to contact tracing along with other measures taken. We in North America are interested in when self-isolation could end and when our economy might get going again but are worried about a second wave. I can see that authorities here in North America will look to the digital methods used in Asia for ways to start the economy and reduce the risk of a second wave. As they consider these issues, alternatives will be presented and no doubt, smartphones will be raised as an option. In fact, Google recently announced on its blog that it is partnering with Apple to use Bluetooth technology to assist governments and health agencies conduct contact-tracing to help reduce the spread of COVID-19.

Technology can help us combat the spread of COVID-19 but it also increases the surveillance citizens are put under. The Electronic Frontier Foundation (EFF) asserts that surveillance invades privacy, deters free speech, and unfairly burdens vulnerable groups.

As North America adjusts its strategies to combat this pandemic, we must consider the impact such initiatives have on our privacy and our democracy. Can these technologies be used in a way that maximizes its potential in combatting the spread of the virus while minimizing the impact it has on our privacy? I am sure they can. I recommend that authorities be transparent in the technology they use. They should consider technology that doesn’t collect and retain information unnecessarily. For example, it is being reported that Singapore’s “TraceTogether” app uses Bluetooth technology so that information is stored only on the users’ mobile phone for 21 days (the incubation period for COVID-19). If a person tests positive, it is only then that authorities will access the information on the patient’s phone so that authorities know who the patient has been in close contact with.

Another way for authorities to be transparent is letting the public know what information they are collecting, the purpose for the collection, and how the information will be used and/or disclosed. Individuals should have access to the information that is collected about them by authorities.

Furthermore, I recommend that authorities also consider how they can collect, use, and/or disclose the information that is necessary for the purpose of combating the spread of COVID-19 and to have processes in place to ensure such information is not used for other purposes, now or in the future. This includes setting a limit on how long information should be retained.

In Alberta, the provincial government has rolled out a contact-tracing app called “ABTraceTogether”. It has completed a privacy impact assessment (PIA) and submitted the PIA to Alberta’s Information and Privacy Commissioner. Once Alberta’s Information and Privacy Commissioner reviews and accepts the PIA, the provincial government will make a summary of the PIA available. I recommend that if any similar initiative is undertaken in Saskatchewan, that a PIA be completed and submitted to my office.

The information and privacy commissioner has issued a news release. In that news release the information and privacy commissioner stated:

Ensuring this app is voluntary, collects minimal information, uses decentralized storage of de-identified Bluetooth contact logs, and allows individuals to control their use of the app are positive components.

Alberta Health has issued a privacy statement that pertains to ABTraceTogether.

Whatever solutions are posed, my office is here to consult on the privacy implications in advance of any roll-out in Saskatchewan.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca

Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan on Pandemic and Virtual Meetings

I read an article today saying over 7,000 Crown Corporation workers are working from home. In addition, thousands of executive government workers are doing the same. Many in businesses are also working from home. It is amazing how quickly this province was able to switch to an at home work environment.

Working at home requires workers to talk to one another and there is a need for meetings to occur. Zoom, over night, has become a way of holding a virtual meeting. There is other software such as Microsoft Teams, Skype video and Google’s Hangout to facilitate virtual meetings.

To get work done, we need to meet. We also will gravitate to the most convenient way of meeting, but decision-makers in public bodies need to consider privacy and security issues.

We have seen some headlines about hackers hacking into a Zoom meeting. Therefore, the first thing we need to consider, is our meeting restricted to just those authorized to be there? Organizers need to set things up to ensure the correct settings are in place to prevent intrusion by the unauthorized.

Zoom asks whether you want the session saved. Another decision, will the organizers have the meeting saved. If so, it is a record and at that point, The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), The Health Information Protection Act (HIPA) and The Archives and Public Records Management Act come into play. If minutes of a similar meeting are normally kept, then I would suggest the minutes of the virtual meeting need to be kept. If meetings were previously recorded then organizers need to decide whether the virtual meeting will be recorded. If an ordinary meeting or virtual meeting is recorded, that recording becomes a record. Organizers from public bodies need to decide whether the recording is an official record or transitory record under The Archives and Public Records Management Act. If it is an official record, organizers need to arrange for storage and preservation in its electronic filing system. If it is a transitory record, decisions have to be made as to when it is destroyed. If any access request under FOIP, LA FOIP or HIPA is received and the recording of the virtual meeting exists, at that time the record may have to be disclosed under FOIP, LA FOIP or HIPA (subject to appropriate exemptions).

If you are recording the virtual meeting, the question is who is recording it? If it is the service provider, then is it being stored on the service provider’s server? Is that where you want it stored? How do you get that recorded meeting downloaded to your organization’s file records system? Does the provider routinely save/store copies of meeting recordings? Can you ensure that it is deleted off the service provider’s system?

If your meeting has discussion of issues which involve personal information or personal health information what additional precautions can you take to ensure that information is not being accessed by unauthorized persons?

As a practice, a public body might indicate you do not want the meeting recorded. Can an organization be sure the service provider is not saving a copy anyway? This is why it is also important to understand the risks of working with any particular service provider in advance of using that system. If you do not have the appropriate agreements in place or at least an intimate understanding of the risks and benefits, your meeting sessions could be hijacked, information kept and used for purposes that you did not anticipate, and privacy breaches could occur for which the public body would be responsible.

Organizers need to think carefully about the platform they select for virtual meetings. They will want the one that best protects their confidential information and the one that allows them to comply with FOIP, LA FOIP and HIPA. To assist organizers, here are some questions they should ask before selecting a platform:

  • Does the service provider offering the platform reside in Canada or the United States?
  • Where geographically is the virtual meeting stored? If so, where is the server located (Canada or the United States)?
  • Are virtual meetings going to be recorded and saved and if so, by whom?
  • Will your meeting involve possible confidential information? If so, do you want it recorded?
  • Who has possession/custody or control of the information?
  • If saved, can the organization download the recording into its file management system?
  • How long will the service provider retain the recording?
  • Can the organization request deletion of the recording at any time?
  • Does the service provider share the recording or other information with anyone else? If so, who and under what authority?
  • Does the service provider have end to end encryption?
  • Does the service provider have a privacy policy and a security policy?
  • What settings can the organization set to maximize privacy and security?
  • Does the organization consider the recording an official record or a transitory record?
  • Has a service provider had a privacy or security assessment done by an independent third party and, if so, request a copy?

The pandemic has forced many public bodies to embrace the virtual meeting. Once restrictions are lifted, I expect virtual meetings will continue to be a way of doing business. Public bodies should approach virtual meetings and platforms as both a short term matter and a long term change. Thus, establishing public body policies regarding virtual meetings is an important step that we should take now.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca

Statement from the Office of the Information and Privacy Commissioner on Documenting Decisions in a Pandemic

During this Pandemic, public officials, elected and appointed, have made and will make many decisions in an attempt to flatten the curve to help prevent our health care system from being overwhelmed and to save lives. As we all can see, things are moving very quickly so decisions have to be made very quickly. Citizens and the media look forward and appreciate the daily briefings.

In this pandemic with decisions being required quickly, there continues to be a need to document those decisions. The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) section 5 gives citizens the right to obtain records (with appropriate exceptions). Implicit in all of this is the duty to document the important decisions as they are being made. To be able to respond to that right, public bodies need to create the records. If there are no records, then citizens will never view records of decisions made during this pandemic. I would ask public officials, elected and appointed, to ensure the decisions made and actions taken are documented.

Under The Archives and Public Records Management Act, there is no need to retain transitory records. Guided by the Provincial Archives’ Transitory Records Guidelines, the initiator of the communication or the receiver should determine whether something is transitory. Because of the historical significance of the decisions being made during this pandemic, I would ask public officials, elected and appointed, to take a broader approach and treat more of the communications as official records rather than transitory. In other words, narrow what is considered a transitory record and broaden what is considered an official record.

When this pandemic is over, policy analysts, historians and researchers will and should reflect back on decisions and actions taken by officials in Saskatchewan. They will study what worked and what might not have worked. This analysis will better equip us for the next crisis that may come our way.

The Federal Information Commissioner, Caroline Maynard, in a News Release on April 2, 2020 stated:

Last week the Prime Minister told Canadians that transparency is crucial to being accountable to Parliament and in maintaining the public’s confidence.

When the time comes, and it will, for a full accounting of the measures taken and the vast financial resources committed by the government during this emergency, Canadians will expect a comprehensive picture of the data, deliberations and policy decisions that determined the Government’s overall response to COVID-19.

Canadians have a fundamental right to this information. They expect that it will be available to them, and that the government will provide it.

…ministers and deputy ministers must ensure that they and their officials generate, capture and keep track of records that document decisions and actions, and that information is being properly managed at all times.

Doing this is a matter of asking the right questions and then providing the information, tools and support employees need to meet their access to information and information management responsibilities.

For example, are minutes of meetings —even those taking place by teleconference or video conference—continuing to be taken and kept? Are all relevant records —such as decisions documented in a string of texts between co-workers—ultimately finding their way into government repositories? Do employees have a clear understanding of what constitutes “a record of business value” and that this record must be preserved for future access?

In conclusion, the best practice in order to fulfill what is outlined in section 5 of FOIP, LA FOIP and The Archives and Public Records Management Act, is for public officials, elected and appointed, to ensure their organizations are creating and maintaining the documents, emails and texts that relate to the decisions and actions being taken during this Pandemic.

Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan on Apps that Offer Health Care Consultations

Since the government has said stay home and self-isolate or quarantine and the temporary closure of offices, including those of some health professionals, has been mandated the question of how might I consult a health professional has arisen. The need for health professionals to be in contact with their patients continues during the pandemic and when the government created a temporary fee for telehealth consultations, the desire and need to create ways of consulting over the telephone, computer or device accelerated.

Media coverage has been given to apps that will facilitate health professional’s consultations with their patients. As health professionals and patients are approached to use such apps, they should be asking questions before agreeing to do so.

Health professionals should ask:

  • Does the organization offering the app (service provider) reside in Saskatchewan?
  • What personal health information is collected and stored by the app (service provider) and for how long?
  • Where geographically is the information stored?
  • Who is in custody and control of the stored information?
  • Can I get a copy of the stored information any time I ask?
  • Is the personal health information shared with any other company or individual?
  • What safeguards are in place to protect that information?
  • Can I see the contract I would have to sign to use the service?
  • Have you done a privacy impact assessment and could I have a copy?
  • Have you had a security assessment done by an independent third party and if so can I see a copy?
  • What recommendations have your professional association made?

The prospective patient before signing up should ask:

  • Does the organization offering the app (service provider) reside in Saskatchewan?
  • What personal health information about me is collected and stored by the app and for how long?
  • Where geographically is my information stored?
  • Can I get a copy of my stored information any time I ask?
  • Is there a fee for getting a copy of my personal health information?
  • Is my personal health information shared with any other company or individual?
  • What safeguards are in place to protect my personal health information?

The questions for the health professional and the patient are similar. Both need to know where personal health information is stored, who has access to it, how long is it stored and what steps are taken to protect personal health information.

The pandemic will continue to create privacy issues. I expect there will be many apps vying for loyalty of health professionals and patients. As always, it will be “buyer beware”. In other words, health professionals and patients, be careful for what you sign up for. However, in terms of health care providers, the ‘beware’ includes an expectation that you will do your homework and know whether or not by participating in the service you are or are not meeting your obligations under The Health Information Protection Act.

In the longer run, if telehealth is here to stay, health professionals and their governing bodies should establish rules governing the engagement of apps that provide a telehealth service.

Health professionals should insist on a contract with the app service provider, read it carefully and not sign on the dotted line unless satisfied all aspects of HIPA are addressed.

Patients should read the privacy policy on apps (service provider’s) website.

This may turn out to be a very convenient service for health professionals and patients. Let us make sure the service has appropriate privacy and data protection.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca

Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on Transparency in a Pandemic

As we all know, we are in the middle of a pandemic and many are working hard to protect Saskatchewan. Many are working long hours and assuming risks. All of us need a certain amount of information about the spread of COVID-19 in our province.

I have written earlier about a pandemic and privacy and there is a balancing act between public interest and privacy. There is a big gap between giving little to no information and giving all information. In the middle is an opportunity for decision-makers to determine how much information to provide to the public. Officials are always free to provide aggregate or statistical data or de-identified personal information or personal health information. They can provide information such as how many are sick or pass away in a city, town, municipality, area or region. I would encourage as much transparency as is possible while respecting privacy to the extent possible. More is better under the circumstances we are now in.

Of course, giving someone’s name and address as being affected would be going too far as this is there personal health information. Yes and maybe in small communities indicating one person is affected would identify a person. In those instances, there are work-a-rounds such as saying, “one person in the Ituna vicinity” or “one person north of White City”. The idea is that officials can be transparent and provide as much information as is possible, but still avoid identifying an individual.

As the number of cases rise in our province, officials will have more latitude in providing statistical information to citizens as they won’t be dealing with one person, but dealing with two, three or more persons in a community or area.

Individuals who are infected with COVID-19 may choose to divulge their personal health information in a public forum such as Facebook, Twitter or the media. They may choose to conduct interviews regarding their illness and recovery. That is their choice and we need to respect that they have voluntarily chosen to do so. If an individual does so, that does not give permission to the public body to release their name. A public body could, however, ask the individual to sign a consent agreeing to the release of name and details.

The Federal Information Commissioner, Caroline Maynard, in a News Release dated April 2, 2020 stated:

As Information Commissioner, I call upon heads of federal institutions to set the example in this regard, by providing clear direction and updating guidance on how information is to be managed in this new operating environment. Furthermore, I am of the firm view that institutions ought to display leadership by proactively disclosing information that is of fundamental interest to Canadians, particularly during this time of crisis when Canadians are looking for trust and reassurance from their government without undue delays.

The right of access is a means by which we not only hold our government to account, but determine how and why decisions were made and actions taken, in order to learn and find ways to do better in the future. It is only by being fully transparent, and respecting good information management practices and the right of access, that the government can build an open and complete public record of decisions and actions taken during this extraordinary period in our history—one that will inform future public policy decisions.

In conclusion, I ask public officials, elected and appointed, to continue to provide as much information as possible regarding our province and the Pandemic.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca

Updated Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on COVID-19

Privacy in the Context of COVID-19

Privacy laws are not a barrier to appropriate information sharing in an epidemic.

It is important that public bodies, health trustees and private sector organizations know how personal information or personal health information may be shared during an epidemic.

How Information May be Shared under Saskatchewan’s Privacy Laws

Saskatchewan has three privacy laws:

  • The Freedom of Information and Protection of Privacy Act (FOIP) applies to government institutions;
  • The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) applies to local authorities such as municipalities, universities and school boards; and
  • The Health Information Protection Act (HIPA) applies to health trustees.

These Acts and accompanying Regulations govern the collection, use and disclosure of personal information or personal health information in most situations.

Each Act contains provisions to allow for the sharing of personal information or personal health information in the event of an emergency by public bodies and trustees.

All three Acts require that any collection, use or disclosure of personal information or personal health information be limited to that which is needed to achieve the purpose of the collection, use or disclosure. This is referred to as the “data minimization principle.”

FOIP

FOIP applies to government institutions or “public bodies”, which include provincial government ministries, Crown corporations, boards, agencies and commissions.

FOIP permits public bodies to collect personal information if the collection is expressly authorized by another statute or if the collection relates directly to and is necessary for an operating program or activity of the public body.

FOIP generally requires public bodies to collect personal information directly from the individual the information is about. Public bodies may collect information about an individual from other sources with the individual’s consent, or without consent in specific circumstances, such as when the collection is authorized by law or the individual is not able to provide the information directly in a health or safety emergency.

Public bodies may disclose personal information in emergency situations with the consent of the individual, or without consent in certain circumstances, including:

  • where necessary to protect the mental or physical health or safety of any individual; or
  • the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure; or
  • disclosure would clearly benefit the individual to whom the information relates; or
  • if the disclosure is authorized by a statute of Saskatchewan or Canada.

LA FOIP

LA FOIP applies to local authorities, including municipalities, universities and school boards. Basically, the same rules apply as outlined above for FOIP.

HIPA

HIPA applies to personal health information in the custody or control of health trustees. Trustees include the Saskatchewan Health Authority, nursing homes, ambulance operators, physicians, pharmacists and certain other health professionals with custody or control of personal health information. HIPA authorizes trustees to collect and use personal health information for the purposes of providing health services among others.

HIPA also allows trustees to disclose personal health information with the consent of the individual, or without consent in specific circumstances, including:

  • where the trustee believes, on reasonable grounds, that the disclosure will avoid or minimize a danger to the health or safety of any person; or
  • to family members or other individuals in a close relationship with the individual so they may be notified that the individual is ill, injured or deceased, providing the disclosure is not contrary to the expressed wishes of the individual; or
  • to another health trustee for the provision of health services; or
  • to a person responsible for continuing treatment and care for the individual; or
  • if the disclosure is authorized or required by a statute of Saskatchewan.

The Private Sector

Except for trustees under HIPA, Saskatchewan does not have legislation that applies to the private sector. Private sector organizations might be covered by federal legislation and should check the federal privacy commissioner’s website: https://www.priv.gc.ca/en/. If the private sector however is contracting with a public body or trustee (e.g. information management service provider), contractual agreements should be checked for language that might actually put personal information or personal health information that the private sector has in its physical possession instead in the control of the public body or trustee.

General Principles

The Canadian Privacy Commissioner, Daniel Therrien, has issued A Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19. In that framework, he establishes key principles which can be applied by public bodies when making decisions on collection in Saskatchewan. He summarizes those principles in his News Release April 17, 2020. These principles should be applied in Saskatchewan. With some editing, these principles are:

  • legal authority: the proposed measures must have a clear legal basis;
  • the measures must be necessary and proportionate, and, therefore, be science-based and necessary to achieve a specific identified purpose;
  • purpose limitation: personal information and personal health information must be used to protect public health and for no other purpose;
  • use de-identified or aggregate data whenever possible;
  • exceptional measures should be time-limited and data collected during this period should be destroyed when the crisis ends; and
  • transparency and accountability: public bodies should be clear about the basis and the terms applicable to exceptional measures, and be accountable for them.

The Public Health Act, 1994

The Minister of Health or the Chief Medical Officer have powers under The Public Health Act, 1994 (P.37.1) which can be viewed here: https://publications.saskatchewan.ca/#/products/786. In particular, section 45 sets out the powers of the minister and the medical officer. Further, this Act contains mandatory reporting provisions of certain health care professionals in certain circumstances (e.g. sections 32, 34 and 36).

The Information and Privacy Commissioner

The Office will continue to work on matters during this time, but will be closed to the public. People seeking information can call 306-787-8350 or the toll free number 1-877-748-2298 or email us at webmaster@oipc.sk.ca.

There may be delays getting back to those who contact us, but we will get back to you.

My office usually requests that public bodies respond with information within certain timelines. We know other offices may be experiencing difficulties in getting back to us. Thus, we will be flexible regarding tight timelines. We do ask that you call us so that we can set a different timeline if one is required.

Ronald J. Kruzeniski, Q.C.
Saskatchewan Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca

Sample access request policy and checklist

In a number of reports issued by my office, we have recommended that the towns/villages/municipalities develop an operational policy regarding processing access to information requests. After a number of questions, it became clear that there didn’t seem to be a sample policy developed for small towns/villages/municipalities. Larger organizations have developed policies that are applicable to an organization that has many employees and probably legal staff. In fact, the policy that has been developed here was tailored from the City of Regina’s operational policy but for a smaller organization.

Anything that is labeled a “sample policy” should be treated as a starting point for drafting. In using this sample, one should feel free to delete language that isn’t applicable to their organization and add language that speaks specifically to them.

In The Local Authority Freedom of Information and Protection of Privacy Act, the “head” is the Mayor or Reeve in a town or village. It is a recommended practice to delegate the “head’s” responsibility to the administrator or city clerk.

Following the posting of the sample operational policy, we have had discussions with people about the need for an access request checklist. Something simple that the head, Reeve or administrators could follow when they receive an access request. So we developed a sample checklist. Again, the checklist is a “sample” or “guide”. Public bodies should adapt it to their needs: add things and delete things. We have also updated the sample policy to refer to the checklist.

You can find the sample policy link here. The Sample Access Request and Checklist can be found attached at the end of the Sample Operational Policy, Access to Information.

 

With a little help from our friends…

Our friends from oversight offices from other provinces and territories have developed some helpful guidance documents to work through issues that are arising from this outbreak of COVID-19. Below is a list of some of these resources.

These resources are a great starting point when working through some of the access and privacy issues we may be coming up against as we go through this pandemic. However, please keep in mind that while Saskatchewan’s access and privacy legislation is similar to the legislation in other provinces and territories, there are differences as well. Therefore, double-check with your organization’s Privacy Officer for Saskatchewan-specific requirements when working through these access and privacy issues!

Yukon Information and Privacy Commissioner

Alberta’s Office of the Information and Privacy Commissioner

British Columbia’s Office of the Information and Privacy Commissioner

Newfoundland’s Office of the Information and Privacy Commissioner

We are working on a Pandemic Binder which will have a collection of statements and blogs that have been issued by our office. We think it is important to have in one spot a collection of issues that are arising during this pandemic.

Research: post pandemic

As I listen to the news, my head keeps telling me there will be many opportunities and much interest in researching many and varied aspects of this world pandemic. I expect there will also be interest on the part of Saskatchewan researchers. Maybe some have started, but I expect as soon as things return to normal, researchers will ramp up research projects and be wanting personal information and personal health information.

The law is VERY CLEAR that researchers can ask public bodies for de-identified information. Each public body has to decide how much information it will provide; that is a policy decision. Those public bodies under privacy legislation are allowed to provide de-identified information.

What is de-identified information? It is the information without your or my name, address, or any unique identifier such as the individual’s Social Insurance Number (SIN) or Health Services Number (HSN). For example, subsection 3(2)(a) of The Health Information Protection Act (HIPA) states that it does not apply to statistical information or de-identified personal health information that cannot reasonably be expected, either by itself or when combined with other information available to the person who receives it, to enable the subject individuals to be identified. A public body can provide all the information that does not identify you or me.

If the health trustee or the researcher has the consent of the individuals to use their personal health information, then that is the best way to go. In many cases, that won’t be possible. Either the health trustee did not obtain consent to research or there are thousands and thousands of records and getting consent would not be possible.

If research is being done in such a way that it requires information from two sources and the name, SIN or HSN are sought to connect the information of an individual; that presents a challenge. The Data Matching Agreements Act is not yet proclaimed. Nonetheless, The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and HIPA have always authorized use and disclosure of personal information or personal health information for legitimate research purposes in the public interest. The best case scenario, and for research at the population level, de-identified data should be used and should suffice for those purposes. However, those same laws provide for the use of identifiable data when appropriate, but I must emphasize the need for written agreements to ensure that data is protected. This rigour is necessary to ensure that if data is used from one or multiple sources that what is provided is used as intended and protected throughout the process.

I note section 29 of HIPA, requires all research projects where personal health information is used or disclosed by a trustee, must be approved by a research ethics committee that has been approved by the Saskatchewan Minister of Health. If a research ethics committee is small and nimble it should never be a barrier to good research.

I have heard that some say “privacy” is a barrier to research. I do not believe or accept that point of view. That is why I wrote this blog to show that good research can continue and the barriers to obtaining the data should be minimal. If public bodies are citing “privacy” as the problem, they are giving the wrong reason and it just might be they don’t want to provide the information or to cooperate. Privacy is not the barrier.

 

Phishing attacks: in ordinary times and during a pandemic

A combination of workers getting used to working-from-home and the anxiety and fears arising from the outbreak of COVID-19 may be leaving workers and organizations vulnerable to cyber attacks. For example, malicious actors may set up email accounts to impersonate supervisors and coworkers and trick workers into providing information about themselves or the organization. Such emails are called “phishing attacks” and the purpose of such attacks is to gain information that malicious attackers may use to gain access to systems. Organizations who have permitted employees to use personal email accounts are especially vulnerable to such an attack since workers will have a tougher time discerning legitimate email accounts from those of attackers’ email accounts.

The Canadian Centre for Cyber Security has provided the following guidelines to protect yourself:

Against Malicious Emails:

  • Make sure the address or attachment is relevant to the content of the email.
  • Make sure you know the sender of an email.
  • Look for typos.
  • Use anti-virus or anti-malware software on computers.

Against Malicious Attachments:

  • Make sure that the sender’s email address has a valid username and domain name.
  • Be extra cautious if the email tone is urgent.
  • If you were not expecting an attachment, verify with the sender.

Against Malicious Websites:

  • Make sure URLs are spelled correctly.
  • Directly type the URL in the search bar instead of clicking a provided link.
  • If you must click on a hyperlink, hover your mouse over the link to check if it directs to the right website.

For more information, check out the website for the Canadian Centre for Cyber Security.