Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan on health screening of staff and visitors in care homes

We have all heard the news telling us about the number of deaths of seniors in care homes related to COVID-19. Ontario and Quebec have particularly been impacted, but so has Saskatchewan. The Chief Medical Health Officer has ordered health screening to occur in care homes. The Public Health Order, dated June 13, 2020, provides as follows:

1. I hereby ORDER and DIRECT that in the Province of Saskatchewan effective June 13th, 2020:

(c)   Visitors to long-term care homes, hospitals, personal care homes, and group homes shall be restricted to family or designates visiting for compassionate reasons. All visitors shall undergo additional health screening prior to entry. Any visitors who display or disclose signs or symptoms of COVID-19 shall be denied entry to the facility.

2. I hereby ORDER and DIRECT that in the Province of Saskatchewan:

(a)   For the purposes of section 2 of this Order, “Licensee” refers to:

(i)    operator of a special-care home designated pursuant to The Provincial Health Authority Act;

(ii)   the licensee of a personal care home licensed pursuant to The Personal Care Homes Act;

(iii) an individual who, or corporation that, under a contract or subcontract with an operator of a special care-home or a licensee of a personal care home, provides or arranges for the provision of health care services or support services within the facility.

(b) For the purposes of section 2 of this Order, “Facility” refers to:

(i)    A special-care home designated pursuant to The Provincial Health Authority Act;

(ii)   A personal care home licensed pursuant to The Personal Care Homes Act.

3. I hereby ORDER and DIRECT that in the Province of Saskatchewan:

(a)   For the purposes of section 3 of this Order, “Facility” means the same as defined in section 2 above but is amended to include:

(i)    All facilities designated pursuant to The Provincial Health Authority Act operated by the Provincial Health Authority as defined in The Provincial Health Authority Act;

(ii)   Hospital as designated pursuant to The Provincial Health Authority Act operated by an affiliate prescribed in The Provincial Health Authority Administration Regulations;

(iii) The following facilities operated by the Saskatchewan Cancer Agency continued pursuant to The Cancer Agency Act:

i. Saskatoon Cancer Centre;

ii. Allan Blair Cancer Centre;

iii. The Hematology Clinic;

(b) For the purposes of section 3 of this Order, “Licensee” means the same as defined in section 2 above but is amended to include:

(i)    The Provincial Health Authority as defined in The Provincial Health Authority Act;

(ii)   The Saskatchewan Cancer Agency continued pursuant to The Cancer Agency Act.

(c)   For the purposes of Section 3 of this Order, “Staff Member” refers to:

(i)    any individual who is employed by, or provides services under a contract with, the Licensee of a Facility; and

(ii)   any volunteer or student that assists in the provision of services within the Facility.

(d) For the purposes of Section 3 of this Order, “Individual” means the same as Staff Member but also includes all individuals entering the Facility, except individuals entering for the purposes of receiving care.

(e) Health screening shall occur as follows:

(i)    Staff Members shall undergo health screening prior to or upon entry to the Facility, which must include a temperature check. Any Staff Members who display or disclose signs or symptoms of COVID-19 shall be denied entry to the Facility. All Staff Members shall undergo a temperature check prior to leaving the Facility. All exceedances temperatures shall be logged by the Licensee.

(ii)   Individuals who are not Staff Members shall undergo health screening, which must include a temperature check prior to or upon entry to the Facility. Any of these Individuals who display or disclose signs or symptoms of COVID-19 shall be denied entry to the Facility. All exceedances temperatures shall be logged by the Licensee.

The Minister of Health or the Chief Medical Health Officer have powers under The Public Health Act, 1994 (P.37.1). In particular, section 45 sets out the broad powers of the Minister and the Chief Medical Health Officer. Further, the Act contains mandatory reporting provisions for certain health care professionals in certain circumstances (e.g. section 32).

This advisory attempts to answer a number of questions related to collection, use, storage, safeguarding and destruction of personal health information involved in carrying out this order.

What privacy legislation might apply?

The Health Information Protection Act (HIPA) applies to health trustees, which include government institutions, the Saskatchewan Health Authority, health care organizations, a licensed personal care home, a health professional licensed under an Act, a pharmacy, and licensed medical laboratories. Parts III and IV of HIPA deal with collection, use, disclosure, storage, and protection of personal health information.

To be sure, a care home should check HIPA to see if it has any application to it and if necessary, seek legal advice.

What personal health information can be collected?

The public health order requires that health screening, including temperature checks, of staff and visitors be carried out and that exceedance temperatures be logged. For staff and visitors, recording of a name, an exceedance temperature and answers to questions regarding COVID-19 symptoms is a collection. For visitors, due to the potential need to follow up, it would appear reasonable to ask which resident they were there to visit. It would not be reasonable to ask for the visitor’s Health Services Number (HSN) or other unrelated health information. To ask other unrelated questions and record the answers is going beyond the provisions of the public health order.

In collecting personal health information, the principle is to collect and record the least amount of personal health information necessary to carry out the purpose. The purpose here would be to comply with the public health order, which in turn is intended to keep care home staff and residents safe.

How should care homes notify staff and visitors of the collection? 

Care homes should be as open and transparent as possible. They should advise staff that they will be doing temperature checks as they arrive for work and leave work. Care homes should advise visitors that health screening, including temperature checks, will be conducted at their care home through posters at the front door, pamphlets and postings on their website. Care homes should protect the information they collect and let staff and visitors know that the personal health information they have provided will not be shared with other staff and residents at the care home. The care home should not give out names or identify the ones who have exceedance temperatures, as this may be considered a privacy breach.

Care homes should develop a policy on health screening, including temperature checks, share that policy with staff, residents and visitors, and post it on the care home’s website.

To support the advice and principles above, the Information Commissioner (ICO) of Great Britain has stated:

In order to not collect too much data, you must ensure that it is:

adequate – enough to properly fulfil your stated purpose;

relevant – has a rational link to that purpose; and

limited to what is necessary – you do not hold more than you need for that purpose.

Can the care home use the information for any other purpose?

The care home is subject to the public health order, and has authority to collect personal health information for that purpose. The care home cannot use that information for any other purpose without getting the consent of the staff member or visitor whose information was collected.

If the staff member or visitor has an exceedance temperature, who can the care home share the information with?

Since the care home has collected the information that the staff member or visitor has an exceedance temperature, the care home needs to determine who in the organization needs to know. Once the staff member or visitor is refused entry, very few people need to know. If a staff member has an exceedance temperature, only the staff member’s supervisor or director of the care home needs to know. The rest of the staff do not need to know. If a visitor has an exceedance temperature, that visitor should be asked whether the information can be shared with the resident that the visitor came to visit and the information should not be shared with other staff.

Where does a care home store this personal health information?

The public health order requires exceedance temperatures to be logged. The log could be a separate sheet of paper for each person with an exceedance temperature, a log book where all the persons with an exceedance temperature are recorded, or an electronic spreadsheet (such as Excel) where all persons with an exceedance temperature are recorded. For visitors, there is no need to store the information anywhere else. For staff, a decision needs to be made whether a notation is made in the staff member’s HR file. Best practice would suggest that the care home only record on the HR file that the staff member is away on sick leave or another type of leave. There is no need to store it anywhere else.

Is a care home obliged to secure the information?

Under HIPA, section 16, there is an obligation for a care home to protect the personal health information collected and stored.

Once the care home collects personal health information about a staff member, it is the care home’s obligation to ensure it is protected. For example, leaving the log book at the front entrance would not be securing or protecting the personal health information; the log book should not be accessible to all staff. Similarly, having a computer monitor at the front entrance that makes the log accessible to all who pass by would be unacceptable.

Other resources detail suggestions on securing information and a few tips are given by the British Columbia Information and Privacy Commissioner:

Your organization must make reasonable security arrangements to protect personal information in its custody or under its control. For example, if the collected information is in paper form, it should not be left in a publicly accessible area. Rather, it should be stored in a locked file cabinet. If you are storing the list on a computer, make sure the computer is password protected, encrypted, and on a secure network. Position computer monitors so that personal information displayed on them cannot be seen by visitors.

When should the care home destroy the personal health information?

How long is a care home going to keep this information? Will it get destroyed in accordance with the destruction of documents policy of the care home? Should it have a special destruction period, shorter than the normal? Could it or should it be destroyed 30 days after the public health order is rescinded, or should it just be destroyed after 30 days? The care home should develop a policy including destruction guidelines.

Should care homes share the exceedance temperature information with the Medical Health Officer?

The Public Health Act, 1994 provides:

Responsibility to report

32(1) The following persons shall report to a medical health officer any cases of category I communicable diseases in the circumstances set out in this section:

(a) a physician or nurse who, while providing professional services to a person, forms the opinion that the person is infected with or is a carrier of a category I communicable disease;

(3) A report submitted pursuant to subsection (1) must include:

(a) the name, sex, age, address and telephone number of the person who has or is suspected to have, or who is or is suspected to be a carrier of, a category I communicable disease; and

(b) any prescribed information.

The Disease Control Regulations lists COVID-19 as a category 1 communicable disease.

If a doctor or nurse performing the health screening concludes that an individual may have COVID-19, the doctor or nurse will have to determine whether section 32 of The Public Health Act, 1994 applies. If the health screening is done by someone other than a doctor or nurse, section 32 would not apply. Since the exceedance temperature and answers to questions on COVID-19 symptoms may be an indication of COVID-19, best practice would suggest the care home request that the staff member or visitor call the healthline 811 or go to a testing centre.

Do care homes need to document their questions and testing plan?

Best practice would suggest that a care home develop a policy regarding its practices and procedures on temperature checking and make that policy available to staff, residents, and visitors. The policy should contain:

  • a statement of the purpose;
  • a statement that health screening will include a temperature check and specific questions related to other symptoms of COVID-19;
  • a statement on possible actions taken based on the results of health screening;
  • a statement on how and where information will be stored;
  • a statement as to who will have access;
  • a statement that the information will be shared only with those that need-to-know and will not be shared with all staff and residents;
  • a statement on how the personal health information will be protected;
  • a statement as to who it will be shared with (public authorities or not); and
  • a statement as to when the information will be destroyed.

A policy should be made available to staff, residents and visitors including postings on the care home’s website.

Conclusion

The principles are simple: establish the purpose and authority, and collect the least amount of personal health information to meet the purpose. Share it only with those who need-to-know, store it, keep it secure and destroy it when no longer needed.

The Information Commissioner’s Office in Great Britain has issued a document regarding “Work Testing – Guidance for Employers”. Although British legislation is different from the legislation in Saskatchewan, the principles set out are good ones and may have some application to public bodies and health trustees in Saskatchewan.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca

UPDATED – Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan on Pandemic, Travel Restrictions and Checkpoints

On April 24, 2020, the Chief Medical Health Officer issued an Order restricting travel into and out of the Northern Saskatchewan Administration District (NSAD) to essential travel. On April 30, 2020, the Order was amended to restrict travel between communities in NSAD; on May 6, 2020, the Order was further amended; and on May 20, 2020, the Order was amended to apply only to the northwest region. The May 20, 2020 Order provides:

1. I hereby ORDER and DIRECT effective immediately:

a. Subject to subsection (c), no person shall travel to or out of the Northwest Region, whether from within the Province of Saskatchewan or otherwise.

b. Subject to subsection (c), no person within the Northwest Region shall travel outside the community in which their primary residence is located.

c. Travel is permitted as follows:

i. Persons may return to their primary residence;

ii. Employees of, and persons delivering, critical public services and allowable business services, a listing of which is found on the Government of Saskatchewan website: Saskatchewan.ca;

iii. Aboriginal persons engaging in activities such as exercising their constitutionally protected right to hunt, fish and trap for food or engaged in other traditional uses of lands such as gathering plants for food and medicinal purposes or carrying out ceremonial and spiritual observances and practices;

iv. Persons who are travelling for medical treatment;

v. Persons travelling for the purposes of attending court where legally required to do so; and

vi. Persons whose primary residence is within the Northwest Region may travel to the community closest to their community of primary residence within the Northwest Region taking the most direct route to obtain essential goods and services, when those goods or services are not available in their community of primary residence, a maximum of twice per week. Each household shall only utilize one vehicle and each vehicle must only contain household members.

vii. When persons are traveling outside the Northwest Region for medical treatment they may also stop to obtain essential goods and services outside of the Northwest Region. Only one person in the vehicle may enter a retail establishment outside of the Northwest Region to purchase such essential goods and services.

On June 7, 2020, the Chief Medical Health Officer issued a new Order which did not contain the travel restrictions quoted above. To my knowledge, this is the first time such travel restrictions were imposed in Saskatchewan. With the travel restrictions removed, the issues discussed below only become relevant if travel restrictions are imposed in the future (e.g. a second wave).

The Public Health Act, 1994, gives the Chief Medical Health Officer broad powers in emergencies and we all agree these are exceptional times.

The Saskatchewan Public Safety Agency is a government institution and subject to The Freedom of Information and Protection of Privacy Act (FOIP). That also makes the agency a trustee under The Health Information Protection Act (HIPA). Highway patrol officers and conservation officers would be employees of ministries which are government institutions and trustees.

If checkpoints are merely providing information to travelers into or out of a community, then no privacy issues arise. Checkpoints can provide information about COVID-19 regarding how many in the community have been diagnosed, related risks and best practices to help prevent the spread. If checkpoints are collecting personal information or personal health information from travelers, privacy legislation is applicable.

HIPA allows for the collection of personal health information for specified purposes. The purpose here is restricting travel according to Order 1(c). FOIP allows the collection of personal information for specified purposes.

The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) also allows for the collection of personal information by local authorities. Municipalities, villages and towns are local authorities. Local authorities can collect personal information for a specified purpose. The purpose here would be the restriction of travel into and out of a community according to Order 1(c).

The challenge will be to ensure the questions asked at checkpoints are limited to addressing the specific purpose set out by the Order. Questions such as:

  • Are you coming from or returning to your primary residence? If so, what community are you coming from or returning to? Order 1(c)(i)
  • Are you an employee of an organization providing critical public services or allowable business services? If so, what community are you coming from or returning to? Order 1(c)(ii)
  • Are you an employee of an organization delivering critical public services or allowable business services to this community? If so, what community are you coming from or returning to? Order 1(c)(ii)
  • Are you an Aboriginal person exercising your constitutionally protected rights? Order 1(c)(iii)
  • Are you going to a medical appointment or coming from a medical appointment? If so, which community are you going to or coming from? Order 1(c)(iv)
  • Are you a person traveling to this community from your community of primary residence to obtain essential goods and services not available in your community of primary residence a maximum of two times per week? If so, what community are you coming from or returning to? Order 1(c)(iv)
  • Are you traveling to attend court? If so, what community are you coming from or returning to? Order 1(c)(v)

Other questions beyond these need to be analyzed as to whether they are necessary to restrict travel according to Order 1(c).

A further issue is that after the questions are asked, are the responses recorded? If so, by whom and for what purpose? If recorded, the record may be accessible under HIPA, FOIP or LA FOIP.

Once the questions are asked and answered, possibly recorded, does the information need to be shared with anyone? If so, who and for what purpose? Is there authority to share that information beyond the checkpoint? There is a principle known as “need-to-know”. Who needs to know or must know for the specified purpose? If you don’t need-to-know, then the information should not be given to you.

Finally, if personal information or personal health information is recorded, the trustee, government institution or local authority should make a decision as to how long the information is kept. The purpose here is to restrict travel according to Order 1(c). Now that travel restrictions are removed, the purpose for checkpoints is gone. I would recommend government institutions, local authorities and trustees make a decision now as to how long the information will be kept before it is destroyed.

The pandemic has created unusual circumstances in our province and actions must be taken quickly, but in that process privacy legislation still exists and needs to be respected and followed to protect privacy to the extent possible. I believe we can do both, but it takes decision-makers carefully thinking through the actions they take.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca

Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan on questions, screening or testing by employers regarding COVID-19

Our province is gradually phasing in our economy. Businesses, organizations and government offices are gradually opening up. Employers are contemplating the return of their employees to the workplace. Employers and employees will have questions. This advisory attempts to answer a number of those questions.

Can an employer test for COVID-19?

Some employers may be considering whether they will require all employees to answer questions, be screened or be tested for COVID-19. Employers have an obligation to make a workplace safe to work in within reasonable limits. The Saskatchewan Employment Act provides:

General duties of employer

3‑8 Every employer shall:

(a) ensure, insofar as is reasonably practicable, the health, safety and welfare at work of all of the employer’s workers;

(h) ensure, insofar as is reasonably practicable, that the activities of the employer’s workers at a place of employment do not negatively affect the health, safety or welfare at work of the employer, other workers or any self-employed person at the place of employment; and

Each employer will have to make a fundamental decision as to whether requiring all employees to answer questions, be screened or be tested would make the workplace safer.

Prior to considering what privacy legislation might apply, employers need to seriously consider whether they want to require employees to answer questions, be screened or be tested for COVID-19. This is a fundamental issue and can be controversial. It gets us into the issue of whether employers can or should require medical tests in the workplace. There has been considerable debate and court challenges over testing for drugs in the workplace. Employers need to know that requiring employees to answer questions, be screened or be tested for COVID-19 might result in a court challenge.

The Privacy Commissioner of Canada in “A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century” stated:

Following the enactment of the Canadian Charter of Rights and Freedoms in 1982, the Supreme Court of Canada formulated a methodological test to determine whether the violation of a Charter right is nonetheless justifiable in a free and democratic society. Stemming from the case R. v. Oakes, this became known widely as the Oakes test. It requires:

    • Necessity: there must be a clearly defined necessity for the use of the measure, in relation to a pressing societal concern (in other words, some substantial, imminent problem that the security measure seeks to treat),
    • Proportionality: that the measure (or specific execution of an invasive power) be carefully targeted and suitably tailored, so as to be viewed as reasonably proportionate to the privacy (or any other rights) of the individual being curtailed,
    • Effectiveness: that the measure be shown to be empirically effective at treating the issue, and so clearly connected to solving the problem, and finally,
    • Minimal intrusiveness: that the measure be the least invasive alternative available (in other words, ensure that all other less intrusive avenues of investigation have been exhausted).

The balance of this advisory presumes an employer has made the decision and understands the legal risks of a challenge, but intends to proceed.

What privacy legislation might apply?

If an employer decides to ask questions, screen or test its employees for COVID-19, that employer needs to know what privacy legislation applies to that employer. The Freedom of Information and Protection of Privacy Act (FOIP) applies to government institutions which include Crown corporations, boards, agencies and other prescribed organizations. Part IV of FOIP deals with the collection, use, disclosure, storage and protection of personal information.

The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) applies to local authorities which include cities, towns, villages, municipalities, universities and the Saskatchewan Health Authority. Part IV of LA FOIP deals with the collection, use, disclosure, storage and protection of personal information.

The Health Information Protection Act (HIPA) applies to health trustees, which include government institutions, the Saskatchewan Health Authority, a licenced personal care home, a health professional licenced under an Act, a pharmacy, and licenced medical laboratories. Parts III and IV of HIPA deal with collection, use, disclosure, storage and protection of personal health information.

If an employer falls into one of the above categories, then that particular statute will apply to the collection, use, disclosure, storage and protection of information. To be sure, an employer should check each of the Acts to see if it has any application.

Regulations under each of the Acts can also prescribe government institutions, local authorities or health trustees.

A further issue is that after the questions are asked, are the responses recorded? If so, by whom and for what purpose? If recorded, the record may be accessible under HIPA, FOIP or LA FOIP.

If an employer continues to be in doubt, it may want to obtain legal advice. If an employer does not fall under any of the three Acts, it is possible that the employer, as an organization, may be bound by the Personal Information Protection and Electronic Documents Act (PIPEDA). For information on this, an employer can check the website of the Federal Privacy Commissioner. In some cases, PIPEDA provides rules and protection for employee personal information and in others, it does not. Whether or not an employer in Saskatchewan fits any of the above definitions, the advice below can be considered best practice and an employer can choose to follow it.

What is the purpose of doing the tests for COVID-19?

Before embarking on questioning or a testing program, an employer needs to define the purpose for collecting the Q&A and test information. Is it to keep the workplace safe? More specifically, is it to prevent workers who test positive or have had COVID-19 from being in the workplace? Is it to prevent the spread of COVID-19 to other workers in the workplace? It is important that the employer define the purpose at this early stage and not expand it after the fact, as that would be function creep and may not be authorized.

How should employers notify their employees of the purpose of collection?

Employers should be open and transparent. They should advise staff that they will be asking questions, screening or testing employees as they arrive for work and inform them of the purpose. Later at the time of collection, tell employees the purpose of collection, what will be collected, who it will be shared with and how long the information will be stored. Employees will particularly want to know if the employer is sharing the information with other third parties and why. As discussed below, the employer should advise employees that positive tests for COVID-19 will be shared with the medical health officer.

If staff test positive or have COVID-19, the employer can provide other staff with statistical information, such as how many have been tested and how many tested positive. The employer should not give out names or identify the ones who tested positive as this may be considered a privacy breach. If very few employees test positive or have COVID-19, the employer needs to determine whether, by giving the statistical information, the employee can be identified. If this might be the case, the employer can ask the affected employee for consent to release the information, postpone the release, or provide less information so that identification is prevented.

What information will the employer collect?

Asking an employee a series of questions and obtaining the answers is collection of information. Screening by visual examination or temperature checks is collection of information. Requesting an employee to take a test and recording the results is a collection of information. An employer needs to define the questions asked, the screening and the test required and ensure those questions, screening and test results are consistent with the purpose. Employers should collect the least amount of information necessary to achieve the purpose. This is referred to as the data minimization principle, that is, only collect what is needed to achieve the purpose.

For example, if an employee tests positive for COVID-19, what is an employer going to do? The assumption is an employer will require the employee to stay home and self-isolate. Thus, once an employer knows the person tested positive, there is no need to know anything more other than if the medical health officer’s follow up efforts will impact the employer. You are the employer, not the doctor. If the staff member indicates they already have COVID-19, an employer will need to consult the organization’s doctor to determine whether the staff member should be allowed to come to work or is required to stay home. Again, an employer should not collect more information, only tell the employee that they can or cannot work and they should go home. If the test comes back “negative” an employer still is obliged to comply with any requirements of the Chief Medical Health Officer in terms of taking protective procedures in the workplace.

The Information Commissioner (ICO) of Great Britain has stated:

In order to not collect too much data, you must ensure that it is:

  • adequate – enough to properly fulfil your stated purpose;
  • relevant – has a rational link to that purpose; and
  • limited to what is necessary – you do not hold more than you need for that purpose.

Can the employer use the information for any other purpose?

The employer has defined a purpose, authority to collect and has collected information for that purpose. The employee has provided the information for that purpose. The employer cannot use that information for any other purpose without getting the consent of the employee.

If an employee tests positive, who can the employer share the information with?

Since the employer has collected the information that the employee tested positive or has had COVID-19, the employer needs to determine who in the organization needs to know. If the employee is going home, very few people need to know. Just like other sensitive health information, it is confidential, and the employer should prohibit the employee from sharing the information with other staff.

Where does an employer store this information?

The choices are storing on the employee’s HR personnel file or storing in a separate folder for all employees, containing all information regarding questions, screening and testing. There is probably no need to store it anywhere else.

The information the employer has collected must be stored in a secure place. Once the employer collects personal information about an employee, it is the employer’s obligation to ensure it is protected.

Is an employer obliged to secure the information?

Under privacy legislation, there is an obligation for an employer to protect and secure the information collected and stored. If an employer is not subject to the privacy legislation, best practice would suggest the information be protected anyway. Other resources have made suggestions on securing information and a few tips are given by the British Columbia Information and Privacy Commissioner:

Your organization must make reasonable security arrangements to protect personal information in its custody or under its control. For example, if the collected information is in paper form, it should not be left in a publicly accessible area. Rather, it should be stored in a locked file cabinet. If you are storing the list on a computer, make sure the computer is password protected, encrypted, and on a secure network. Position computer monitors so that personal information displayed on them cannot be seen by visitors.

When should the employer destroy the information?

How long is an employer going to keep this information? Will it get destroyed in accordance with the destruction of documents policy? Should it have a special destruction period, shorter than the normal? Could it or should it be destroyed within 30 days? Employers need to decide whether they will develop a policy including destruction guidelines. There has been media coverage about people’s fear of having COVID-19 and the stigma that comes along with that. Maybe a year from now, there will be an approved treatment and vaccination, which might reduce the stigma and the fear. Maybe the information collected can be destroyed earlier than an employer’s standard procedure.

Should employers share information with the medical health officer?

The Public Health Act, 1994 provides:

Responsibility to report

32(1) The following persons shall report to a medical health officer any cases of category I communicable diseases in the circumstances set out in this section:

(a) a physician or nurse who, while providing professional services to a person, forms the opinion that the person is infected with or is a carrier of a category I communicable disease;

(b) the manager of a medical laboratory if the existence of a category I communicable disease is found or confirmed by examination of specimens submitted to the medical laboratory;

(c) a teacher or principal of a school who becomes aware that a pupil is infected with or is a carrier of a category I communicable disease;

(d) a person who operates or manages an establishment in which food is prepared or packaged for the purposes of sale, or is sold or offered for sale, for human consumption and who determines or suspects that a person in the establishment is infected with, or is a carrier of, a category I communicable disease.

(3) A report submitted pursuant to subsection (1) must include:

(a) the name, sex, age, address and telephone number of the person who has or is suspected to have, or who is or is suspected to be a carrier of, a category I communicable disease; and

(b) any prescribed information.

(4) In addition to the report required by subsection (1), the manager of a medical laboratory shall submit to the medical health officer or the co-ordinator of communicable disease control a copy of the laboratory report that identifies the disease.

The Disease Control Regulations lists COVID-19 as a category 1 communicable disease.

If an employer intends to ask a series of questions or do screening by a non-health professional, section 32 above would not apply. In that case, if the questions result in there being indications of COVID-19, I would expect the employer would request that the employee be tested for COVID-19 at a nearby testing centre and the employee be advised to go home until testing is done and results are received.

If an employer has an examination done or a test taken by a doctor or nurse, it is clear that, pursuant to section 32, the doctor, nurse or manager of a medical lab must report a communicable disease such as COVID-19 to the medical health officer.

Thus, best practice would be for an employer to advise employees being examined or tested that if the test is positive for COVID-19, it will be reported to the medical health officer. The employer should indicate in their statement of purpose that they will comply with the requirements of The Public Health Act, 1994. Being transparent with staff and telling them at the beginning that their information will be shared with public health authorities is important.

Do employers need to document their questions and testing plan?

Once an employer has made a decision, the employer should consider some documentation of the plan. In normal times, my office would recommend a privacy impact assessment (PIA). In these unique times, an employer might move very quickly and my office would still recommend either a shortened version of a PIA or a policy statement regarding question asking, screening and testing plan. Whatever the form of the document, it should contain:

  • a statement of the purpose;
  • a listing of the questions to be asked;
  • a statement of the screening and the tests to be performed;
  • a statement on possible actions taken based on the test results;
  • a statement where information will be stored;
  • a statement as to whom it will be shared with (with public authorities or not); and
  • a statement when the information will be destroyed.

Conclusion

The principles are simple: establish the purpose and authority, collect the least amount of information to meet the purpose, share it only with those who need to know, store it, keep it secure and destroy it when no longer needed. This is good advice whether an employer is subject to access and privacy legislation or not.

The Information Commissioner’s Office in Great Britain has issued a document regarding “Work Testing – Guidance for Employers”. Although British legislation is different from the legislation in Saskatchewan, the principles set out are good ones and may have some application to public bodies and health trustees in Saskatchewan.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca

Information and Privacy Commissioners from across Canada establish principles to be applied in consideration of contact notification and tracing apps

Information and Privacy Commissioners from across Canada have developed and issued a joint statement today regarding COVID-19 and contact tracing. The statement contains a series of principles that decision-makers should consider when deciding whether to launch a contact notification or tracing app. The principles are outlined under the following headings:

  • Consent and trust
  • Legal authority
  • Necessity and Proportionality
  • Purpose limitation
  • De-identification
  • Time-Limitation
  • Transparency
  • Accountability
  • Safeguards

The Commissioner recognized that COVID-19 has created unique circumstances and there are serious public health risks, but privacy legislation continues to be in force and must be factored in when making decisions regarding the utilization of new tools in controlling the spread. With a careful consideration of contact notification and tracing apps, it is possible to protect public health and personal privacy at the same time.

“I hope this statement of principle will help decision-makers work through the complex issues of balancing protection of public health and privacy”, Kruzeniski said.

The Commissioner also encourages any public body that is considering the adoption of such tools in Saskatchewan to consult with his office as soon as possible to help ensure that balance is met.

The full joint statement can be viewed here: https://oipc.sk.ca/assets/FPT-joint-statement-on-contact-tracing.pdf

Media contact:
Kim Mignon-Stark: Kmignon-stark@oipc.sk.ca

Kara Philip: kphilip@oipc.sk.ca

Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on Contact Tracing and Privacy

I read an interesting article in The Atlantic by Derek Thompson. I was aware that South Korea and Singapore and other Asian countries were applying technology to the issue of contact tracing. What is contact tracing? As I understand it, when someone is diagnosed with having COVID-19, they are asked who they had been in contact with in the last while. Then those individuals are contacted. The old way was to do that by interviews. The existence of smartphones and apps allows contact tracing to take place by using Global Positioning System (GPS) and Bluetooth technology. For example, in South Korea, GPS is enabling authorities to know where patients have been using information from CCTV footage, credit card records and GPS data from the patient’s smartphone. Singapore has taken a different approach by using a government-developed app called “TraceTogether” that uses signals between mobile phones to record who you may have had close contact with.

Also, Asian countries are using technology to enforce quarantine. For example, Taiwan uses GPS to create an “electronic fence” for those who should be in quarantine. In Hong Kong, those who must quarantine themselves are given a wristband. They are to activate the wristband using a smartphone app.

Finally, technology is being used to enable movement in China as restrictions are being lifted.

European countries, including Germany and Italy, are also following Asia’s lead and are developing and using apps to assist with combating the spread of COVID-19.

It would appear that Asia has been successful in reducing infections and deaths because of their approach to contact tracing along with other measures taken. We in North America are interested in when self-isolation could end and when our economy might get going again but are worried about a second wave. I can see that authorities here in North America will look to the digital methods used in Asia for ways to start the economy and reduce the risk of a second wave. As they consider these issues, alternatives will be presented and no doubt, smartphones will be raised as an option. In fact, Google recently announced on its blog that it is partnering with Apple to use Bluetooth technology to assist governments and health agencies in conducting contact tracing to help reduce the spread of COVID-19.

Technology can help us combat the spread of COVID-19 but it also increases the surveillance citizens are put under. The Electronic Frontier Foundation (EFF) asserts that surveillance invades privacy, deters free speech, and unfairly burdens vulnerable groups.

As North America adjusts its strategies to combat this pandemic, we must consider the impact such initiatives have on our privacy and our democracy. Can these technologies be used in a way that maximizes their potential in combatting the spread of the virus while minimizing the impact they have on our privacy? I am sure they can. I recommend that authorities be transparent in the technology they use. They should consider technology that doesn’t collect and retain information unnecessarily. For example, it is being reported that Singapore’s “TraceTogether” app uses Bluetooth technology so that information is stored only on the user’s mobile phone for 21 days (the incubation period for COVID-19). If a person tests positive, it is only then that authorities will access the information on the patient’s phone so that authorities know who the patient has been in close contact with.

Another way for authorities to be transparent is letting the public know what information they are collecting, the purpose for the collection, and how the information will be used and/or disclosed. Individuals should have access to the information that is collected about them by authorities.

Furthermore, I recommend that authorities also consider how they can collect, use, and/or disclose the information that is necessary for the purpose of combating the spread of COVID-19 and to have processes in place to ensure such information is not used for other purposes, now or in the future. This includes setting a limit on how long information should be retained.

In Alberta, the provincial government has rolled out a contact-tracing app called “ABTraceTogether”. It has completed a privacy impact assessment (PIA) and submitted the PIA to Alberta’s Information and Privacy Commissioner. Once Alberta’s Information and Privacy Commissioner reviews and accepts the PIA, the provincial government will make a summary of the PIA available. I recommend that if any similar initiative is undertaken in Saskatchewan, that a PIA be completed and submitted to my office.

The information and privacy commissioner has issued a news release. In that news release the information and privacy commissioner stated:

Ensuring this app is voluntary, collects minimal information, uses decentralized storage of de-identified Bluetooth contact logs, and allows individuals to control their use of the app are positive components.

Alberta Health has issued a privacy statement that pertains to ABTraceTogether.

Whatever solutions are posed, my office is here to consult on the privacy implications in advance of any roll-out in Saskatchewan.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca

Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan on Pandemic and Virtual Meetings

I read an article today saying over 7,000 Crown Corporation workers are working from home. In addition, thousands of executive government workers are doing the same. Many in businesses are also working from home. It is amazing how quickly this province was able to switch to an at home work environment.

Working at home requires workers to talk to one another and there is a need for meetings to occur. Zoom, overnight, has become a way of holding a virtual meeting. There is other software such as Microsoft Teams, Skype video and Google Hangouts to facilitate virtual meetings.

To get work done, we need to meet. We also will gravitate to the most convenient way of meeting, but decision-makers in public bodies need to consider privacy and security issues.

We have seen some headlines about hackers hacking into a Zoom meeting. Therefore, the first thing we need to consider is whether our meeting is restricted to just those authorized to be there. Organizers need to set things up to ensure the correct settings are in place to prevent intrusion by the unauthorized.

Zoom asks whether you want the session saved. Another decision is whether the organizers will have the meeting saved. If so, it is a record and at that point, The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), The Health Information Protection Act (HIPA) and The Archives and Public Records Management Act come into play. If minutes of a similar meeting are normally kept, then I would suggest the minutes of the virtual meeting need to be kept. If meetings were previously recorded then organizers need to decide whether the virtual meeting will be recorded. If an ordinary meeting or virtual meeting is recorded, that recording becomes a record. Organizers from public bodies need to decide whether the recording is an official record or transitory record under The Archives and Public Records Management Act. If it is an official record, organizers need to arrange for storage and preservation in its electronic filing system. If it is a transitory record, decisions have to be made as to when it is destroyed. If any access request under FOIP, LA FOIP or HIPA is received and the recording of the virtual meeting exists, at that time the record may have to be disclosed under FOIP, LA FOIP or HIPA (subject to appropriate exemptions).

If you are recording the virtual meeting, the question is who is recording it? If it is the service provider, then is it being stored on the service provider’s server? Is that where you want it stored? How do you get that recorded meeting downloaded to your organization’s file records system? Does the provider routinely save/store copies of meeting recordings? Can you ensure that it is deleted off the service provider’s system?

If your meeting has discussion of issues which involve personal information or personal health information, what additional precautions can you take to ensure that information is not being accessed by unauthorized persons?

As a practice, a public body might indicate it does not want the meeting recorded. Can an organization be sure the service provider is not saving a copy anyway? This is why it is also important to understand the risks of working with any particular service provider in advance of using that system. If you do not have the appropriate agreements in place or at least an intimate understanding of the risks and benefits, your meeting sessions could be hijacked, information kept and used for purposes that you did not anticipate, and privacy breaches could occur for which the public body would be responsible.

Organizers need to think carefully about the platform they select for virtual meetings. They will want the one that best protects their confidential information and the one that allows them to comply with FOIP, LA FOIP and HIPA. To assist organizers, here are some questions they should ask before selecting a platform:

  • Does the service provider offering the platform reside in Canada or the United States?
  • Where geographically is the virtual meeting stored, and where is the server located (Canada or the United States)?
  • Are virtual meetings going to be recorded and saved and if so, by whom?
  • Will your meeting involve possible confidential information? If so, do you want it recorded?
  • Who has possession/custody or control of the information?
  • If saved, can the organization download the recording into its file management system?
  • How long will the service provider retain the recording?
  • Can the organization request deletion of the recording at any time?
  • Does the service provider share the recording or other information with anyone else? If so, who and under what authority?
  • Does the service provider have end-to-end encryption?
  • Does the service provider have a privacy policy and a security policy?
  • What settings can the organization set to maximize privacy and security?
  • Does the organization consider the recording an official record or a transitory record?
  • Has the service provider had a privacy or security assessment done by an independent third party? If so, request a copy.

The pandemic has forced many public bodies to embrace the virtual meeting. Once restrictions are lifted, I expect virtual meetings will continue to be a way of doing business. Public bodies should approach virtual meetings and platforms as both a short term matter and a long term change. Thus, establishing public body policies regarding virtual meetings is an important step that we should take now.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca

Statement from the Office of the Information and Privacy Commissioner on Documenting Decisions in a Pandemic

During this Pandemic, public officials, elected and appointed, have made and will make many decisions in an attempt to flatten the curve to help prevent our health care system from being overwhelmed and to save lives. As we all can see, things are moving very quickly so decisions have to be made very quickly. Citizens and the media look forward to and appreciate the daily briefings.

In this pandemic with decisions being required quickly, there continues to be a need to document those decisions. The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) section 5 gives citizens the right to obtain records (with appropriate exceptions). Implicit in all of this is the duty to document the important decisions as they are being made. To be able to respond to that right, public bodies need to create the records. If there are no records, then citizens will never view records of decisions made during this pandemic. I would ask public officials, elected and appointed, to ensure the decisions made and actions taken are documented.

Under The Archives and Public Records Management Act, there is no need to retain transitory records. Guided by the Provincial Archives’ Transitory Records Guidelines, the initiator of the communication or the receiver should determine whether something is transitory. Because of the historical significance of the decisions being made during this pandemic, I would ask public officials, elected and appointed, to take a broader approach and treat more of the communications as official records rather than transitory. In other words, narrow what is considered a transitory record and broaden what is considered an official record.

When this pandemic is over, policy analysts, historians and researchers will and should reflect back on decisions and actions taken by officials in Saskatchewan. They will study what worked and what might not have worked. This analysis will better equip us for the next crisis that may come our way.

The Federal Information Commissioner, Caroline Maynard, in a News Release on April 2, 2020 stated:

Last week the Prime Minister told Canadians that transparency is crucial to being accountable to Parliament and in maintaining the public’s confidence.

When the time comes, and it will, for a full accounting of the measures taken and the vast financial resources committed by the government during this emergency, Canadians will expect a comprehensive picture of the data, deliberations and policy decisions that determined the Government’s overall response to COVID-19.

Canadians have a fundamental right to this information. They expect that it will be available to them, and that the government will provide it.

…ministers and deputy ministers must ensure that they and their officials generate, capture and keep track of records that document decisions and actions, and that information is being properly managed at all times.

Doing this is a matter of asking the right questions and then providing the information, tools and support employees need to meet their access to information and information management responsibilities.

For example, are minutes of meetings —even those taking place by teleconference or video conference—continuing to be taken and kept? Are all relevant records —such as decisions documented in a string of texts between co-workers—ultimately finding their way into government repositories? Do employees have a clear understanding of what constitutes “a record of business value” and that this record must be preserved for future access?

In conclusion, the best practice in order to fulfill what is outlined in section 5 of FOIP, LA FOIP and The Archives and Public Records Management Act, is for public officials, elected and appointed, to ensure their organizations are creating and maintaining the documents, emails and texts that relate to the decisions and actions being taken during this Pandemic.

Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan on Apps that Offer Health Care Consultations

Since the government has said to stay home and self-isolate or quarantine, and the temporary closure of offices, including those of some health professionals, has been mandated, the question “how might I consult a health professional?” has arisen. The need for health professionals to be in contact with their patients continues during the pandemic, and when the government created a temporary fee for telehealth consultations, the desire and need to create ways of consulting over the telephone, computer or device accelerated.

Media coverage has been given to apps that will facilitate health professionals’ consultations with their patients. As health professionals and patients are approached to use such apps, they should be asking questions before agreeing to do so.

Health professionals should ask:

  • Does the organization offering the app (service provider) reside in Saskatchewan?
  • What personal health information is collected and stored by the app (service provider) and for how long?
  • Where geographically is the information stored?
  • Who is in custody and control of the stored information?
  • Can I get a copy of the stored information any time I ask?
  • Is the personal health information shared with any other company or individual?
  • What safeguards are in place to protect that information?
  • Can I see the contract I would have to sign to use the service?
  • Have you done a privacy impact assessment and could I have a copy?
  • Have you had a security assessment done by an independent third party and if so can I see a copy?
  • What recommendations have your professional association made?

The prospective patient before signing up should ask:

  • Does the organization offering the app (service provider) reside in Saskatchewan?
  • What personal health information about me is collected and stored by the app and for how long?
  • Where geographically is my information stored?
  • Can I get a copy of my stored information any time I ask?
  • Is there a fee for getting a copy of my personal health information?
  • Is my personal health information shared with any other company or individual?
  • What safeguards are in place to protect my personal health information?

The questions for the health professional and the patient are similar. Both need to know where personal health information is stored, who has access to it, how long it is stored and what steps are taken to protect personal health information.

The pandemic will continue to create privacy issues. I expect there will be many apps vying for loyalty of health professionals and patients. As always, it will be “buyer beware”. In other words, health professionals and patients, be careful what you sign up for. However, in terms of health care providers, the ‘beware’ includes an expectation that you will do your homework and know whether or not by participating in the service you are or are not meeting your obligations under The Health Information Protection Act.

In the longer run, if telehealth is here to stay, health professionals and their governing bodies should establish rules governing the engagement of apps that provide a telehealth service.

Health professionals should insist on a contract with the app service provider, read it carefully and not sign on the dotted line unless satisfied all aspects of HIPA are addressed.

Patients should read the privacy policy on the app’s (service provider’s) website.

This may turn out to be a very convenient service for health professionals and patients. Let us make sure the service has appropriate privacy and data protection.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca

Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on Transparency in a Pandemic

As we all know, we are in the middle of a pandemic and many are working hard to protect Saskatchewan. Many are working long hours and assuming risks. All of us need a certain amount of information about the spread of COVID-19 in our province.

I have written earlier about a pandemic and privacy and there is a balancing act between public interest and privacy. There is a big gap between giving little to no information and giving all information. In the middle is an opportunity for decision-makers to determine how much information to provide to the public. Officials are always free to provide aggregate or statistical data or de-identified personal information or personal health information. They can provide information such as how many are sick or pass away in a city, town, municipality, area or region. I would encourage as much transparency as is possible while respecting privacy to the extent possible. More is better under the circumstances we are now in.

Of course, giving someone’s name and address as being affected would be going too far as this is their personal health information. Yes, and maybe in small communities, indicating one person is affected would identify a person. In those instances, there are workarounds such as saying, “one person in the Ituna vicinity” or “one person north of White City”. The idea is that officials can be transparent and provide as much information as is possible, but still avoid identifying an individual.

As the number of cases rises in our province, officials will have more latitude in providing statistical information to citizens as they won’t be dealing with one person, but dealing with two, three or more persons in a community or area.

Individuals who are infected with COVID-19 may choose to divulge their personal health information in a public forum such as Facebook, Twitter or the media. They may choose to conduct interviews regarding their illness and recovery. That is their choice and we need to respect that they have voluntarily chosen to do so. If an individual does so, that does not give permission to the public body to release their name. A public body could, however, ask the individual to sign a consent agreeing to the release of name and details.

The Federal Information Commissioner, Caroline Maynard, in a News Release dated April 2, 2020 stated:

As Information Commissioner, I call upon heads of federal institutions to set the example in this regard, by providing clear direction and updating guidance on how information is to be managed in this new operating environment. Furthermore, I am of the firm view that institutions ought to display leadership by proactively disclosing information that is of fundamental interest to Canadians, particularly during this time of crisis when Canadians are looking for trust and reassurance from their government without undue delays.

The right of access is a means by which we not only hold our government to account, but determine how and why decisions were made and actions taken, in order to learn and find ways to do better in the future. It is only by being fully transparent, and respecting good information management practices and the right of access, that the government can build an open and complete public record of decisions and actions taken during this extraordinary period in our history—one that will inform future public policy decisions.

In conclusion, I ask public officials, elected and appointed, to continue to provide as much information as possible regarding our province and the Pandemic.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca

Updated Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on COVID-19

Privacy in the Context of COVID-19

Privacy laws are not a barrier to appropriate information sharing in an epidemic.

It is important that public bodies, health trustees and private sector organizations know how personal information or personal health information may be shared during an epidemic.

How Information May be Shared under Saskatchewan’s Privacy Laws

Saskatchewan has three privacy laws:

  • The Freedom of Information and Protection of Privacy Act (FOIP) applies to government institutions;
  • The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) applies to local authorities such as municipalities, universities and school boards; and
  • The Health Information Protection Act (HIPA) applies to health trustees.

These Acts and accompanying Regulations govern the collection, use and disclosure of personal information or personal health information in most situations.

Each Act contains provisions to allow for the sharing of personal information or personal health information in the event of an emergency by public bodies and trustees.

All three Acts require that any collection, use or disclosure of personal information or personal health information be limited to that which is needed to achieve the purpose of the collection, use or disclosure. This is referred to as the “data minimization principle.”

FOIP

FOIP applies to government institutions or “public bodies”, which include provincial government ministries, Crown corporations, boards, agencies and commissions.

FOIP permits public bodies to collect personal information if the collection is expressly authorized by another statute or if the collection relates directly to and is necessary for an operating program or activity of the public body.

FOIP generally requires public bodies to collect personal information directly from the individual the information is about. Public bodies may collect information about an individual from other sources with the individual’s consent, or without consent in specific circumstances, such as when the collection is authorized by law or the individual is not able to provide the information directly in a health or safety emergency.

Public bodies may disclose personal information in emergency situations with the consent of the individual, or without consent in certain circumstances, including:

  • where necessary to protect the mental or physical health or safety of any individual; or
  • the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure; or
  • disclosure would clearly benefit the individual to whom the information relates; or
  • if the disclosure is authorized by a statute of Saskatchewan or Canada.

LA FOIP

LA FOIP applies to local authorities, including municipalities, universities and school boards. Basically, the same rules apply as outlined above for FOIP.

HIPA

HIPA applies to personal health information in the custody or control of health trustees. Trustees include the Saskatchewan Health Authority, nursing homes, ambulance operators, physicians, pharmacists and certain other health professionals with custody or control of personal health information. HIPA authorizes trustees to collect and use personal health information for the purposes of providing health services among others.

HIPA also allows trustees to disclose personal health information with the consent of the individual, or without consent in specific circumstances, including:

  • where the trustee believes, on reasonable grounds, that the disclosure will avoid or minimize a danger to the health or safety of any person; or
  • to family members or other individuals in a close relationship with the individual so they may be notified that the individual is ill, injured or deceased, providing the disclosure is not contrary to the expressed wishes of the individual; or
  • to another health trustee for the provision of health services; or
  • to a person responsible for continuing treatment and care for the individual; or
  • if the disclosure is authorized or required by a statute of Saskatchewan.

The Private Sector

Except for trustees under HIPA, Saskatchewan does not have legislation that applies to the private sector. Private sector organizations might be covered by federal legislation and should check the federal privacy commissioner’s website: https://www.priv.gc.ca/en/. If, however, a private sector organization is contracting with a public body or trustee (e.g. as an information management service provider), contractual agreements should be checked for language that might actually put personal information or personal health information that the organization has in its physical possession under the control of the public body or trustee instead.

General Principles

The Canadian Privacy Commissioner, Daniel Therrien, has issued A Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19. In that framework, he establishes key principles which can be applied by public bodies when making decisions on collection in Saskatchewan. He summarizes those principles in his News Release of April 17, 2020. These principles should be applied in Saskatchewan. With some editing, these principles are:

  • legal authority: the proposed measures must have a clear legal basis;
  • the measures must be necessary and proportionate, and, therefore, be science-based and necessary to achieve a specific identified purpose;
  • purpose limitation: personal information and personal health information must be used to protect public health and for no other purpose;
  • use de-identified or aggregate data whenever possible;
  • exceptional measures should be time-limited and data collected during this period should be destroyed when the crisis ends; and
  • transparency and accountability: public bodies should be clear about the basis and the terms applicable to exceptional measures, and be accountable for them.

The Public Health Act, 1994

The Minister of Health and the Chief Medical Officer have powers under The Public Health Act, 1994 (P.37.1), which can be viewed here: https://publications.saskatchewan.ca/#/products/786. In particular, section 45 sets out the powers of the minister and the medical officer. Further, this Act contains mandatory reporting provisions for certain health care professionals in certain circumstances (e.g. sections 32, 34 and 36).

The Information and Privacy Commissioner

The Office will continue to work on matters during this time, but will be closed to the public. People seeking information can call 306-787-8350 or the toll-free number 1-877-748-2298, or email us at webmaster@oipc.sk.ca.

There may be delays getting back to those who contact us, but we will get back to you.

My office usually requests that public bodies respond with information within certain timelines. We know other offices may be experiencing difficulties in getting back to us. Thus, we will be flexible regarding tight timelines. We do ask that you call us so that we can set a different timeline if one is required.

Ronald J. Kruzeniski, Q.C.
Saskatchewan Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca