Federal, Provincial and Territorial Information and Privacy Commissioners and Ombudsman issue joint resolution about privacy and access to information rights during and after a pandemic

In a joint resolution, Canada’s Information and Privacy regulators called on their respective governments to respect Canadians’ quasi-constitutional rights to privacy and access to information. The regulators took note of the serious impact the COVID-19 pandemic has had on the right of access to information and privacy rights in Canada and called on governments to use the lessons learned during the pandemic to improve these rights.

The global pandemic has brought to the forefront the pressing need for strong access to information and privacy laws. The regulators noted that the pandemic has accelerated trends that were ongoing prior to March 2020, namely concerns among the public about increasing surveillance by public bodies and private corporations and the slowing down of processing access requests. The pandemic has also highlighted the need to modernize the access to information system by leveraging technology and innovation to advance transparency.

Saskatchewan’s Information and Privacy Commissioner, Ron Kruzeniski, Q.C., stated:

“There is no doubt that technology and digitization have been instrumental in the response to the pandemic. As we work towards recovery, I encourage authorities to consider the impact such initiatives have on our access and privacy rights. The lessons we have learned during this global crisis should be used to modernize our access and privacy legislation. Digitization is here to stay. It is time our legislation reflected that.”

The joint resolution adopted 11 access to information and privacy principles and called on Canada’s governments to show leadership by implementing them and making the modernization of legislative and governance regimes around freedom of information and protection of privacy a priority.

Related Document:
Joint Resolution: Reinforcing Privacy and Access to Information Rights During and After a Pandemic

Media Contact:
Kara Philip, Manager of Communication
Office of the Saskatchewan Information and Privacy Commissioner
Phone: 306-798-2260
Email: kphilip@oipc.sk.ca

Privacy Concerns with Video Surveillance

Our office quite often receives inquiries regarding the potential privacy implications associated with installing and operating video surveillance within an organization. As our office is an oversight body for The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and The Health Information Protection Act (HIPA), we are unable to provide a formal opinion on whether any of the organization’s proposed or existing video surveillance practices would comply or not with the privacy provisions of the legislation, as doing so would constitute an advanced ruling. We must remain neutral and impartial until such time that we are asked to review a decision regarding access to information or investigate an alleged breach of privacy.

With that being said, we are able to provide you with additional information and resources in order to assist you with making the decision on whether or not to proceed with conducting video surveillance within your organization!

Our office has Video Surveillance Guidelines for Public Bodies which is a very helpful resource to refer to when considering the adoption of video surveillance practices. This includes different factors for public bodies to consider before implementing video surveillance and information to help determine if adequate safeguards are in place for the protection of the personal information or personal health information captured by the video surveillance.

The personal information or personal health information captured on the video surveillance would be in the possession or control of your organization, so it would be your responsibility to ensure that the privacy of the individuals captured in the surveillance is protected.

Part IV of FOIP and LA FOIP speak to the protection of privacy for personal information that would be under the government institution's or local authority's possession and control. Section 24.1 of FOIP and section 23.1 of LA FOIP speak specifically to the creation of policies and procedures to maintain administrative, technical and physical safeguards. Section 16 of HIPA speaks to the duty of the trustee to protect personal health information and specifically requires the creation of policies and procedures to maintain administrative, technical and physical safeguards.

If your organization is not subject to the legislation this office oversees (FOIP, LA FOIP, HIPA), it is recommended that you should continue to assess potential risks and/or legal ramifications associated with implementing video surveillance. It would be the responsibility of your organization to protect the privacy of the information in your possession or control that is captured by video surveillance, and following best practices can be useful in minimizing potential risks.

The Privacy Commissioner of Canada oversees the Personal Information Protection and Electronic Documents Act (PIPEDA) which applies to private sector organizations engaged in commercial activities, as well as some trustees who are also captured under HIPA. The Office of the Privacy Commissioner of Canada has additional information on video surveillance that may be helpful and can be found here.

Although there is no legislative requirement to complete one, whether you are under our jurisdiction or not, our office recommends conducting a Privacy Impact Assessment (PIA) whenever a new policy, procedure or program that has privacy implications is being developed or revamped. This blog outlines the benefits of completing a privacy impact assessment: Privacy Impact Assessments.

We also have a Guidance Document for a Privacy Impact Assessment (PIA) that contains information that may assist you in determining whether to complete a PIA. If you decide to move forward with a PIA, we have documents for PIA Steps 1-4 that can be completed. These can be found in the Resource Directory on our website under the following names:

PIA Step 1 Preliminary Analysis

PIA Step 2 Define The Project

PIA Step 3 Privacy Analysis

PIA Step 4 PIA Report

Additionally, if you choose to complete a PIA and your organization is under our jurisdiction, you may also be interested in engaging our office in the consultation process. For more information on the consultation process email intake@oipc.sk.ca

Although we cannot provide you with a formal opinion regarding implementing video surveillance within your organization, I hope this information will be helpful in making your decision!

Vaccine passports must meet highest level of privacy protection

Privacy should be front and centre as governments and businesses consider COVID-19 vaccine passports as a tool to help Canadians return to normal life, say Canada’s privacy guardians.

Vaccine passports would allow people to travel and gather again and could support economic recovery while protecting public health. They would, however, require individuals to disclose personal health information about their vaccine or immunity status in exchange, potentially, for access to goods and services, for example, restaurants, sporting events and airline travel.

“While this may offer substantial public benefit, it is an encroachment on civil liberties that should be taken only after careful consideration,” federal, provincial and territorial privacy commissioners and the ombuds of Manitoba and New Brunswick say in a joint statement issued today.

“Vaccine passports must be developed and implemented in compliance with applicable privacy laws.  They should also incorporate privacy best practices in order to achieve the highest level of privacy protection commensurate with the sensitivity of the personal health information that will be collected, used or disclosed,” the statement says.

The statement was endorsed during the annual meeting of federal, provincial and territorial access to information and privacy guardians. The Manitoba Ombudsman hosted the meeting, which took place virtually given the pandemic.

This statement outlines fundamental privacy principles that should be adhered to in the development of vaccine passports.

In particular, it notes that, in light of the significant privacy risks involved, the necessity, effectiveness and proportionality of vaccine passports must be established for each specific context in which they will be used.

In other words, vaccine passports need to be shown to be necessary to achieve the intended public health purpose; they need to be effective in meeting that purpose; and the privacy risks must be proportionate to the purpose, i.e. the minimum necessary to achieve it.

Further, vaccine passports, whether introduced by governments or public bodies for public services, or by private organizations, need to have clear legal authority. In addition, organizations considering vaccine passports should consult with the privacy commissioners in their jurisdiction as part of the development process.

The statement also notes that any personal health information collected through vaccine passports should be destroyed and vaccine passports decommissioned when the pandemic is declared over by public health officials or when vaccine passports are determined not to be a necessary, effective or proportionate response to address their public health purposes. Vaccine passports should not be used for any purpose other than COVID-19.

Related Documents
Joint statement – Privacy and COVID-19 Vaccine Passports

For more information:
Office of the Privacy Commissioner of Canada
Manitoba Ombudsman
Provincial and territorial privacy Ombudspersons and Commissioners

Media Contact
Kim Mignon-Stark  |  Executive Assistant
kmignon-stark@oipc.sk.ca
306-798-0173

UPDATED – Advisory from the IPC on questions regarding vaccines for organizations, employers and health trustees

Announcements regarding the approval of vaccines for COVID-19 have been greeted with excitement. The rollout of vaccines is occurring in our province and in other provinces in Canada. As citizens receive the vaccine, questions arise as to how organizations, health trustees and employers will handle this new reality. In my Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan on questions, screening or testing by employers regarding COVID-19, I attempted to answer many of the questions surrounding employers asking about screening or testing for COVID-19. This Advisory attempts to answer similar questions in regard to vaccination for COVID-19.

Can organizations ask whether a customer or employee has received a vaccination for COVID-19?

Private sector businesses and other organizations engaged in commercial activities in Saskatchewan are not covered by The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), but are subject to orders made under The Public Health Act, 1994. Many organizations are covered by the Personal Information Protection and Electronic Documents Act (PIPEDA). I note that PIPEDA only protects personal information of employees of federally regulated works, undertakings and businesses (FWUBs). Those organizations, if they have questions, may have to contact the Federal Privacy Commissioner. It should be noted that the federal government has introduced Bill C-11, which introduces significant changes to PIPEDA. In some cases, PIPEDA provides rules and protection for employee personal information and in others, it does not. Whether or not an employer in Saskatchewan fits any of the following definitions, the advice below can be considered best practice and an employer can choose to follow it.

What organizations are covered by PIPEDA?

PIPEDA defines an “organization” in Part 1, section 2(1) as follows:

  “organization” includes an association, a partnership, a person and a trade union.

PIPEDA indicates that the “protection of personal information” applies as:

  (1) This Part applies to every organization in respect of personal information that

  (a) the organization collects, uses or discloses in the course of commercial activities; or

PIPEDA defines “commercial activity” as follows:

  “commercial activity” means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

As one can see, “organization” is broad and includes a business, a community-based organization and a charity, if that organization carries on commercial activity. In the rest of this Advisory I will refer to them as “organizations”; they are covered by PIPEDA and not by FOIP or LA FOIP.

Let us now turn to discuss employers who are covered by FOIP, LA FOIP or The Health Information Protection Act (HIPA).

Can an employer ask an employee whether they have received the vaccination for COVID-19?

Some employers may be considering whether they will require their employees to receive the vaccine or provide a vaccination certificate for COVID-19. Employers have an obligation, within reasonable limits, to make the workplace safe to work in. The Saskatchewan Employment Act provides:

General duties of employer

3‑8 Every employer shall:

(a) ensure, insofar as is reasonably practicable, the health, safety and welfare at work of all of the employer’s workers;

(h) ensure, insofar as is reasonably practicable, that the activities of the employer’s workers at a place of employment do not negatively affect the health, safety or welfare at work of the employer, other workers or any self-employed person at the place of employment; and

Each employer will have to make a fundamental decision as to whether they need all employees to receive the vaccine or provide a vaccination certificate to make the workplace safer.

Prior to considering what privacy legislation might apply, employers need to seriously consider whether they want to require employees to receive the vaccine or provide a vaccination certificate. Because these vaccines are new, there will be questions about their use and effectiveness. There may be workplaces where social distancing, wearing masks and washing hands may be determined to be sufficient protection. These are considerations for the employer. Requiring employees to receive the vaccine is a fundamental issue and can be controversial. Requiring proof that an employee has received the vaccine is less controversial, but does have privacy implications. It gets us into the issue of whether employers can or should require medical tests in the workplace. There has been considerable debate and court challenges over testing for drugs in the workplace. This is a particularly challenging issue for hospitals, medical clinics, long-term care and group homes. Employers need to know that requiring employees to receive the vaccine or provide a vaccination certificate might result in a court challenge.

The OPC in “A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century” stated:

Following the enactment of the Canadian Charter of Rights and Freedoms in 1982, the Supreme Court of Canada formulated a methodological test to determine whether the violation of a Charter right is nonetheless justifiable in a free and democratic society. Stemming from the case R. v. Oakes, this became known widely as the Oakes test. It requires:

  • Necessity: there must be a clearly defined necessity for the use of the measure, in relation to a pressing societal concern (in other words, some substantial, imminent problem that the security measure seeks to treat),
  • Proportionality: that the measure (or specific execution of an invasive power) be carefully targeted and suitably tailored, so as to be viewed as reasonably proportionate to the privacy (or any other rights) of the individual being curtailed,
  • Effectiveness: that the measure be shown to be empirically effective at treating the issue, and so clearly connected to solving the problem, and finally,
  • Minimal intrusiveness: that the measure be the least invasive alternative available (in other words, ensure that all other less intrusive avenues of investigation have been exhausted).

The balance of this Advisory presumes an employer has made the decision to require vaccinations and understands the legal risks of a challenge, but intends to proceed.

What questions might an employer ask?

If an employer decides to require vaccinations, what questions might the employer be asking? Possible questions include:

  • Are you planning to get vaccinated?
  • When will you receive your first injection?
  • Have you received your first injection?
  • When will you receive your second injection?
  • Have you received your second injection?
  • Do you have a vaccination certificate?
  • Will you show me a vaccination certificate?
  • Will you provide me with a vaccination certificate?

The least intrusive approach would be that an employer requests, “Please show me your vaccination certificate”. The employer looks at the certificate and does nothing else. Slightly more intrusive would be where the employer checks off on an employee list that this employee has a vaccination certificate.

What questions might be asked in a pre-employment interview?

The above questions could be asked of existing employees. Another question is what employers might want to ask of people applying for a job. Employers will need to decide whether to ask any of these questions at all.

What privacy legislation might apply?

If an employer decides to require the employee to show or provide a vaccination certificate, the employer needs to know what privacy legislation applies. FOIP applies to government institutions which include Crown corporations, boards, agencies and other prescribed organizations. Part IV of FOIP deals with the collection, use, disclosure, storage and protection of personal information.

LA FOIP applies to local authorities which include cities, towns, villages, municipalities, universities and the Saskatchewan Health Authority. Part IV of LA FOIP deals with the collection, use, disclosure, storage and protection of personal information.

HIPA applies to health trustees which include government institutions, the Saskatchewan Health Authority, a licenced personal care home, a health professional licenced under an Act, a pharmacy, and licenced medical laboratories with custody or control of personal health information. Parts III and IV of HIPA deal with collection, use, disclosure, storage and protection of personal health information.

If an employer falls into one of the above categories, then that particular statute will apply to the collection, use, disclosure, storage and protection of personal information/personal health information. To be sure, an employer should check each of the Acts to see if it has any application to it. If in doubt, the employer should obtain legal advice.

Regulations under each of the Acts can also prescribe the organizations that are government institutions, local authorities or health trustees.

The Privacy Act may allow a lawsuit where a business, community based organization, employer or health trustee has breached someone’s privacy.

A further issue is whether, after the employee has received the vaccine, the employee is required to show or provide proof of vaccination. Will the employer accept the employee’s word that the vaccination was taken? If the employee is required to provide proof, will the employer visually examine it or make a copy of it? If so, by whom and for what purpose? If a copy is made, the record may be accessible under HIPA, FOIP or LA FOIP.

If an employer is in doubt regarding requiring employees to get vaccinated or requiring a copy of the vaccination certificate, the employer should obtain legal advice.

What is the purpose of the employer asking whether an employee has gotten a vaccine or requiring a vaccination certificate?

Before embarking upon requiring vaccinations, the employer must determine the purpose for which it is requiring vaccinations and the purpose for an employee showing or providing a vaccination certificate. Is it to keep the workplace safe? More specifically, is it to prevent COVID-19 being spread from employee to employee, customer or patient? It is important that the employer define the purpose before starting and not change the purpose after starting.

How should employers notify their employees of the purpose?

Employers should be open and transparent. They should advise staff that they will be asking the employee to show or provide the vaccination certificate and inform them of the purpose for so asking. Later, at the showing or providing of the vaccination certificate, tell employees the purpose of the collection, what will be collected, who it will be shared with and how long the information will be stored. Employees will particularly want to know if the employer is sharing the information with other third parties, why and under what legal authority.

The employer can provide other staff with statistical information, such as how many have been vaccinated. The employer should not give out names or identify the ones who were or were not vaccinated as this may be considered a privacy breach.

What information will the employer collect?

Asking an employee whether they have had the vaccination and requesting the showing or providing of a vaccination certificate is a collection of personal information/personal health information. Employers should collect the least amount of information necessary to achieve the purpose. If the employer is comfortable, they could choose to accept the employee’s verbal statement that they have had the vaccination. Alternatively, the employer could ask the employee to show a vaccination certificate, but choose not to make a copy of the vaccination certificate. This is referred to as the data minimization principle, that is, only collect what is needed to achieve the purpose.

What if an employee refuses to be vaccinated?

If an employee refuses to get the vaccination, refuses to confirm that they had the vaccination or refuses to show or provide a vaccination certificate, employers will need to decide whether they will require the employee to wear a mask at work, stay home and self-isolate, send the employee home without pay or end the employment relationship.

Can the employer use the information for any other purpose?

The employer must determine its authority to collect for a defined purpose, and only collect personal information/personal health information for that purpose. This may include the employee providing the information for that purpose (indicating they had a vaccination and showing or providing a vaccination certificate). The employer should check the relevant legislation before using that information for any other purpose without getting the consent of the employee.

Who can the employer share the information with?

Since the employer has collected the information that the employee has received the vaccination or refused to get it, the employer needs to determine who in the organization needs to know. If the employee gets the vaccination, very few people need to know, but the employer can provide statistical information as to how many employees have received the vaccination. If the employee refuses to get the vaccination and is sent home, very few people need to know. Like other sensitive health information, it is confidential; the employer should prohibit supervisors and HR employees from sharing the information with other staff. This does not prevent an individual employee from alerting others around them that they have been vaccinated (sticker, badge, lanyard, headband). An employer could promote this, but should not make it mandatory.

Where does an employer store this information?

The choices are storing it on the employee’s HR personnel file, storing it on the employee’s separate health information file, or storing it in a separate folder for all employees containing all information regarding vaccination of employees or refusal to vaccinate. There is probably no need to store it anywhere else.

The information the employer has collected must be stored in a secure place. Once the employer collects personal information/personal health information about an employee, it is the employer’s obligation to ensure it is protected and only those with a need-to-know should be able to access it. Possibly the best practice is to set up a separate employee file to contain any personal health information collected. That would include COVID-19 vaccination and testing information.

Is an employer obliged to secure the information?

Under privacy legislation, there is an obligation for an employer to protect and secure the information collected and stored. If an employer is not subject to privacy legislation, best practice would suggest the information be protected. Other resources have made suggestions on securing information and a few tips are given by the British Columbia Information and Privacy Commissioner.

Your organization must make reasonable security arrangements to protect personal information in its custody or under its control. For example, if the collected information is in paper form, it should not be left in a publicly accessible area. Rather, it should be stored in a locked file cabinet. If you are storing the list on a computer, make sure the computer is password protected, encrypted, and on a secure network. Position computer monitors so that personal information displayed on them cannot be seen by visitors.

When should the employer destroy the information?

How long is an employer going to keep this information? Will it get destroyed in accordance with the employer’s destruction of documents policy? Should it have a special destruction period, shorter than the normal? Could it or should it be destroyed within six months? Employers need to decide whether they will develop a policy including destruction guidelines. Maybe the information collected can be destroyed earlier than an employer’s standard procedure.
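The following is an added example, not part of the Commissioner’s advisory or any OIPC material. It shows how the storage, need-to-know and destruction principles from the preceding sections can be enforced in software rather than left to policy alone: the register keeps only the fact that a certificate was shown and the date, never a copy of the certificate or any other health detail; individual status is readable only by an assumed `hr_manager` role; everyone else gets an aggregate count; and records are destroyed after an assumed 180-day retention period or when the register is decommissioned. The role name, employee IDs and retention period are assumptions chosen for the illustration.

```python
"""Minimal vaccination-attestation register (illustrative, not OIPC code).

Demonstrates data minimisation, need-to-know access and retention-based
destruction for the vaccination-certificate scenario in the advisory.
Role names, employee IDs and the 180-day retention period are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, Union

DateLike = Union[date, str]


class PermissionDenied(Exception):
    """Raised when a role outside the need-to-know set asks about an individual."""


def _as_date(value: DateLike) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


@dataclass(frozen=True)
class Attestation:
    """The only thing stored: that a certificate was shown, and on what day.

    No copy of the certificate, no injection dates, no product names: the
    employer saw the certificate and ticked a box (data minimisation).
    """
    employee_id: str
    shown_on: date


@dataclass
class VaccinationRegister:
    purpose: str = "workplace COVID-19 safety"               # fixed before any collection
    retention_days: int = 180                                # assumed six-month retention
    need_to_know: FrozenSet[str] = frozenset({"hr_manager"}) # assumed role name
    _records: Dict[str, Attestation] = field(default_factory=dict)

    def _require(self, role: str) -> None:
        """Gate every individual-level read or write on the need-to-know roles."""
        if role not in self.need_to_know:
            raise PermissionDenied(f"role {role!r} is not need-to-know for {self.purpose!r}")

    def record_shown(self, role: str, employee_id: str, shown_on: DateLike) -> None:
        """Record that the employee showed a certificate; nothing else is collected."""
        self._require(role)
        self._records[employee_id] = Attestation(employee_id, _as_date(shown_on))

    def has_shown(self, role: str, employee_id: str) -> bool:
        """Individual status is visible only to need-to-know roles."""
        self._require(role)
        return employee_id in self._records

    def statistics(self) -> Dict[str, int]:
        """Aggregate count only, no names: safe to share with all staff."""
        return {"attested": len(self._records)}

    def purge_expired(self, today: DateLike) -> int:
        """Destroy records older than the retention period; return how many were destroyed."""
        cutoff = _as_date(today) - timedelta(days=self.retention_days)
        expired = [eid for eid, rec in self._records.items() if rec.shown_on < cutoff]
        for eid in expired:
            del self._records[eid]
        return len(expired)

    def decommission(self) -> int:
        """Destroy everything, e.g. once the purpose no longer applies; return count destroyed."""
        count = len(self._records)
        self._records.clear()
        return count


if __name__ == "__main__":
    # Constructed sample data for a quick run.
    reg = VaccinationRegister()
    reg.record_shown("hr_manager", "E-1001", "2021-03-01")
    reg.record_shown("hr_manager", "E-1002", "2021-06-01")
    print(reg.statistics())                       # {'attested': 2}
    print(reg.purge_expired("2021-09-01"))        # 1 (E-1001 is past 180 days)
    print(reg.statistics())                       # {'attested': 1}
```

The design choice worth noting is that the minimisation is structural: there is no field in which a copy of the certificate or an injection date could be stored, so a later change of purpose cannot quietly widen the collection. Purging is driven by the recorded date rather than by an operator remembering to delete, which is the gap the retention question above is pointing at.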

Do employers need to develop a policy on COVID-19 vaccinations?

Once an employer has made a decision, the employer should consider developing a policy. In normal times, my office would recommend a privacy impact assessment (PIA). In these unique times, an employer might move very quickly and my office would still recommend either a shortened version of a PIA or a policy statement regarding COVID-19 vaccinations. Whatever the form of the document, it should contain:

  • authority for the collection;
  • a statement of the purpose;
  • a statement as to whether employees will be asked to show a vaccination certificate;
  • a statement on possible actions taken based on whether the employee has the vaccination or not;
  • a statement on where information will be stored;
  • a statement as to who it will be shared with (with public authorities or not); and
  • a statement on when the information will be destroyed.

Can a public body ask visitors whether they have had a vaccination for COVID-19?

Public bodies (government institutions and local authorities) have carried on their activities during the pandemic. As much as possible, communications have shifted to emails and telephone calls, but it is still possible that citizens or patients will attend at a public body’s front door or reception area. The question arises, can those public bodies ask questions about receipt of a vaccination for COVID-19? Secondly, can public bodies insist on seeing a vaccination certificate? If a public body decides to ask the citizen or patient whether they had a vaccination, then many of the questions raised above would apply. Of course, public bodies considering this issue should think about obtaining legal advice.

Can a health trustee ask whether patients or employees received a vaccination for COVID-19?

Health trustees are subject to HIPA. That Act contains principles similar to FOIP and LA FOIP when it comes to collection, use, protection or disclosure of information (in this case personal health information). Many of the questions posed and answered above will apply to health trustees.

Conclusion

The principles are simple: establish the purpose and authority, collect the least amount of information to meet the purpose, share it only with those who need-to-know, store it, keep it secure and destroy it when no longer needed. This is good advice whether a business, non profit, employer or health trustee is subject to privacy legislation or not.

The Information Commissioner’s Office in Great Britain has issued a document regarding “work testing – guidance for employers”. Although British legislation is different from the legislation in Saskatchewan, the principles set out are good ones and may have some application to public bodies and health trustees in Saskatchewan.

Ronald J. Kruzeniski, Q.C.
Information and Privacy Commissioner

Media contact:
Julie Ursu
jursu@oipc.sk.ca

UPDATED: IPC Advisory on questions regarding vaccines for organizations, employers and health trustees

Additional Resources 

UK Information Commissioner Office:
Data protection and coronavirus – advice for organizations
Data protection and coronavirus – six data protection steps for organizations
Health, social care organisations and coronavirus – what you need to know

Alberta Office of the Information and Privacy Commissioner:
Pandemic FAQ:  Customer Lists

British Columbia Office of the Information and Privacy Commissioner:
Collecting Personal Information at Food and Drink establishments, gatherings, and events during COVID-19

Ontario Office of the Information and Privacy Commissioner:
COVID Alert and Your Privacy

UPDATED – Can You Bring an Action or Class Action for the Tort of Violation of Privacy in Saskatchewan?

I was asked whether a person could sue or be part of a class action in Saskatchewan for a breach of privacy. The Privacy Act provides in section 2, that it is a tort, actionable without proof of damage, for a person willfully and without claim of right, to violate the privacy of another. In section 7, the Court can award damages, grant an injunction or any other remedy. In section 8, the right to sue is in addition to any other rights the plaintiff has.

In 2018, the Legislative Assembly amended The Privacy Act to allow an action to be brought for the tort of distributing an intimate image of another person without that other person’s consent. In addition, the amendment allowed a person to sue in small claims court or Queen’s Bench. Thus, an action for violation of privacy could occur in Saskatchewan.

A recent case under The Privacy Act is Bierman v Haidash, 2021 SKQB 44. The Court of Queen’s Bench for Saskatchewan ordered damages of $7,500 and costs of $3,000 against the defendant. The judge stated at paragraph [78]:

[78] …A helpful discussion of damages awarded by Canadian courts is found in Getting to Damages in the Health Information Privacy Context: Is the Cost Worth the Damage? by Liam O’Reilly (April 11, 2016) (CanLII). He writes that despite increased public concern over privacy violations, courts have generally relegated privacy breaches to the lower end of the damages spectrum.

[79] The author opines that the courts’ reluctance to award more substantial damages for violation of privacy does not reflect society’s growing concern over privacy. He states that more emphasis should be placed on compensating violations of dignity as opposed to actual harm that is often psychological and troublesome to assess or quantify. The author notes that s. 6(1) of the Saskatchewan Act, among the other Canadian Acts, is the most generic in its approach in setting out certain criteria to assess damages, noting the Act’s direction to assess the relationship between the victim and the tortfeasor and the expectation of privacy in the circumstances.

[80] The author then recognizes that the bulk of privacy breach jurisprudence has arisen in British Columbia. At the time he wrote, no damages for privacy violation had been awarded in other provinces with a statutorily created tort (Newfoundland, Saskatchewan or Manitoba). The author then provides a detailed and helpful summary of several decisions from British Columbia with damages ranging from a low of $50.00 (Fillion v Fillion, 2011 BCSC 1593 [Fillion]) to a high of $60,000.00 (L.A.M. v J.E.L.I., 2008 BCSC 1147). The cases at the higher end attracted punitive damages and involved plaintiffs being spied upon in a private washroom (Malcolm v Fleming, [2000] BCJ No 2400 (QL) – $50,000.00 damages); watched in a bedroom through a hole cut in the wall above the bed, concealed on the inside by a two-way mirror (Lee v Jacobson (1992), 87 DLR (4th) 401 (BCSC) – $36,000.00 damages); intercepting and recording phone calls and providing them to the person’s employer resulting in dismissal (Watts v Klaemt, 2007 BCSC 662, [2007] 11 WWR 146 – $36,000.00 damages). The lower end of awards involved reading and copying personal documents (Fillion – $50.00 damages); sending bank statements to an ex-spouse’s address allowing him to use the information to harass her (Albayate v Bank of Montreal, 2015 BCSC 695 – $2,000.00 damages); communicating between financial institutions and revealing confidential information (B.M.P. Global Distribution Inc. v Bank of Nova Scotia, 2005 BCSC 1091, 8 BLR (4th) 247 – $2,500.00 damages); photographing persons in their back yard and aiming video surveillance cameras at the windows of their home (Wasserman v Hall, 2009 BCSC 1318, 87 RPR (4th) 184 – $3,500.00 damages); installing close-imaging cameras in a hallway outside of apartments (Heckert v 5470 Investments Ltd., 2008 BCSC 1298, 299 DLR (4th) 689 – $3,500.00 damages).

[81] In Ontario, which does not have a statutorily created tort, the Court of Appeal found that using a workplace computer to access bank accounts of her partner’s spouse at least 174 times was actionable under the developing tort of intrusion upon seclusion (Jones v Tsige, 2012 ONCA 32, 346 DLR (4th) 34) and awarded $10,000.00 in damages.

[82] Within the context of these decisions and considering the factors set out in s. 6(1), the court finds that Dr. Haidash’s inquiry into any database of persons who were not his patients cannot be justified. Not only did he inquire into Ms. Bierman’s profile, he inquired into several other persons who were not his patients. Health information is highly private. Physicians, more than anyone, should appreciate this truism. …

[83] The court recognizes that Dr. Haidash should receive a firm message from the court that he did not show the expected care he ought to have shown to accessing anyone’s health records for a purpose other than for the benefit of a patient.

The court also recognizes that Dr. Haidash has already been subject to the scrutiny and disapproval of the College of Physicians and Surgeons and the Privacy Commissioner.

This case clearly signals that suing for a breach of privacy under The Privacy Act can result in an award for damages.

Could persons sue in a class action?  

The Class Actions Act sets out the rules and procedures for commencing a class action. Such an action has to be certified by the Court of Queen’s Bench. If certified, a class action or multi-jurisdictional class action for a tort of breach of privacy could proceed in this province.

FOIP, LA FOIP and HIPA

The Freedom of Information and Protection of Privacy Act (FOIP) gives citizens certain rights to access information held by government institutions. The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) does the same for information held by local authorities (e.g. cities, towns, villages and other municipalities; school and library boards; the U of S and U of R; the Saskatchewan Health Authority; and police services). The Health Information Protection Act (HIPA) applies to trustees and gives individuals the right to access their personal health information. The rights and remedies under these Acts do not affect the right to bring an action under The Privacy Act.

The Information and Privacy Commissioner (IPC) process is completely separate from a lawsuit for breach of privacy. The IPC may undertake a breach of privacy investigation under FOIP, LA FOIP or HIPA, but the IPC cannot award damages; there is no monetary remedy available through the IPC process.


Including names on municipal maps – can the complicated be made simple?

I grew up on a farm and know how isolated you are out there. Most neighbors are out of eyeshot and earshot and though some know when you are away, you hope it isn’t common knowledge as you most likely will end up with something stolen from your property, gas being one of the most coveted items.

The reason I bring this up is that our office recently hosted a number of webinars on the application of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and the topic of access to municipal maps came up. What is interesting is that almost every municipality seems to be using them for a different purpose, and none are sure whether or not to include names on them. For example, one informed me that, “[o]ur RM Maps have been available for purchase by the public prior to 1993. They were typically purchased for assessment information, landowner name information, roads and lakes in the area.” I was also told hunters are interested in the information because they need to seek consent from the owner in order not to break trespassing laws.

In reviewing one of these maps, I noticed that in some cases, the name is that of a business, not a person. In assessing risks to privacy, you always need to start with the question, “is there personal information involved about an identifiable individual?” A business or company, although having an interest in confidentiality, has no privacy protection under LA FOIP. What property a person owns or where a specific person lives, I would expect to be personal information pursuant to subsections 23(1)(e) and 23(1)(j) of LA FOIP. A home address/location is arguably more sensitive.

As soon as you have determined that you have personal information, you need to know what your authority is to collect it, to use it internally and to disclose it to others. Based on the questions I received, I don’t think this has been well established. For example, are you required to prepare these maps because of a provision in another law, or are the maps assembled primarily for the municipality’s internal purposes? Section 24 of LA FOIP allows for collection of personal information if it relates to an existing or proposed program or activity of the local authority.

If you are using the information on the map for the same purpose that it was originally obtained or the use is consistent with that purpose, then you probably have authority to use it. However, disclosure to external individuals is a different matter, especially if the reasons external parties want it varies.

If you are looking for authority to disclose personal information to a third party, you need to see whether any provision in subsection 28(2) of LA FOIP, section 10 of the LA FOIP Regulations or another law applies. If you can’t find the authority, then you likely do not have authority to disclose it, and doing so would result in a privacy breach.

The analysis doesn’t end there. I’m assuming that there are old maps and as details change (i.e. owners, assessed values), the maps are updated. How far back does the practice of collecting and assembling these maps go? And, how were they made available? Did the practices change over time? Why is that important?

Consider whether sections 3 or 4 of LA FOIP would have any application. If the municipality has always made this type of information available for purchase or has historically made it readily available to others outside the municipality, then it could be argued that the privacy provisions of LA FOIP do not apply. Over the years, though, I think it is reasonable to conclude that practices have shifted in terms of who seeks what information, why, and how it is made accessible. For example, if in the old days the map was simply tacked to a wall that you could only see if you walked into the office, access was restricted, so the information was not really publicly available. Now, everyone wants access to the information on websites or platforms that can readily be mined and used to create dossiers on individuals. When information is collected for one purpose but used for another, unrelated purpose, we call that function creep. It is a practice to be avoided.

It has been suggested to me that because information may be available from the assessment/tax roll, that it could be available for other purposes at other times. Subsection 213(1) of The Municipalities Act clearly limits when and how access to that information is provided and is for a specific purpose. Opening it for other purposes might not be found to be appropriate if not for a consistent purpose. This however has not been tested to my knowledge.

Finally, in terms of what else is open for public inspection, I note the list in subsection 117(1) of The Municipalities Act does not include municipal maps.

I’ve been told there isn’t a specific address on the map, but the map is after all a map. If there is a little square on the location, that is where the person most likely lives. The mailing address for my parents is less sensitive than this little square on the map with their name beside it because it is a box number in town.

I’ve heard some people want their names removed, so clearly some are concerned about this type of information being publicly available. And, I think from what we saw in the news recently with protestors outside our provincial Chief Medical Health Officer’s family home, finding out where someone lives can be used for unintended purposes.

Even after all this, if you decide that including personal information on municipal maps is the way to go for your municipality, remember that if a complaint comes to our office, you will have to demonstrate how you arrived at the conclusion that releasing it is authorized, and by what legal instrument(s).

And, after all, I am informed that much of what is accessible on the municipal maps is already available from other sources. If individuals are motivated enough, they can seek the information they need for their own purposes, whether it be from land titles or other sources. I propose that instead of navigating all of the above, if after deciding these maps are still worth the effort, maybe consider a new practice; asking individuals if they want their names on the map or not. Consent, after all, is the gold standard and simplifies everything.

Alternatively, the best and safest practice would be to produce the maps without any individual names. Company names could be included, but why not publish the maps with no owners’ names at all? Also, publish the maps with the least amount of additional information. For example, is it necessary to indicate that there is a residence on a particular quarter of land? I leave that up to you to decide.


Who’s minding the storage? Data privacy and Saskatchewan schools

A school division holds what may be the largest store of significant personal data about any individual child that can be found in one location. Parents and guardians are compelled by law to send their children to school, and parents are legally required to provide the school with significant amounts of personal information about their children, and about themselves.

In addition to creating attendance reports and grades, schools often need to collect detailed medical information about both physical and mental health issues of students; personal information about family members, possibly including income and criminal records; details of custody and access issues; and the history of interactions with social services and the justice system. That is not to mention all the personal information voluntarily shared by parents and students with teachers, counsellors and other staff in emails, texts, etc.

As a result, the onus on school divisions to protect student data is extremely high. However, school divisions do not have separate budgets for privacy issues. They have privacy policies but it is usually a staff member, working off the side of their desk, who deals with both privacy and access with little or no formal training in the area. Schools and school divisions understand the need for privacy, but how to keep data secure in order to ensure privacy is sometimes a more difficult process to pin down.

Nevertheless school divisions can put in place practices to assist them in meeting the onus to protect student data, including but not limited to: keeping procedures and practices up to date; allocating resources – time and money – to appropriate security practices; having IT and learning services work together on data security issues; addressing privacy and data security in contracts; including data security as part of digital education for students; providing references to resources for parents; and ensuring that staff have adequate training at both central office level and at the school level.

In the classroom, teachers should consider data security when students access sites, apps, etc. At minimum, the student and/or teacher should be able to answer the following: What personal data is being collected? Who will own the data? Who will have access to the data? How long will the data be retained? Does the student have the right to get the data removed?

Data security must not, however, be the sole concern of the school division.

The Ministry of Education in Saskatchewan is encouraging and supporting school divisions to move to MySchoolSask, a provincial record keeping system for student data that will replace local division systems. In addition, the Ministry requires school divisions to provide significant amounts of student data to the Ministry. The Ministry must ensure that systems and procedures and contracts are in place to protect student data at both the provincial and division level. This can include appropriate funding and education of staff.

Parents must know or ask questions about why and how the data of their children is being collected, used, stored and disposed of. They must educate themselves, and help to educate their children, about the risks of and the defences to misuse of data. Resources available or referenced on school division websites should be reviewed. Parents can also hold the school division to account and, when applicable, work with the school division to hold the Ministry to account.

School divisions need to know a lot about their students. Collecting data that is necessary to help students fully access education services should not be compromised by concerns about data security. This can best be accomplished if all those involved in education work together to ensure the security of student data.

Saskatchewan IPC finds ransomware attack results in one of the largest privacy breaches in this province involving citizens’ most sensitive data

An investigation by the Information and Privacy Commissioner of Saskatchewan has found that eHealth Saskatchewan (eHealth), the Saskatchewan Health Authority (SHA) and the Ministry of Health (Health) were the victims of a ransomware attack in late December 2019 and early January 2020, resulting in one of the largest privacy breaches in this province.

On December 20, 2019, an SHA employee opened an infected Microsoft Word document from their personal email account on their personal device while the personal device was being charged by a USB cord on their SHA workstation. The infected Microsoft Word document triggered the execution of ransomware on the workstation and a multi-phase exploit took place between December 20, 2019 and January 5, 2020. This ultimately led to a Ryuk ransomware attack on January 5, 2020, where the attackers made a ransomware demand. The attack affected fileshares with eHealth, the SHA and Health due to the shared infrastructure on which the fileshares reside.

On January 21, 2020, eHealth discovered that files were disclosed to malicious internet protocol (IP) addresses in Germany and the Netherlands. In total, approximately 40 gigabytes of encrypted data was extracted.
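The exfiltration of roughly 40 gigabytes to two foreign addresses was discovered on January 21, more than two weeks after the ransom demand. As an added example, not taken from the Commissioner’s report and not a description of eHealth’s environment or tooling, the Python below shows the kind of egress-volume check that surfaces such a transfer while it is still running: it sums outbound bytes for each internal source and external destination over a sliding 24-hour window and alerts when a destination that is not on an allowlist receives more than a threshold. The RFC 1918 internal ranges, the single approved backup destination, the 5 GiB threshold, the key=value flow format and every flow record are constructed for the example; the external addresses come from the documentation ranges (TEST-NET-1, -2 and -3).

```python
"""Egress-volume detection over flow records: per (internal source,
external destination) pair, sum outbound bytes in a sliding window and
alert above a threshold unless the destination is allowlisted.
Added illustration; ranges, threshold, log format and records are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


# Assumption: the organisation's internal address space is RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: one contracted offsite backup endpoint may legitimately receive bulk data (TEST-NET-3).
APPROVED_BULK_DESTINATIONS = {"203.0.113.10"}
THRESHOLD_BYTES = 5 * 2**30      # 5 GiB per pair per window; tune to the environment's baseline
WINDOW = timedelta(hours=24)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Flow:
    """Parse one record in the constructed format:
    2020-01-05T01:00:00Z src=10.20.1.15 dst=198.51.100.23 dport=443 bytes_out=536870912"""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Flow(ts, kv["src"], kv["dst"], int(kv["dport"]), int(kv["bytes_out"]))


def detect_bulk_egress(flows, threshold=THRESHOLD_BYTES, window=WINDOW):
    """Return one alert per (src, dst) pair whose outbound volume exceeds
    `threshold` within any span of length `window`."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst) and f.dst not in APPROVED_BULK_DESTINATIONS:
            by_pair[(f.src, f.dst)].append(f)
    alerts = []
    for (src, dst), recs in by_pair.items():
        recs.sort(key=lambda f: f.ts)
        start, total = 0, 0
        for end, f in enumerate(recs):
            total += f.bytes_out
            while f.ts - recs[start].ts > window:   # drop records that fell out of the window
                total -= recs[start].bytes_out
                start += 1
            if total > threshold:
                alerts.append({"src": src, "dst": dst, "bytes": total,
                               "first_seen": recs[start].ts, "last_seen": f.ts})
                break   # one alert per pair is enough to start an investigation
    return alerts


def build_sample_log() -> list[str]:
    """Constructed flow records (not from the incident) covering each branch."""
    def rec(ts, src, dst, nbytes):
        return f"{ts:%Y-%m-%dT%H:%M:%SZ} src={src} dst={dst} dport=443 bytes_out={nbytes}"
    t0 = datetime(2020, 1, 5, 1, 0, tzinfo=timezone.utc)
    lines = []
    # 12 x 512 MiB in under three hours to an unapproved external host: should alert
    lines += [rec(t0 + timedelta(minutes=15 * i), "10.20.1.15", "198.51.100.23", 512 * 2**20) for i in range(12)]
    # 10 x 1 GiB to the approved backup endpoint: allowlisted, no alert
    lines += [rec(t0 + timedelta(minutes=10 * i), "10.20.1.15", "203.0.113.10", 2**30) for i in range(10)]
    # 6 x 1 GiB, one every 12 hours: never more than 3 GiB in any 24 h window, no alert
    lines += [rec(t0 + timedelta(hours=12 * i), "10.20.1.16", "198.51.100.23", 2**30) for i in range(6)]
    # 20 GiB to an internal file server: internal traffic is out of scope for this check
    lines += [rec(t0, "10.20.1.15", "10.30.0.5", 20 * 2**30)]
    # small external transfers well under the threshold
    lines += [rec(t0 + timedelta(minutes=i), "10.20.1.15", "192.0.2.44", 100 * 2**20) for i in range(3)]
    return lines


def run_demo():
    return detect_bulk_egress(parse_flow(line) for line in build_sample_log())


if __name__ == "__main__":
    for a in run_demo():
        print(f"ALERT {a['src']} -> {a['dst']}: {a['bytes'] / 2**30:.1f} GiB "
              f"between {a['first_seen']:%Y-%m-%d %H:%M} and {a['last_seen']:%H:%M} UTC")
```

Run directly, the sample produces exactly one alert, for the host that moved 5.5 GiB to 198.51.100.23 in under three hours; the slow 1 GiB-per-12-hours pattern stays under the threshold and illustrates why a per-pair volume check should be paired with a longer-horizon baseline rather than relied on alone. Geolocation of the destination (the report notes Germany and the Netherlands) is omitted because it needs an external database; in practice it would be one more enrichment field on the alert.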

Through its investigation, eHealth advised my office that the affected servers contained approximately 50 million files across eHealth, the SHA and Health. eHealth conducted a metadata scan of those 50 million files and identified that approximately 5.5 million of those files may contain personal information and personal health information. eHealth developed a tool to scan the 5.5 million files and that tool identified a total of 547,145 files that potentially contain personal information and/or personal health information.

As there were a minimum of 547,145 files containing personal information and/or personal health information exposed to the ransomware (possibly more depending upon the accuracy of the tool developed by eHealth), the Commissioner concluded that personal information and personal health information of citizens of Saskatchewan was either exposed to the malware or maliciously stolen from eHealth, the SHA and Health.
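The two-stage scoping described above, a metadata pass that narrowed 50 million files to 5.5 million candidates and a content pass that flagged 547,145 of those, is the standard shape of breach-scope triage. The Python below is an added illustration of that pattern; it is not eHealth’s tool, which is not public. The file-type and size heuristics, the labelled identifier formats (a nine-digit health number following an “HSN” label, a Canadian SIN validated with the Luhn checksum, a labelled date of birth, an email address), the flagging rule and the sample files are all assumptions constructed for the example. The Commissioner’s caveat about the accuracy of such a tool applies equally here: labelled patterns miss unlabelled data, and nothing is found inside scanned images, password-protected documents or encrypted archives without a separate extraction step.

```python
"""Two-stage triage of a file tree for personal information (PI) and
personal health information (PHI): a cheap metadata pass narrows the
candidate set, then a content pass scans only those candidates.
Added illustration; indicator formats, heuristics and sample data are assumptions."""
import re
import tempfile
from pathlib import Path

# Stage 1 heuristics (assumed): only document-like files of sane size get a content scan.
CANDIDATE_EXTENSIONS = {".txt", ".csv", ".log", ".json", ".xml", ".doc", ".docx", ".xlsx", ".pdf"}
MAX_SIZE_BYTES = 50 * 1024 * 1024

# Stage 2 indicators. Labels keep false positives down; the nine-digit health
# number format and its "HSN" label are assumptions for illustration.
HEALTH_NUMBER = re.compile(r"\b(?:HSN|Health Services Number)\b[:#\s]*(\d{3}[ -]?\d{3}[ -]?\d{3})\b", re.I)
SIN_CANDIDATE = re.compile(r"\b(\d{3})[ -](\d{3})[ -](\d{3})\b")   # SINs are usually written 3-3-3
DOB = re.compile(r"\b(?:DOB|Date of Birth)\b[:\s]*\d{4}-\d{2}-\d{2}", re.I)
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; a Canadian SIN satisfies it, so 3-3-3 numbers that fail are just numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def metadata_candidates(root: Path) -> list[Path]:
    """Stage 1: walk the tree and keep only files worth a content scan."""
    return [p for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in CANDIDATE_EXTENSIONS
            and p.stat().st_size <= MAX_SIZE_BYTES]


def scan_content(text: str) -> dict[str, int]:
    """Stage 2: count indicator hits in one file's text."""
    sins = sum(1 for m in SIN_CANDIDATE.finditer(text) if luhn_valid("".join(m.groups())))
    return {"health_number": len(HEALTH_NUMBER.findall(text)), "sin": sins,
            "dob": len(DOB.findall(text)), "email": len(EMAIL.findall(text))}


def is_flagged(hits: dict[str, int]) -> bool:
    """One strong identifier, or two weaker indicators together, flags the file (assumed rule)."""
    strong = hits["health_number"] + hits["sin"]
    weak = hits["dob"] + hits["email"]
    return strong >= 1 or weak >= 2


def triage(root: Path) -> dict:
    """Run both stages; return counts plus per-file findings for the flagged set."""
    all_files = [p for p in root.rglob("*") if p.is_file()]
    candidates = metadata_candidates(root)
    flagged = {}
    for path in candidates:
        # errors="ignore" tolerates binary-ish Office/PDF bytes; real tooling would extract text first
        hits = scan_content(path.read_text(encoding="utf-8", errors="ignore"))
        if is_flagged(hits):
            flagged[path.relative_to(root).as_posix()] = hits
    return {"total_files": len(all_files), "candidates": len(candidates), "flagged": flagged}


def build_sample_tree() -> Path:
    """Constructed sample data (not from the incident) exercising each branch."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    samples = {
        "clinic/patient_report.txt": "Patient: J. Doe\nHSN: 123456789\nDOB: 1980-04-12\n",
        "hr/payroll.txt": "Employee 17, SIN 046 454 286, pay period 12\n",   # Luhn-valid test SIN
        "hr/reference_numbers.txt": "Ref 123 456 789 closed\n",               # 3-3-3 but fails Luhn
        "comms/newsletter.txt": "Questions? Write to info@example.org\n",     # one weak indicator only
        "it/build.log": "Build OK, 42 tests passed\n",
    }
    for rel, body in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")
    (root / "media").mkdir()
    (root / "media" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)   # dropped by stage 1
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    print(f"{report['total_files']} files, {report['candidates']} candidates, "
          f"{len(report['flagged'])} flagged")
    for name, hits in report["flagged"].items():
        print(f"  {name}: {hits}")
```

Run directly, it builds the six-file sample tree in a temporary directory, passes five files through the metadata filter and flags two: the labelled health number and the Luhn-valid SIN. The 3-3-3 reference number and the lone email address are left alone, which is the point of checksums and corroborating indicators; in a real estate of millions of files the false-positive rate of the content pass, not its speed, is what decides whether the flagged set is small enough for humans to confirm.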

Through the Commissioner’s investigation, it was discovered that there were three critical opportunities – two by eHealth and one by the SHA employee – where the ransomware could have been detected at an earlier stage. Had these opportunities not been missed, eHealth might have been able to detect the ransomware, shut down its systems and stop the extraction of data.

“eHealth is charged with collecting, storing and protecting the most sensitive health data in our province,” says Information and Privacy Commissioner Ron Kruzeniski. “Each of us has personal health information in eHealth’s systems. It is absolutely reasonable that each citizen demand the very highest level of security on our health information. To accept less is irresponsible.”

The Commissioner found that eHealth failed in fully investigating the two early threat occurrences which may have prevented the malicious extraction of data that followed. He also determined that eHealth did not sufficiently provide notification and that the SHA and Health failed in their notification efforts due to the excessive delay in providing notification. Furthermore, the Commissioner found that the SHA did not provide the employee at the heart of the incident with training on its Acceptable Use of IT [Information Technology] Assets policy.

“Because we are dealing with the most sensitive personal health information, every person who has access to this information needs to be trained, retrained and trained again as to the things they can do and especially the things they cannot do,” says Information and Privacy Commissioner Ron Kruzeniski. “This incident reveals the tremendous cost of one employee doing something and other employees failing to follow up rigorously on the warnings given.”

The Commissioner made a number of recommendations, including:

  • that eHealth undertake a comprehensive review of its security protocols to include an in-depth investigation when early signs of suspicious activity are detected;
  • that the SHA and Health take immediate steps to provide mass notification including media releases, newspaper notices, website notices and social media alerts;
  • that eHealth, the SHA and Health work together and provide identity theft protection, including credit monitoring, to affected individuals for a minimum of five years from the date an affected individual’s information is discovered on the dark web or to any concerned citizen who requests this protection;
  • that eHealth review whether it should have IT security staff in place 24 hours a day, seven days a week to actively monitor and investigate potential threats;
  • that all eHealth and eHealth partners be required to complete cyber security and privacy refresher training on an annual basis; and
  • that the Minister of Health immediately commence an independent governance, management and program review of eHealth based upon the concerns put forward by SaskTel, the Provincial Auditor and this Report.

The Commissioner recognizes that organizations are under continued threat of cyber security attacks. Therefore, the organizations that hold citizens’ most sensitive data must strive to have the best protected systems and the most thoroughly trained employees to mitigate the risk of such attacks succeeding.

The Commissioner acknowledges that, “eHealth, the SHA and Health have begun to take the necessary steps to ensure they are protecting the personal information and personal health information of the citizens of this province.”

Related Documents

Investigation Report 009-2020, 053-2020, 224-2020

Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on eHealth Saskatchewan Potential Privacy Breach – January 16, 2020

Media Contact

Kara Philip (Manager of Communication)
kphilip@oipc.sk.ca
306-798-2260


IPC News Release on Ransomware Investigation Report

I need to do WHAT? Processing your first access to information request

So you just started your new job and you get your first access to information request. You might be asking yourself, what do I do with this thing?, while you toss it to the side and ask questions later. I know the feeling, trust me. What you might not know, is that the clock is ticking on that piece of paper you just tossed among the pile of other priority work you need to complete.

I get it, it’s overwhelming and even more so if you don’t know exactly what your obligations are and where to start. Don’t worry, I’m going to save you some grey hair and from stress eating that box of stale doughnuts sitting on the kitchen counter.

Whether you are subject to The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) or The Health Information Protection Act (HIPA), you have an obligation under section 7 of FOIP/LA FOIP or section 36 of HIPA to process the access to information request, and a duty to assist under section 5.1 of FOIP/LA FOIP or section 35 of HIPA when responding to the applicant. The following will hopefully help you understand your duty to assist when processing access to information requests from the public.

What it is

Check out our office’s resource Understanding the Duty to Assist for a better understanding of a public body’s duty to assist when processing access to information requests.

Below, I’ve set out a five-step process that will hopefully guide you in understanding your duty to assist, along with an overview of how to process an access to information request from start to finish.

Step 1: Access to Information request is received/seek clarification    

  • If the request for information has all the necessary elements required and any applicable fees have been paid, don’t delay, get started right away. Remember, a request does not need to be on the prescribed form, if you have enough information to understand what it is the applicant is wanting access to, you can get started right away and save yourself from breathing into a brown paper bag later when you start running out of time.
  • Seek clarification. If you are unsure what the applicant is wanting or you feel there may be an opportunity to narrow the request, don’t be afraid to call and ask. In my experience, if an applicant is made aware that narrowing their search could speed up the process, they are more than happy to do so. However, ensure that you are both aware that should they want anything and everything, they have the right to ask for it regardless of whether it will be released or not.
  • While you are on the phone with the applicant seeking clarification, explain the process. A quick phone call explaining the process can go a long way. Remember, some applicants aren’t as well versed in the legislation as you and may not know that they need to wait up to 30 days to receive the requested information. If you can advise them of this up front, the chances of them calling you back before the records are ready or making contact with our office will be minimal.

Step 2: Searching for records

  • You may find it helpful to ensure that your office has a strategy for searching for records. If a review is submitted to our office regarding a public body’s or trustee’s search efforts, we will assess whether a thorough search was completed based on the elements found on pages 7-10 in Chapter 3 of our IPC GUIDE TO FOIP. Making thorough search efforts is very important in meeting your duty to assist.
  • Scroll through our resource directory on our website and check out our resource Responsive Records Search Checklist to make sure you’ve completed a thorough search for records.
  • If records pertain to an individual or third party other than the applicant, seek consent to release when appropriate.
  • If you were unable to find the records make sure you send a letter out to the applicant right away advising that either no records exist or that they were unable to be located. If you believe that the records in question may be held by a different organization, there is no harm in referring the applicant elsewhere. You will want to consider whether another public body has a greater interest in the records and transfer the application according to section 11 of FOIP/LA FOIP where applicable. This will need to be done within the first 15 days and notification sent to the applicant.

Step 3: Process the records for release

  • Processing the records for release all at once will not only save you time but will also prevent the applicant from contacting you repeatedly to ask for additional information. Remember, you have 30 days to gather ALL the information they have requested and prepare it for release.
  • When determining what can or cannot be released, you will need to review all the records in your possession, custody or control that are responsive to the request, line by line and determine whether they will be released in full, part, or refused. Our office often gets questions about what information can be released. Unfortunately, we cannot guide you through this as it would affect our ability to remain impartial in the event of a review. The best advice we can give is to ensure that the release of information is in accordance with the legislation and that you have the authority to provide the information or withhold it. If you are unsure about whether you are applying the legislation correctly, you can use our guides to help. The guides will advise you of the tests our office uses if an applicant requests a review of exemptions and how decisions are made as to whether our office agrees with the information being withheld. The guides can be found below. The guide to LA FOIP is still under construction but you can find a lot of the same information in the Guide to FOIP.
  • Prepare an index of records. This will help you stay organized and ensure that you have located all pertinent information related to the original request. See our blog titled Enhancing Efficiencies: Updates to The Rules of Procedure for updates to our office’s Rules of Procedure regarding index of records.

Step 4: Tick, Tock, Tick, Tock, You’re running out of time

  • If you are finding that you are running out of time while processing the request, you may have the ability to issue a notice of extension to the applicant. Extensions can be issued allowing a public body/trustee an additional 30 days to respond to a request. However, you will need to ensure you have the ability to do so under section 12 of FOIP or LA FOIP or section 37 of HIPA. Make sure to send an extension letter to the applicant right away to let them know that you require an additional 30 days to process their request.
  • Remember, extensions can only be granted in specific circumstances and you will need to make the applicant aware of this within the first 30 days.

Step 5: Records are ready for release, responding to the applicant

  • Once the records are ready for release, ensure you have issued a section 7 (FOIP or LA FOIP) or section 36 (HIPA) response to the applicant. The letter should reference the original access to information request and date received by your office, an explanation of the records included (if applicable) and whether they have been issued as full release, partial, or explaining that they are refused. Make sure you have referenced which piece of legislation was used in making your decision for partial release or refusal. In addition, if no records were found or they do not exist, you will need to respond appropriately to the applicant advising them of this outcome. Make sure to include that the applicant has the right to request a review of your decision from our office.
  • If you’ve prepared an index of records, please note that our office will not provide a copy to the applicant unless consent has been provided.
  • If you need help preparing response letters to applicants in accordance with FOIP or LA FOIP, please check out our sample letter templates. You can scroll through, select the letter that best suits your situation and start writing. Wow, what a timesaver!
  • If an applicant has questions about the response that has been provided, do your best to explain the information that was provided and why information may have been withheld, completely or in part, under a certain section of the Act. This too may save you from a review.

I hope these step by step instructions have been helpful in explaining how an access to information request works, your obligations under the applicable legislation and assists you in developing some of your own strategies to help save time and unnecessary stress.

For more information on duty to assist, please check out the following resources below:

In the Door, Out the Door (online training tool developed by the Ministry of Justice’s Access and Privacy Branch)

Understanding the Duty to Assist

IPC Guide to HIPA

IPC Guide to FOIP

IPC Guide to LA FOIP

Deemed refusal of access vs. late response – what is the difference?

Did you know that a late response is different from a deemed refusal of access under The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and The Health Information Protection Act (HIPA), and that both are reviewable issues with our office?

Unless circumstances exist which would extend the response time, such as the request being transferred, a fee estimate being issued or an extension being applied, a public body/trustee has a legislated timeline of 30 days to issue a response to the access to information request that complies with section 7 of FOIP/LA FOIP or section 36 of HIPA. Failure to comply with this 30-day legislated timeline may result in a review by our office.

Deemed Refusal of Access

If no response is received to an access request within the legislated timeline, this is considered a deemed refusal of access. Our Dictionary defines a deemed refusal as occurring when a public body/trustee has not responded to an access request within the legislated 30 days and it is therefore inferred that it will not provide the applicant with the requested information, pursuant to subsection 7(5) of FOIP/LA FOIP or subsection 36(3) of HIPA. An applicant has the right to request a review from our office of why no response was received within the legislated timeline.

When a request for review of a deemed refusal of access is received, our office will first attempt, through early resolution, to facilitate the public body/trustee providing a response. If early resolution is achieved and a section 7/36 response is issued, the deemed refusal itself is resolved because a response has now been provided. That being said, the applicant still has the right to request that our office review the fact that the response was not issued within the legislated timeline.

Review Reports 092-2019, 124-2019 and 144-2017 & 145-2017 are examples in which our office successfully facilitated a response to the applicant and then proceeded with a formal review that included examining why the response was issued after the legislated timeline.

If early resolution is not achieved and we are unable to facilitate a response to the applicant, we can proceed with a formal review of the deemed refusal of access.

Review Reports 152-2020 and 106-2016 are examples in which our office was unable to facilitate a response to the applicant and therefore conducted a formal review of the deemed refusal.

Late Response

If an applicant receives a response that is issued after the 30-day timeline, it is considered a late response. An applicant has the right to request a review from our office of why the response was issued after the legislated timeline, as well as of any concerns with the content of the response.

Review Report 062-2019 is an example in which an applicant requested a review from our office and asked that the lateness of the response be included in the scope of the review.

I hope this information was helpful in distinguishing between a late response and a deemed refusal of access. If you have any questions, please contact our office at intake@oipc.sk.ca.