Why some reviews and investigations cannot pass go (updated)

If you have ever contacted our office regarding a concern with how an organization (government institution, local authority or trustee) has responded to your access to information request or handled your personal information or personal health information, you would have been told that we are an office of last resort. As the oversight body, we are an appeal body. That means that you first must have made the access request to the appropriate body and waited the requisite period of time, usually 30 calendar days, before bringing your concerns to our attention. The same can be said for privacy complaints, for the most part. But even once you submit your request/complaint, we don’t immediately open a file, as we first have to decide whether we can proceed.

What do I mean by that? Firstly, we must have jurisdiction. That is, the organization that your request/complaint is directed to qualifies as a government institution, local authority or trustee. Even if it appears this is the case, we also need grounds to proceed. It is much more straightforward in a review if we have grounds as will be evident from the documentation, but the applicant still needs to point out which issues they want us to consider in the review (i.e., fee estimate, manner of access, search, fee waiver, access denied, time extension). So clearly, providing all the necessary documentation is crucial for us to move forward.

With a privacy complaint, if you believe that an organization has breached your privacy, what you bring to us must be specific and convincing. For instance, what personal information or personal health information is involved? On what day/time did the alleged inappropriate or unauthorized collection, use or disclosure of your personal information or personal health information occur? Who was involved? How do you know that this occurred? What proof do you have that would support your assertions?

In either case, if enough information is not provided even after our intake team intervenes, the request/complaint may be dismissed and no formal review or investigation is undertaken by our office. This could happen too if statutory time limits have expired.

If it looks like our office has jurisdiction and sufficient grounds to go forward with a review or investigation, formal notices to the parties are sent indicating that we are proceeding. However, we could still end up discontinuing the review or investigation if we are convinced that the appeal concerns a trivial matter, is frivolous, vexatious, not made in good faith, or for other reasons noted in the legislation. For the most part, the reasons for making an access request(s) or submitting a privacy complaint(s) aren’t relevant, but motives may be considered if actions taken by the submitter of the request/complaint amount to an abuse of process. For example, the following excerpts are taken from our Review Report 225-2015:

  1. Did the Applicant request this review on grounds that are frivolous, vexatious or not in good faith?

[10] Subsections 43(2)(a) and (b) of HIPA provides:

43(2) The commissioner may refuse to conduct a review or may discontinue a review if, in the opinion of the commissioner, the application for review:

(a) is frivolous or vexatious;

(b) is not made in good faith;

[11] This provision enables the Commissioner to dismiss or discontinue a review where it appears the access provisions of HIPA are not being utilized appropriately. …

[12] Personal health information is one of the most sensitive forms of personal information. It is collected primarily for reasons connected with patient care and is collected under circumstances of vulnerability and trust. Therefore, denying someone the right of review should only be permitted in the most extreme of circumstances and when there is compelling evidence to do so.

[13] On the other hand, HIPA must not become a weapon for disgruntled individuals to use against a trustee for reasons that have nothing to do with the Act. …

[16] Depending on the nature of the case, one factor alone or multiple factors in concert with each other can lead to a finding that a request is an abuse of the right of access. …

[62] The rights afforded the public to access under HIPA are accompanied by concomitant responsibilities on the part of Applicants. One of these responsibilities is working in tandem with the trustee to further the purposes of the Act. Actions, on the part of an Applicant that frustrate this approach can be said to be an abuse of this process. Examples include overwhelming a trustee with access requests, not working constructively to resolve issues, making repeated unfounded accusations and being uncooperative or harassing to those who are attempting to assist.

[65] In conclusion, considering all that is before me, I find that the Applicant’s review request is vexatious.

[66] I find that the review under consideration has been initiated on vexatious grounds pursuant to subsection 43(2)(a) of HIPA. I therefore discontinue this review

[Emphasis added]

In the above case, the review was discontinued for the reasons noted, but this is not a common outcome. I find that in most cases, individuals who come to our office do so in good faith and are eager to cooperate and, not surprisingly, those files proceed without complication. So, if it is at all unclear what is required, please contact us.

Updates to Chapter 4 for the Guide to FOIP and the Guide to LA FOIP are now available!

Updates to Chapter 4 for the Guide to FOIP and the Guide to LA FOIP include:

  • Fixing minor errors (typos, grammatical errors etc.)
  • Additional guidance for subsection 17(1)(b) (FOIP) / 16(1)(b) (LA FOIP)
  • New guidance for subsection 22(a)(FOIP) / 21(a) (LA FOIP)
    • Ordering production of solicitor-client & litigation privileged records
  • Updates to section 31 (FOIP) / 30(LA FOIP)

We hope you find these chapters helpful as you work through processing access to information requests.

If you have any questions or feedback on these chapters, please do not hesitate to reach out and contact me at alarocque@oipc.sk.ca.

 

Privacy in Organizations not Subject to Legislation

I received a call a few days ago from someone who worked in an organization that is not subject to privacy legislation, provincially or federally. The question posed to me was: what are the organization’s privacy obligations? I first had to say, you are not subject to provincial legislation and so there are really no privacy obligations (in a legislative sense).

I should note that Saskatchewan does have a Privacy Act where one can be sued for an invasion of privacy (see section 2).

I then went on to say that privacy is given a different definition by almost every person and thus, their expectation as to what an organization should do can be varied. My best advice was that the organization’s executives get together and hammer out a privacy policy that would be good for the organization.

Does an organization have to develop such a policy? No, but if people are raising privacy questions, the organization needs to have one.

I tried to suggest things that might go into such a policy:

  • Rules relating to distribution of membership lists.
  • Rules related to posting names of the executive on the organization’s website.
  • Rules relating to providing people with email, telephone numbers and addresses.

I indicated that caution should be exercised around emails, telephone numbers and addresses, and that they should be disclosed only on a need-to-know basis and only if safe and appropriate to do so. It is quite possible someone involved in the organization is separated from a former partner who is abusive or violent. Accidentally indicating where the person lives could be dangerous for that person.

Suggesting drafting a policy is daunting and I wanted to suggest where the person might find a good sample. I could not. So, after the telephone call I was able to find a couple of samples. First you might want to look at the Canadian Standards Association, model code for the Protection of Personal Information. Here are some sample privacy policies listed in no preferred order:

Canadian Cancer Society – https://cancer.ca/en/privacy-policy

St. John’s Ambulance – https://www.sja.ca/en/privacy-policy

Big Brothers Big Sisters of Regina – https://bbbsregina.ca/privacy-statement/

Canadian Blood Services – https://www.blood.ca/en/mystory/privacy-policy

Remember, a sample policy might be a good start, but a policy has to be tailored to the needs and expectations of the organization. Also, once drafted, it needs to be widely accepted by executive and staff as a good policy that will be followed. A good privacy policy can lead towards developing a culture of privacy in the organization.

Who is “Fake Ron”? (updated)

I have just become aware that staff had received another email from me asking for some cards in a rush because I was in a meeting. Previously, staff in my office had also received an email from me, but it wasn’t from me. They dubbed it, “Fake Ron.” Apparently, I wanted the recipient of the email to do me a favor. This fake email attempting to use my name is a good reminder to me and the staff of my office that there are many people out there dreaming up schemes to lead or mislead us into doing something.

I recently saw an article headline that said organization breaches are in many instances caused by human error. The 2022 Horizon report on data breaches found that hackers tend to exploit human error to get initial access, particularly through the use of phishing scams.

Sometimes we very innocently click on a link, which results in some malware slipping into our system. So, the “Fake Ron” email has been a good reminder here to be always vigilant and watching for the thing that does not feel right or is too good to be true.

This has caused our office to test our vigilance and readiness – just like we have fire drills. I recommend every organization do the same.

 

 

Interview of the Commissioner by Kristél Kriel

I was pleased to sit down with Kristél Kriel and discuss breaches of privacy in the corporate world. We talked about when breaches occur and the consequences, having a culture of training and being prepared to constantly improve an organization’s security. Please take a moment to listen to our conversation here.

How Does our Office Keep you Anonymous?

The Commissioner publicly posts review and investigation reports regarding a variety of matters involving applicants and complainants. As much as possible, our office tries to conceal their identities. Our office also recognizes that there are times when it is warranted to conceal the identity of someone other than an applicant or a complainant.

De-identification is the process of editing or removing personal information from a record. De-identification reduces the likelihood that a person will be identified or made known. Information is de-identified if: 1) a person’s identity is not revealed; or 2) if it is not reasonably foreseeable that information, either alone or in combination with other information, could reveal a person’s identity.

Personal information is either directly identifying (e.g., name, home address or telephone number) or indirectly identifying (e.g., use of descriptors such as gender, race, postal code, or profession). While direct identifiers openly disclose or make it easier to conclude an identity, indirect identifiers, given their nature and circumstances, can also lead to openly identifying someone. For example, disclosing that a matter involves a male doctor in a town of 1,000 people can more openly reveal his identity than if he was a male doctor in a city of 200,000 people – it’s in the details.

Obviously, the process of de-identifying information involves removing names, but it may also mean removing or editing information that allows readers to draw linkages to an identity. The following are some ways in which our office attempts to reduce such linkages in reports:

  1. We mostly use the third-person plural “they”, which traditionally refers to groups of two or more people. Grammar purists may not agree with using the plural form “they” when discussing a singular person, but the use of “they” can be used when who you are referring to isn’t important or isn’t the focus. Using the term “they” in our reports then allows us to pull focus away from who is being discussed, thereby reducing the likelihood that a person can be identified.
  2. We try to edit names of communities, organizations, etc., if such information can be combined with other information to lead to a person’s identity. This is sometimes the case in situations involving well-known events or events of a sensitive nature that occur in a certain place. Or, in the case of the male doctor above, where saying he is from Grenfell can more directly identify him than if he practiced in Saskatoon.
  3. We sometimes remove sensitive information or details if a matter is well known or highly publicized, or if that information has the potential to cause embarrassment for someone or to re-traumatize them. For example, rather than state the type of offence committed against someone, we may just state that there was an offence committed.

These are just a few ways in which we may bring anonymity to our reports, particularly for applicants and complainants. You will see in our reports, though, that at times we leave in identifying information such as names of public employees or civil servants. Such information is not typically considered personal information or personally identifying if it’s used in a professional or business context. We may remove such information, however, if leaving it in could lead to the identity of an applicant or complainant, or if we determine it is not relevant to the matter.

Determining which information to exclude from a report can be very subjective. The process requires us to balance all the factors and circumstances of a matter while ensuring that we do not misrepresent any facts. It’s part of our office’s responsibility to protect a person’s identity when warranted while at the same time being factual and unbiased. The last thing our office wants to do, though, is inadvertently disclose an identity that should remain anonymous, and so we err on the side of caution.

 

 

Saskatchewan Business and Privacy (updated)

The Office of the Privacy Commissioner of Canada (OPC) has issued a guidance document entitled Privacy Guide for Businesses. You may ask, “Does it apply to businesses or organizations in Saskatchewan?” The answer is yes, it does. The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal statute that applies to businesses in Saskatchewan. If you are in business in Saskatchewan, I recommend you read the Privacy Guide for Businesses.

First let me summarize the main issues from the guide:

  • PIPEDA sets out the ground rules for businesses in Saskatchewan.
  • The OPC oversees compliance with PIPEDA by conducting independent and impartial investigations and audits.
  • Businesses covered by PIPEDA must generally obtain an individual’s consent when they collect, use or disclose that individual’s personal information.
  • People have the right to access their personal information held by a business. They also have the right to challenge its accuracy.
  • Personal information can only be used for the purposes for which it was collected.
  • Generally, personal information must be protected by appropriate safeguards.
  • PIPEDA applies to private-sector businesses across Canada and Saskatchewan that collect, use or disclose personal information in the course of a commercial activity.
  • The law defines a commercial activity as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
  • All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA.
  • Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual.
  • PIPEDA includes mandatory breach reporting requirements. Businesses must report to the OPC any breaches of security safeguards that pose a real risk of significant harm.
  • Businesses must follow the 10 fair information principles to protect personal information, which are set out in Schedule 1 of PIPEDA. The principles are:
    • Accountability
    • Identifying purposes
    • Consent
    • Limiting collection
    • Limiting use, disclosure and retention
    • Accuracy
    • Safeguards
    • Openness
    • Individual access
    • Challenging compliance

For more information on PIPEDA and Businesses, see the Privacy Guide for Businesses.

When the federal government makes changes (amendments), those changes will affect Saskatchewan businesses, whether Saskatchewan businesses like those changes or not. Alberta, British Columbia and Quebec have passed legislation provincially, which applies to businesses in their province and replaces the operation of PIPEDA to a certain extent.

I pose the question whether Saskatchewan should, like Alberta and British Columbia, develop its own legislation to ensure privacy protections are extended to all employees in Saskatchewan regardless of the type of employer they work for.

Currently the parliament of Canada is considering Bill C-27 which would make changes to PIPEDA and would create an Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts. The federal privacy commissioner has made 15 recommendations for changes to Bill C-27.

The government of Saskatchewan has embarked upon a consultation on The Saskatchewan Employment Act (SEA). My office has proposed amendments that would give employees of businesses and organizations in Saskatchewan greater access rights and privacy protection for personal information in the hands of their employer.

Can You Bring an Action or Class Action for the Tort of Violation of Privacy in Saskatchewan? (updated)

I was asked whether a person could sue or be part of a class action in Saskatchewan for a breach of privacy. The Privacy Act provides in section 2, that it is a tort, actionable without proof of damage, for a person willfully and without claim of right, to violate the privacy of another. In section 7, the Court can award damages, grant an injunction or any other remedy. In section 8, the right to sue is in addition to any other rights the plaintiff has.

In 2018, the Legislative Assembly amended The Privacy Act to allow an action to be brought for the tort of distributing an intimate image of another person without that other person’s consent. In addition, the amendment allowed a person to sue in small claims court or King’s Bench.

Actions for violation of privacy have occurred in Saskatchewan. In Bierman v Haidash, 2021 SKQB 44, the Court of King’s Bench for Saskatchewan ordered damages of $7,500 and costs of $3,000 against the defendant.

The court also recognizes that Dr. Haidash has already been subject to the scrutiny and disapproval of the College of Physicians and Surgeons and the Privacy Commissioner.

Could persons sue in a class action?  

The Class Actions Act sets out the rules and procedures for commencing a class action. Such an action has to be certified by the Court of King’s Bench. If certified, a class action or multi-jurisdictional class action for a tort of breach of privacy could proceed in this province.

FOIP, LA FOIP and HIPA

The Freedom of Information and Protection of Privacy Act (FOIP) gives citizens certain rights to access information held by government institutions. The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) does the same for information held by local authorities (e.g., cities, towns, villages and other municipalities, school and library boards, the U of S and U of R, the Saskatchewan Health Authority and police services). The Health Information Protection Act (HIPA) applies to trustees and gives individuals the right to access their personal health information. The rights and actions under these Acts do not affect the right to bring an action under The Privacy Act.

The Information and Privacy Commissioner (IPC) process is completely separate and apart from lawsuits for a breach of privacy. The IPC may undertake a breach of privacy investigation under FOIP, LA FOIP or HIPA. There is no potential for monetary advantage through the IPC process.

I note the case of S.B. v D.H. where an award of damages was given in the amount of $160,000 for non-consensual distribution of intimate images (section 7.3).

In Peters-Brown vs Regina District Health Board the court awarded $5000 for negligence and breach of contract.

In Jess v. Saskatchewan District Health Board the court did not award damages.

Research: post pandemic (updated)

As I listen to the news, my head keeps telling me there will be many opportunities and much interest in researching many and varied aspects of this world pandemic. I expect there will also be interest on the part of Saskatchewan researchers.

The law is VERY CLEAR that researchers can ask public bodies for de-identified information. Each public body has to decide how much information it will provide; that is a policy decision. Those public bodies under privacy legislation are allowed to provide de-identified information.

What is de-identified information? It is the information without your or my name, address, or any unique identifier such as the individual’s Social Insurance Number (SIN) or Health Services Number (HSN). For example, subsection 3(2)(a) of The Health Information Protection Act (HIPA) states that it does not apply to statistical information or de-identified personal health information that cannot reasonably be expected, either by itself or when combined with other information available to the person who receives it, to enable the subject individuals to be identified. A public body can provide all the information that does not identify you or me.

If the health trustee or the researcher has the consent of the individuals to use their personal health information, then that is the best way to go. In many cases, that won’t be possible. Either the health trustee did not obtain consent to research or there are thousands and thousands of records and getting consent would not be possible.

If research is being done in such a way that it requires information from two sources and the name, SIN or HSN are sought to connect the information of an individual, that presents a challenge. The Data Matching Agreements Act is not yet proclaimed. Nonetheless, The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and HIPA have always authorized use and disclosure of personal information or personal health information for legitimate research purposes in the public interest. In the best-case scenario, and for research at the population level, de-identified data should be used and should suffice for those purposes.

However, those same laws provide for the use of identifiable data when appropriate, but I must emphasize the need for written agreements to ensure that data is protected. This rigour is necessary to ensure that, when data is used from one or multiple sources, what is provided is used as intended and protected throughout the process.

I note that section 29 of HIPA requires that all research projects where personal health information is used or disclosed by a trustee be approved by a research ethics committee that has been approved by the Saskatchewan Minister of Health. If a research ethics committee is small and nimble, it should never be a barrier to good research.

I have heard that some say “privacy” is a barrier to research. I do not believe or accept that point of view. That is why I wrote this blog to show that good research can continue and the barriers to obtaining the data should be minimal. If public bodies are citing “privacy” as the problem, they are giving the wrong reason and it just might be they don’t want to provide the information or to cooperate. Privacy is not the barrier.

A Good Access Request (updated)

You want some information from a government ministry, board, agency, Crown corporation, or from a city, town, village, rural municipality, university, school, library or health trustee. First, try the informal method, which is finding out who makes decisions regarding releasing information, maybe the director or a supervisor, and request by telephone or email the information you would like. If that is not successful, your next step is to go formal and prepare an Access to Information Request. A sample of the form can be found here.

I see many access requests that ask for everything. Asking for everything can result in hundreds or thousands of records. It will take longer to find all the records and as staff consider the number of records being requested, their inclination will be to charge a fee. If a public body has to retrieve 25 records it can happen fairly quickly. If you are asking for 4,000 records, you know that will take longer to find and reproduce them all.

So, my first piece of advice is that you think carefully about what exactly you want. Define your purpose and then say I need certain records to fulfill that purpose.

You can limit your request to a certain date range, e.g., for the month of May 2020 or for the year 2019. The narrower the date range, the less extensive the search and the time to retrieve and reproduce those documents.

If you can, specify the types of records you want, e.g., you want emails rather than all documents, or engineering reports rather than all reports.

You can also specify you want the records connected to certain employees, e.g., emails between Joe and Sally rather than emails sent and received by all employees.

In other words, by making your access request more specific, you increase the chances of staff knowing where to look and reducing the time to search, review and reproduce.

You can of course go as broad as you wish, but do not be surprised if you have to wait longer and you receive a high fee estimate.

And remember not to frame your access to information request in the form of a question. The right of access is to copies of source documents that already exist at the time the request is made. There is no obligation under access and privacy legislation for a public body to create records to respond to your question.

It should be noted that where an organization is unable to identify the record you are requesting, the organization can ask you to provide more details to identify the record (see section 6 of The Freedom of Information and Protection of Privacy Act (FOIP)). Thus, it becomes important to be as clear as you can in describing the record or records that you want.

I hope this might help you when seeking information or records and I hope public bodies appreciate your efforts to be specific and narrow your request. I hope those public bodies do their part and give you greater service.