Privacy Commissioner finds that Canadians have a right to have information de-listed from online search engine results in limited circumstances.

Joint investigation of TikTok Pte. Ltd.

How systemic delays, a backlog of overdue requests, and process errors led to UBC having the lowest rate of compliance.

NEW Checklist for Healthcare Organizations Considering the use of an AI Scribe

Privacy Commissioner of Canada to investigate cybersecurity breach at WestJet

PowerSchool commits to strengthened breach measures following engagement with the Privacy Commissioner of Canada

Sask. information and privacy commissioner brings a focus on cyber security, AI

Guardrails for Police Use of Investigative Genetic Genealogy in Ontario

Access to Information Act, Protection of Privacy Act implemented in Alberta

Commissioner Dufresne launches exploratory consultation on children’s privacy code

Canadian privacy regulators launch principles for the responsible development and use of generative AI

Canadian privacy regulators launch principles for the responsible development and use of generative AI

Federal, provincial and territorial privacy authorities have launched a set of principles to advance the responsible, trustworthy and privacy-protective development and use of generative artificial intelligence (AI) technologies in Canada.

The authorities introduced the principles during an international symposium on privacy and generative AI that was hosted in Ottawa by the Office of the Privacy Commissioner of Canada.

While AI presents potential benefits across many domains and in everyday life, the regulators note that there are also risks and potential harms to privacy, data protection, and other fundamental human rights if these technologies are not properly developed and regulated.

Organizations have a responsibility to ensure that products and services that are using AI comply with existing domestic and international privacy legislation and regulation.

The joint document lays out how key privacy principles apply when developing, providing, or using generative AI models, tools, products and services. These include:

  • Establishing legal authority for collecting and using personal information, and when relying on consent ensuring that it is valid and meaningful;
  • Being open and transparent about the way information is used and the privacy risks involved;
  • Making AI tools explainable to users;
  • Developing safeguards for the protection of privacy rights; and
  • Limiting the sharing of personal, sensitive or confidential information.

Developers are also urged to take into consideration the unique impact that these tools can have on vulnerable groups, including children.

The document provides examples of best practices, including implementing “privacy by design” into the development of the tools, and the labelling content created by generative AI.

Related Content:

Joint Guidance: Principles for responsible, trustworthy and privacy-protective generative AI technologies

For more information:

Julie Ursu, Manager of Communication
Telephone: 306-798-2260
Email: jursu@oipc.sk.ca

Was this page helpful?

Privacy Savvy Children and Youth

Various studies on how Canadian children and youth use technology have concluded similar findings. One study found that about 90% of young people aged nine to 11 have at least one social media account. The same study found that about 80% of young people aged nine to 17 have their own smartphone, with many having received their first phone by age 11. Other studies have found that young people spend up to two hours or more online every day.

As children and youth become more tech savvy, though, are they also becoming more privacy savvy? Social media or other internet activity may appear free, but participating almost always comes at a cost to personal privacy.

Any online presence comes with its own set of privacy concerns or risks, regardless of age. For children and youth, however, the risks can be greater. Besides the fact that they may access harmful or inappropriate content, children and youth may also be at risk to their privacy and safety. They may share more online than they intend to or should. They may also use apps that reveal their location, which can lead anyone to knowing exactly where they are. This can make them easy targets for predators or others who mean them harm.

There is also the fact that once you put something online, it is very difficult – sometimes impossible – to remove it or to take it back. This can lead to reputational harm and, if the information you put out is used against you, to heightened feelings of anxiety and depression.

Being privacy savvy means having the practical knowledge needed to make good decisions or judgements about your online privacy. Online privacy means protecting your personal information and knowing what trail of personal information you leave behind. Personal information is anything directly related to your personal life, such as your name, date of birth, home address, telephone number, list of contacts, where you go to school, etc.

Parents can start helping their kids become privacy savvy online by teaching them the fundamentals of internet privacy and what happens to their personal information when they go online. Many online resources for this exist, including the following:

Don’t let your kids just be tech savvy – to keep them and their personal information safe, also teach them to be privacy savvy.

Was this page helpful?

Why some reviews and investigations cannot pass go (updated)

If you have ever contacted our office regarding a concern with how an organization (government institution, local authority or trustee) has responded to your access to information request or handled your personal information or personal health information, you would have been told that we are an office of last resort. As the oversight body, we are an appeal body. That means that you first must have made the access request to the appropriate body and waited the requisite period of time, usually 30 calendar days, before bringing your concerns to our attention. The same can be said for privacy complaints, for the most part. But, even once you submit your request/complaint, we don’t immediately open a file as we have to make a decision in terms of if we can proceed.

What do I mean by that? Firstly, we must have jurisdiction. That is, the organization that your request/complaint is directed to qualifies as a government institution, local authority or trustee. Even if it appears this is the case, we also need grounds to proceed. It is much more straightforward in a review if we have grounds as will be evident from the documentation, but the applicant still needs to point out which issues they want us to consider in the review (i.e., fee estimate, manner of access, search, fee waiver, access denied, time extension). So clearly, providing all the necessary documentation is crucial for us to move forward.

With a privacy complaint, if you believe that an organization has breached your privacy, what you bring to us must be specific and convincing. For instance, what personal information or personal health information is involved? On what day/time did the alleged inappropriate or unauthorized collection, use or disclosure of your personal information or personal health information occur? Who was involved? How do you know that this occurred? What proof do you have that would support your assertions?

In either case, if enough information is not provided even after our intake team intervenes, the request/complaint may be dismissed and no formal review or investigation is undertaken by our office. This could happen too if statutory time limits have expired.

If it looks like our office has jurisdiction and sufficient grounds to go forward with a review or investigation, formal notices to the parties are sent indicating that we are proceeding. However, we could still end up discontinuing the review or investigation if we are convinced that the appeal concerns a trivial matter, is frivolous, vexatious, not made in good faith, or for other reasons noted in the legislation. For the most part, the reasons for making an access request(s) or submitting a privacy complaint(s) aren’t relevant, but motives may be considered if actions taken by the submitter of the request/complaint amount to an abuse of process. For example, the following excerpts are taken from our Review Report 225-2015:

  1. Did the Applicant request this review on grounds that are frivolous, vexatious or not in good faith?

[10] Subsections 43(2)(a) and (b) of HIPA provides:

43(2) The commissioner may refuse to conduct a review or may discontinue a review if, in the opinion of the commissioner, the application for review:

(a) is frivolous or vexatious;

(b) is not made in good faith;

[11] This provision enables the Commissioner to dismiss or discontinue a review where it appears the access provisions of HIPA are not being utilized appropriately. …

[12] Personal health information is one of the most sensitive forms of personal information. It is collected primarily for reasons connected with patient care and is collected under circumstances of vulnerability and trust. Therefore, denying someone the right of review should only be permitted in the most extreme of circumstances and when there is compelling evidence to do so.

[13] On the other hand, HIPA must not become a weapon for disgruntled individuals to use against a trustee for reasons that have nothing to do with the Act. …

[16] Depending on the nature of the case, one factor alone or multiple factors in concert with each other can lead to a finding that a request is an abuse of the right of access. …

[62] The rights afforded the public to access under HIPA are accompanied by concomitant responsibilities on the part of Applicants. One of these responsibilities is working in tandem with the trustee to further the purposes of the Act. Actions, on the part of an Applicant that frustrate this approach can be said to be an abuse of this process. Examples include overwhelming a trustee with access requests, not working constructively to resolve issues, making repeated unfounded accusations and being uncooperative or harassing to those who are attempting to assist.

[65] In conclusion, considering all that is before me, I find that the Applicant’s review request is vexatious.

[66] I find that the review under consideration has been initiated on vexatious grounds pursuant to subsection 43(2)(a) of HIPA. I therefore discontinue this review

[Emphasis added]

In the above case, the review was discontinued for the reasons noted, but this not a common outcome. I find in most cases, individuals that come to our office do so in good faith and are eager to cooperate and not surprisingly, those files proceed without complication. So, if unclear at all as to what is required, please contact us.

 

 

Was this page helpful?

Privacy in Organizations not Subject to Legislation

I received a call a few days ago from someone who worked in an organization that is not subject to privacy legislation provincially or federally. The question posed to me was what are the organization’s privacy obligations? I first had to say, you are not subject to provincial legislation and so there are really no privacy obligations (in a legislative sense).

I should note that Saskatchewan does have a Privacy Act where one can be sued for an invasion of privacy (see section 2).

I then went on to say that privacy is given a different definition by almost every person and thus, their expectation as to what an organization should do can be varied. My best advice was that the organization’s executives get together and hammer out a privacy policy that would be good for the organization.

Does an organization have to develop such a policy? No, but if people are raising privacy questions, the organization needs to have one.

I tried to suggest things that might go into such a policy:

  • Rules relating to distribution of membership lists.
  • Rules related to posting names of the executive on the organization’s website.
  • Rules relating to providing people with email, telephone numbers and addresses.

I indicated caution around emails, telephone numbers and addresses should be exercised and should be disclosed only on a need-to-know basis and only if it is safe and appropriate to do so. It is quite possible someone involved in the organization is separated from a former partner who is abusive or violent. Accidently indicting where the person lives could be dangerous for that person.

Suggesting drafting a policy is daunting and I wanted to suggest where the person might find a good sample. I could not. So, after the telephone call I was able to find a couple of samples. First you might want to look at the Canadian Standards Association, model code for the Protection of Personal Information. Here are some sample privacy policies listed in no preferred order:

Canadian Cancer Society – https://cancer.ca/en/privacy-policy

St. John’s Ambulance – https://www.sja.ca/en/privacy-policy

Big Brothers Big Sisters of Regina https://bbbsregina.ca/privacy-statement/

Canadian Blood Services – https://www.blood.ca/en/mystory/privacy-policy

Remember, developing a policy is a good start, but a policy has to be tailored to the needs and expectations of the organization. Also once drafted it needs to be widely circulated and accepted by executive and staff that it is a good policy and will be followed. That policy should be posted on the organization’s website. A good privacy policy can lead towards developing a culture of privacy in the organization.

Was this page helpful?

Who is “Fake Ron”? (updated)

I have just become aware that staff had received another email from me asking for some gift cards in a rush because I was in a meeting. Previously, staff in my office had also received an email from me, but it wasn’t from me. They dubbed it, “Fake Ron.” Apparently, I wanted the recipient of the email to do me a favor. This fake email attempting to use my name is a good reminder to me and the staff of my office that there are many people out there dreaming up schemes to lead or mislead us into doing something.

I recently saw an article headline that said, organization breaches are in many instances caused by human error. The 2022 Horizon report on data breaches found that hackers tend to exploit human error to get initial access, particularly through the use of phishing scams.

Sometimes we very innocently click on a link, which results in some malware slipping into our system. So, the “Fake Ron” email has been a good reminder here to be always vigilant and watching for the thing that does not feel right or is too good to be true.

This has caused our office to test our vigilance and readiness – just like we have fire drills. I recommend every organization do the same.

 

 

Was this page helpful?

How Does our Office Keep you Anonymous?

The Commissioner publicly posts review and investigation reports regarding a variety of matters involving applicants and complainants. As much as possible, our office tries to conceal their identities. Our office also recognizes that there are times when it is warranted to conceal the identity of someone other than an applicant or a complainant.

De-identification is the process of editing or removing personal information from a record. De-identification reduces the likelihood that a person will be identified or made known. Information is de-identified if: 1) a person’s identity is not revealed; or 2) if it is not reasonably foreseeable that information, either alone or in combination with other information, could reveal a person’s identity.

Personal information is either directly identifying (e.g., name, home address or telephone number) or indirectly identifying (e.g., use of descriptors such as gender, race, postal code, or profession). While direct identifiers openly disclose or make it easier to conclude an identity, indirect identifiers, given their nature and circumstances, can also lead to openly identifying someone. For example, disclosing that a matter involves a male doctor in a town of 1,000 people can more openly reveal his identity than if he was a male doctor in a city of 200,000 people – it’s in the details.

Obviously, the process of de-identifying information involves removing names, but it may also mean removing or editing information that allows readers to draw linkages to an identity. The following are some ways in which our office attempts to reduce such linkages in reports:

  1. We mostly use the third-person plural “they”, which traditionally refers to groups of two or more people. Grammar purists may not agree with using the plural form “they” when discussing a singular person, but the use of “they” can be used when who you are referring to isn’t important or isn’t the focus. Using the term “they” in our reports then allows us to pull focus away from who is being discussed, thereby reducing the likelihood that a person can be identified.
  2. We try to edit names of communities, organizations, etc., if such information can be combined with other information to lead to a person’s identity. This is sometimes the case in situations involving well-known events or events of a sensitive nature that occur in a certain place. Or, in the case of the male doctor above, where saying he is from Grenfell can more directly identify him than if he practiced in Saskatoon.
  3. We sometimes remove sensitive information or details if a matter is well known or highly publicized, or if that information has the potential to cause embarrassment for someone or to re-traumatize them. For example, rather than state the type of offence committed against someone, we may just state that there was an offence committed.

These are just a few ways in which we may bring anonymity to our reports, particularly for applicants and complainants. You will see in our reports, though, that at times we leave in identifying information such as names of public employees or civil servants. Such information is not typically considered personal information or personally identifying if it’s used in a professional or business context. We may remove such information, however, if leaving it in could lead to the identity of an applicant or complainant, or if we determine it is not relevant to the matter.

Determining which information to exclude from a report can be very subjective. The process requires us to balance all the factors and circumstances of a matter while ensuring that we do not mispresent any facts. It’s part of our office’s responsibility to protect a person’s identity when warranted while at the same time being factual and unbiased. The last thing our office wants to do, though, is inadvertently disclose an identity that should remain anonymous, and so we err on the side of caution.

 

 

Was this page helpful?

Research: post pandemic (updated)

As I listen to the news, my head keeps telling me there will be many opportunities and much interest in researching many and varied aspects of this world pandemic. I expect there will also be interest on the part of Saskatchewan researchers.

The law is VERY CLEAR that researchers can ask public bodies for de-identified information. Each public body has to decide how much information it will provide; that is a policy decision. Those public bodies under privacy legislation are allowed to provide de-identified information.

What is de-identified information? It is the information without your or my name, address, or any unique identifier such as the individual’s Social Insurance Number (SIN) or Health Services Number (HSN). For example, subsection 3(2)(a) of The Health Information Protection Act (HIPA) states that it does not apply to statistical information or de-identified personal health information that cannot reasonably be expected, either by itself or when combined with other information available to the person who receives it, to enable the subject individuals to be identified. A public body can provide all the information that does not identify you or me.

If the health trustee or the researcher has the consent of the individuals to use their personal health information, then that is the best way to go. In many cases, that won’t be possible. Either the health trustee did not obtain consent to research or there are thousands and thousands of records and getting consent would not be possible.

If research is being done in such a way that it requires information from two sources and the name, SIN or HSN are sought to connect the information of an individual; that presents a challenge. The Data Matching Agreements Act is not yet proclaimed. Nonetheless, The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and HIPA have always authorized use and disclosure of personal information or personal health information for legitimate research purposes in the public interest. The best-case scenario, and for research at the population level, de-identified data should be used and should suffice for those purposes.

However, those same laws provide for the use of identifiable data when appropriate, but I must emphasize the need for written agreements to ensure that data is protected. This rigour is necessary to ensure data is used from one or multiple sources that what is provided is used as intended and protected throughout the process.

I note section 29 of HIPA, requires all research projects where personal health information is used or disclosed by a trustee, must be approved by a research ethics committee that has been approved by the Saskatchewan Minister of Health. If a research ethics committee is small and nimble it should never be a barrier to good research.

I have heard that some say “privacy” is a barrier to research. I do not believe or accept that point of view. That is why I wrote this blog to show that good research can continue and the barriers to obtaining the data should be minimal. If public bodies are citing “privacy” as the problem, they are giving the wrong reason and it just might be they don’t want to provide the information or to cooperate. Privacy is not the barrier.

Was this page helpful?

A Good Access Request (updated)

You want some information from a government ministry, board, agency, Crown corporation, or from a city, town, village, rural municipality, university, school, library or health trustee. First, try the informal method, which is finding out who makes decisions regarding releasing information, maybe the director or a supervisor, and request by telephone or email the information you would like. If that is not successful, your next step is to go formal and prepare an Access to Information Request. A sample of the form can be found here.

I see many access requests that ask for everything. Asking for everything can result in hundreds or thousands of records. It will take longer to find all the records and as staff consider the number of records being requested, their inclination will be to charge a fee. If a public body has to retrieve 25 records it can happen fairly quickly. If you are asking for 4,000 records, you know that will take longer to find and reproduce them all.

So, my first piece of advice is that you think carefully about what exactly you want. Define your purpose and then say I need certain records to fulfill that purpose.

You can limit your request to a certain date range, e.g., for the month of May 2020 or for the year 2019. The narrower the date range, the less extensive the search and the time to retrieve and reproduce those documents.

If you can, specify the types of records you want, e.g., you want emails rather than all documents, or engineering reports rather than all reports.

You can also specify you want the records connected to certain employees, e.g., emails between Joe and Sally rather than emails sent and received by all employees.

In other words, by making your access request more specific, you increase the chances of staff knowing where to look and reducing the time to search, review and reproduce.

You can of course go as broad as you wish, but do not be surprised if you have to wait longer and you receive a high fee estimate.

And remember not to frame your access to information request in the form of a question. The right of access is to copies of source documents that already exist at the time the request is made. There is no obligation under access and privacy legislation for a public body to create records to respond to your question.

It should be noted that where an organization is unable to identify the record you are requesting, the organization can ask you to provide more details to identify the record (see section 6 of The Freedom of Information and Protection of Privacy Act (FOIP).  Thus, it becomes important to be as clear as you can in describing the record or records that you want.

I hope this might help you when seeking information or records and I hope public bodies appreciate your efforts to be specific and narrow your request. I hope those public bodies do their part and give you greater service.

Was this page helpful?

Canadian privacy regulators pass resolutions on the privacy of young people and workplace privacy

QUÉBEC, QC, October 6, 2023 – Privacy authorities from across the country are calling on their respective governments to improve privacy legislation to protect young people and employees – groups that are significantly vulnerable, each in their own way to the growing influence of digital technologies.

Federal, provincial, and territorial information and privacy authorities met this week in Québec City for their annual meeting to discuss pressing concerns related to privacy and access to information. These discussions resulted in joint resolutions calling on governments to do more to protect the privacy rights of young people and workers.

For young people, the resolution focuses on the responsibility of organizations across all sectors to actively safeguard young people’s data through responsible measures, including minimized tracking, regulated data sharing, and stringent control over commercial advertising. It also calls on organizations to safeguard their rights to access, correction, and appeal regarding personal data.

The employee privacy resolution addresses the recent proliferation of employee monitoring software and how it has revealed that laws protecting workplace privacy are either out-of-date or absent altogether. In our increasingly digital work environments, there need to be robust and relevant privacy protections in place to safeguard workers from overly intrusive monitoring by employers.

Privacy of young people

Youth have a right to privacy and all sectors, including governments and businesses must put young people’s interests first by setting clear limits on when and how their personal information may be used or shared, the privacy authorities say. They called on their respective governments to review, amend or adopt legislation as necessary to ensure that it includes strong safeguards, transparency requirements and access to remedies for young people. They also called on government institutions to ensure that their practices prioritize a secure, ethical, and transparent digital environment for youth.

The resolution notes that while the digital environment presents many opportunities for young people, it has also brought well-documented harms, including the impact of social media on physical and mental health. Regulators say that special protections are essential for younger generations, because their information can live online for a long time, and may become a life-long reputational burden.

The resolution also calls on organizations to adopt practices that promote the best interests of young people, ensuring not only the safeguarding of young people’s data, but also empowering them with the knowledge and agency to navigate digital platforms and manage their data safely, and with autonomy. Initial steps include identifying and minimizing privacy risks at the design stage. Other recommendations include making the strongest privacy settings the default; turning off location tracking; and rejecting deceptive practices and incentives that influence young people to make poor privacy decisions or to engage in harmful behaviours.

Privacy in the workplace

With the shift towards increased remote work arrangements and use of monitoring technologies in this digital world, the privacy authorities called on governments to develop or strengthen laws to protect employee privacy. They also urged employers to be more transparent and accountable in their workplace monitoring policies and practices.

Employee monitoring has undergone substantial expansion in its use, technological capabilities and application in recent years. Many employers have accelerated the use of monitoring technologies as they seek new ways of tracking employee’s performance and activities on-premises or remotely, whether during work or off hours.

Although some level of information collection is reasonable and may even be necessary to manage the employer-employee relationship, the adoption of digital surveillance technologies can have disproportionate impacts on employees’ privacy and can significantly impact an employee’s career and overall well-being, including heightened stress levels and other adverse mental health effects, not to mention reduced autonomy and creativity.

The resolution calls for a collective effort from governments and employers to address statutory gaps, respect and protect employee rights to privacy and transparency, and ensure the fair and appropriate use of electronic monitoring tools and AI technologies in the modern workplace.

Related content:

Resolution: Putting best interests of young people at the forefront of privacy and access to personal information

Resolution: Protecting Employee Privacy in the Modern Workplace

For more information:

Julie Ursu, Manager of Communication
Telephone: 306-798-2260
Email: jursu@oipc.sk.ca

Canadian privacy regulators pass resolutions on the privacy of young people and workplace privacy

Was this page helpful?

Federal, Provincial, and Territorial Information Regulators Unite in Resolution to Enhance Access to Government Information

FOR IMMEDIATE RELEASE

Federal, Provincial, and Territorial Information Regulators Unite in Resolution to Enhance Access to Government Information

(Quebec City, October 4, 2023) — Federal, provincial and territorial Information Commissioners and Ombudspersons, signed a joint resolution today aimed at reinforcing the public’s right to access government-held information.

Freedom of information regimes across Canada have faced persistent challenges in delivering timely responses to access to information requests, underscoring the need to implement alternative and efficient mechanisms for providing access to records, including through proactive disclosure.

It has never been more important for Canadians to have access to official government records, including historical records, if we are to maintain confidence in our democratic institutions. In our modern digital world, disinformation and misinformation spread very quickly. As recent news stories illustrate, timely access to accurate facts and reliable information is more critical than ever.

Recognizing the urgent need for change, the regulators are again calling upon their respective governments to modernize legislation, policies and information management practices to advance transparency and ensure the preservation and dissemination of Canada’s documentary heritage, so that all Canadians can better understand the nation’s past and present, and together chart a future path towards reconciliation.

Building on a joint resolution issued in 2019, the signing of this resolution by federal, provincial, and territorial Information Commissioners and Ombudspersons signals a renewed sense of urgency in a drastically changed context.

This resolution is a clarion call for federal, provincial and territorial governments to act swiftly and decisively in modernizing their respective laws, policies, and information management practices, to strengthen access to information regimes and support a culture of transparency across Canada.

Read the resolution.

-30-

 

For more information:
Commission d’accès à l’information du Québec
media@cai.gouv.qc.ca

Office of the Information Commissioner of Canada
communications@oic-ci.gc.ca

 

FPT Joint Access Resolution

Was this page helpful?

Google Translate Disclaimer

Translations on the IPC Website are performed by Google Translate. Please note that not all text may be translated accurately or be translated at all. The IPC is not responsible for incorrect or inaccurate translations. The IPC will not be held responsible for any damage or issues that may result from using Google Translate.

For more information, read our full disclaimer.