The Legislation Act- Things to Know

I had formerly prepared a blog that discussed The Interpretation Act, 1995 and some things to look out for as it relates to FOIP and LA FOIP.  However, The Interpretation Act, 1995 was replaced in May 2019 by The Legislation Act (Legislation Act), so this blog has been updated to reflect those changes.

There are countless statutes in Saskatchewan governing everything from animal protection to workers' compensation. But the Legislation Act is a unique statute that I would like to draw your attention to. What makes the Legislation Act so special? Well, for one, it applies to every enactment in Saskatchewan (unless otherwise noted in the Legislation Act). Secondly, the Legislation Act essentially guides us in how to interpret Saskatchewan statutes.

Let’s take a look at two areas where the Legislation Act guides us in interpreting Saskatchewan’s access and privacy laws – calculation of time and repealed statutes.

Calculation of Time

Subsections 7(2) of The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) provide, “The head shall give written notice to the applicant within 30 days after the application is made…” [emphasis added]. Based on the Legislation Act, the following can be applied for calculating 30 days under FOIP and LA FOIP:

  • The first day the access request is received is excluded in the calculation of time [subsection 2-28(3) of the Legislation Act]
  • If the due date falls on a holiday, the time is extended to the next day that is not a holiday [subsection 2-28(5) of the Legislation Act]
  • If the due date falls on a weekend, the time is extended to the next day the office is open [subsection 2-28(6) of the Legislation Act]
  • As FOIP expresses the time in a number of days, this is interpreted as calendar days, not business days.

It’s important to note that the Legislation Act does not allow for additional time when it is your personal holiday, scheduled day off or if you were away from the office due to illness.

For more information on the calculation of time in FOIP and LA FOIP, please see Chapter 3: Access to Records of the IPC Guide to FOIP and the IPC Guide to LA FOIP.

Repealed Statutes

There are countless statutes referenced in FOIP, LA FOIP and The Health Information Protection Act (HIPA). So, what happens when one of those laws is repealed and replaced by a new statute, but FOIP, LA FOIP or HIPA (or any other Saskatchewan statute for that matter) has not been amended to reflect the new statute?

Here is an example to help. In LA FOIP, subsection 2(f) outlines bodies that are local authorities, and therefore subject to LA FOIP.  Subsection 2(f)(vi) of LA FOIP includes a local authority as being, “… the board of a public library within the meaning of The Public Libraries Act, 1984.”  There is one problem – The Public Libraries Act, 1984 was repealed and replaced with The Public Libraries Act, 1996.

So does that mean library boards are caught in a loophole and not subject to LA FOIP?  Not the case.  Again, we turn to the Legislation Act to help us out.  Subsection 2-8(10) of the Legislation Act provides:

2-8(10) After an enactment is repealed and a new enactment is substituted for it, a reference in an unrepealed enactment to the former enactment is, with respect to any subsequent transaction, matter or thing, deemed to be a reference to the provisions of the new enactment relating to the same subject-matter as the former enactment, but, if there are no provisions in the new enactment relating to the same subject-matter, the former enactment is to be interpreted as being unrepealed insofar as is necessary to maintain or give effect to the unrepealed enactment.

Confused yet? A helpful way to work through this is by actually inserting the names of the statutes:

2-8(10) After an enactment is repealed [The Public Libraries Act, 1984] and a new enactment is substituted for it [The Public Libraries Act, 1996], a reference in an unrepealed enactment [The Local Authority Freedom of Information and Protection of Privacy Act] to the former enactment [The Public Libraries Act, 1984] is, with respect to any subsequent transaction, matter or thing, deemed to be a reference to the provisions of the new enactment [The Public Libraries Act, 1996] relating to the same subject-matter as the former enactment [The Public Libraries Act, 1984], but, if there are no provisions in the new enactment [The Public Libraries Act, 1996] relating to the same subject-matter, the former enactment [The Public Libraries Act, 1984] is to be interpreted as being unrepealed insofar as is necessary to maintain or give effect to the unrepealed enactment [The Public Libraries Act, 1996].

For the purposes of LA FOIP, even though The Public Libraries Act, 1984 was repealed and replaced in 1996, the Legislation Act takes care of that gap and public libraries are still subject to the provisions of LA FOIP because of subsection 2-8(10) of the Legislation Act.

 

Flip These Resources

Our office has been busy at work transforming the way our resources look to provide a more creative and interactive experience than a typical pdf. During the next several months, we will be replacing various pdf resources on our website with flipbooks. Don’t stress, you will still have the ability to access all our resources via pdf.

A flipbook has a variety of benefits over and above its visual appeal. It can include video, GIFs and animation, and you can even make your own notes.

Ugh, I need to learn when to stop talking and explaining and just show you. However, before I begin, if you require an accessible pdf version of the flipbook instructions, they can be found here: Flip These Resources.

Otherwise, to see how the flipbook works, click on the book below and open to full screen by selecting the icon on the far right of the bottom toolbar. Now, let’s get started…

Flip These Resources

How to Complain (Effectively)

Before our office can investigate a privacy complaint, the concern needs to be raised in writing to the public body or health trustee that you believe breached your privacy.  A thoughtfully crafted complaint makes it easier for the health trustee or public body to work with you to find a solution to your concerns. It also makes it easier for our staff to understand the situation if you need to engage our office as a last resort.  Here are a few things to keep in mind:

Send it to the Right Place and the Right Person 

Your complaint should be addressed to the health trustee or public body that you believe breached your privacy.  If possible, try to send it directly to their Privacy Officer.  This might mean doing an internet search or making a telephone call to get the right contact information.  For a list of access and privacy contacts in the Government of Saskatchewan, please click here.

If you can’t find contact information for a Privacy Officer, you can direct your letter to the “head” of the public body or health trustee, as they are responsible for compliance with privacy laws. 

Be Specific and Include Evidence

Tell the public body or health trustee exactly what personal information or personal health information of yours has been breached, by whom, and when. Explain why you think the collection, use, or disclosure of your information was inappropriate, and what you would like to see happen to rectify the situation. If you have any evidence of the privacy breach, you can provide copies to substantiate your claims.

Be Clear that this is a Formal Complaint and Give a Timeline

It is not your responsibility to support your complaint with references to specific sections of the legislation – you certainly can, but you don’t have to.  That said, including a statement that you are making a formal privacy complaint under The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), or The Health Information Protection Act (HIPA), and requesting a response within 30 days should make it clear to the public body or health trustee that your complaint requires a timely response that complies with the legislation.

Retain a Copy and Keep Track of the Date

If you ask our office to investigate a privacy concern because you are dissatisfied with the health trustee or public body’s response to your complaint, we will ask for a copy of the complaint you sent and proof of the date it was submitted.  If you submit your complaint as an email, request a read-receipt and hang onto a copy.  If you send it as a letter, we recommend using registered mail, and again, keep a copy for your records.

For more information about the complaint process, please visit our webpage How do I resolve a privacy complaint?

For more tips and a sample letter, the Office of the Privacy Commissioner of Canada has a helpful page – their office covers a different jurisdiction, but their process is similar.  Visit Tips for raising your privacy concern with a federal government institution.

Access, Privacy, Children and Joint Legal Custodians

Commissioner Kruzeniski’s blog UPDATED: Who Signs for a Child? described the rules under The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and The Health Information Protection Act (HIPA) applicable to legal custodians.

The Commissioner explained that subsections 59(d) of FOIP, 49(d) of LA FOIP and 56 of HIPA give a legal custodian the right to sign on behalf of their child. He added that, depending on the terms of any applicable court order or agreement, one or both parents could sign for the child.

Since publishing that blog, our office conducted a privacy investigation involving two parents who had signed an Interspousal Agreement which included a provision that they would have joint custody of the children of the marriage. The parents disagreed about whether the information of one of their children should be disclosed to a stepparent.

In Investigation Report 083-2022, the Commissioner found that where two legal custodians, with equal rights and responsibilities under an Interspousal Agreement, disagreed, the wishes of one legal custodian could not prevail over the wishes of the other.

This raised the question “How does the head of a local authority or institution, or trustee manage access to information requests or consents to collection, use or disclosure involving children where their joint legal custodians disagree?”

There is no requirement for a head or trustee to canvass the views of every legal custodian to satisfy themselves that the custodian making a request or signing on behalf of a child is doing so with the agreement of the other. However, where a head or trustee is aware that one of the joint legal custodians does not agree with a request or consent provided by the other, they should not rely on the direction of only one legal custodian.

When determining whether legal custodians have equal rights and responsibilities, heads and trustees will need to consider subsection 3(1) of The Children’s Law Act, 2020 (CLA) which provides:

3(1) Unless otherwise ordered by the court and subject to subsection (2) and any agreement pursuant to subsection (3), the parents of a child are joint legal decision makers for the child, with equal powers and responsibilities.

If there is a court order or agreement between the parties, the legal rights and responsibilities of the parents will be determined by the applicable order or agreement.

What to do if you Receive a Privacy Breach Notification

Receiving notice that you are an affected individual in a privacy breach can be stressful, and you may be wondering what your options are. Here are some answers to common questions that our office receives when people find out that they may be impacted by a privacy breach.

Why am I receiving this notice?

Generally speaking, a privacy breach occurs when personal information or personal health information is collected, used, or disclosed inappropriately. This can be a result of many different situations, from intentional breaches like cyber-attacks or employee snooping, to more mundane things like poor policies, procedures, or training leading to mistakes in handling sensitive information. A person whose information was compromised by the breach is called an “affected individual.”

Whether or not The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and/or The Health Information Protection Act (HIPA) require that notice be provided to an affected individual in the event of a breach, our office encourages notification as a best practice.

Every breach is different, so if you’ve received a notification that you are an affected individual in a privacy breach, it’s important to read it carefully. The public body or trustee might be telling you that your information has been compromised, or it might be telling you that your information may have been compromised. To learn more about what should be included in a breach notification, check out our previous blog, Notifying Affected Individuals: What should I put in the letter?

What questions should I be asking the public body or trustee?

When I receive calls from affected individuals, a lot of people are at a loss to know what to do or even what questions they should be asking the public body or trustee. Again, every breach is different, but here are some basic things you may want to clarify:

  • What information about me has or may have been breached? Who has it? Did the public body or trustee get it back?
  • What was the nature of the breach? Was it malicious (e.g. the breach involved theft or employee snooping), or was it accidental (e.g. information was left unattended or a staff member made a mistake)?
  • Could this breach harm me? If so, what steps is the public body/trustee taking to mitigate the potential risk? What steps can I take to protect myself?

Who should I call if I have questions or concerns about this notice?

 If you have questions about the breach itself or how the public body or trustee is dealing with it, you should call the individual from the organization listed in the notification; that person will have the most direct knowledge of the situation and what is being done to contain and address the breach. They often have the title of Privacy Officer.

When should I engage the IPC?

The first step is always to contact the public body or trustee to determine whether your concerns are already being addressed.

If you are not satisfied with how the public body or trustee is handling the breach, you can make a complaint to our office. If the breach has not been proactively reported to us, we will determine whether we have jurisdiction and grounds to investigate.

If the breach was proactively reported, we will likely already have an open investigation. You can request that our office add you formally as an affected individual/complainant. If you don’t want to submit a complaint, but you do want to know the results of the investigation, you can ask to receive a copy of the report, if one is created. To be included as a complainant or to receive a copy of the report of the investigation into the breach, we will ask you to submit a copy of the notification letter you received from the public body or trustee.

What does filing a complaint with the IPC do?

When you file a complaint with our office, it’s important to think about what you hope will come of an investigation – is it learning more about how your privacy was breached, assurances about what steps will be taken to prevent a future breach, or even getting an apology? Our staff will ask you about this early in the complaint process as a way of clarifying what your concerns and expectations are in the situation. It’s important to note that our office does not have order-making powers; the results of an investigation are usually a set of recommendations to the public body or trustee to prevent a similar breach from occurring again, not to take punitive actions or award damages.

If a breach has been proactively reported to our office, we open a file and will assess the organization’s response. Filing a complaint with our office likely won’t change the outcome of our investigation; however, we are more likely to release a public report if complainants decide to come forward.

If you decide to file a complaint, it is important to note that you will be named to the public body or trustee as the complainant; however, if a report is issued by our office, you will NOT be named publicly.

I hope this helps to give you a starting point and clarify what you can do or how our office may become involved if you receive a breach notification from a public body or trustee. If you have questions or concerns about a breach notification, you can contact us at intake@oipc.sk.ca or at 306-787-8350.

Discussion with Kris Klein, Managing Director of IAPP for Canada

IAPP is an international organization with a focus on access and privacy around the world. In this podcast, Kris Klein, managing director of IAPP for Canada, talks about how the IAPP association has grown both internationally and in Canada.

For more on this discussion, you can listen here.

Two Changes in the Rules of Procedure

When my office finalizes a Report, we send it to many people. Recently we realized that those who are interested have two ways of being alerted about our Reports.

First, they can sign up for our RSS feed and each time something is added to our home page, they will receive an email. That would include each new Report that we post.  Second, if one signs up to follow us on Twitter, we tweet every new Report that is posted to our website. So, knowing those interested have a way to access our new Report, we have amended our rules so that we email the Reports to the applicant, public body and third party.

Second, we have recognized that the responses under section 7 of The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and section 36 of The Health Information Protection Act (HIPA) are decisions of the head. Rather than calling them letters or responses, we have changed to calling them “decisions”.

You can find the amended Rules of Procedure here.

Finally, we have updated the Guide to Submissions to reflect changes we have made over the summer and fall. You can read the amended Guide here.

Learning about Digital ID

I had the pleasure of discussing and learning about digital IDs, which some call digital credentials, with Cosanna Preston-Idedia. Cosanna is the Vice President, Advisory Services for the Digital Identity Laboratory of Canada.

During our discussion, Cosanna provides insight into the current state of affairs with digital credentials internationally and in Canada.

“what we are trying to do in the digital space is say ‘ok, how do we take those physical documents and use them in the digital way that we can trust that the document is the right document, that we have confidence that we are showing it to the right person’, and that’s really what digital identity and digital credentials are trying to do…what we are trying to do, is create the digital equivalent of a government issued photo ID.”

If you would like to understand what this is all about, please give the podcast a listen here.

 

Bill 101 Amendments to the CFSA

The Minister of Social Services has tabled Bill 101 with amendments to the CFSA. The Commissioner suggested the Minister consider some amendments that would improve the legislation.

The open letter can be read here.

Raising Awareness of the Facts about Fax

The ongoing use of traditional fax machines to send personal information and personal health information by government institutions and trustees continues to raise privacy concerns. My office and Canada’s other privacy commissioners and ombudspersons called for a concerted effort to phase out the use of traditional fax machines in a September 2022 resolution which can be found here. We understand that developing this plan will require broad consultations and additional resources. However, we continue to urge organizations to address this problem on an urgent basis. Public trust and confidence in organizations’ ability to protect Saskatchewan residents’ personal information and personal health information hang in the balance.

In the meantime, we continue to receive complaints and reported breaches of misdirected faxes that are caused in part by human error. Staff may enter a number in the fax machine incorrectly, fail to comply with policies that require the use of pre-programmed fax numbers or rely on fax numbers found through unverified sources, such as Google. These errors are often caused by inattention, or lack of awareness or training on applicable policies. Our latest misdirected fax investigation report was issued in November 2022. It involved two Saskatchewan Health Authority (SHA) employees who entered an incorrect fax number in the fax machine. They sent one of the faxes to a Town instead of a public health office. They sent the other fax to the Parole Board of Canada’s office instead of a physician.

In September 2020, my office issued guidance on the safeguards to prevent misdirected faxes titled, Faxing PI and PHI. While plans are being developed to discontinue the use of traditional fax machines, every effort must be made to ensure that appropriate safeguards are in place to prevent faxes from going astray. We encourage all organizations to revisit this guidance.

To help ensure that staff are aware of their need to comply with existing policy and to exercise caution when using fax machines, we have developed a poster that you can download and place in key areas near fax machines.

Remember that a policy is not enough! Creating a privacy sensitive culture requires that organizations raise levels of awareness of privacy risks and provide appropriate training.

For more information about how to reduce the risks of using traditional fax machines while your organization implements its plan to phase them out, the Office of the Privacy Commissioner of Canada has developed some tips that can be found here.
