Privacy Commissioner of Canada announced his office is launching a joint investigation into OpenAI

Federal Privacy Commissioner launches new guidance on workplace privacy

Cybersecurity: Best Practices for Setting Up a Security Operations Centre

Alberta IPC finds risk of significant harm from stolen server.

Steps for effectively deploying multi-factor authentication.

Concerns about AI

Federal Privacy Commissioner issued updated guidance on privacy in the work place

Ontario IPC and HRC issue joint statement on implementing guardrails on the public sector’s use of AI

Federal Privacy Commissioner-Erroneous quarantine notifications from ArriveCAN

Good practices, social media and children

Who is “Fake Ron”?

Who is “Fake Ron”?

Staff in my office received an email from me, but it wasn’t from me. They dubbed it, “Fake Ron”. Apparently, I wanted the recipient of the email to do me a favor. This fake email attempting to use my name is a good reminder to me and the staff of my office that there are many people out there dreaming up schemes to lead or mislead us into doing something.

I recently saw an article headline that said, organization breaches are in many instances caused by human error. The 2022 Horizon report on data breaches found that hackers tend to exploit human error to get initial access, particularly through the use of phishing scams.

Sometimes we very innocently click on a link, which results in some malware slipping into our system. So, the “Fake Ron” email has been a good reminder here to be always vigilant and watching for the thing that does not feel right or is too good to be true.

This has caused our office to begin discussing how we might from time to time test our vigilance and readiness – just like we have fire drills.


Learned Helplessness in the World of Data Privacy

A theory in the study of psychology suggests we simply give up if we believe we have no control over what happens to us. This theory, discovered by psychologists Martin Seligman and Steven Maier, is known as “learned helplessness.”

The theory is straightforward: when we are subjected to something repeatedly and feel as though we cannot change the outcome, we just accept the outcome. For example, if we continually fail at something we try hard to accomplish, at a certain point we accept we will always fail, and so we resign ourselves to failing. Or we just stop trying.

How, then, does this theory apply to the world of data privacy? A recent news article on Tim Hortons’ violation of privacy rights in Canada suggests how.

In 2019, Tim Hortons updated its app to include the collection of geolocation data. That meant when you downloaded the app it would track your location and report that data back to Tim Hortons. In 2020, a Financial Post journalist found, through location data Tim Hortons was collecting on him, that Tim Hortons had collected information on where and when he traveled, including when he traveled on overseas vacations. In total, Tim Hortons had collected thousands of pieces of location data on him, and not just from when he was using the app.

After reports such as this came out, the Privacy Commissioner of Canada decided to open an investigation into the Tim Hortons app. Recently, he concluded Tim Hortons had violated Canada’s privacy laws by collecting more information from its customers than it required. He also found Tim Hortons was collecting data outside the reasons it cited for collecting the data in the first place.

While Tim Hortons claims to have removed geolocation tracking from its app and destroyed the data it collected, the fact such tracking occurred represents a larger issue with how much data we give away. Often, we do this without fully understanding what we are giving away or why. At a certain point, we may just accept it as the cost of doing business, shrug our shoulders and submit. We know, for example, we cannot participate in Tim Hortons’ giveaways without the app, so we download the app and resign ourselves to any associated negative consequences.

Tim Hortons stated it did not intend to use the location data it had collected in nefarious ways – or at all – but arguably such data can be invaluable to large corporations. Corporations are often faced with problems such as knowing the best places to open new locations or creating the types of products customers are likely to purchase or consume based on their lifestyle. Vast quantities of data can help them quickly and easily solve such problems.

Tim Hortons is not the first corporation to be caught in a data scandal of this nature. In early 2018, Cambridge Analytica, a data analytics firm based in the United Kingdom, was found to be collecting the personal data of millions of Facebook users without their consent. It was doing so to direct certain types of political advertising towards certain users. In so doing, it is said to have helped influence political campaigns and outcomes in the United States. It is even said to have helped influence the outcome of Brexit.

All this comes back to the concept of learned helplessness and how it applies to individual data privacy. When events such as Tim Hortons and Cambridge happen repeatedly, and laws do not change in ways that fully protect our data privacy rights, we may subconsciously – or consciously – submit to the tactics corporations use to scoop our data. That is, we may just accept there will be unexpected consequences. We no longer weigh the risks, and instead focus on what we think are the rewards.

There are simple ways, though, we can protect our personal data. Consider the following:

  1. The more you share online through social media apps such as Facebook, the more data there is out there on you. That leaves more data about you that corporations can collect to learn about your preferences and habits. They can then use this information, for example, to target you with specific types of advertising.
  2. Think about what specific data you share online and if it is necessary to share it for what you are doing. If it does not seem like a corporation or other entity requires certain data, do not provide it, or at the very least ask them why it is necessary for them to have it. Also see if there is the opportunity to opt out of the data collection.
  3. Keep your social media networks small, and your social media network activity private. Accept only those you know into your social media network and check your privacy settings to ensure only those in your network can see your activity.
  4. Beware of seemingly harmless social media quizzes that ask questions such as the name of your first pet or car you owned. Ask yourself – do these sound like the security answers I use for my online banking? If they do, it is probably not a coincidence.
  5. When you do set up answers for security questions, consider an answer that is not true but still something you will remember. That way, when you say on Facebook your first pet was named “Spot,” at least you know it will not be one of your security answers.
  6. Use private browsers when surfing online as they delete cookies, temporary Internet files and your browsing history.
  7. Use strong passwords and two-factor authentication. Using two-factor authentication requires you to enter a special code the site texts to your phone. When logging into a new or unknown device, you will need this code to log into your account. Others trying to get into your account using unknown devices will then not be able to without the code.
  8. Do what most of us do not do – read the fine print. Review privacy statements and policies to know what data on you a corporation will collect, why they will collect it, how they will use it and for how long, and what you can do if you suspect that corporation is violating its own privacy terms.

Had it not been for a few individuals digging deeper into the Tim Hortons app, we might have never known what was happening. Corporations love data, even if they do not have an immediate purpose for it. There are many steps you can take to protect your data privacy. Think about what data you are putting out there and how it can be used against you, then take even just small steps to protect your privacy. You do not have to resign yourself to learned helplessness – take the time to learn what you can do to protect your data privacy.


Absurd Results: Part II

In 2017, the Commissioner posted a blog entry about absurd results. He provided examples of absurd results that can be reached when interpreting and applying The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and The Health Information Protection Act (HIPA). He emphasized that public bodies take a liberal approach to these three statutes and provide as much of the record(s) to applicants as is possible.

Since 2017, my office has dealt with more reviews that involve absurd results. Therefore, in this blog, I’m revisiting this topic once again.

When an individual submits an access request to a public body, that individual would be denied access to the personal information of others. In Saskatchewan, government institutions would deny access to third parties’ personal information pursuant to section 29(1) of FOIP. Local authorities would deny access to third parties’ personal information pursuant to section 28(1) of LA FOIP. That is, the application of section 29(1) of FOIP and section 28(1) of LA FOIP to third party personal information is meant to prevent the unauthorized disclosure of personal information, which is one of the purposes of FOIP and LA FOIP.

However, what happens when Person A provides information about other individuals to a public body? An example is when an individual provides a witness statement to a police service about a matter they had witnessed involving other individuals. If Person A submitted an access to information request to the police service for the witness statement containing other individuals’ information, would Person A be denied access to the witness statement?

An “absurd result” occurs when a public body applies an exemption to withhold records that contradicts the purpose of the legislation. Using the example described above, Person A originally supplied the third party personal information to the police service. it would be an “absurd result” to withhold the information from Person A pursuant to either section 29(1) of FOIP or section 28(1) of LA FOIP.

In my office’s Review Report 215-2020, the Commissioner discussed a matter where the local authority withheld portions of emails that the Applicant had originally supplied to the local authority. The Commissioner found it would be an absurd result to withhold portions of these emails from the Applicant even if the emails contained the personal information of third parties. The Commissioner recommended the release of the records in their entirety to the Applicant.

Also in Review Report 215-2020, the Commissioner cited a decision by the Office of the Ontario Information and Privacy Commissioner (ON IPC) that noted two other circumstances in which the ON IPC found the absurd result principle to have applied: 1) where the requester was present when the information was presented to the public body, and 2) where the information is clearly within the requester’s knowledge.

When determining if exemptions set out in Parts III and IV of FOIP and LA FOIP apply to a record, government institutions and local authorities should consider whether applying the exemption to a record would manifest in an absurd result. If so, then perhaps the government institution or local authority should consider releasing the record to the applicant.

Annual Report tabled today

I am pleased to have tabled my 8th Annual Report with the Honorable Randy Weekes, Speaker of the Legislative Assembly of Saskatchewan.  In that report, I focus on four issues.

The first is the need for a Saskatchewan digital ID. I encourage this with certain understandings.

Second, I discuss Virtual Health Care platforms and ten suggested considerations for health care providers and patients to consider.

Third, I repeat the call for changes to prevent so many misdirected faxes.

Finally, I summarize the recommendation for legislative changes to access and privacy legislation.

If you think I am the only commissioner focused on digital issues in their province, I note the Annual Report of the Ontario Information and Privacy Commissioner discussing “Setting the cornerstones of a digital Ontario”.

I discuss these issues in a news release and a video posted today. Our office authorizes the use of quotes, excerpts and/or clips of the video, in part or in whole for relevant media coverage regarding our Annual Report.

Saskatchewan Information and Privacy Commissioner Tables 2021-2022 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, Q.C., has tabled his office’s 2021-2022 Annual Report: Time for a Digital ID, with the Legislative Assembly.

In his report, the Commissioner addresses the need for the development of a Digital ID for Saskatchewan residents, the move toward virtual health care, the systemic issue of misdirected faxes and recommendations for legislative change.

Digital ID

As several other Canadian provinces shift towards the use of a digital ID, it is the hope that Saskatchewan develops a digital ID that meets the needs of our province. Commissioner Kruzeniski states:

“I would hope the Government of Saskatchewan continues to consult, educate and explain the benefits of a digital ID for citizens of our province. My hope is that Saskatchewan develops a digital ID that meets our province’s needs, maximizes the benefits and minimizes the risks.”

Virtual Health Care

Virtual heath care has increased as a result of the Covid-19 pandemic and consideration is required to ensure that personal health information is adequately protected. Commissioner Kruzeniski outlines ten expectations that should be considered as these virtual care initiatives move forward.

Spotlight on Misdirected Faxes

Over the last decade, there has been concerns with misdirected faxes which continues to be a systemic issue impacting patient privacy and the delivery of patient care. Several recommendations have been made to collectively address this concern including the elimination of traditional fax machines.

Recommendations for Change

The Commissioner concluded by summarizing the recommendations for legislative change to amend The Freedom of Information and Protection of Privacy Act, The Local Authority Freedom of Information and Protection of Privacy Act and The Health Information Protection Act. The goal is that these recommendations will address the gaps and challenges with the legislation as we move from a paper-based society to a digital one.

The Commissioner’s 2021-2022 Annual Report which includes: accomplishments, goals for the future, a thorough statistical report and recommendations for the development of a digital ID, virtual care initiatives, handling of misdirected faxes and legislative change can be viewed here.

A video containing the Commissioner’s comments on the Annual Report can be viewed here.


Media contact:

Julie Ursu, Manager of Communication

Telephone: 306-798-2260


Saskatchewan Information and Privacy Commissioner Tables 2021-2022 Annual Report

BC Special committee’s recommended changes to the Freedom of Information legislation

A special committee of the British Columbia (BC) has tabled its report making 39 recommendations to amend BC’s Freedom of Information and Protection of Privacy Act. You can read their report here.

The BC Information and Privacy Commissioner has issued a news release regarding the special committee report. You can read his statement on BC’s OIPC website.

Recommendations focused on:

  • measures to enhance proactive disclosure
  • a duty to document key decisions and actions of public bodies
  • a cohesive and robust information management framework in government
  • retention of the data residency requirement
  • extension of the Act to cover additional public bodies
  • changes to timelines and the right to anonymity
  • mandatory notification about significant privacy breaches
  • oversight by the Commissioner of automated decision-making
  • requiring consultation with the Commissioner when legislation has access and privacy implications and
  • the legislation would apply to the administrative function of the legislative assembly

The updating of the freedom of information and privacy legislation continues across our country.




Discussion with Daniel Therrien on his leaving office

Daniel Therrien was appointed the federal Privacy Commissioner in 2014. His appointment ended on June 3, 2022. Before his leaving office, I had a chance to discuss his eight years as Privacy Commissioner. We talked about the challenges, the accomplishments, and his outlook for the future.

Please click the link here to hear our conversation.


Open Banking

My discussion with Professor Teresa Scassa regarding open banking has just been posted. Professor Scassa is an expert in the area of information law which includes the issue of open banking.

We discussed the direction the country is going and the implications for our province. Please have a  listen here.

Privacy regulators call for legal framework limiting police use of facial recognition technology

Yesterday, the heads of Canada’s privacy protection authorities issued a joint statement recommending legislators develop a legal framework that establishes clearly and explicitly the circumstances in which police use of facial recognition may be acceptable.

In the joint statement, privacy regulators say a new legal framework for regulating police use of facial recognition technology should include:

  • A clear and explicit definition of the limited purposes for which police use of facial recognition would be authorized, and a list of prohibited uses. “No-go zones” should include a prohibition on any use of facial recognition that can result in mass surveillance.
  • Strict necessity and proportionality requirements. Legislation should require police use of facial recognition to be both necessary and proportionate for any given deployment of the technology.
  • Independent oversight. Police use of facial recognition technology should be subject to strong independent oversight. Oversight should include proactive engagement measures. Police should be required to obtain pre-authorization from an oversight body at the program level, or provide it with advance notice of a proposed use, before launching a facial recognition initiative.
  • Privacy rights and protections. Appropriate privacy protections should be put in place to mitigate risks to individuals, including measures to ensure the accuracy of information and placing limits on how long images can be retained in police databanks.

Released along with the joint statement is a guidance document to clarify police agencies’ privacy obligations relating to the use of facial recognition under the current legal framework.

Copies of both documents along with comments by the Ontario Privacy Commissioner are available at the following:

Discussion with Dr. Khaled El Emam on synthetic data

Dr. El Emam and others have just completed a report on “Pan-Canadian Descriptive Study of Privacy Risks from Synthetic Data Generation Practices within the Evolving Canadian Legislative Landscape.” The report was completed in March of 2022 and submitted to the Federal Privacy Commissioner. Dr. El Emam is an expert in the area of synthetic data. He talks about the conclusions in the report and suggests that the time for studying synthetic data is over and it is now time for innovation in Canada.

The report will be available on the Federal Privacy Commissioner’s website soon. Keep checking.

To hear more about this discussion, please check out our most recent episode of Un-redacted, The Sask IPC Podcast here.