AI Notetakers – the risks and benefits

UN adopts AI resolution which focuses on safety

Ontario school boards sue makers of Facebook, Instagram, Snapchat and TikTok

Tennessee Elvis Act, replication of voices” by AI

Australian government proposes to implement AI changes

Podcast -Ontario IPC discusses facial recognition

Draft American Privacy Act introduced

Best practices in safeguarding data

Podcast: Hill Times political parties and privacy

Cheat Sheet for the proposed American Privacy Rights Act

The Search for Personal Health Information

The Search for Personal Health Information

When a patient makes an access to information request for their personal health information, the search for responsive records may not be as easy as just checking out the health records department. The Health Information Protection Act (HIPA) applies to all personal health information in the custody or control of a trustee which includes all government institutions. All records, in any form, that are responsive to the request, must be identified, located, retrieved and ready for release within 30 calendar days.

The right of access by a patient or an applicant extends to all personal health information that is in the custody or under the control of the trustee regardless of who created it, where it came from, how old it is or how it is stored.

Records may be in paper or electronic form whether found in a file drawer, legacy system, electronic medical record (EMR) or electronic health record (EHR). Electronic or digital records include electronic documents such as word-processed documents, spreadsheets, email, digital photographs, scanned images and electronic data, such as information stored in databases or in registries or in rarer cases, back-up tapes.

Regardless of the medium, a thorough search needs to be conducted. For instance, this office dealt with a request for access to records from the 1960s. The records existed on microfiche only so the trustee had to find a way to read and copy even though the trustee no longer had the technical capability. The take-away lesson is that, as long as records have not been destroyed, access rights of the individual remain intact, and records need to be produced wherever they reside.

A request for access may be unduly general or vague because the applicant lacks knowledge of the trustee’s operations or programs and the type of health records that may exist. These types of requests may prove challenging for a large trustee organization (i.e., Saskatchewan Health Authority) as could require a search of all facilities, program areas and information systems depending on the scope of the request. This is why communicating with the applicant early on in the process to clarify the request is critical. This communication is also in keeping with a trustee’s obligations under section 35 of HIPA.

Section 35 of HIPA is the express duty to assist which requires a trustee to make every reasonable effort to assist an applicant and to respond to each openly, accurately and completely. This means that if the applicant does not understand what types of records may exist, the trustee should explain what is available and how to get it. For example, many may not realize that eHR Viewer event audit reports are available through eHealth Saskatchewan upon request.

The responsibility to maintain records may fall to many different individuals at different times resulting in records being temporarily retained on the unit, in individual employee’s offices, managed off-site by an information management service provider (IMSP) or put into storage while waiting to be culled (i.e., non-active files). When applicable, records in the physical possession of contracted agencies may also have to be located as may have records responsive to an access request (e.g., independent medical examination).

Also, a search at one time may reveal responsive records, but not necessarily all. For instance, what about records that are in the queue, (i.e., not yet dictated)?  Patient care is not static.  There will always be new responsive records being generated.

There are some exceptions to the right of access. For more advice on this and search and preparation of responsive records, see the IPC Guide to HIPA at https://oipc.sk.ca/guides/ipc-guide-to-hipa/.

In closing, the best advice that I can give is to start with a search strategy by talking to the ‘people in the know’ before proceeding (e.g., record or health information managers).  It will save you a lot of time in the long run!  And don’t forget to document both your search strategy and keep details of the actual search.  In the event a review is undertaken by my office, those details may be requested and should speed up the process for all involved.

Managing Electronic Records

One of the many challenges an organization may face when transitioning from paper-based to electronic records is ensuring proper records management processes are in place. While paper records can be easily organized and stored while waiting for retention periods to be met, electronic records can take a bit more work.

Our office has succeeded in phasing out paper-based records and now deals strictly with electronic records. These documents are stored until they reach their retention period, at which time an electronic records disposal process is followed.

As saving large volumes of electronic records can easily become disorganized, they should be organized in accordance with the records management schedules that your organization follows to assist in easily locating all documents.

Our office follows the Administrative Records Management System (ARMS) and the Operational Records System (ORS). I am currently in the process of organizing our electronic records to be in accordance with ARMS and ORS and conducting electronic disposals. As the scope of this project is overwhelming, I decided the best course of action was to split this into two different phases; organizing the documents and completing an electronic disposal. I am currently finishing up phase 1 and hope to start phase 2 soon.

Phase 1:

Before a record can be disposed of, you need to know the retention period that it falls under. Our ARMS and ORS schedules lay out different record series (which are like categories of records), list examples of the types of documents that fit into the series and state what the retention period of each series is. When organizing these records, my first step was to determine whether the record was under ARMS or ORS to know which schedule to follow. I proceeded with creating a folder for each of the different record series under ARMS and went through each existing folder/document to determine which record series folder to move it to. To make it easier to locate information, I created some subfolders within the record series folders and moved related records into those folders. For records management retention purposes, I created fiscal year folders within each record series or subfolder and sorted all documents out by year. For records saved that have no real value and do not fall under a record series but might be good to keep for a short period of time, I created a transitory folder to move those documents to.

Here is an example of what the structure may look like when complete:

ARMS – Name of ARMS Record Series – Subfolder to sort related documents under a record series – year folder – individual documents

During phase 1 we did come across one issue with the length of file paths and have a blog titled File Path Frustrations that provides some helpful information.

Phase 2:

Once phase 1 is complete and the electronic records are organized, it will be easier for me to proceed with electronic disposals. Using our ARMS or ORS schedules, I will be able to see what the retention period for each records series is, go to that record series folder and see if there are any year folders with documents up for disposal. I will then need to go through each document a second time to ensure it was placed in the correct folder and then follow our disposal process. When I get started on this phase, I am hopeful the work from phase 1 assists in making this a smooth process.

Having all organizational information saved electronically is an exciting time and when properly managed, can make records management a very streamlined process. Hopefully this blog can assist some who are starting this process. Happy organizing!

Ontario – Using Faxes in Health Care

In Saskatchewan, my office has done numerous reports on misdirected faxes. See our blog Raising Awareness of the Facts about Fax.

The access and privacy commissioners across Canada have passed a resolution encouraging the discontinuance of fax machines in the health care sector. See the resolution. The Federal Privacy Commissioner has issued an updated guidance on faxing personal information.

The Ontario government has taken a step toward eliminating the fax machine in the health care sector. The Ontario Information and Privacy Commissioner issued its review of the high number of privacy breaches at St. Joseph’s Healthcare Hamilton due to misdirected faxes. In a blog for Privacy Day, the Ontario Commissioner Patricia Kosseim commented further regarding misdirected faxes in Ontario.

The Ontario government has announced that it would put in place a plan to support phasing out fax machines and that fax machines will be phased out over the next five years. For details see this CBC article.

I am hopeful that the progress in Ontario will help cause the heath sector across Canada, and particularly in Saskatchewan, to accelerate plans to phase out faxes.

Live Streaming a Public Meeting

The Legislative Assembly broadcasts its proceedings over the internet. Each word spoken by an MLA is recorded and published in HansardHansard is available to the public. Similarly, committees of the Legislative Assembly are public, sometimes broadcasted and recorded in Hansard. Both video and text are available on the Legislative Assembly website at (www.legassembly.sk.ca/). Committees can decide to go in-camera but motions and decisions are made in the public portion of the meeting.

All cities, towns and municipalities are required to have public meetings. Regina, Moose Jaw, and Saskatoon live stream their council meetings and Regina and Moose Jaw broadcast through the local cable company. The cities post their agenda and minutes on their website and allow access to archived council meetings. Saskatoon live streams some of its committee meetings. Of course, council or a committee can have an in-camera session, but motions are required to be passed in a public meeting. Other cities and towns post their agendas and minutes to their website.

School boards are also required to hold their meetings in public. The minutes of these meetings are available for inspection. The Regina Public School Board live streams its meetings, and its agendas and minutes are available on its website. Other school boards do post their agendas and minutes on their website.

All of the above leads to greater transparency of our elected officials. For those public bodies whose meetings are required to be public, I would encourage they look at live streaming of their Board or council meetings. Technology is now available that makes live streaming relatively easy and inexpensive. The geography of our province makes it beneficial to citizens when public bodies live stream their meetings. I would encourage those cities, towns, villages or school boards to develop policies and practices that would facilitate the live streaming of all of their public meetings.

The Legislation Act- Things to Know

I had formerly prepared a blog that discussed The Interpretation Act, 1995 and some things to look out for as it relates to FOIP and LA FOIP.  However, The Interpretation Act, 1995 was replaced in May 2019 by The Legislation Act (Legislation Act), so this blog has been updated to reflect those changes.

There are countless numbers of statutes in Saskatchewan governing everything from animal protection to workers compensation. But, the Legislation Act is a very unique statute that I would like to draw your attention to.   What makes the Legislation Act so special?  Well for one, it applies to every enactment in Saskatchewan (unless otherwise noted in the Legislation Act).  Secondly, the Legislation Act essentially guides us in how to interpret Saskatchewan statutes.

Let’s take a look at two areas where the Legislation Act guides us in interpreting Saskatchewan’s access and privacy laws – calculation of time and repealed statutes.

Calculation of Time

Subsections 7(2) of The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) provide, “The head shall give written notice to the applicant within 30 days after the application is made…” [emphasis added]. Based on the Legislation Act, the following can be applied for calculating 30 days under FOIP and LA FOIP:

  • The first day the access request is received is excluded in the calculation of time [subsection 2-28(3) of the Legislation Act]
  • If the due date falls on a holiday, the time is extended to the next day that is not a holiday [subsection 2-28(5) of the Legislation Act]
  • If the due date falls on a weekend, the time is extended to the next day the office is open [subsection 2-28(6) of the Legislation Act]
  • As FOIP expresses the time in a number of days, this is interpreted as calendar days, not business days.

It’s important to note that the Legislation Act does not allow for additional time when it is your personal holiday, scheduled day off or if you were away from the office due to illness.

For more information on the calculation of time in FOIP and LA FOIP, please see Chapters 3: Access to Records of IPC Guide to FOIP and IPC Guide to LA FOIP.

Repealed Statutes

There are countless numbers of statutes referenced in FOIP, LA FOIP and The Health Information Protection Act (HIPA).  So, what happens when one of those laws is repealed and replaced by a new statute, but FOIP, LA FOIP or HIPA (or any other Saskatchewan statute for that matter) has not been amended to reflect the new statute?

Here is an example to help. In LA FOIP, subsection 2(f) outlines bodies that are local authorities, and therefore subject to LA FOIP.  Subsection 2(f)(vi) of LA FOIP includes a local authority as being, “… the board of a public library within the meaning of The Public Libraries Act, 1984.”  There is one problem – The Public Libraries Act, 1984 was repealed and replaced with The Public Libraries Act, 1996.

So does that mean library boards are caught in a loophole and not subject to LA FOIP?  Not the case.  Again, we turn to the Legislation Act to help us out.  Subsection 2-8(10) of the Legislation Act provides:

2-8(10) After an enactment is repealed and a new enactment is substituted for it, a reference in an unrepealed enactment to the former enactment is, with respect to any subsequent transaction, matter or thing, deemed to be a reference to the provisions of the new enactment relating to the same subject-matter as the former enactment, but, if there are no provisions in the new enactment relating to the same subject-matter, the former enactment is to be interpreted as being unrepealed insofar as is necessary to maintain or give effect to the unrepealed enactment.

Confused yet? A helpful way to work through this is by actually inserting the names of the statutes:

2-8(10) After an enactment is repealed [The Public Libraries Act, 1984] and a new enactment is substituted for it [The Public Libraries Act, 1996], a reference in an unrepealed enactment [The Local Authority Freedom of Information and Protection of Privacy Act] to the former enactment [The Public Libraries Act, 1984] is, with respect to any subsequent transaction, matter or thing, deemed to be a reference to the provisions of the new enactment [The Public Libraries Act, 1996] relating to the same subject-matter as the former enactment [The Public Libraries Act, 1984], but, if there are no provisions in the new enactment [The Public Libraries Act, 1996] relating to the same subject-matter, the former enactment [The Public Libraries Act, 1984] is to be interpreted as being unrepealed insofar as is necessary to maintain or give effect to the unrepealed enactment [The Public Libraries Act, 1996].

For the purposes of LA FOIP, even though The Public Libraries Act, 1984 was repealed and replaced in 1996, the Legislation Act takes care of that gap and public libraries are still subject to the provisions of LA FOIP because of subsection 2-8(10) of the Legislation Act.

 

Flip These Resources

Our office has been busy transforming the way our resources look to provide a more creative and interactive experience than a typical pdf. We have been converting various pdf resources on our website with flipbooks. Once complete, they will be available under the resources tab. Don’t stress, you will still have the ability to access all our resources via pdf.

A flipbook has a variety of benefits over and above their visual appeal. There is the ability to include video, GIF’s, animation and even make your own notes.

Ugh, I need to learn when to stop talking and explaining and just show you. However, before I begin, if you require an accessible pdf version of the flipbook instructions, they can be found here Flip These Resources.

Otherwise, to see how the flipbook works, click on the book below and open to full screen by selecting the icon on the far right of the bottom toolbar.  Now, let’s get started…….

Flip These Resources

How to Complain (Effectively)

Before our office can investigate a privacy complaint, the concern needs to be raised in writing to the public body or health trustee that you believe breached your privacy.  A thoughtfully crafted complaint makes it easier for the health trustee or public body to work with you to find a solution to your concerns. It also makes it easier for our staff to understand the situation if you need to engage our office as a last resort.  Here are a few things to keep in mind:

Send it to the Right Place and the Right Person 

Your complaint should be addressed to the health trustee or public body that you believe breached your privacy.  If possible, try to send it directly to their Privacy Officer.  This might mean doing an internet search or making a telephone call to get the right contact information.  For a list of access and privacy contacts in the Government of Saskatchewan, please click here.

If you can’t find contact information for a Privacy Officer, you can direct your letter to the “head” of the public body or health trustee, as they are responsible for compliance with privacy laws. 

Be Specific and Include Evidence

Tell the public body or health trustee exactly what personal information or personal health information of yours has been breached, by whom, and when. Explain why you think the collection, use, or disclosure of your information was inappropriate, and what you would like to see happen to rectify the situation. If you have any evidence of the privacy breach, you can provide copies to substantiate your claims.

Be Clear that this is a Formal Complaint and Give a Timeline

It is not your responsibility to support your complaint with references to specific sections of the legislation – you certainly can, but you don’t have to.  That said, including a statement that you are making a formal privacy complaint under The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), or The Health Information Protection Act (HIPA), and requesting a response within 30 days should make it clear to the public body or health trustee that your complaint requires a timely response that complies with the legislation.

Retain a Copy and Keep Track of the Date

If you ask our office to investigate a privacy concern because you are dissatisfied with the health trustee or public body’s response to your complaint, we will ask for a copy of the complaint you sent and proof of the date it was submitted.  If you submit your complaint as an email, request a read-receipt and hang onto a copy.  If you send it as a letter, we recommend using registered mail, and again, keep a copy for your records.

For more information about the complaint process, please visit our webpage How do I resolve a privacy complaint?

For more tips and a sample letter, the Office of the Privacy Commissioner of Canada has a helpful page – their office covers a different jurisdiction, but their process is similar.  Visit Tips for raising your privacy concern with a federal government institution.

What to do if you Receive a Privacy Breach Notification

Receiving notice that you are an affected individual in a privacy breach can be stressful, and you may be wondering what your options are. Here are some answers to common questions that our office receives when people find out that they may be impacted by a privacy breach.

Why am I receiving this notice?

Generally speaking, a privacy breach occurs when personal information or personal health information is collected, used, or disclosed inappropriately. This can be a result of many different situations, from intentional breaches like cyber-attacks or employee snooping, to more mundane things like poor policies, procedures, or training leading to mistakes in handling sensitive information. A person whose information was compromised by the breach is called an “affected individual.”

Whether or not The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and/or The Health Information Protection Act (HIPA) require that notice be provided to an affected individual in the event of a breach, our office encourages notification as a best practice.

Every breach is different, so if you’ve received a notification that you are an affected individual in a privacy breach, it’s important to read it carefully. The public body or trustee might be telling you that your information has been compromised, or it might be telling you that your information may have been compromised. To learn more about what should be included in a breach notification, check out our previous blog, Notifying Affected Individuals: What should I put in the letter?

What questions should I be asking the public body or trustee?

When I receive calls from affected individuals, a lot of people are at a loss to know what to do or even what questions they should be asking the public body or trustee. Again, every breach is different, but here some basic things you may want to clarify:

  • What information about me has or may have been breached? Who has it? Did the public body or trustee get it back?
  • What was the nature of the breach? Was it malicious (e.g. the breach involved theft or employee snooping), or was it accidental (e.g. information was left unattended or a staff member made a mistake)?
  • Could this breach harm me? If so, what steps is the public body/trustee taking to mitigate the potential risk? What steps can I take to protect myself?

Who should I call if I have questions or concerns about this notice?

 If you have questions about the breach itself or how the public body or trustee is dealing with it, you should call the individual from the organization listed in the notification; that person will have the most direct knowledge of the situation and what is being done to contain and address the breach. They often have the title of Privacy Officer.

When should I engage the IPC?

The first step is always to contact the public body or trustee to determine whether your concerns are already being addressed.

If you are not satisfied with how the public body or trustee is handling the breach, you can make a complaint to our office. If the breach has not been proactively reported to us, we will determine whether we have jurisdiction and grounds to investigate.

If the breach was proactively reported, we will likely already have an open investigation. You can request that our office add you formally as an affected individual/complainant. If you don’t want to submit a complaint, but you do want to know the results of the investigation, you can ask to receive a copy of the report, if one is created. To be included as a complainant or to receive a copy of the report of the investigation into the breach, we will ask you to submit a copy of the notification letter you received from the public body or trustee.

What does filing a complaint with the IPC do?

When you file a complaint with our office, it’s important to think about what you hope will come of an investigation – is it learning more about how your privacy was breached, assurances about what steps that will be taken to prevent a future breach, or even getting an apology? Our staff will ask you about this early in the complaint process as a way of clarifying what your concerns and expectations are in the situation. It’s important to note that our office does not have order-making powers; the results of an investigation are usually a set of recommendations to the public body or trustee to prevent a similar breach from occurring again, not to take punitive actions or award damages.

If a breach has been proactively reported to our office, we open a file and will assess the organization’s response. Filing a complaint with our office likely won’t change the outcome of our investigation; however, we are more likely to release a public report if complainants decide to come forward.

If you decide to file a complaint, it is important to note that you will be named to the public body or trustee as the complainant; however, if a report is issued by our office, you will NOT be named publicly.

I hope this helps to give you a starting point and clarify what you can do or how our office may become involved if you receive a breach notification from a public body or trustee. If you have questions or concerns about a breach notification, you can contact us at intake@oipc.sk.ca or at 306-787-8350.

File Path Frustrations

Good records management assists in compliance with access and privacy obligations. It requires properly identifying and classifying records. For electronic records, files need a meaningful name and categorization. This all seems simple, but what if your system is working against this goal, and you cannot properly name your files?

We encountered this issue after switching to M365. We follow the Administrative Records Management System (ARMS) and the Operational Records System (ORS). Documents are managed using folders and subfolders in Windows file explorer unless they pertain to a case file, as those are stored in a separate system. Windows file explorer has a 255-character limit for file paths. I had never encountered the 255-character limit before. I was frustrated.

How can I manage our records if I cannot name them as I see fit? In some instances, the file path was too long and we could not open files. File explorer cut off file extensions, and neither I nor the system could tell what program opened the document. We tried to name something in a meaningful way and ran out of characters. We made our file names as short as possible as a band-aid solution, but this also made them harder to identify.

After several months of this struggle, we found a solution which reduces the risk of hitting the 255-character limit and I would like to share it. Hopefully a public body, local authority, or trustee will be saved from the 9-month headache I had.

Before we get going here is a typical file path you might see when following ARMS in Windows file explorer.

C:\Users\<username>\<organization/entity name> \<site name> – General\<Folder Name>\<Sub-Folder>\

This uses up about 97 characters, which will vary user to user.

So, what do you do? The answer is, the shorter the better at every step.

What your IT people can control:

  1. Make the username as short as possible – Existing users converting to M365 may end up with unwanted characters in their username. I was unable to find a way to get rid of these. On new installations the name can be exactly what you want it to be but ask your IT people to keep it short.
  2. Organization/Entity Name – If your organization has a shorthand name or acronym, ask your IT people to use that instead of the full name. OIPC vs “Office of the Saskatchewan Information and Privacy Commissioner” saves a bunch of characters.
  3. Site Naming – Do you need “Administration” or is “Admin” fine or HR instead of “Human Resources”?
  4. Folder syncing – You can configure M365 syncing to Windows file explorer to be for manual or automatic. I learned that automatic syncing uses up precious characters. For instance, my file path when automatically syncing was C:\Users\<username>\<organization/entity name> \<site name> -Documents\General\<Folder Name>\

when I figured out the manual syncing quirk it became:

C:\Users\<username>\<organization/entity name> \<site name> – General\<Folder Name> which saves a handful of precious characters.

What you can (probably) control:

  1. Subfolders and Beyond Naming – Give your folders and subfolders the shortest usable name possible.
  2. Document Naming – If you followed steps one through 5, you will hopefully have more than enough characters to name your files.

Is it too late for me?

If this issue has been plaguing you and your system has already been configured, there is still hope. Steps 5 and 6 can be done at any time. Steps 1 through 4 may need to be done by your IT Department. You will likely need to re-sync your computer, which requires temporarily logging out of M365 and unlinking your OneDrive account from your computer.

Bonus tip 

Even after you have made your file path as short as possible, you might still forget where things should go. Windows file explorer, backed by M365, can quickly find file names and even document contents for things like .doc and .pdf files. As long as you know something about the document, whether it is the name, or some of the content, you should be able to easily search for and locate it. This may come in handy if you are a new FOIP coordinator responding to an access to information request but are not yet fully acquainted with the filing system.

As electronic records management becomes the norm, I hope this blog assists you in managing your records and meeting your access and privacy obligations by making it easier to search for, locate and access records.

Privacy and Transparency in the Digital Identity Ecosystem in Canada

The federal, provincial and territorial Information and Privacy Commissioners across Canada recognize the many potential benefits of a privacy-respecting and secure digital identity for use by Canadians. The development of which is part of a broader global trend intended to enable individuals, businesses and devices to securely and efficiently connect with one another.

To be trusted, digital identities must meet high standards of privacy, security, transparency and accountability; and must not come at the cost of fine-grained tracking and surveillance, increased risk of discrimination, heightened incidence of identity theft, fraud and other harms, or diminished roles for individual users.

In our office’s 2021-2022 Annual Report, Saskatchewan Information and Privacy Commissioner, Ron Kruzeniski, K.C., states

“I would hope the Government of Saskatchewan continues to consult, educate and explain the benefits of a digital ID for citizens of our province. My hope is that Saskatchewan develops a digital ID that meets our province’s needs, maximizes the benefits and minimizes the risks.”

In order to address these potential risks, the federal, provincial and territorial Information and Privacy Commissioners are committed to working with one another, their respective governments and other relevant stakeholders to ensure the responsible design and implementation of a digital identity ecosystem in Canada.

In doing so, they commit to the following:

  • Continually monitor the development of digital identity initiatives.
  • Collaborate between our respective offices to strengthen our collective capacity and knowledge in this area.
  • Stand ready to engage with our respective governments to provide our views and advice on evolving digital ID programs and initiatives in a timely, constructive manner that is conducive to enhancing privacy protections and public trust in the adoption of digital identities.

Finally, the design and operation of privacy-respecting digital identities and a trustworthy digital identity ecosystem should meet various conditions and properties and should be integrated with a legislative framework applicable to the creation and management of digital identities. For more on the list of conditions, including ecosystem properties, role of individuals, governance and oversight, a link to the full resolution can be found here.

 

Media contact:

Julie Ursu, Manager of Communication

Telephone: 306-798-2260

Email: jursu@oipc.sk.ca