UPDATED – Can You Bring an Action or Class Action for the Tort of Violation of Privacy in Saskatchewan?

I was asked whether a person could sue or be part of a class action in Saskatchewan for a breach of privacy. The Privacy Act provides in section 2, that it is a tort, actionable without proof of damage, for a person willfully and without claim of right, to violate the privacy of another. In section 7, the Court can award damages, grant an injunction or any other remedy. In section 8, the right to sue is in addition to any other rights the plaintiff has.

In 2018, the Legislative Assembly amended The Privacy Act to allow an action to be brought for the tort of distributing an intimate image of another person without that other person’s consent. In addition, the amendment allowed a person to sue in small claims court or Queen’s Bench. Thus, an action for violation of privacy could occur in Saskatchewan.

A recent case under The Privacy Act is Bierman v Haidash, 2021 SKQB 44. The Court of Queen’s Bench for Saskatchewan ordered damages of $7,500 and costs of $3,000 against the defendant. The judge stated at paragraph [78]:

[78]…A helpful discussion of damages awarded by Canadian courts is found in Getting to Damages in the Health Information Privacy Context: Is the Cost Worth the Damage? by Liam O’Reilly (April 11, 2016) (CanLII). He writes that despite increased public concern over privacy violations, courts have generally relegated privacy breaches to the lower end of the damages spectrum.

[79] The author opines that the courts’ reluctance to award more substantial damages for violation of privacy does not reflect society’s growing concern over privacy. He states that more emphasis should be placed on compensating violations of dignity as opposed to actual harm that is often psychological and troublesome to assess or quantify. The author notes that s. 6(1) of the Saskatchewan Act, among the other Canadian Acts, is the most generic in its approach in setting out certain criteria to assess damages, noting the Act’s direction to assess the relationship between the victim and the tortfeasor and the expectation of privacy in the circumstances.

[80] The author then recognizes that the bulk of privacy breach jurisprudence has arisen in British Columbia. At the time he wrote, no damages for privacy violation had been awarded in other provinces with a statutorily created tort (Newfoundland, Saskatchewan or Manitoba). The author then provides a detailed and helpful summary of several decisions from British Columbia with damages ranging from a low of $50.00 (Fillion v Fillion, 2011 BCSC 1593 [Fillion]) to a high of $60,000.00 (L.A.M. v J.E.L.I., 2008 BCSC 1147). The cases at the higher end attracted punitive damages and involved plaintiffs being spied upon in a private washroom (Malcolm v Fleming, [2000] BCJ No 2400 (QL) – $50,000.00 damages); watched in a bedroom through a hole cut in the wall above the bed, concealed on the inside by a two-way mirror (Lee v Jacobson (1992), 87 DLR (4th) 401 (BC SC) – $36,000.00 damages); intercepting and recording phone calls and providing them to person’s employer resulting in dismissal (Watts v Klaemt, 2007 BCSC 662, [2007] 11 WWR 146 – $36,000.00 damages). The lower end of awards involved reading and copying personal documents (Fillion – $50.00 damages); sending bank statements to an ex-spouse’s address allowing him to use the information to harass her (Albayate v Bank of Montreal, 2015 BCSC 695 – $2,000.00 damages); communicating between financial institutions and revealing confidential information (B.M.P. Global Distribution Inc. v Bank of Nova Scotia, 2005 BCSC 1091, 8 BLR (4th) 247 – $2,500.00 damages); photographing persons in their back yard and aiming video surveillance cameras at the windows of their home (Wasserman v Hall, 2009 BCSC 1318, 87 RPR (4th) 184 – $3,500.00 damages); installing close-imaging cameras in a hallway outside of apartments (Heckert v 5470 Investments Ltd., 2008 BCSC 1298, 299 DLR (4th) 689 – $3,500.00 damages).

[81] In Ontario, which does not have a statutorily created tort, the Court of Appeal found that using a workplace computer to access bank accounts of her partner’s spouse at least 174 times was actionable under the developing tort of intrusion upon seclusion (Jones v Tsige, 2012 ONCA 32, 346 DLR (4th) 34) and awarded $10,000.00 in damages.

[82] Within the context of these decisions and considering the factors set out in s. 6(1), the court finds that Dr. Haidash’s inquiry into any database of persons who were not his patients cannot be justified. Not only did he inquire into Ms. Bierman’s profile, he inquired into several other persons who were not his patients. Health information is highly private. Physicians, more than anyone, should appreciate this truism. …

[83] The court recognizes that Dr. Haidash should receive a firm message from the court that he did not show the expected care he ought to have shown to accessing anyone’s health records for a purpose other than for the benefit of a patient.

The court also recognizes that Dr. Haidash has already been subject to the scrutiny and disapproval of the College of Physicians and Surgeons and the Privacy Commissioner.

This case clearly signals that suing for a breach of privacy under The Privacy Act can result in an award for damages.

Could persons sue in a class action?

The Class Actions Act sets out the rules and procedures for commencing a class action. Such an action has to be certified by the Court of Queen’s Bench. If certified, a class action or multi-jurisdictional class action for a tort of breach of privacy could proceed in this province.

FOIP, LA FOIP and HIPA

The Freedom of Information and Protection of Privacy Act (FOIP) gives citizens certain rights to access information held by government institutions. The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) does the same for information held by local authorities (e.g. cities, towns, villages and other municipalities, school and library boards, the U of S and U of R, the Saskatchewan Health Authority and police services). The Health Information Protection Act (HIPA) applies to trustees and gives individuals the right to access their personal health information. The rights and actions under these Acts do not affect the right to bring an action under The Privacy Act.

The Information and Privacy Commissioner (IPC) process is completely separate and apart from lawsuits for a breach of privacy. The IPC may undertake a breach of privacy investigation under FOIP, LA FOIP or HIPA. There is no potential for monetary advantage through the IPC process though.

Including names on municipal maps – can the complicated be made simple?

I grew up on a farm and know how isolated you are out there. Most neighbors are out of eyeshot and earshot and though some know when you are away, you hope it isn’t common knowledge as you most likely will end up with something stolen from your property, gas being one of the most coveted items.

The reason I bring this up, is that recently, our office hosted a number of webinars on the application of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and the topic of access to municipal maps of a municipality came up. And, what is interesting, is that almost everyone seems to be using them for different purposes and none are sure whether or not to include names on them. For example, one informed me that, “[o]ur RM Maps have been available for purchase by the public prior to 1993. They were typically purchased for assessment information, landowner name information, roads and lakes in the area.” I was also told hunters are interested in the information as they need to seek consent from the owner so are not breaking trespassing laws.

In reviewing one of these maps, I noticed that in some cases, the name is that of a business, not a person. In assessing risks to privacy, you always need to start with the question, “is there personal information involved about an identifiable individual?” A business or company, although having an interest in confidentiality, has no privacy protection under LA FOIP. What property a person owns or where a specific person lives, I would expect to be personal information pursuant to subsections 23(1)(e) and 23(1)(j) of LA FOIP. A home address/location is arguably more sensitive.

As soon as you have determined that you have personal information, then you need to know what your authority is to have collected it, to use it internally and to disclose it to others. Based on the questions I received, I don’t think this has been well established. For example, are you required to prepare these maps because of a provision in another law, or are the maps assembled primarily for the municipality’s internal purposes? Section 24 of LA FOIP allows for collection of personal information if it relates to an existing or proposed program or activity of the local authority.

If you are using the information on the map for the same purpose that it was originally obtained or the use is consistent with that purpose, then you probably have authority to use it. However, disclosure to external individuals is a different matter, especially if the reasons external parties want it varies.

If you are looking for authority to disclose personal information to a third party, you need to see if any provisions in subsection 28(2) of LA FOIP, section 10 of the LA FOIP Regulations or another law applies. If you can’t find the authority, then maybe you don’t have authority to disclose it and doing so would result in a privacy breach.

The analysis doesn’t end there. I’m assuming that there are old maps and as details change (i.e. owners, assessed values), the maps are updated. How far back does the practice of collecting and assembling these maps go? And, how were they made available? Did the practices change over time? Why is that important?

Consider whether sections 3 or 4 of LA FOIP would have any application. If the municipality has always made this type of information available for purchase or has historically made it readily available to others outside the municipality, then it could be argued that LA FOIP privacy provisions do not apply. Over the years, though, I think it is reasonable to conclude that practices have shifted in terms of who seeks what information and why, and how it is made accessible. For example, if in the old days the map was simply tacked to a wall that you could only see if you walked into the office, access was restricted, so it was not really publicly available. Now, everyone wants access to the information on websites or platforms that can readily be mined and used to create dossiers on individuals. When information is collected for one purpose but used for another unrelated purpose, we call that function creep. It is a practice to be avoided.

It has been suggested to me that because information may be available from the assessment/tax roll, that it could be available for other purposes at other times. Subsection 213(1) of The Municipalities Act clearly limits when and how access to that information is provided and is for a specific purpose. Opening it for other purposes might not be found to be appropriate if not for a consistent purpose. This however has not been tested to my knowledge.

Finally, in terms of what else is open for public inspection, I note the list in subsection 117(1) of The Municipalities Act does not include municipal maps.

I’ve been told there isn’t a specific address on the map, but the map is after all a map. If there is a little square on the location, that is where the person most likely lives. The mailing address for my parents is less sensitive than this little square on the map with their name beside it because it is a box number in town.

I’ve heard some people want their names removed, so clearly some are concerned about this type of information being publicly available. And, I think from what we saw in the news recently with protestors outside our provincial Chief Medical Health Officer’s family home, finding out where someone lives can be used for unintended purposes.

Even after all this, if you decide that including personal information on municipal maps is the way to go for your municipality, remember: if a complaint comes to our office, you will have to demonstrate how you arrived at the conclusion that releasing it is authorized and by what legal instrument(s).

And, after all, I am informed that much of what is accessible on the municipal maps is already available from other sources. If individuals are motivated enough, they can seek the information they need for their own purposes, whether it be from land titles or other sources. I propose that instead of navigating all of the above, if after deciding these maps are still worth the effort, maybe consider a new practice; asking individuals if they want their names on the map or not. Consent, after all, is the gold standard and simplifies everything.

Alternatively, the best and safest practice would be to produce the maps without any individual names. Company names could be included, but why not publish the maps with no owners’ names at all? Also, publish the maps with the least amount of additional information. For example, is it necessary to indicate there is a residence on a particular quarter of land? I leave that up to you to decide.

Who’s minding the storage? Data privacy and Saskatchewan schools

A school division holds what may be the largest store of significant personal data about any individual child that can be found in one location. Parents and guardians are compelled by law to send their children to school, and parents are legally required to provide the school with significant amounts of personal information about their children, and about themselves.

In addition to creating attendance reports and grades, schools often need to collect detailed medical information about both physical and mental health issues of students, personal information about family members possibly including income and criminal records, details of custody and access issues, as well as the history of interactions with social services and the justice system. Not to mention all the personal information voluntarily shared by parents and students with teachers, counsellors and other staff in emails, texts, etc.

As a result, the onus on school divisions to protect student data is extremely high. However, school divisions do not have separate budgets for privacy issues. They have privacy policies, but it is usually a staff member, working off the side of their desk, who deals with both privacy and access, with little or no formal training in the area. Schools and school divisions understand the need for privacy, but how to keep data secure in order to ensure privacy is sometimes a more difficult process to pin down.

Nevertheless, school divisions can put in place practices to assist them in meeting the onus to protect student data, including but not limited to: keeping procedures and practices up to date; allocating resources (time and money) to appropriate security practices; having IT and learning services work together on data security issues; addressing privacy and data security in contracts; including data security as part of digital education for students; providing references to resources for parents; and ensuring that staff have adequate training at both the central office level and the school level.

In the classroom, teachers should consider data security when students access sites, apps, etc. At minimum, the student and/or teacher should be able to answer the following: What personal data is being collected? Who will own the data? Who will have access to the data? How long will the data be retained? Does the student have the right to get the data removed?

Data security must not, however, be the sole concern of the school division.

The Ministry of Education in Saskatchewan is encouraging and supporting school divisions to move to MySchoolSask, a provincial record keeping system for student data that will replace local division systems. In addition, the Ministry requires school divisions to provide significant amounts of student data to the Ministry. The Ministry must ensure that systems and procedures and contracts are in place to protect student data at both the provincial and division level. This can include appropriate funding and education of staff.

Parents must know or ask questions about why and how the data of their children is being collected, used, stored and disposed of. They must educate themselves, and help to educate their children, about the risks of and the defences to misuse of data. Resources available or referenced on school division websites should be reviewed. Parents can also hold the school division to account and, when applicable, work with the school division to hold the Ministry to account.

School divisions need to know a lot about their students. Collecting data that is necessary to help students fully access education services should not be compromised by concerns about data security. This can best be accomplished if all those involved in education work together to ensure the security of student data.

Saskatchewan IPC finds ransomware attack results in one of the largest privacy breaches in this province involving citizens’ most sensitive data

An investigation by the Information and Privacy Commissioner of Saskatchewan has found that eHealth Saskatchewan (eHealth), the Saskatchewan Health Authority (SHA) and the Ministry of Health (Health) were the victims of a ransomware attack in late December 2019 and early January 2020, resulting in one of the largest privacy breaches in this province.

On December 20, 2019, an SHA employee opened an infected Microsoft Word document from their personal email account on their personal device while the personal device was being charged by a USB cord on their SHA workstation. The infected Microsoft Word document triggered the execution of ransomware on the workstation and a multi-phase exploit took place between December 20, 2019 and January 5, 2020. This ultimately led to a Ryuk ransomware attack on January 5, 2020, where the attackers made a ransomware demand. The attack affected fileshares with eHealth, the SHA and Health due to the shared infrastructure on which the fileshares reside.

On January 21, 2020, eHealth discovered that files were disclosed to malicious internet protocol (IP) addresses in Germany and the Netherlands. In total, approximately 40 gigabytes of encrypted data was extracted.

Through its investigation, eHealth advised my office that the affected servers contained approximately 50 million files across eHealth, the SHA and Health. eHealth conducted a metadata scan of those 50 million files and identified that approximately 5.5 million of those files may contain personal information and personal health information. eHealth developed a tool to scan the 5.5 million files and that tool identified a total of 547,145 files that potentially contain personal information and/or personal health information.

As there were a minimum of 547,145 files containing personal information and/or personal health information exposed to the ransomware (possibly more depending upon the accuracy of the tool developed by eHealth), the Commissioner concluded that personal information and personal health information of citizens of Saskatchewan was either exposed to the malware or maliciously stolen from eHealth, the SHA and Health.

Through the Commissioner’s investigation, it was discovered that there were three critical opportunities – two by eHealth and one by the SHA employee – where the ransomware may have been detected at an earlier stage. Had these opportunities not been missed, eHealth may have been able to detect the ransomware, shut down its systems and stop the extraction of data.

“eHealth is charged with collecting, storing and protecting the most sensitive health data in our province,” says Information and Privacy Commissioner Ron Kruzeniski. “Each of us has personal health information in eHealth’s systems. It is absolutely reasonable that each citizen demand the very highest level of security on our health information. To accept less is irresponsible.”

The Commissioner found that eHealth failed in fully investigating the two early threat occurrences which may have prevented the malicious extraction of data that followed. He also determined that eHealth did not sufficiently provide notification and that the SHA and Health failed in their notification efforts due to the excessive delay in providing notification. Furthermore, the Commissioner found that the SHA did not provide the employee at the heart of the incident with training on its Acceptable Use of IT [Information Technology] Assets policy.

“Because we are dealing with the most sensitive personal health information, every person who has access to this information needs to be trained, retrained and trained again as to the things they can do and especially the things they cannot do,” says Information and Privacy Commissioner Ron Kruzeniski. “This incident reveals the tremendous cost of one employee doing something and other employees failing to follow up rigorously on the warnings given.”

The Commissioner made a number of recommendations, including:

  • that eHealth undertake a comprehensive review of its security protocols to include an in-depth investigation when early signs of suspicious activity are detected;
  • that the SHA and Health take immediate steps to provide mass notification including media releases, newspaper notices, website notices and social media alerts;
  • that eHealth, the SHA and Health work together and provide identity theft protection, including credit monitoring, to affected individuals for a minimum of five years from the date an affected individual’s information is discovered on the dark web or to any concerned citizen who requests this protection;
  • that eHealth review whether it should have IT security staff in place 24 hours a day, seven days a week to actively monitor and investigate potential threats;
  • that all eHealth and eHealth partners be required to complete cyber security and privacy refresher training on an annual basis; and
  • that the Minister of Health immediately commence an independent governance, management and program review of eHealth based upon the concerns put forward by SaskTel, the Provincial Auditor and this Report.

The Commissioner recognizes that organizations are under continued threat of cyber security attacks. Therefore, the organizations that hold citizens’ most sensitive data must strive to have the best protected systems with the most thoroughly trained employees to mitigate the risks of these attacks happening.

The Commissioner acknowledges that, “eHealth, the SHA and Health have begun to take the necessary steps to ensure they are protecting the personal information and personal health information of the citizens of this province.”

Related Documents

Investigation Report 009-2020, 053-2020, 224-2020

Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on eHealth Saskatchewan Potential Privacy Breach – January 16, 2020

Media Contact

Kara Philip (Manager of Communication)
kphilip@oipc.sk.ca
306-798-2260

IPC News Release on Ransomware Investigation Report

I need to do WHAT? Processing your first access to information request

So you just started your new job and you get your first access to information request. You might be asking yourself, “What do I do with this thing?”, while you toss it to the side and ask questions later. I know the feeling, trust me. What you might not know is that the clock is ticking on that piece of paper you just tossed among the pile of other priority work you need to complete.

I get it, it’s overwhelming and even more so if you don’t know exactly what your obligations are and where to start. Don’t worry, I’m going to save you some grey hair and from stress eating that box of stale doughnuts sitting on the kitchen counter.

Whether you are subject to The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) or The Health Information Protection Act (HIPA), you have an obligation pursuant to section 7 of FOIP/LA FOIP or section 36 of HIPA to consider processing the access to information request and a duty to assist under sections 5.1 of FOIP/LA FOIP or 35 of HIPA when issuing a response to the applicant. The following will hopefully assist in understanding your duty to assist in regard to processing access to information requests from the public.

What it is

Check out our office’s resource Understanding the Duty to Assist for a better understanding of a public body’s duty to assist regarding processing access to information requests.

Below, I’ve created a 5-step process you can follow that will hopefully guide you in understanding your duty to assist, and I have provided an overview of how to process an access to information request from start to finish.

Step 1: Access to information request is received/seek clarification

  • If the request for information has all the necessary elements required and any applicable fees have been paid, don’t delay, get started right away. Remember, a request does not need to be on the prescribed form; if you have enough information to understand what it is the applicant is wanting access to, you can get started right away and save yourself from breathing into a brown paper bag later when you start running out of time.
  • Seek clarification. If you are unsure what the applicant is wanting or you feel there may be an opportunity to narrow the request, don’t be afraid to call and ask. In my experience, if an applicant is made aware that narrowing their search could speed up the process, they are more than happy to do so. However, ensure that you are both aware that should they want anything and everything, they have the right to ask for it regardless of whether it will be released or not.
  • While you are on the phone with the applicant seeking clarification, explain the process. A quick phone call explaining the process can go a long way. Remember, some applicants aren’t as well versed in the legislation as you and may not know that they need to wait up to 30 days to receive the requested information. If you can advise them of this up front, the chances of them calling you back before the records are ready or making contact with our office will be minimal.

Step 2: Searching for records

  • You may find it helpful to ensure that your office has a strategy for searching for records. If a review is submitted to our office in regard to a public body’s or trustee’s search efforts, we will review whether a thorough search was completed based on the elements found on pages 7-10 in Chapter 3 of our IPC Guide to FOIP. Making thorough search efforts is very important in ensuring you have met your duty to assist.
  • Scroll through our resource directory on our website and check out our resource Responsive Records Search Checklist to make sure you’ve completed a thorough search for records.
  • If records pertain to an individual or third party other than the applicant, seek consent to release when appropriate.
  • If you were unable to find the records, make sure you send a letter out to the applicant right away advising that either no records exist or that they were unable to be located. If you believe that the records in question may be held by a different organization, there is no harm in referring the applicant elsewhere. You will want to consider whether another public body has a greater interest in the records and transfer the application according to section 11 of FOIP/LA FOIP where applicable. This will need to be done within the first 15 days, with notification sent to the applicant.

Step 3: Process the records for release

  • Processing the records for release all at once won’t only save you time but will prevent the applicant from contacting you numerous times asking for additional information. Remember, you have 30 days to gather ALL the information they have requested and prepare it for release.
  • When determining what can or cannot be released, you will need to review all the records in your possession, custody or control that are responsive to the request, line by line, and determine whether they will be released in full, in part, or refused. Our office often gets questions about what information can be released. Unfortunately, we cannot guide you through this, as it would affect our ability to remain impartial in the event of a review. The best advice we can give is to ensure that the release of information is in accordance with the legislation and that you have the authority to provide the information or withhold it. If you are unsure about whether you are applying the legislation correctly, you can use our guides to help. The guides will advise you of the tests our office uses if an applicant requests a review of exemptions and how decisions are made as to whether our office agrees with the information being withheld. The guides can be found below. The Guide to LA FOIP is still under construction, but you can find a lot of the same information in the Guide to FOIP.
  • Prepare an index of records. This will help you stay organized and ensure that you have located all pertinent information related to the original request. See our blog titled Enhancing Efficiencies: Updates to The Rules of Procedure for updates to our office’s Rules of Procedure regarding index of records.

Step 4: Tick, Tock, Tick, Tock, You’re running out of time

  • If you are finding that you are running out of time while processing the request, you may have the ability to issue a notice of extension to the applicant. Extensions can be issued allowing a public body/trustee an additional 30 days to respond to a request. However, you will need to ensure you have the authority to do so under section 12 of FOIP or LA FOIP or section 37 of HIPA. Make sure to send an extension letter to the applicant right away to let them know that you require an additional 30 days to process their request.
  • Remember, extensions can only be granted in specific circumstances and you will need to make the applicant aware of this within the first 30 days.

Step 5: Records are ready for release, responding to the applicant

  • Once the records are ready for release, ensure you have issued a section 7 (FOIP or LA FOIP) or section 36 (HIPA) response to the applicant. The letter should reference the original access to information request and the date it was received by your office, an explanation of the records included (if applicable), and whether they have been issued as a full release, a partial release, or refused. Make sure you have referenced which piece of legislation was used in making your decision for partial release or refusal. In addition, if no records were found or they do not exist, you will need to respond appropriately to the applicant advising them of this outcome. Make sure to include that the applicant has the right to request a review of your decision from our office.
  • If you’ve prepared an index of records, please note that our office will not provide a copy to the applicant unless consent has been provided.
  • If you need help with preparing response letters to applicants in accordance with FOIP or LA FOIP, please check out some sample letter templates. You can scroll through, select the letter which best suits your situation and start writing. Wow, what a timesaver!
  • If an applicant has questions about the response that has been provided, do your best to explain the information that was provided and why information may have been withheld completely, or in part, under a certain section of the Act; this too may save you from a review.

I hope these step-by-step instructions have been helpful in explaining how an access to information request works and your obligations under the applicable legislation, and that they assist you in developing some of your own strategies to help save time and unnecessary stress.

For more information on the duty to assist, please check out the following resources:

In the Door, Out the Door (online training tool developed by the Ministry of Justice’s Access and Privacy Branch)

Understanding the Duty to Assist

IPC Guide to HIPA

IPC Guide to FOIP

IPC Guide to LA FOIP

Deemed refusal of access vs. late response – what is the difference?

Did you know that a late response is different from a deemed refusal of access under The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and The Health Information Protection Act (HIPA), and that both are reviewable issues with our office?

Unless circumstances exist which would extend the response time, such as the request being transferred, a fee estimate being issued, or an extension being applied, a public body/trustee has a legislated timeline of 30 days to issue a response to the access to information request which is compliant with section 7 of FOIP/LA FOIP or section 36 of HIPA. Failure to comply with this 30-day legislated timeline may result in a review by our office.

Deemed Refusal of Access

If no response is received for an access request, this is considered a deemed refusal of access. Our Dictionary defines a deemed refusal as when a public body/trustee has not responded to an access request within the legislated 30 days and it is inferred that they will not provide the applicant with the requested information, pursuant to subsection 7(5) of FOIP/LA FOIP or subsection 36(3) of HIPA. An applicant has the right to request a review from our office regarding why no response was received within the legislated timeline.

When a request for review is received for a deemed refusal of access, in an effort to resolve the matter via early resolution, our office will attempt to facilitate a response being provided by the public body/trustee. If early resolution is achieved with a section 7/36 response being issued, the matter of the deemed refusal is resolved, as a response has now been provided. That being said, an applicant would still have a right to request that our office review the matter of the response not being issued within the legislated timeline.

Review Reports 092-2019, 124-2019 and 144-2017 & 145-2017 are examples of when our office was successful in facilitating a response being provided to the applicant and then proceeded with a formal review which included looking at why the response was over the legislated timeline.

If early resolution is not achieved and we are unable to facilitate a response being provided to the applicant, we can then proceed with a formal review regarding the deemed refusal of access.

Review Reports 152-2020 and 106-2016 are examples of when our office was unable to successfully facilitate a response being provided to the applicant and therefore, conducted a formal review on the matter of the deemed refusal.

Late Response

If an applicant receives a response that is issued after the 30-day timeline, it would be considered a late response. An applicant has the right to request a review from our office regarding why the response was over the legislated timeline as well as any concerns with the content of the response.

Review Report 062-2019 is an example of when an applicant requested a review from our office and wished to include the matter of the response being late in the scope of the review.

I hope this information was helpful in distinguishing the difference between a late response and a deemed refusal of access. If you have any questions, please contact our office at intake@oipc.sk.ca.

Providing the record to my office

I attended a virtual conference of a Commissioner roundtable. One of the Commissioners addressed an issue regarding providing his office with the record when reviewing an appeal of the denial of an access request. He went on to say that the record was necessary to do the job of a review and that his office never releases the record. I thought it was timely to write about this in Saskatchewan.

The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), in section 5 of each Act, establish the principle that citizens can ask for records in the possession or control of government institutions or local authorities (public bodies). The record is to be provided to citizens, if requested, subject to certain exemptions. When a public body decides not to provide a record or portions thereof, the citizen can ask for a review of the decision by my office. One of the first things we ask for is the record that is at issue. It is impossible to do what we have to do without seeing that record. This means we need to see both a redacted and an unredacted version. Some public bodies are at times reluctant to give us that record. They might ask why we need it. The answer is that it is absolutely essential to doing our job. Some will say the record is very sensitive. We understand a record might be sensitive, but that does not change the job the Legislative Assembly requires us to do. Some might feel a particular record is embarrassing or affects the public body’s reputation, but that does not change our need for the record. Some might suggest they do not want the record to become public. My office is not going to release that document to anyone, including the Applicant. My office does not release documents that are at issue.

What we do is review the record and the representations of the public body, do an analysis and then write a report recommending that the public body release the record or withhold the record. It is then up to the public body to decide whether it will release or continue to withhold the record. If there are no appeals, my office will destroy the record or delete it electronically, six months after the report is issued. If there is an appeal to the Court, my office will hold the record until the appeal decision is issued.

All of this to say, to do our job we need the record and we NEVER, NEVER RELEASE RECORDS. That is the decision of the public body.

Saskatchewan Business and Privacy

The Office of the Privacy Commissioner of Canada (OPC) has issued a guidance document entitled Privacy Guide for Businesses. You may ask, “Does it apply to businesses or organizations in Saskatchewan?” The answer is yes, it does. The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal statute that applies to businesses in Saskatchewan. If you are in business in Saskatchewan, I recommend you read the Privacy Guide for Businesses.

First let me summarize the main issues from the guide:

  • PIPEDA sets out the ground rules for businesses in Saskatchewan;
  • The OPC oversees compliance with PIPEDA by conducting independent and impartial investigations and audits;
  • Businesses covered by PIPEDA must generally obtain an individual’s consent when they collect, use or disclose that individual’s personal information;
  • People have the right to access their personal information held by a business. They also have the right to challenge its accuracy;
  • Personal information can only be used for the purposes for which it was collected;
  • Generally, personal information must be protected by appropriate safeguards;
  • PIPEDA applies to private-sector businesses across Canada and Saskatchewan that collect, use or disclose personal information in the course of a commercial activity;
  • The law defines a commercial activity as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists;
  • All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA;
  • Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual;
  • PIPEDA includes mandatory breach reporting requirements. Businesses must report to the OPC any breaches of security safeguards that pose a real risk of significant harm;
  • Businesses must follow the 10 fair information principles to protect personal information, which are set out in Schedule 1 of PIPEDA. The principles are:
    • Accountability
    • Identifying purposes
    • Consent
    • Limiting collection
    • Limiting use, disclosure and retention
    • Accuracy
    • Safeguards
    • Openness
    • Individual access
    • Challenging compliance

For more information on PIPEDA and Businesses, see the Privacy Guide for Businesses.

When the federal government makes changes (amendments), those changes will affect Saskatchewan businesses, whether Saskatchewan businesses like those changes or not. Alberta, British Columbia and Quebec have passed legislation provincially, which applies to businesses in their province and replaces the operation of PIPEDA. Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador have also adopted substantially similar legislation. Ontario is currently consulting on similar legislation. See the Ontario Private Reform Discussion Paper.

I pose the question whether Saskatchewan should, like Alberta and British Columbia and as Ontario is considering, develop its own legislation to replace PIPEDA.


Understanding “fees” with ease!

In my experience, an applicant is sometimes surprised when they receive a fee estimate from a government institution pursuant to The Freedom of Information and Protection of Privacy Act (FOIP), or from a local authority pursuant to The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP). For example, the applicant questions why they need to pay fees to get access to their own personal information in the possession or under the control of a government institution or local authority (public bodies). I think understanding the concept of “fees” may assist with understanding why a public body may issue a fee estimate.

Fees are intended to provide reasonable cost recovery for public bodies when providing records to individuals. A reasonable fee estimate is one that is proportionate to the work required by the public body to respond efficiently and effectively to the applicant’s request. Public bodies should issue reasonable, fair and consistent fee estimates.

Below are the relevant sections from the FOIP and LA FOIP Acts and the accompanying regulations that govern fees.

Section 9 of FOIP/Section 9 of LA FOIP address fees and subsection 9(2) states:

9(2) where the amount of fees to be paid by an applicant for access to records is greater than a prescribed amount, the head shall give the applicant a reasonable estimate of the amount, and the applicant shall not be required to pay for an amount greater than the estimated amount.

This prescribed amount of $100 is found in section 7(1) of The Freedom of Information and Protection of Privacy Regulations (FOIP Regulations) and section 6(1) of The Local Authority Freedom of Information and Protection of Privacy Regulations (LA FOIP Regulations).

Subsection 7(2) of the FOIP Regulations/Subsection 6(2) of the LA FOIP Regulations provides if actual fees are less than the original estimate, then the government institution/local authority should refund the excess amount to the applicant.

Subsection 6(2) of the FOIP Regulations/Subsection 5(3) of the LA FOIP Regulations provide guidance on fees for preparing records for disclosure. Both subsections advise that where time in excess of the prescribed amount (two hours for FOIP, one hour for LA FOIP) is required by experienced staff in searching for and preparing the records for disclosure, a fee of $15 per half-hour may be charged.

Subsection 6(1) of the FOIP Regulations/Subsection 5(2) of the LA FOIP Regulations provide guidance on the actual cost of reproducing records. The photocopy/print-out cost is prescribed at $0.25 per page; where records exist in electronic format, subsection 6(b.1) of the FOIP Regulations/5(b.1) of the LA FOIP Regulations provide that the government institution/local authority may charge the actual cost of the portable storage device; and where records exist in a form other than paper or electronic, these subsections provide that the government institution/local authority may charge the actual cost of copying the records.

Subsection 5(1) of the LA FOIP Regulations provides, “An application fee of $20 is payable at the time an application for access to a record is made.” There is no application fee pursuant to the FOIP Regulations.

For further explanation as to how to calculate fees, see the following resources available on our website: IPC Guide to FOIP, Chapter 3 and IPC Guide to LA FOIP, Chapter 3.

Below are some best practices to reduce fee estimates for citizens and public bodies.

Best practices for citizens:

  • When making an access to information request, list specific documents if possible and a specific time period in order to limit and focus the search efforts for the government institution/local authority;
  • If possible, narrow the scope of your request, based on the nature of the information you seek from a government institution/local authority. Broadly worded requests require more time to process. More time to process = larger fees; and
  • It is beneficial to work with the government institution/local authority to reach a reasonable fee or resolution; however, if you remain dissatisfied with the fee estimate, you have a right to request a review from our office.

Best practices for government institutions/local authorities:

  • Pursuant to section 5.1 of FOIP and LA FOIP, government institutions/local authorities have a “duty to assist”, which requires a government institution/local authority to make every reasonable effort to identify and seek out records responsive to an applicant’s access to information request, to explain the steps in the process, and seek any necessary clarification on the nature or scope of the request within legislative timeframes;
  • If possible, only complete the preliminary search, not the full search prior to providing the fee estimate. This could save the amount of work government institutions/local authorities put in before confirmation from the applicant that they wish to proceed;
  • Remember that, pursuant to subsection 9(4) of FOIP/subsection 9(4) of LA FOIP, the 30-day clock stops until 50% of the fee estimate amount is paid by the applicant. Therefore, it is advisable to issue a fee estimate within 3-10 days of receiving the access to information request; and
  • It is beneficial to work with the applicant to reach a reasonable fee or resolution as this could avoid involvement from our office.

Government institutions/local authorities can find more resources on our website that provide guidance for charging fees/issuing fee estimates, such as:

Applicants and public bodies may find the following reports issued by our office helpful on this topic:

I am hopeful this resource will make understanding fees much easier. For any questions, please contact our office at intake@oipc.sk.ca.

Responding to access to information requests during an election

As Saskatchewan prepares for both a provincial and municipal election this fall, it is a good time to remind everyone about their obligations under The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and The Health Information Protection Act (HIPA). This includes the importance of responding to access to information requests during election periods.

Civil servants can be nervous about responding to access to information requests during the writ period, especially requests that may relate to “hot topic” issues. Our office also recognizes that there are specific communication directives during the writ period that civil servants must follow.

However, during the writ period, your obligations under FOIP, LA FOIP and HIPA do not change.

Public bodies and trustees must respond to formal access to information requests during a writ period as they would at any other time during the year. This means you must respond to the request in writing within 30 days of receiving the request. You may extend the response time by an additional 30 days only if a limited and specific circumstance exists as provided for in section 12 of FOIP, section 12 of LA FOIP and section 37 of HIPA. None of the permitted reasons for extending a response time covers elections or the writ period.

So, before the writ drops, our office would suggest having these internal conversations about FOIP, LA FOIP and HIPA obligations. That way, if you receive a “hot topic” request during the writ period, everyone is on the same page and you can carry on business as usual with your day to day FOIP, LA FOIP and HIPA obligations – before, during and after an election.

For further background, please see Review Report 064-2016 to 076-2016 where the Information and Privacy Commissioner, in part, looked at the issue of responding to access to information requests during an election.