Updated Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on COVID-19

Privacy in the Context of COVID-19

Privacy laws are not a barrier to appropriate information sharing in an epidemic.

It is important that public bodies, health trustees and private sector organizations know how personal information or personal health information may be shared during an epidemic.

How Information May be Shared under Saskatchewan’s Privacy Laws

Saskatchewan has three privacy laws:

  • The Freedom of Information and Protection of Privacy Act (FOIP) applies to government institutions;
  • The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) applies to local authorities such as municipalities, universities and school boards; and
  • The Health Information Protection Act (HIPA) applies to health trustees.

These Acts and accompanying Regulations govern the collection, use and disclosure of personal information or personal health information in most situations.

Each Act contains provisions to allow for the sharing of personal information or personal health information in the event of an emergency by public bodies and trustees.

All three Acts require that any collection, use or disclosure of personal information or personal health information be limited to that which is needed to achieve the purpose of the collection, use or disclosure. This is referred to as the “data minimization principle.”

FOIP

FOIP applies to government institutions or “public bodies”, which include provincial government ministries, Crown corporations, boards, agencies and commissions.

FOIP permits public bodies to collect personal information if the collection is expressly authorized by another statute or if the collection relates directly to and is necessary for an operating program or activity of the public body.

FOIP generally requires public bodies to collect personal information directly from the individual the information is about. Public bodies may collect information about an individual from other sources with the individual’s consent, or without consent in specific circumstances, such as when the collection is authorized by law or the individual is not able to provide the information directly in a health or safety emergency.

Public bodies may disclose personal information in emergency situations with the consent of the individual, or without consent in certain circumstances, including:

  • where the disclosure is necessary to protect the mental or physical health or safety of any individual; or
  • where the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure; or
  • where the disclosure would clearly benefit the individual to whom the information relates; or
  • where the disclosure is authorized by a statute of Saskatchewan or Canada.

LA FOIP

LA FOIP applies to local authorities, including municipalities, universities and school boards. Basically, the same rules apply as outlined above for FOIP.

HIPA

HIPA applies to personal health information in the custody or control of health trustees. Trustees include the Saskatchewan Health Authority, nursing homes, ambulance operators, physicians, pharmacists and certain other health professionals with custody or control of personal health information. HIPA authorizes trustees to collect and use personal health information for the purpose of providing health services, among other purposes.

HIPA also allows trustees to disclose personal health information with the consent of the individual, or without consent in specific circumstances, including:

  • where the trustee believes, on reasonable grounds, that the disclosure will avoid or minimize a danger to the health or safety of any person; or
  • to family members or other individuals in a close relationship with the individual so they may be notified that the individual is ill, injured or deceased, providing the disclosure is not contrary to the expressed wishes of the individual; or
  • to another health trustee for the provision of health services; or
  • to a person responsible for continuing treatment and care for the individual; or
  • if the disclosure is authorized or required by a statute of Saskatchewan.

The Private Sector

Except for trustees under HIPA, Saskatchewan does not have legislation that applies to the private sector. Private sector organizations might be covered by federal legislation and should check the federal privacy commissioner’s website: https://www.priv.gc.ca/en/. If, however, a private sector organization is contracting with a public body or trustee (e.g. as an information management service provider), the contractual agreements should be checked for language that places personal information or personal health information in the physical possession of the private sector organization under the control of the public body or trustee.

General Principles

The Canadian Privacy Commissioner, Daniel Therrien, has issued A Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19. In that framework, he establishes key principles which can be applied by public bodies when making decisions on collection in Saskatchewan. He summarizes those principles in his News Release April 17, 2020. These principles should be applied in Saskatchewan. With some editing, these principles are:

  • legal authority: the proposed measures must have a clear legal basis;
  • the measures must be necessary and proportionate, and, therefore, be science-based and necessary to achieve a specific identified purpose;
  • purpose limitation: personal information and personal health information must be used to protect public health and for no other purpose;
  • use de-identified or aggregate data whenever possible;
  • exceptional measures should be time-limited and data collected during this period should be destroyed when the crisis ends; and
  • transparency and accountability: public bodies should be clear about the basis and the terms applicable to exceptional measures, and be accountable for them.

The Public Health Act, 1994

The Minister of Health and the Chief Medical Officer have powers under The Public Health Act, 1994 (P.37.1), which can be viewed here: https://publications.saskatchewan.ca/#/products/786. In particular, section 45 sets out the powers of the minister and the medical officer. Further, this Act contains mandatory reporting provisions for certain health care professionals in certain circumstances (e.g. sections 32, 34 and 36).

The Information and Privacy Commissioner

The Office will continue to work on matters during this time, but will be closed to the public. People seeking information can call 306-787-8350 or the toll free number 1-877-748-2298 or email us at webmaster@oipc.sk.ca.

There may be delays getting back to those who contact us, but we will get back to you.

My office usually requests that public bodies respond with information within certain timelines. We know other offices may be experiencing difficulties in getting back to us. Thus, we will be flexible regarding tight timelines. We do ask that you call us so that we can set a different timeline if one is required.

Ronald J. Kruzeniski, Q.C.
Saskatchewan Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca


Statement from the Office of the Information and Privacy Commissioner on Access to Information During a Pandemic

The question has been raised: What about access requests during a pandemic?

In Saskatchewan, The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and The Health Information Protection Act (HIPA) are still in force. Citizens of Saskatchewan still have the right to request information or records, and public bodies are still required to accept and process access requests. If staff are assigned to pandemic or other essential issues, I understand. On the other hand, public bodies have designated FOI staff who may now be working from home, and the processing of access requests can continue. It might not be quite as efficient, but it can and should continue. Public bodies faced with a heavier than normal workload on access requests can consider an extension, but no public body should simply refuse to process requests. If someone is working from home, they may need access to records that are at the office. Before stopping work on the request, the public body should explore other ways of getting the record. It might be slower, but the process can still move forward. Of course, with electronic records, working from home may still allow access to the necessary records.

When access requests focus on COVID-19, I would ask public bodies to accelerate those requests and give them priority. Citizens are naturally concerned and worried about the situation. Being transparent can reduce the anxiety that is in society right now. Getting an answer 30 or 60 days from now will not be of much assistance to the citizen.

When we thought this situation would take two weeks, suspension of service might have been reasonable. When isolation might occur for three months or longer, we need to have our information process systems operating, although maybe not quite as efficiently as before.

Finally, FOIP, LA FOIP and HIPA are still operative, and the requirements and timelines in the legislation cannot be waived by me. My office can, however, be flexible on timelines imposed by my office during reviews and investigations, for example the timelines for providing a submission, providing the record or answering questions. If you need an extension, please make the request directly to the individual in my office working on that file with you.

I ask all public bodies to work with my office to keep the access to information system working.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca


Records blowing in the wind – Saskatchewan needs a private-sector privacy law

Citizens in Regina had a difficult time navigating Victoria Avenue on Wednesday, January 22, 2020. Boxes and papers that had spilled out of the back of a truck blocked the road. It was determined that the papers contained the personal information of citizens and that the owner of the papers was a private-sector business over which my office has no jurisdiction. The type of personal information involved included names, addresses, phone numbers, email addresses and financial transactions in which individuals were involved (e.g. payments received).

Unlike some other provinces in Canada, Saskatchewan does not have a private-sector privacy law. If it did, the Commissioner would have jurisdiction to investigate such a privacy breach. However, despite not having jurisdiction, my office still played an initial role in trying to determine where the records originated.

My office contacted the Office of the Privacy Commissioner of Canada to see if the federal Privacy Commissioner had jurisdiction. Federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), sets national standards for privacy practices in the private sector such as how private-sector businesses collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada. It also applies to the personal information of employees of federally-regulated businesses such as banks, airlines and telecommunications companies.

The outcome of this privacy breach was that the federal office provided directions, through our office, to the City of Regina, which had initially gathered the records off the street. A local response by my office might have been more efficient. We are available to attend the scene right away, respond to media inquiries, quickly interview witnesses, gather evidence and provide prompt guidance to both the City and the business that lost its records. In order for us to do that, we need a Saskatchewan private-sector privacy law similar to the ones in British Columbia, Alberta and Quebec.

If this type of event occurs again in the future, some initial steps that can be taken are:

  1. Immediately secure the records – collect them and put them in a secure place (locked office or drawer);
  2. If it is possible to identify whom the records belong to, notify them; notify my office or the federal Privacy Commissioner’s office at 1-800-282-1376; and
  3. Keep the records securely stored, limit access and wait for further instructions from my office or the federal Privacy Commissioner’s office.


Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on eHealth Saskatchewan Potential Privacy Breach

The Office of the Information and Privacy Commissioner of Saskatchewan is investigating a cyberattack affecting eHealth and potentially health care information

The Office of the Information and Privacy Commissioner of Saskatchewan (IPC) is undertaking an investigation into a cyberattack on the computer systems of eHealth. eHealth is Saskatchewan’s main service provider of health information in the province.

The office is working closely with eHealth.

On January 10, 2020, eHealth reported a ransomware attack on their computer systems to the IPC. eHealth has confirmed publicly that it was subject to a ransomware attack.

The IPC investigation will, among other things, examine whether there was a breach of personal information or personal health information, and if so, the scope of the breach, the circumstances leading to it, and what, if any, measures eHealth could have taken to prevent and contain the breach. My office will also investigate ways eHealth can help ensure the future security of personal health information and avoid further attacks.

If anyone has any questions, they can contact eHealth at privacyandaccess@eHealthSask.ca or by phone at 1-855-eHS-LINK (347-5465).

Alternatively, persons who have questions or wish to file a complaint can contact my office at 306-787-0488 or 1-877-748-2298.

Note to media: My office will not discuss the details of the investigation while it is ongoing. My office will issue a public report once the investigation is complete.

Ronald J. Kruzeniski, Q.C.
Information and Privacy Commissioner of Saskatchewan

Media contact: Kim Mignon-Stark, Executive Assistant

Office of the Information and Privacy Commissioner of Saskatchewan
kmignon-stark@oipc.sk.ca 306-798-0173

503 – 1801 Hamilton Street, Regina SK S4P 4B4
Telephone: 306-787-8350 / Toll Free Telephone (within Saskatchewan): 1-877-748-2298
Email: webmaster@oipc.sk.ca / Twitter: @SaskIPC


Statement from Office of the Information and Privacy Commissioner of Saskatchewan on LifeLabs Privacy Breach

The office of the Commissioner is investigating a cyberattack affecting health care information of millions of customers in Canada and approximately 93,000 residents in Saskatchewan

Thursday, December 19, 2019 – The Office of the Information and Privacy Commissioner of Saskatchewan (IPC) is undertaking an investigation into a cyberattack on the computer systems of Canadian laboratory testing company LifeLabs. The office is working closely with the Information and Privacy Commissioner of British Columbia and the Information and Privacy Commissioner of Ontario, who are also undertaking investigations.

LifeLabs is Canada’s largest provider of general diagnostic and specialty laboratory testing services. The company has four core divisions – LifeLabs, LifeLabs Genetics, Rocky Mountain Analytical, and Excelleris.

On December 13, 2019, LifeLabs reported a cyberattack on their computer systems to the IPC. On December 17, 2019, they confirmed they were the subject of an attack affecting the personal information of millions of customers in Ontario, British Columbia and Saskatchewan. They told us that the affected systems contain information on approximately 15 million LifeLabs customers across Canada, including name, address, email, customer logins and passwords, health card numbers, and lab tests.

The IPC investigation will, among other things, examine the scope of the breach, the circumstances leading to it, and what, if any, measures LifeLabs could have taken to prevent and contain the breach. My office will also investigate ways LifeLabs can help ensure the future security of personal information and avoid further attacks.

If you have visited LifeLabs for a test or received a test or service from LifeLabs Genetics or Rocky Mountain Analytical, then it is likely your information is in the LifeLabs database.

LifeLabs has set up a dedicated phone line and information on their website for individuals affected by the breach. To find out more, the public should visit customernotice.lifelabs.com or contact LifeLabs at 1-888-918-0467.

Alternatively, persons who have questions or wish to file a complaint can contact my office at 306-787-0488 or 1-877-748-2298.

Note to media: My office will not discuss the details of the investigation while it is ongoing. My office will issue a public report once the investigation is complete.

Ronald J. Kruzeniski
Information and Privacy Commissioner of Saskatchewan

Media contact:
Office of the Information and Privacy Commissioner of Saskatchewan
Kim Mignon-Stark
kmignon-stark@oipc.sk.ca 306-798-0173


Canada’s access to information and privacy guardians urge governments to modernize legislation to better protect Canadians

Information and Privacy Ombudspersons and Commissioners from across Canada are urging their governments to modernize access to information and privacy laws.

In a joint resolution, Canada’s access to information and privacy guardians note that along with its many benefits, the rapid advancement of technologies has had an impact on fundamental democratic principles and human rights, including access to information and privacy. They further point out that Canadians have growing concerns about the use and exploitation of their personal information by both government and private businesses.

“Most Canadian access and privacy laws have not been fundamentally changed since their passage, some more than 35 years ago,” the resolution says. “They have sadly fallen behind the laws of many other countries in the level of privacy protection provided to citizens.”

While there have been legislative advances made in some Canadian jurisdictions, work is still required to ensure modern legislation is in place across the country in order to better protect Canadians.

The resolution notes that privacy and access to information are fundamental to self-determination, democracy and good government. It calls for:

  • a legislative framework to ensure the responsible development and use of artificial intelligence and machine learning technologies
  • all public and private sector entities engaged in handling personal information to be subject to privacy laws
  • enforcement powers, such as legislating order-making powers and the power to impose penalties, fines or sanctions
  • the right of access should apply to all information held by public entities, regardless of format

Canada’s Information and Privacy Commissioners and Ombudspersons reaffirmed their commitment to collaborate, make recommendations to government, and to continue to study and make public how access and privacy laws impact all Canadians.

Related Documents

Joint statement – Modernizing Access and Privacy Laws


Best practices when using USB drives

When thinking about this topic, I decided to research how big a USB drive I could actually purchase. I was surprised to see you can purchase one that stores 2 terabytes (TB) of data. Just think about that – something the size of a car key can hold 2 TB of data. With the ability to store that much data in such a small and portable form, it is important to be super vigilant when using memory sticks.

In January 2018, the IPC developed a resource – Helpful Tips: Mobile Device Security. This resource offers many tips and considerations that are helpful when using memory sticks, including administrative safeguards, technical safeguards and physical safeguards. However, here is a quick list of some things to keep in mind when using USB Drives:

  • Encryption/password-protected devices: Only purchase USB drives that have encryption or password protection functionality.
  • Strong passwords: If you have a need to store personal information (pi), personal health information (phi) or other forms of sensitive or confidential information on a USB drive, be sure to have it locked with a strong password.
  • De-identify: When storing pi/phi on a USB drive, de-identify the information wherever possible.
  • Delete data: Immediately delete the data from the USB drive once it is no longer needed.
  • Unattended USBs: Do not leave USB drives in vehicles or unattended in public. If absolutely necessary, lock the drive in the trunk or glove box where it would be out of sight. When not in use in your office, be sure to lock it up.
  • Access on a need-to-know basis: When storing data on a device, access to that data should be on a need-to-know basis.
  • Lost or stolen USBs: Report lost or stolen USB drives immediately to your supervisor and the Privacy Officer.
  • Disposal: At the end of its lifecycle, be sure that all the data has been wiped from the USB drive. Once that is done, destroy the USB drive before disposing of it.

For more applicable information on USB drive use, please see the following resources:


Technology and function creep

“I love technology,
But not as much as you, you see.
But I still love technology.
Always and forever.”

– Kip, from the movie Napoleon Dynamite

Technology takes on a central role in most, if not all, workplaces. It is difficult to imagine a workplace without computers. Further, cloud computing is enabling workplaces to organize themselves far more dynamically while completing tasks efficiently. With all of its benefits, we must be cognizant of technology’s impact upon employee privacy.

“Function creep” occurs when information is used for a purpose other than the original specified purpose. For example, a workplace may install a security system that requires employees to sign in and sign out of the workplace. The purpose of the security system is to prevent unauthorized access to a particular workplace. However, organizations may end up using this information about individual employees to track employee attendance. This could be a privacy breach if the organization has not fulfilled the collection requirements in The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP). For example, if the organization is collecting the information to track employee attendance without informing employees of the purpose for which the information is being collected, as required by subsection 26(2) of FOIP or subsection 25(2) of LA FOIP, then this would be a privacy breach.

Function creep is often unintended. However, this is not an excuse for organizations to breach employee privacy. Below are some suggestions that organizations could undertake to avoid or stop function creep:

  • Have at least one employee designated as the privacy officer.
  • Have a process in place so that employees (or members of the public) can raise concerns and that those concerns are investigated.
  • Since function creep is often unintended, organizations that learn that their technologies or processes are committing function creep should be open to adjusting them so that the function creep is discontinued.
  • Regularly undertake privacy impact assessments (PIA) so they can comprehensively analyze and evaluate how technology impacts privacy. A PIA is a process that should be undertaken not only by the privacy officer, but managers and employees implementing new technology, processes, projects, and/or programs. PIAs require teamwork!

For more information, check out my office’s resource called Technology’s Impact Upon Employee Privacy.


Privacy versus Confidentiality

Privacy and confidentiality are two concepts often mistaken to be the same thing.

In terms of information, privacy is the right of an individual to have some control over how his or her personal information (or personal health information) is collected, used, and/or disclosed. In Saskatchewan, individuals’ privacy is maintained through FOIP, LA FOIP and HIPA. These three laws establish individuals’ right to privacy by setting out how government institutions, local authorities, and trustees are to collect, use, and/or disclose personal information or personal health information.

Confidentiality, on the other hand, is a far slimmer concept than privacy. Confidentiality is the duty to ensure information is kept secret only to the extent possible.

It is important to distinguish between these two concepts. This is because organizations often require employees to sign confidentiality agreements (i.e., keep information secret) but then offer very little or no privacy training. There are certainly circumstances in which employees of government institutions, local authorities, and trustee organizations need to legitimately share information in order for their programs to function. However, sharing information may seem contrary to what confidentiality agreements require of them.

Privacy Officers play a vital role in ensuring that government institutions, local authorities, and trustee organizations are in compliance with FOIP, LA FOIP, and/or HIPA. Privacy Officers should be experts in these three laws who can advise their organizations when it is okay to collect, use, and/or disclose personal information (or personal health information).

For fun, below are two haikus to help explain privacy and confidentiality.

Privacy

Collecting, using,

disclosing and safeguarding,

personal info.


Confidentiality

Keep info secret.

Do not tell anybody.

Or else you lose trust.


What Makes a Good Submission?

The staff at the OIPC recently watched a webinar called The Art of Persuasive Speaking put on by The Canadian Bar Association. Some of the points made in the webinar are relevant to public bodies providing submissions to our office. I thought I would share some further tips pulled from that webinar.

When you want to be persuasive in your arguments to our office:

1. Have a plan and prepare:

Your goal is to convince our office that the public body is in compliance with the legislation.

  • Assemble all the evidence (information) relevant for our office;
  • Lay out the facts, tests, law and argument;
  • Focus on the key disputed facts and issues; and
  • Understand the role of the public body as it pertains to burden of proof (section 61 of FOIP/section 51 of LA FOIP).

2. Know your audience:

Understanding the role of our office is important in tailoring your arguments. Our office is a neutral oversight body. Our office is being asked to make a decision and recommendations. We have found that when dealing with other organizations, a cooperative approach really works. We are not on the side of the applicant, third party or the public body. We are the first level of appeal before the Court of King’s Bench (2nd level of appeal).

  • Remember, our office will also be receiving arguments from the opposing parties in the case; and
  • How persuasive a party’s arguments are will influence the outcome of the case and you want yours to be most persuasive.

3. Use persuasive techniques:

Your goal is to make our office want to decide in your favour. Show us how to get there.

  • Put yourself in the shoes of our office, and ask: “If I had to make this decision, what would I need to make it?” This will help you focus on the key issues and anticipate questions our office would likely ask;
  • Use solid arguments and deliver only true and accurate statements;
  • Put your best (strongest) arguments first;
  • Avoid filling your submission with endless details without context;
  • Broad general statements are not persuasive; and
  • Present arguments from reputable sources.

These are all effective means of putting your arguments forward in a more persuasive way. For more assistance on preparing your submission, Index of Records and/or the record itself, you can refer to our resource, What to Expect During a Review with the IPC: A Resource for Public Bodies and Trustees.
