Guardrails for Police Use of Investigative Genetic Genealogy in Ontario

Access to Information Act, Protection of Privacy Act implemented in Alberta

Commissioner Dufresne launches exploratory consultation on children’s privacy code

Survey conducted by OPC found that most parents worry about their children’s online privacy

Information and Privacy Commissioner of Ontario and The French Language Services Commissioner discuss your rights of access to information and services in French June 4, 2025

Ontario IPC releases a new independent research report on emerging technology- Emerging Uses of Neurotechnology.

Privacy Commissioner of Canada and UK Information Commissioner’s Office issue a joint letter regarding 23andMe’s bankruptcy proceedings

Instagram still posing serious risks to children, campaigners say

English Information Commissioner issues statement on police use of facial recognition technology (FRT)

BC OIPC provides instruction to delete a user account and DNA on 23andMe

Solicitor-Client Privilege, Recent Court Decision

Solicitor-Client Privilege, Recent Court Decision

In the spring of 2024, the Ontario Superior Court of Justice issued a decision regarding the Information and Privacy Commissioner of Ontario’s approach to solicitor-client privilege and litigation privilege in a case regarding a breach at LifeLabs. LifeLabs applied for leave to appeal to the Ontario Court of Appeal, which was denied on November 22, 2024.

Saskatchewan had issued an Investigation Report on this breach – see Investigation Report 398-2019, 399-2019, 417-2019, 005-2020, 019-2020, 021-2020.

LifeLabs sought to judicially review the joint decision of the IPC and the Office of the Information & Privacy Commissioner for British Columbia (BC OIPC) that found the information (facts) contained in their joint investigation report were not subject to solicitor-client or litigation privilege (the Privilege Decision).  During the joint investigation into the 2019 cyberattack of LifeLabs computer systems, LifeLabs provided some documents to the Commissioners, but claimed and did not waive privilege with respect to the documents and the information they contained.  LifeLabs was given the opportunity to make representations to the Commissioners on whether certain information was protected by privilege and should not be included in the investigation report.  LifeLabs made representations that continued to claim privilege over certain documents and information.  The IPC and BC OIPC found that LifeLabs had not met its onus of demonstrating that any of the information that was ultimately included in the investigation report was privileged.

The Divisional Court unanimously dismissed LifeLabs’ application for judicial review of the Privilege Decision.  The Court rejected LifeLabs’ arguments that the IPC incorrectly applied the law of solicitor-client and litigation privilege and further rejected the challenge to the IPC’s joint investigation and deliberation of LifeLabs’ claims of privilege with the BC OIPC.  Among other things, the Court upheld the Privilege Decision’s findings that most of the facts in the investigation report had an independent existence outside of the documents provided by LifeLabs.  Notably, a number of facts over which LifeLabs claimed privilege were also found in the Saskatchewan Information and Privacy Commissioner’s publicly released report on the LifeLabs cyberattack.

The Court applied the correctness standard to its review of the Privilege Decision’s identification of the legal test related to the law of privilege and the application of the law to the facts and found that the IPC and BC OIPC were correct.  The Divisional Court’s reasons speak very positively about the Privilege Decision, stating:

The decision is logical, clear and persuasive. It considered all the arguments raised by LifeLabs and gave comprehensive reasons for rejecting the claims of privilege.

Among other things, the Court agreed with the IPC that LifeLabs cannot protect facts relating to statutory compliance simply by claiming privilege:

Health information custodians, such as LifeLabs, cannot defeat these responsibilities [to investigate, contain, and remediate privacy breaches] by placing facts about privacy breaches inside privileged documents. Although the claims of privilege here were rejected, even if they had been accepted, this would not have defeated the ON IPC’s duty to inquire into the facts about the data breach within the control and knowledge of LifeLabs. This result flows not only from the ON IPC’s statutory mandate, but also from how litigation privilege and solicitor client privilege function.

The Court went further and found that the IPC and BC OIPC’s joint investigation and deliberation had statutory authority and did not give rise to apparent bias or a lack of independence.

The most significant statements in the decision and I believe the same approach should be taken in Saskatchewan, are:

[80] Similarly, solicitor-client privilege does not extend to protect facts that are required to be produced pursuant to statutory duty. The ON IPC correctly articulated the law when it stated at para. 49:

Even if the communication is privileged, the facts referred to or reflected to in those communications are not privileged if they exist outside the documents and are relevant and otherwise subject to disclosure. Some facts have a life outside the communication between lawyer and client but have also been communicated within the solicitor-client relationship. Facts that have an independent existence outside of solicitor-client privileged communications are not privileged. When deciding if such facts are privileged, one must keep one eye on the need to protect the freedom and trust between solicitor and client and another eye on the potential use of privilege to insulate otherwise discoverable evidence. While privilege is jealously guarded it must be interpreted to protect only what it is intended to protect and nothing more.

[81] That is, simply depositing a document or providing counsel with a copy of a document does not “cloak” the original document with privilege…

[82] The same reasoning applies to the type of facts at issue here, whether those be lines of code used by the cyber-attackers and copy-pasted into an IT third-party report, information obtained from an employee by counsel about the measures taken to protect software vulnerabilities or an internal data analysis undertaken by LifeLabs to determine the extent of the data breach.

               …

[86] During the discussion of the underlying facts in the reports, the ON IPC found, as discussed above, that litigation privilege is not intended to shield relevant facts from disclosure that do not constitute a lawyer’s work product. The Privilege Decision found that the underlying facts in the third-party cybersecurity firm’s report “would address the key questions of the cause of the breach, the scope of the breach, how the scope was determined, and what was done by [the cybersecurity firm] to contain and then remediate the breach. LifeLabs has not provided us with any evidence or arguments to demonstrate that disclosure of these facts would reveal or undermine the legal strategy of LifeLabs’ defence” (emphasis added).

I would encourage public bodies and their lawyers to read the case and when dealing with my office be prepared to provide factual information about the breach regardless of who requested those reports.

 

Was this page helpful?

Federal, provincial, and territorial privacy regulators address responsible information sharing in situations involving intimate partner violence

Toronto, Ontario, November 27, 2024 (TBC) Privacy authorities across Canada have issued a joint resolution to guide the responsible disclosure of personal information in situations involving intimate partner violence (IPV). Finalized at their October annual meeting, hosted by the Information and Privacy Commissioner of Ontario, the resolution aims to empower organizations and their staff to make informed decisions about privacy, confidentiality, and public safety.

IPV is a pervasive problem in Canada, primarily harming women and gender-diverse individuals. In 2023, there were 123,319 victims (aged 12 years and older) of intimate partner violence reported to police. While alarming, this statistic very likely underrepresents the true number of IPV incidents nationwide, as many cases go unreported.

Professionals working in the justice, health care, and social services sectors play an important role in reducing or eliminating IPV harm. Private-sector actors can also help identify and take necessary and reasonable steps to prevent potential IPV-related harm to clients and employees. A critical component of IPV prevention and mitigation includes the timely and responsible disclosure of personal information. Effective information sharing could mean the difference between life and death.

In recent years, Canadians have seen a number of public inquiries and inquests involving IPV, which highlighted misconceptions about Canada’s privacy laws. Organizations and their staff reported feeling conflicted about how to respond to an IPV situation due to concerns around their obligations of confidentiality and the risk of infringing privacy rights.

Canada’s privacy regulators collectively affirm that Canada’s privacy laws generally permit the disclosure of personal information if there is a risk of serious harm to health or safety. The resolution calls for a collective effort from governments and organizations to develop privacy-compliant governance frameworks for responsible information-sharing in cases involving risk of serious harm to life, health, or safety when certain conditions are met.

The resolution urges governments to work with their respective privacy regulator or ombuds to ensure organizations develop clear privacy policies around permissible disclosures, conduct public education campaigns, develop culturally sensitive and trauma-informed tools to support organizations serving at-risk communities, and proactively disclose IPV-related data, statistics, and trends to help inform and improve policymaking on this issue.

The resolution also calls on public institutions and private sector organizations to establish corporate policies on permissible disclosures, require staff training, adopt culturally-sensitive and trauma-informed approaches particularly among marginalized, racialized, or vulnerable groups and consider the unique experiences of Indigenous communities, be transparent up front about potential disclosures and document them when they occur, ensure privacy and security safeguards are in place, and respect data minimization principles.

For their part, Canada’s privacy regulators commit to working collectively to clarify permissible disclosures under their respective privacy laws by engaging with governments and other key interested parties to educate professionals, affected individuals, and the public on when and how personal information can be disclosed in IPV situations. Together, they aim to provide ongoing policy guidance and support for the responsible disclosure of personal information to help prevent situations of IPV.

 

Learn more:

 

Media contact:

Julie Ursu, Manager of Communication
Telephone: 306-798-2260
Email: jursu@oipc.sk.ca

Was this page helpful?

Severing Email Records (updated)

My office released a blog in June of 2017 regarding the obligation under section 8 of The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and section 38(2) of The Health Information Protection Act (HIPA) to release as much information in a record as can be reasonably severed without disclosing the exempt information.

The advice provided in that blog continues to apply today – public bodies and trustees cannot apply an exemption to an entire page or record just because some or most of the information in the record is exempt. To comply with FOIP, LA FOIP and HIPA, public bodies and trustees need to conduct a line-by-line review of each page and only withhold information that is subject to an exemption. This basic rule applies regardless of the exemption that may be found to apply – mandatory or discretionary – and includes records where portions may be subject to solicitor-client privilege.

For email records, this means that a public body or trustee needs to consider if the ‘header’, ‘footer’ and ‘opening and closing statements’ of the email are exempt.

Definitions of these terms can be found in my office’s Review Report 051-2024. In that review, I stated that:

  • ‘Header’ refers to the to, from, cc, bcc, date and subject line of the email.
  • ‘Footer’ refers to the signature block (name, contact details and title of the sender) and confidentiality statement.
  • The ‘opening and closing statements’ are greetings such as ‘Dear’, ‘Yours truly’, and “I hope you are having a good day” that people often include in emails.

If a public body or trustee claims that any of the above information is exempt, it will be required to demonstrate that the exemption applies if an applicant requests a review by my office.

For examples of recent reports where the Commissioner recommended release of this type of information in email records, see Review Reports 026-2019, 188-2022 and 024-2024.

For examples of cases where the public body proactively released this type of information to an applicant, see Review Reports 099-2024, which involved the City of Regina, and 051-2024, which involved the Saskatchewan Health Authority.

For more information about the obligation to sever and the application of exemptions, please see IPC Guide to FOIP, Chapter 3 and Chapter 4, and the IPC Guide to LA FOIP, Chapter 3 and Chapter 4. Our Modern Age Severing Webinar may also be of interest. It provides guidance on how to sever information from responsive records easily and electronically.

Was this page helpful?

Canadian privacy regulators pass resolution to address privacy-related harms resulting from deceptive design patterns

TORONTO, ON, November 13, 2024 – Privacy regulators from across Canada have issued a joint resolution calling for action on the growing use of deceptive design patterns (DDPs) that undermine privacy rights. Passed at their October annual meeting, hosted by the Information and Privacy Commissioner of Ontario, the resolution outlines key measures for organizations to adopt privacy-first design practices.

Deceptive design patterns, often referred to as dark patterns, manipulate or coerce users into making decisions that may not be in their best interests, particularly children. These patterns are frequently used on websites and mobile apps, and their prevalence is a growing concern for regulators, especially as more of Canadians’ daily activities move online.

In 2024, the Global Privacy Enforcement Network (GPEN) launched a sweep of websites and apps, examining the prevalence of privacy-related DDPs. Some Canadian privacy regulators joined this international effort, which examined over 1,000 websites and apps across multiple sectors, including retail, social media, news, entertainment, health, fitness, and those aimed at children.

The findings were troubling: 99 percent of Canadian digital platforms examined in the sweep included at least one deceptive design pattern, with especially high levels of DDPs on platforms designed for children.

In response to the widespread use of and potential harm from privacy-related DDPs, Canada’s privacy commissioners and ombuds are calling on organizations in the public and private sectors to prioritize users’ privacy and support their informed and autonomous choices by avoiding deceptive design practices. The resolution urges organizations to:

  • build privacy and the best interests of young people into the design framework using privacy-by-design principles
  • limit the collection of personal information to only what is necessary for a specific purpose
  • use clear, accessible language that complies with privacy laws, enhances transparency and builds trust
  • regularly review and improve design elements of websites and apps to reduce exposure to deceptive design patterns and support informed privacy choices
  • choose design elements that adhere to privacy principles and do not generate negative habits or behaviors in users

The privacy commissioners and ombuds commit to collaborating with governments and other interested parties to modernize design standards, reduce the presence of DDPs, and champion privacy-friendly design patterns that respect user autonomy.

Learn more:

For more information:

Julie Ursu, Manager of Communication
Telephone: 306-798-2260
Email: jursu@oipc.sk.ca

Was this page helpful?

Federal, provincial, territorial information and privacy commissioners and ombuds wrap up successful annual meeting

TORONTO, ON (October 10, 2024) – Today, federal, provincial, and territorial (FPT) information and privacy commissioners and ombuds concluded two days of productive discussions on privacy and access to information issues across Canada. The annual event, hosted this year by the Information and Privacy Commissioner of Ontario, was a significant opportunity to address key issues, enhance collaboration among jurisdictions, and reaffirm a shared commitment to protecting the access and privacy rights of all Canadians.

AI modernization and freedom of information
Participants discussed novel ways artificial intelligence (AI) can modernize government services, including freedom of information (FOI) processes, while ensuring the use of these emerging technologies is in alignment with privacy and ethical standards and principles.

Representatives from the Ministry of the Environment, Conservation and Parks shared valuable insights on some of the ministry’s recent initiatives to improve government services related to access to information.

The evolution of cabinet confidence under constitutional and administrative law
A distinguished panel featuring Paul Daly, Chair in Administrative Law and Governance at the University of Ottawa, Yan Campagnolo, Vice-Dean of the French Common Law Program at the University of Ottawa, and Vincent Kazmierski, Associate Professor at Carleton University, discussed cabinet confidence in Canada in light of recent constitutional and administrative law developments.    

Privacy implications around the use of neurotechnology
Dr. Jennifer Chandler, Professor of Law at the University of Ottawa, delivered a presentation on the implications of neurotechnology for privacy and data protection. Her presentation addressed the ethical and legal challenges posed by advancements in neurotechnology and its application in various sectors, along with future policy options for governing this emerging technology.

First Nations concepts of privacy
Dr. Jonathan Dewar, Chief Executive Officer of the First Nations Information Governance Centre, delivered a compelling presentation on First Nations concepts of privacy and data sovereignty. The perspective he shared enriched discussions and broadened the commissioners’ understanding of collective rights and data sovereignty from First Nations viewpoints, opening the door to further potential collaboration with First Nations groups to advance reconciliation.

Youth privacy
A panel of teens and young adults from the IPC’s Youth Advisory Council engaged directly with FPT commissioners and ombuds to explore the need to protect the rights of Canada’s children and youth in the digital age. Moderated by Jane Bailey, Professor at the University of Ottawa, the panel provided firsthand insights into the challenges faced by youth in a digitally networked environment, emphasizing the importance of policies and educational programs to empower young people with the knowledge and tools to fully and safely participate in the digital world.

Legislative updates
The commissioners and ombuds discussed recent developments and anticipated changes to access and privacy laws across Canada, resulting in a comprehensive overview of the evolving legal landscape. This comparative exercise provided an insightful understanding of general trends and opportunities for legislative modernization.

“FPT discussions over the past two days confirm that our shared commitment to upholding the privacy and access rights of Canadians is stronger and more united than ever,” said Patricia Kosseim, Ontario’s Information and Privacy Commissioner. “My office was pleased to host this year’s FPT meeting, where we tackled some of the most pressing challenges of our times. By fostering collaboration and sharing insights, we are better equipped to ensure that the privacy and access rights of all Canadians are protected in an increasingly digital world. Together, we are more effective and impactful than any one of us can possibly be alone.”

Media Contact:
Julie Ursu, Manager of Communication
Telephone: 306-798-2260
Email: jursu@oipc.sk.ca

Was this page helpful?

Contracting with Governments (updated)

Government, whether municipal or provincial, charge taxes and spend those taxes on services we need. By government I mean at all levels and includes school boards, universities, colleges and health regions. All of them enter into contracts with service providers. I generally believe that if you contract with an entity which uses tax dollars, your contract and dealings with the entity should be public. I am surprised when I find a public body (at any level) not willing to share a contract or a service provider not wanting their contract with a government entity to not have it disclosed.

In many instances, third parties did not want details of their contract (hourly rates or prices) to be disclosed. See Review Reports 195-2015, 196-2015 and 229-2015. In another report a city did not want a contract released. See Review Report 084-2015. A Ministry severed two winning bid figures although they were publicly available. See Review Report 125-2014. In another case, even after holding a public meeting where an agreement, a contract, with a third party was discussed, the Village withheld them from release. See Review Report 122-2014.

This issue has been litigated in the Court of King’s Bench. In the case Canadian Bank Note Limited v. SGI, the judge held that the head properly withheld unit prices pursuant to subsections 19(1)(b) and (c)(i) and (ii) of FOIP. As a result of this case, the IPC has concluded that the contract should be released but not necessarily the unit pricing. See Review Reports 323-2021, Review Report 123-2020 and Review Report 078-2020. For an example where the public body did not show any prejudice, and it was recommended that unit prices be released see Review Report 048-2024. One can also refer to the Guide to FOIP, Ch. 4, p. 206.

In conclusion, third parties should expect that their contracts with governments will be released but if they can show that they can comply with section 19 of FOIP (section 18 of LA FOIP) they may be successful in not releasing the unit price.

I thought I would do this blog to clarify the situation. When a government entity requests tenders or proposals, the submissions by third parties will generally be kept confidential. Once the successful bidder gets the contract, the contract with all attached schedules, will generally be accessible (viewable) by the public. This is consistent with the provisions of The Cities Act (s. 91) and The Municipalities Act (s. 117). The Freedom of Information and Protection of Privacy Act (FOIP) requires Government Institutions (Ministries, Crown Corporations, Boards and Agencies) to release contracts. FOIP does have a number of exceptions to the general rule such as those found in sections 19 and 29(1).

The Local Authority Freedom of Information and Protection of Privacy Act imposes a similar requirement to provide documents (contracts) unless a specific exemption can be claimed and supported. If a contract does not fit into one of those exceptions, then the contract and its attachments are to be released to anyone who asks. It can be a resident, the media or a competitor. The contract gets released.

I often hear the argument that releasing the contract will affect the competitive situation. Just the opposite is true, if all parties know what the successful contractor proposed, next time other parties are free to propose a cost lower than the previous contract. This is good for competition and for taxpayers.

Also I have heard the argument that the contract contains trade secrets. Contractors should try to avoid putting trade secrets in the contracts because the public are entitled to see the contracts showing the work to be done, the obligations of the contractors, the cost and the responsibilities of the public body.

I have some suggestions for public bodies. One is in the tender or RFP documents, put in a clause saying the final contract and schedules are public documents and in the contract itself, put in a clause that says these contracts and all schedules may be released if requested to the public at any time.

These steps may go part of the way to making it clear to all that contracts with public bodies may be released to the public.

Was this page helpful?

Protecting Your Personal Information in the Digital Age

Whether adding to your shopping cart from your laptop in a café, doom-scrolling social media on the bus ride home from the office, or engaging in work remotely, our online presences make us more vulnerable to invasions of our privacy. So, how can we protect ourselves from risks to our personal information in an era where everything is online?

Stay up to date.
Start with something so simple, you can literally do it in your sleep. The conscious decision to maintain current updates on your devices requires minimal effort but has significant impact. By ensuring your software and apps are up to date, you ensure critical security measures are in place.

Back it up.

Also, while you are sleeping, why not back up your data? With a few keystrokes or screen swipes, you can configure your most beloved fur-baby photos (or your critical work files) to automatically save in a cloud-based storage system or external hard drive and mitigate heart-wrenching (and potentially professionally precarious) digital losses.

Beware of virtual snares.

Phishing scams are everywhere these days, with cybercriminals posing as anything from your utility company to your bank. Take a course on how to recognize phishing scams so that you can easily spot a digital intruder. For more information about phishing, read our blog post A Near Attack or view our Security and Phishing Presentation.

Be wise about your Wi-Fi.

Most free public Wi-Fi networks have minimal security measures in place. This means others using the same network could easily access your activity. Delay any secure online purchases, especially, until you are on a secure, password protected network.

Create passwords that are hard to crack.

Speaking of passwords, make sure yours (yes, plural – as in more than one) is not easily deciphered by a cybercriminal. Employ a combination of lower and uppercase letters, numbers and symbols. Some even swear by splicing together three random words to stump would-be hackers.

Do the two-step.

Two-step verification is valuable in safeguarding your accounts. Two-step verification refers to a process whereby the program you are accessing authenticates that the access request is truly from you. For example, after entering your username and password into your e-mail program on your work computer, an authentication server sends a distinct code to a secondary device, such as your cell phone. You then are prompted in your e-mail to enter the distinct code sent by that authentication server, thereby confirming your identity, and granting you access. This process ensures that, even if a password is compromised, a digital intruder cannot access an account without approval. Without authorization at that second step, a compromised password alone is useless.

While there are many ways to ensure that your private information stays truly private, starting with these six tips will launch you in a positive direction for feeling empowered about your privacy in this increasingly online world.

For more information, please see the links to our support materials below:

5 ways to protect your privacy

Influencing Sources

Government of Canada – Get Cyber Safe

 

Was this page helpful?

Who Signs for a Child? (updated)

When it comes to obtaining the personal information of a child under the age of 18 years, it is commonly accepted that a child cannot sign for themselves.  So, who can sign for that child?

The Children’s Law Act, 2020 sections 3 and 4 provides:

  • The parents of a child are joint legal decision-makers with equal rights unless changed in a court order or an agreement;
  • Where parents have not lived together after the birth of a child, the parent with whom the child resides is the sole legal decision-maker;
  • If a parent dies, the surviving parent is the legal decision-maker of that child unless changed by a court order or an agreement.

The Freedom of Information and Protection of Privacy Act (FOIP), section 59 and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), section 49 both provide:

59 Any right or power conferred on an individual by this Act may be exercised

(d) where the individual is less than 18 years of age, by the individual’s legal custodian in situations where, in the opinion of the head, the exercise of the right or power would not constitute an unreasonable invasion of the privacy of the individual; or

In effect, then the legal decision-makers can sign on behalf of the child.  This means two parents, sometimes one parent, or as directed in a court order, or agreed to in an agreement. For an analysis of this, see report Investigation Report 083-2022

The Health Information Protection Act (HIPA), has a similar provision, section 56 which provides as follows:

56 Any right or power conferred on an individual by this Act may be exercised:

(c) by an individual who is less than 18 years of age in situations where, in the opinion of the trustee, the individual understands the nature of the right or power and the consequences of exercising the right or power;

(d) where the individual is less than 18 years of age, by the individual’s legal custodian in situations where, in the opinion of the trustee, the exercise of the right or power would not constitute an unreasonable invasion of the privacy of the individual;

 

These provisions caused a number of questions to be asked.

Q. What if the parents are separated?

A. If parents are separated, they both are still joint legal custodians unless changed by a court order or an agreement.  In a court order, a judge can order that one parent is the sole legal custodian.  In an agreement, one parent can give up his or her rights to be the joint legal custodian.  In these instances, the head or a trustee should ask for a copy of the court order or agreement and identify the clause that deals with legal custodianship.

Q. What if one of the separated parents has a girlfriend, boyfriend or new spouse?

A. The girlfriend, boyfriend or new spouse has no rights unless it has been directed in a court order or dealt with in an agreement.

Q. What if the child wants to exercise his or her rights?

A. FOIP and LA FOIP do not have a specific section that answers this question. When children get to the age of what may be considered a mature minor, heads should use their discretion to provide the personal information if the child, “understands the nature of the right or power and the consequences of exercising the right or power.” Heads should also look to their governing legislation to see if the Legislative Assembly has provided direction on the rights of the child.

HIPA does contemplate an individual under 18 years of age exercising a right under the Act such as requesting his or her personal information or making a decision with respect to it. When such a request is made, it is up to the trustee to determine whether the individual understands the nature of the right or power and the consequences of exercising the right or power.  There is no specific age when one can say that is a mature minor.

The head has to in each circumstance determine whether the child understands the nature of the right or power and the consequences of exercising the right or power.  In circumstances of uncertainty, the head might decide to acquire the signature of the legal custodian and the child.

Q. Can the legal custodian obtain all personal information or personal health information?

A. All three statutes provide that legal custodians can have the information, unless in the opinion of the head or trustee, providing the information would be an unreasonable invasion of privacy of the individual. The data minimization principle would still apply.

Doctors, nurses, social workers, teachers and guidance counsellors can run into this problem.  Parents may want all the information, but that information could include information on pregnancy, drug addiction, sexually transmitted disease, contemplated suicide, contemplated leaving home, gender identity or commission of a crime.  In addition, the child may have expressly asked that the information not be shared with their parents. In these instances, the professional involved, their supervisor, the head or the trustee must consider very carefully the words “unreasonable invasion of privacy.

Q. What if the child verbally or in writing tells the professional that they have shared the information in confidence and does not want their parents to know?

A. This adds to the challenges faced by the professional. Such a request by the child is a clear indication that the child wishes privacy and does not want the information to be shared with others.  It is an important factor in determining whether there would be an “unreasonable invasion of privacy.”

Releasing personal information under The Education (Parents’ Bill of Rights) Amendment Act, 2023 (Chapter 46)

Sections 197.2 and 197.4 of the bill sets outs the rights of the parent or guardian in relation to the student.  School boards and their administrators if faced with requests under these sections should obtain legal advice before taking action.

 

Other Resources

Other helpful resources on this topic can be found at:

  1. Office of the Privacy Commissioner of Canada Form of Consent
  2. Best Practice for Gathering Informed Consent
  3. Alberta IPC Order F2012-21case on unreasonable invasion of privacy

Was this page helpful?

Elections and Responding to Access to Information Requests

In Canada, we are fortunate to live in a democratic society where citizens are able to express their wishes of who governs us through our right to vote. By living in a democratic society, citizens are able to ask questions and exercise their access to information rights to ensure elected officials and provincial and municipal governments are acting in an open, accountable and transparent manner. One tool citizens are able to utilize to exercise this right are access to information laws.

The purpose of access to information laws was eloquently stated by Justice La Forest in the Supreme Court of Canada decision Dagg v. Canada (Minister of Finance). Justice La Forest stated, in part “the overarching purpose of access to information legislation is to facilitate democracy by helping to ensure that citizens have the information required to participate meaningfully in the democratic process and that politicians and bureaucrats remain accountable to the citizenry” (Dagg v. Canada (Minister of Finance), 1997 CanLII 358 (SCC), [1997] 2 SCR 403, <https://canlii.ca/t/1fr0r>, retrieved on 2024-08-21).

As summer is coming to a close, Saskatchewan is preparing for both provincial and municipal elections this fall. With election season upon us, it is a good time to remind everyone about their obligations under The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP). This includes the importance of responding to access to information requests during election periods.

Public body employees may be nervous when responding to access to information requests during the election period, especially requests that may relate to hot topic or controversial issues. Our office also recognizes there are specific communication directives during the election period that employees must follow. However, during an election, your obligations under FOIP and LA FOIP do not change.

Public bodies must respond to formal access to information requests during an election as they would any other time during the year. This means, you must respond to the request, in writing, within 30 days of receiving the request. You may extend the response time an additional 30 days only if a limited and specific circumstance exists as provided for in section 12 of FOIP and section 12 of LA FOIP. However, it is important to note that one of the reasons to extend a response time does not include a provision that covers elections.

I would also like to mention that when an applicant makes an access to information request and does not receive a response to the request in the legislated timelines, my office expedites requests for review on late responses/deemed refusal cases. We have established this process so we can work with public bodies to get a section 7 decision to the applicant as quickly as possible in order to decrease the chance that the file will need to proceed to a formal review. For more about this process, please see Part 2.1: Priority Procedure on Reviews of Failure to Provide a Section 7 Decision in my office’s Rules of Procedure. In short, if an applicant submits as access to information request and does not receive a response in 30 days, on day 31 they have a right to request a review by my office.

I would also like to touch on delegation of powers under FOIP and LA FOIP. In a provincial government institution, the Minister is the designated Head under FOIP. In a municipality, the Mayor of the Town or City and the Reeve of the Rural Municipality is the designated Head under LA FOIP. During an election period, if the duties of the Head have not already been delegated to an official within the public body who is not an elected official, the Head may consider delegating those powers to a non-elected official. Some common positions my office sees with delegated powers under FOIP and LA FOIP are Access to Information Officers, City Clerks and Administrators of Towns and RMs. By taking this step, decisions regarding access to information are being made by a delegated official – not an elected official – and helps to remove perceived political bias from the decision-making process.

If the Head decides to delegate powers imposed under FOIP / LA FOIP, this does not mean the Head no longer has decision making powers. It means that the Head is giving another official the ability to make decisions under FOIP / LA FOIP. For more on delegation of powers, Chapter 2 of my office’s Guide to FOIP and Chapter 2 of my office’s Guide to LA FOIP.

For further background, please see Review Report 064-2016 to 076-2016 where the Information and Privacy Commissioner, in part, looked at the issue of responding to access to information requests during an election.

To close, as you enter the election season, my office would suggest having internal conversations about FOIP and LA FOIP and your obligations to respond to access to information requests. That way, if you receive a request during the election period, everyone is on the same page, and you can continue with business as usual as it relates to your FOIP and LA FOIP obligations.

Was this page helpful?

The Search for Personal Health Information (updated)

When a patient (applicant) makes an access to information request for their personal health information, the search for responsive records may not be as easy as just checking out the health records department. The Health Information Protection Act (HIPA) applies to all personal health information in the custody or control of a trustee regardless of who created it, where it came from or how it is stored. All records, in any form, that are responsive to the request, must be identified, located, retrieved and released (subject to exceptions) within 30 calendar days.

Records may be in paper or electronic form whether found in a file drawer, legacy system, electronic medical record (EMR) or electronic health record (EHR).  Electronic or digital records include electronic documents such as word-processed documents, spreadsheets, email, digital photographs, scanned images and electronic data, such as information stored in databases or registries or in rarer cases, back-up tapes.

Regardless of the medium, a thorough search needs to be conducted. For instance, this office dealt with a request for access to records from the 1960s. The records existed only on microfiche, so the trustee had to find a way to read and make a copy for the applicant, even though the trustee no longer had the technical capability. The take-away lesson is that as long as records have not been destroyed, access rights of the individual remain intact, and records need to be produced wherever they reside.

A request for access may be unduly general or vague because the applicant lacks knowledge of the trustee’s operations, systems or programs and the type of health records that may exist. These types of requests may prove challenging for a large trustee organization (e.g., Saskatchewan Health Authority) as could potentially require a search of a number of different facilities, program areas and information systems. This is why communicating with the applicant early on in the process to clarify the request is critical. This communication is also in keeping with a trustee’s obligations under section 35 of HIPA which is the trustee’s duty to assist. This express duty obligates the trustee to make every reasonable effort to assist an applicant by responding to each request openly, accurately and completely.

The responsibility to maintain records may fall to many different individuals at different times resulting in records being temporarily retained on the unit, in individual employee’s offices, vehicles or homes, managed off-site by an information management service provider or put into storage while waiting to be culled (i.e., non-active files). When applicable, records in the physical possession of contracted agencies may also have to be located as may have records responsive to an access request (e.g., independent medical examination).

Different kinds of records are also being generated as more electronic information systems are relied on for service provision. For instance, patients may submit a request to eHealth Saskatchewan for eHR Viewer Event Audits (shows who has looked at their records in the eHR Viewer).

Also, a search at one time may reveal responsive records, but not necessarily all. For instance, what about records that are in the queue (i.e., not yet dictated)? Patient care is not static. There will always be new responsive records being generated as long as a patient continues to interact with the health care system.

As noted, there are some limited exceptions to the right of access and a decision to release may depend on who is making the request. Subsections 27(1) and 38(1) and section 56 of HIPA need to be taken into consideration.

In closing, the best advice that I can give if you are processing such a request is to start with a search strategy by talking to the ‘people in the know’ before proceeding (e.g., record managers).  It will save you a lot of time in the long run. And, don’t forget to document both your search strategy and keep details of the actual search conducted. Those details come in handy if the applicant is dissatisfied and requests a review of my office down the road.

 

Was this page helpful?

Google Translate Disclaimer

Translations on the IPC Website are performed by Google Translate. Please note that not all text may be translated accurately or be translated at all. The IPC is not responsible for incorrect or inaccurate translations. The IPC will not be held responsible for any damage or issues that may result from using Google Translate.

For more information, read our full disclaimer.