Nunavut’s privacy commissioner investigates government’s mail practices

Alberta promises increased privacy protections

British Columbians facing longer wait times to access records from BC Government

Ontario IPC blog on AI and the public sector

England’s ICO issues Tech Horizons Report

Guidelines for use of AI by lawyers

Federal Privacy Commissioner issues report on RCMP collection of data from third parties

Ontario IPC issues guidance on police use of facial recognition and mug shots

European Parliament passes landmark AI Act on March 13

Princess Kate-attempted breach of her personal information

Confidentiality Clauses in Contracts (updated)

A lot of our work centers around a citizen wanting a contract that a ministry, city, town or municipality has entered into. The public body does not want to release it because, among other reasons, the contract has a confidentiality clause.

The Cities Act and The Municipalities Act specifically provide that a citizen can inspect a contract entered into. See Review Report 049-2021 at paragraph [89]. The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) both provide that a citizen has access to records unless a particular section exempts the public body from having to release some of the clauses. Section 19 of FOIP and section 18 of LA FOIP provide certain exemptions, but there is no exemption based solely on the parties wanting to keep the information confidential. A confidentiality clause in a contract might bind the parties, but the clause cannot override the law of the land.

Third parties and businesses need to know when they deal with public bodies supported by tax dollars that their contract will probably be released. No confidentiality clause, however well drafted, can override the law. See Review Report 205-2019, 255-2019 at paragraph [95].

Now, I have mentioned there are some exemptions. Section 19 allows information regarding trade secrets, or financial, commercial or labor relations information, to be withheld.

If an exemption applies, like trade secrets information, that information can be withheld but that does not justify withholding the entire contract. The public body might be entitled to sever the exempted information but would be obliged to disclose the rest.

So I hope over time businesses dealing with public bodies come to accept that being transparent in a democracy is important and their contracts will be available to be examined by citizens.

 

 

3 Minutes for a Search (updated)

As public bodies have gone to doing the majority of their communicating by email, access requests for records of emails have increased. I expect such requests will continue. If the access request is for recent records (emails) an employee can perform a search in Outlook (or other email programs) and very quickly locate the emails related to the access request. If the requests are for older emails, which have been archived in the Outlook archive system, the search can still be done (it might take a little longer). If the access request is for emails that are no longer in the Outlook system, then the search might be more difficult depending on the technology used. Or, if the employee has left the organization, and their emails have been stored outside the Outlook system, the effort to get those emails could be difficult and time consuming. This can be hard work or expensive if IT resources are required.

The best solution is that emails be reviewed regularly by each employee. The emails that are part of the official record get stored in an organized electronic filing system, such as a shared drive that is accessible to authorized employees or an electronic document records management system (EDRMS). I know employees don’t always do this, but they should. An alternative solution is that an organization acquires an email management system that stores all emails, old and new, for current and former employees.

Those are two solutions. There may be other solutions and I encourage organizations to determine what solution works for them.

In the meantime, access requests for emails will be made. Organizations need to decide on a search strategy for finding those emails and then decide whether they will charge a fee. If an organization charges a fee for those emails, it is necessary to figure out what is a reasonable fee. My office has developed rules of thumb for searches such as 5 minutes per file drawer or 1 minute to review 12 pages. We have developed another rule of thumb. We will accept that it takes 3 minutes for an employee to search their email Outlook account for each search parameter. Of course, a public body is free to perform its own test and determine the length of time it takes to perform a search of an employee’s email account and store the results.

Our hope is that this new guideline will make it easier for public bodies to estimate a fee and easier for applicants to understand the fee being charged.

We think our 3 minutes is reasonable, but try it: search your email account and time how long it takes your computer to deliver the search result, and then the time to move those results to a separate file or flash drive. As you are working on a fee estimate, you should review section 9 of FOIP and sections 6 and 7 of the FOIP Regulations, or section 9 of LA FOIP and sections 5 and 6 of the LA FOIP Regulations. For a report that analyzes a fee estimate, see Review Report 119-2026.

 

Collection/Disclosure; A Two-Step Analysis (updated)

When personal information or personal health information (information) is shared by one public body with another, the issue arises as to who has the authority to disclose and who has the authority to collect. Many collections of information happen when you or I visit a public body, apply for a service or benefit and fill out a form or answer questions orally.  By giving the information to the public body, we are consenting to their collection of it.  We have expectations that they will use it for the purpose collected, that they will protect it and not disclose it to others without consent unless legislative authority to disclose otherwise exists.

So, when it comes to the sharing of information by one public body with another, my office has to ask two questions: Does one body have the authority to collect?  Does another body have the authority to disclose?  For an authorized sharing to occur, the answer to both questions has to be yes.  If one of the answers is no, then the sharing is unauthorized.

If the sharing will only occur once, then the public bodies are wise to reduce their understanding to emails, but probably don’t need a formal data sharing agreement.

If the data sharing will occur often, it is then best practice that the public bodies enter into a written data sharing agreement. That agreement should set out the legislative provisions that allow collection and disclosure and it should set out the obligations of the receiving public body regarding the safeguarding of that information and the rights of the sending public body to review and audit the actions of the receiving body.

The existence of a data sharing agreement itself does not authorize the sharing; it is the provisions in statutes or regulations, authorizing collection and disclosure that make the sharing authorized.

As a final note, any authorized sharing should be looked at with the data minimization principle in mind. The public body collecting the information should collect the least amount possible and the disclosing public body should disclose the least amount possible. Of course, there may have to be discussions between the two bodies to ensure that the least amount of information gets shared.

Another situation where the two-step analysis must be applied is when a public body has the power to investigate. Implied in the power to investigate is the authority to collect information.  When an investigator approaches someone in another public body and asks for information, the other public body needs to decide whether they have the authority to disclose under The Freedom of Information and Protection of Privacy Act, The Local Authority Freedom of Information and Protection of Privacy Act or The Health Information Protection Act (i.e., where the disclosure is permitted pursuant to another Act or Regulation). Now for general information or de-identified information, they can always disclose that as no privacy interests are engaged.  For personal health information, they should attempt to determine whether the personal health information is reasonably necessary for the investigation. The data minimization principle always suggests that the least amount of information be disclosed. Collection and disclosure are like two sides of the same coin. You can’t have one without the other. It is always necessary to analyze the authority to collect and the authority to disclose before sharing the information in question.

 

Demystifying Access to Information Rights

What rights do members of the public have when it comes to access to information? The right to access information in government records is established at the federal and provincial level.

Federally, the Access to Information Act is overseen by the Information Commissioner of Canada. For more on this, please visit the Information Commissioner of Canada’s website.  The provinces/territories also have access to information legislation. For more on this, check out the Summary of privacy laws in Canada on the Privacy Commissioner of Canada’s website.  In Saskatchewan, we have three Acts that give you access to information rights:  The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and The Health Information Protection Act (HIPA).

In Saskatchewan, your access to information rights include:

A right of access to records

Under FOIP and LA FOIP, anyone has the right to request access to any record in the possession and control of a government institution or local authority. Information in the records of public bodies defaults to being accessible to the public. That said, the legislation also outlines some limited and specific exemptions to the right of access – these are situations when the head of a public body may or must withhold access to some or all of the information.

Under HIPA, an individual has the right to request access to their own personal health information under the custody or control of a trustee. HIPA does not provide a right of access to policy or process information in the holdings of trustees. Like FOIP and LA FOIP, the default is that you have a right to access your own personal health information – if the trustee withholds your personal health information, they must be able to justify their decision by pointing to specific sections of HIPA.

A right to request an amendment or correction to your own information

If, upon receiving access to your own information, you feel there is an error or omission in the records, all three acts give you the right to request correction or amendment. The right of correction only extends to factual information; generally, it does not apply to subjective opinions noted in the records.

A right to request a review from the IPC

If an individual is not satisfied with the public body or trustee’s response to their access request or request for correction within legislated timelines, they have a right to request that our office review the matter. The IPC will determine whether the public body/trustee responded to the request appropriately under the applicable legislation. If we find that they did not, we will, in most cases, issue a public report with recommendations based on our findings.

If you have questions about your access rights under the Saskatchewan legislation, contact our office – we would be happy to help!

Making a Privacy Complaint for Someone Else?

Often, our office is contacted by individuals who are concerned about the inappropriate disclosure of personal information that is not their own. If this is you, then perhaps you are attempting to complain on behalf of a loved one; or you’ve received the personal information of a stranger, and you’re willing to go out of your way to report the matter in hopes of having it rectified.

There are many reasons why our office may determine that it is unable to proceed with privacy concerns that individuals bring to our attention (see “Why some reviews and investigations cannot pass go” for some discussion of these reasons), but, in the aforementioned scenarios, the absence of the affected individual is an immediate obstacle.

That is because your privacy rights under the legislation that our office oversees (The Freedom of Information and Protection of Privacy Act, The Local Authority Freedom of Information and Protection of Privacy Act, and The Health Information Protection Act) extend to the collection, use, and disclosure of your own personal information or personal health information by public bodies and health trustees. As a result, although you can still inquire regarding the process that an affected individual must follow in submitting a privacy complaint, you will probably not be in a position to actually submit a complaint on behalf of anyone else.

If you know someone whose privacy has been breached, you may be in a position to serve as a witness, but they will likely need to make their own complaint, first to the public body or health trustee, and only then, if they are unsatisfied with the response that they receive to that complaint, to our office.

Similarly, if you have received personal information that is not your own, you should first report it to the Privacy Officer of the public body or health trustee from which it originated and allow them an opportunity to rectify the situation before reporting it to the IPC.

That said, any right conferred by FOIP, LA FOIP, or HIPA can be exercised by a surrogate under specific conditions, usually explicit permission from the affected individual. If you wanted to submit a complaint on behalf of a child, for example, you may need to demonstrate through documentation that you are the child’s legal custodian (see FOIP section 59, LA FOIP section 49 and HIPA section 56). If any adults were to grant you permission to pursue a privacy complaint on their behalf, this permission would have to be in writing and very specific regarding the powers and scope that it conferred and the time at which it was intended to expire.

From time to time, the Commissioner does become aware of a breach that he chooses to research or investigate on his own initiative. However, these “own motion” investigations are rare and typically relate to breaches involving a large number of affected individuals and/or more expansive, serious, or recurring problems (e.g., misdirected faxes).

So, although you can be of assistance when you learn that someone else’s privacy has been breached, it is usually necessary for the affected individual to exercise their own rights.

A Near Attack

A few weeks into a new role, Jane received an interesting email supposedly from her “colleague” Stacy. Stacy welcomed Jane to the team and asked for some time in her day. There was, of course, a smart attempt to cover up any tracks: a line saying that Stacy was entering a meeting and was only available to communicate via email.

As Jane pondered over the content of the email, other red flags became apparent.  Although she in fact had a co-worker called Stacy, the email was sent from a sketchy address and was missing the signature usual for emails emanating from the office.

With each passing day, scammers develop ingenious ways to attack unsuspecting victims. Publicly accessible information from organizations’ websites and internet activity is unfortunately employed as a springboard for a malicious attack. The Canadian Centre for Cyber Security outlines different ways by which phishing could occur. These include:

  1. Spear phishing: A personalized attack which may contain specific details about a victim (as happened with Jane).
  2. Whaling: A personalized attack that targets a big “phish” such as the Chief Executive Officer because of their possible access to sensitive information.
  3. SMiShing: An attack using SMS (texts) where a scammer impersonates someone known by the victim or poses as the provider of a service used.
  4. Quishing: An attack involving Quick Response (QR) codes that re-directs victims to malicious websites when scanned.
  5. Vishing: “Voice phishing” which involves defrauding people through voice calls, enticing them through means which appear legitimate, to divulge sensitive information.

Phishing attacks typically result in identity theft, fraud, and the transmission of computer viruses. There have also been ransomware incidents where files have been encrypted, organizational data stolen and significant ransom payments demanded. In the case of Jane, she deleted the email and never responded to the sender’s request. This protected her account from being compromised and the entire organization from a potential security breach.

The onus is on organizations and individuals to protect personal information and personal health information (where applicable). Employees are generally advised, in the case of suspicious phone calls, not to divulge any personal or sensitive organizational information and to end the call immediately. They are also cautioned not to open any suspected phishing emails, but if they do, they should:

  • Not click any links or download any attachments in the email.
  • Not respond to the sender.
  • Swiftly report in accordance with their organization’s standard operational practices.
  • Delete immediately!

In the unfortunate event that a person falls victim to an attack, immediate steps to be taken include scanning devices for viruses and other malware, changing affected passwords, enabling multi-factor authentication across their devices and informing co-workers to contain the breach and prevent future attacks. Privacy awareness training and cybersecurity training are a good starting point in the fight against phishing attacks.

Updated HIPA Regulations and Proclaiming Certain Subsections of HIPA

Effective August 1, 2023, certain subsections of The Health Information Protection Act (HIPA), namely subsections 17(1), 18(2) and 18(4), have been proclaimed. Also, effective August 1, a new version of the HIPA regulations is in effect and should be available by the end of the week here. Below is a Q & A sheet issued by the Ministry of Health which explains the changes. The Q & A is a good summary of the things that have changed.

The Health Information Protection Amendment Regulations, 2023

Questions and Answers for Stakeholders HIPA Regs 2023

 

Severing Email Records

My office released a blog in June of 2017 regarding the obligation under section 8 of The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and section 38(2) of The Health Information Protection Act (HIPA) to release as much information in a record as can be reasonably severed without disclosing the exempt information.

The advice provided in that blog continues to apply today – public bodies and trustees cannot apply an exemption to an entire page or record just because some or most of the information in the record is exempt. To comply with FOIP, LA FOIP and HIPA, public bodies and trustees need to conduct a line-by-line review of each page and only withhold information that is subject to an exemption. This basic rule applies regardless of the exemption that may be found to apply – mandatory or discretionary – and includes records that may be subject to solicitor-client privilege.

For email records, this means that a public body or trustee needs to consider if the ‘header’ (that is: the to, from, cc, bcc, date and subject line), signature blocks (name and contact details of the sender), confidentiality statements, and opening and closing statements of the email are exempt. If the public body or trustee claims that any of this information is exempt, it will be required to demonstrate that the exemption applies to this type of information if the applicant requests a review by my office.

For examples of recent reports where the Commissioner recommended release of this type of information in email records, see Review Reports 026-2019, and 188-2022. For more information about the obligation to sever and the application of exemptions, please see IPC Guide to FOIP, Chapter 3 and Chapter 4, and the IPC Guide to LA FOIP, Chapter 3 and Chapter 4. Our Modern Age Severing Webinar may also be of interest. It provides guidance on how to sever information from responsive records easily and electronically.

RIM Executive Training

The Provincial Archives of Saskatchewan has completed a new records and information management (RIM) training module specifically for executives. The 30-min module introduces basic RIM concepts and explains the importance of an effective RIM program.

The training is available on LEARN (PSC Client): TR-01420 – Introduction to Records and Information Management. If you do not have access to LEARN, you can view it on the Provincial Archives website: https://training.saskatchewan.ca/learningmodules/PAOS/RimExecutive/story.html.

I encourage all to take 30 minutes and take this training. Without proper records management, it is nearly impossible to know what you have and where to find it in a timely fashion and you end up keeping what you may not need for far longer than reasonably necessary.

My office has, over the years, talked about records management being an important part of protection of privacy. One of the best ways to protect my privacy is to destroy records in an orderly, secure way. To do that, one needs policies, procedures and schedules regarding the maintenance and destruction of records. This approach applies to paper and digital records in all forms, including text messages.

A lot of information about me is now stored electronically, so any policy needs to deal with both paper and electronic records.

So, I encourage you to take the training and then reflect on your organization. Is there more your organization should do to protect my privacy?

 

 

Delegation of Powers and Duties Under LA FOIP

Frequently, my office is asked by municipalities how to prepare a delegation instrument where the “head” of the municipality may delegate their powers and/or duties under LA FOIP to one or more employees. In many cases, it is the mayor or reeve who wishes to delegate their powers and duties under LA FOIP to the administrator.

Section 50 of LA FOIP provides that the head may delegate to one or more officers or employees of a local authority their powers or duties under LA FOIP:

50(1) A head may delegate to one or more officers or employees of the local authority a power granted to the head or a duty vested in the head.

(2) A delegation pursuant to subsection (1):

(a) is to be in writing; and

(b) may contain any limitations, restrictions, conditions or requirements that the head considers necessary.

To help with the task of preparing a delegation instrument, my office has prepared a delegation table that breaks down the powers and duties of a head under LA FOIP. Municipalities can fill out the delegation table according to which powers and/or duties the head wishes to delegate. The head must approve the delegation table in order for the delegation to be effective. The head does not need council approval to delegate powers and duties under LA FOIP.

Some important things about a delegation are as follows:

  • The delegation should identify the position, not the individual, to which the powers are delegated. When delegation is to the position, a new delegation is not required when a new appointee assumes the position.
  • It is important to review the delegation periodically for any changes that may be needed, especially if the local authority is restructured or a new head is elected.
  • Delegated authority empowers certain officials and employees to make decisions or act.
  • The person delegating the authority remains responsible and accountable for all actions and decisions made under that delegation.

For more information about LA FOIP and delegations, check out Chapter 2 of my office’s Guide to LA FOIP.