Severing Email Records

My office released a blog in June of 2017 regarding the obligation under section 8 of The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and section 38(2) of The Health Information Protection Act (HIPA) to release as much information in a record as can be reasonably severed without disclosing the exempt information.

The advice provided in that blog continues to apply today – public bodies and trustees cannot apply an exemption to an entire page or record just because some or most of the information in the record is exempt. To comply with FOIP, LA FOIP and HIPA, public bodies and trustees need to conduct a line-by-line review of each page and only withhold information that is subject to an exemption. This basic rule applies regardless of the exemption that may be found to apply – mandatory or discretionary – and includes records that may be subject to solicitor-client privilege.

For email records, this means that a public body or trustee needs to consider if the ‘header’ (that is: the to, from, cc, bcc, date and subject line), signature blocks (name and contact details of the sender), confidentiality statements, and opening and closing statements of the email are exempt. If the public body or trustee claims that any of this information is exempt, it will be required to demonstrate that the exemption applies to this type of information if the applicant requests a review by my office.

For examples of recent reports where the Commissioner recommended release of this type of information in email records, see Review Reports 026-2019, and 188-2022. For more information about the obligation to sever and the application of exemptions, please see IPC Guide to FOIP, Chapter 3 and Chapter 4, and the IPC Guide to LA FOIP, Chapter 3 and Chapter 4. Our Modern Age Severing Webinar may also be of interest. It provides guidance on how to sever information from responsive records easily and electronically.

RIM Executive Training

The Provincial Archives of Saskatchewan has completed a new records and information management (RIM) training module specifically for executives. The 30-min module introduces basic RIM concepts and explains the importance of an effective RIM program.

The training is available on LEARN (PSC Client): TR-01420 – Introduction to Records and Information Management. If you do not have access to LEARN, you can view it on the Provincial Archives website: https://training.saskatchewan.ca/learningmodules/PAOS/RimExecutive/story.html.

I encourage all to take 30 minutes and take this training. Without proper records management, it is nearly impossible to know what you have and where to find it in a timely fashion and you end up keeping what you may not need for far longer than reasonably necessary.

My office has, over the years, talked about records management being an important part of protection of privacy. One of the best ways to protect my privacy is to destroy records in an orderly, secure way. To do that, one needs policies, procedures and schedules regarding the maintenance and destruction of records. This approach applies to paper and digital records in all forms, including text messages.

These days a lot of information about me is stored electronically, so any policy needs to deal with both paper and electronic records.

So, I encourage you to take the training and then reflect on your organization. Is there more your organization should do to protect my privacy?

 

 

Delegation of Powers and Duties Under LA FOIP

Frequently, my office is asked by municipalities how to prepare a delegation instrument where the “head” of the municipality may delegate their powers and/or duties under LA FOIP to one or more employees. In many cases, it is the mayor or reeve who wishes to delegate their powers and duties under LA FOIP to the administrator.

Section 50 of LA FOIP provides that the head may delegate to one or more officers or employees of a local authority their powers or duty under LA FOIP:

50(1) A head may delegate to one or more officers or employees of the local authority a power granted to the head or a duty vested in the head.

(2) A delegation pursuant to subsection (1):

(a) is to be in writing; and

(b) may contain any limitations, restrictions, conditions or requirements that the head considers necessary.

To help with the task of preparing a delegation instrument, my office has prepared a delegation table that breaks down the powers and duties of a head under LA FOIP. Municipalities can fill out the delegation table according to which powers and/or duties the head wishes to delegate. The head must approve the delegation table in order for the delegation to be effective. The head does not need council approval to delegate powers and duties under LA FOIP.

Some important things about a delegation are as follows:

  • The delegation should identify the position, not the individual, to which the powers are delegated. When delegation is to the position, a new delegation is not required when a new appointee assumes the position.
  • It is important to review the delegation periodically for any changes that may be needed, especially if the local authority is restructured or a new head is elected.
  • Delegated authority empowers certain officials and employees to make decisions or act.
  • The person delegating the authority remains responsible and accountable for all actions and decisions made under that delegation.

For more information about LA FOIP and delegations, check out Chapter 2 of my office’s Guide to LA FOIP.

 

Saskatchewan Information and Privacy Commissioner Tables 2022-2023 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, K.C., has tabled his office’s 2022-2023 Annual Report: Data, with the Legislative Assembly.

In his report, the Commissioner focuses on data and the issues that arise as a result of the creation and/or assembling of data. Given the current technological state of the world, vast amounts of data can be found online. As a result, we need to be conscientious about providing the least amount of information possible and insisting that it only be used for its intended purpose.

“Each time we do a search on the internet, go to a website, log into an account, purchase something online, check our bank balance or post a blog or video, we create data and add to the content on the internet.”

With so much information about us available online, it is a pivotal time for privacy. It is imperative that we understand what we are consenting to, how our information will be used, to whom it will be disclosed and the potential risks involved.

We need to advocate for greater security; “it is not if a breach occurs, but when a breach occurs.” We need to ask ourselves if we are doing enough and need to get serious about employee training and increasing the security and protection of our databases. There is always more that can be done and being proactive is more important than ever.

The Commissioner’s 2022-2023 Annual Report which includes: accomplishments, goals for the future, a thorough statistical report and views on generating and safeguarding data can be viewed here.

A video containing the Commissioner’s comments on the Annual Report can be viewed here.

Media contact:

Julie Ursu, Manager of Communication
Telephone: 306-798-2260
Email: jursu@oipc.sk.ca

Annual Report – 2022-2023

Privacy Impact Assessments

Back in 2015, my office blogged about privacy impact assessments (PIA). It has been a while since then, so I thought I would highlight our PIA resources once again!

What is a privacy impact assessment (PIA)?

A PIA is a process that assists organizations in assessing whether a project, program, or process complies with the applicable access and privacy legislation. In Saskatchewan, government institutions are subject to The Freedom of Information and Protection of Privacy Act (FOIP), local authorities are subject to The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and trustees are subject to The Health Information Protection Act (HIPA).

What is a privacy impact?

A “privacy impact” is when there are inadequate safeguards to protect personal information or personal health information, or FOIP/LA FOIP/HIPA does not authorize the collection, use, and/or disclosure of personal information or personal health information.

When does an organization engage the PIA process?

As projects are designed, developed, implemented, and carried out, privacy impacts may arise and will need to be addressed. Therefore, PIAs should be done at the outset and throughout projects. The PIA process is not a short exercise and it can require a lot of time and effort depending on the complexity of the project. Further, the PIA process is not a stand-alone, one-time exercise.

Who should be a part of the PIA process?

Although an organization’s Privacy Officer often takes the lead on conducting PIAs, employees and representatives from the participating program area, branch, division, business unit, other institutions and third parties can expect to be involved in the PIA process. The PIA process can only be effective if it comprehensively reviews the project.

What should the organization do when it identifies a privacy impact?

When a privacy impact is identified, that is an opportunity for organizations to make adjustments to the project to ensure personal information or personal health information is protected to the greatest extent possible and to be in compliance with FOIP/LA FOIP/HIPA. For example, if the PIA reveals there is no legal authority for the collection, use, or disclosure of certain personal information or personal health information, then the organization should determine if such personal information or personal health information is required for the project. If not, then excluding such personal information or personal health information from the project will assist the organization in eliminating a privacy impact while still carrying forward with the project.

Where can I find more information?

Check out my office’s guidance documents on privacy impact assessments. My office offers both a PDF and Word version of this document. The Word version allows for organizations to fill in the PIA. Organizations should keep in mind that the guidance document is meant to be a guide. It is not a definitive method of conducting a PIA.

You can also check out Chapter 6 of my office’s Guide to FOIP and Guide to LA FOIP for more step-by-step information on how to conduct PIAs.

Can I get feedback on a PIA?

Yes. If your organization has completed a PIA and wants my office to review and provide feedback, you may engage in my office’s consultation process. For more information about the consultation process, please check out my office’s Consultation Request Form.

Thieves Steal a Server From a Law Firm

I became aware of a case in Alberta, where thieves stole a computer from a law firm. Law firms hold a lot of information about their clients. Some of the information can be personal information and some can be personal health information, and the rest is usually viewed as highly confidential. Law firms, like any other organization, need to keep information as secure as possible. We don’t say, “if a breach occurs”, but say “when a breach occurs”. A law firm can do many things to reduce the risk of a breach, but how do they protect against a break-in and physical theft of their computers?

Well, it is difficult. Apart from the obvious (secure doors, an alarm system, and special security on the computer room door), it is hard to know what else they can do. There is one thing: they can consider storing all their client information in the cloud. That way, the information is not on site and not available to thieves. Of course, they, like any organization, need to do due diligence to ensure that the cloud service provider has a security system that is equal to or better than what the law firm has right now.

Advice for all organizations – protecting personal information is important and you need to think about your physical security at your office; and consider the pros and cons of storing that information in the cloud.

 

Employers Hiring Persons of Indigenous Ancestry

I was asked recently about an employer’s ability to ask a candidate about their indigenous ancestry. This is a difficult question in light of media coverage of situations where claims of indigenous ancestry turned out not to be true. I first noted section 19 of the Saskatchewan Human Rights Code that prohibited asking questions about race. I was asked whether an employer could have a policy on this. Whether an employer has policy on this issue or not is a decision of the employer and it is not for me to comment whether they should or should not have a policy.

Before deciding on a policy, an employer needs to determine whether they are going to develop an Employment Equity plan and seek approval from the Human Rights Commission or whether subsection 16(10) of the Saskatchewan Human Rights Code allows them to have preferential hiring on the basis of race. If an employer does not have an approved Employment Equity plan or is not an employer under subsection 16(10), I would assume asking about indigenous ancestry should not occur. If an employer has an approved Employment Equity plan with a target for hiring persons of indigenous ancestry or is an employer under subsection 16(10), then either as part of the plan, or part of a policy, the employer should outline the degree to which it will require supporting evidence of indigenous ancestry.

If an employer decides to have a policy, then I have some advice for that employer from a protection of privacy point of view.

First, if you are covered by privacy legislation provincially or federally, you can collect personal information with authority (legislated or consent), but it is best to determine ahead of time if it is necessary and declare the purpose for which you are collecting the information before collecting it. So, the first step in developing a policy is to indicate why you are requesting evidence of indigenous ancestry, which should be authorized by the Saskatchewan Human Rights Code.

Next you need to determine when the policy applies. If you are recruiting without giving a preference to a person of indigenous ancestry, the policy should not apply. If you are recruiting and giving a preference to a person of indigenous ancestry, then the policy should state that the policy applies. Put another way, if the job vacancy does not require or give preference to a person of indigenous ancestry, then one should not ask any question regarding ancestry.

If the job requires or gives preference to a person of indigenous ancestry, then the employer can determine to what extent they will verify the statement of that applicant that they are indigenous and should then put that in their policy. My suggestion is the policy indicate that when a candidate declares they are of indigenous ancestry, the employer request they sign a consent which allows the employer to take certain steps to verify indigenous ancestry. Consents make it clear to the applicant that verification will occur, and the employer knows it can take the steps referred to in the consent to verify.

Finally, the policy should indicate what will be done with information collected to verify indigenous ancestry. For example, with criminal record checks, some policies indicate that all that has to occur is the proof is shown to an HR person and nothing has to be recorded. Alternatively, the employer might indicate that the documents showing indigenous ancestry be copied and placed on a confidential HR file. Again, from a privacy perspective, the data minimization principle should be followed.

If there is a need to maintain documentation, then the policy should indicate who has access to those records (i.e., restricted to those with a need-to-know) and when those records can be and should be destroyed. The document should only be destroyed in accordance with the organization’s retention policy.

To repeat, it is not my place to determine whether an employer has a policy on proving indigenous ancestry, but if an employer decides when giving preference to indigenous ancestry to have a policy, I would encourage them to consider the above in developing that policy.

Chatbots and Security

There are several security risks associated with using a chatbot, some of which include:

  1. Data privacy: Chatbots may collect sensitive personal data such as names, email addresses, phone numbers and financial information. If this data is not handled properly or falls into the wrong hands, it could be used for fraudulent activities.
  2. Malicious attacks: Chatbots are vulnerable to various attacks such as SQL injection, cross-site scripting, and phishing attacks. These attacks can compromise the chatbot’s security and expose sensitive data to malicious parties.
  3. Identity theft: Hackers can use chatbots to trick users into providing personal information, such as social security numbers, credit card information, and login credentials. This information can be used to commit identity theft.
  4. Unsecured APIs: Chatbots usually use APIs to communicate with backend systems. If these APIs are not properly secured, they can be exploited by attackers to gain unauthorized access to sensitive data.
  5. Lack of authentication: Chatbots that do not require user authentication are susceptible to attacks. Malicious actors can use the chatbot to impersonate legitimate users and access sensitive information.

To mitigate these risks, it is important to ensure that chatbots are designed with security in mind. This includes implementing strong authentication mechanisms, encrypting sensitive data, and regularly testing for vulnerabilities. Additionally, users should be educated on how to use chatbots safely and avoid sharing sensitive information.

Now, full disclosure – everything up to this point was written courtesy of ChatGPT.

Also, full disclosure – I did not use ChatGPT on any of my work devices to compose this blog; rather, I used my own personal device. I would never put my organization or its data at risk by using an application that is not recognized or approved by my organization to use – nor should you!

What is a chatbot? It is an application that uses artificial intelligence and user input to simulate a conversation with the user. ChatGPT is an advanced form of a conversational chatbot that can do things such as compose emails, essays, and even songs or poems! ChatGPT does a convincing job of writing content (except, if you notice, here in Canada we have social insurance numbers, not social security numbers). If writing is part of your everyday work, ChatGPT could prove useful and save time. Therein may lie the temptation to use an application such as ChatGPT.

However, ChatGPT is correct in that the use of a chatbot (and I am not suggesting specifically ChatGPT) could pose security risks for your organization. If you identify and prepare to eliminate those risks, a chatbot is not necessarily a bad idea. It may be the way of the future for many organizations, and certainly we are already seeing organizations employ them. But as with any application, you want to avoid creating system vulnerabilities by conducting risk and privacy impact assessments, and by talking to a security expert (I would suggest a real live one… at least not for now).

 

Correction Request – What you Need to Know!

So, you are an individual who believes that a public body has an error/omission regarding your personal information/personal health information in a record – what do you do? Subsection 32(1) of The Freedom of Information and Protection of Privacy Act (FOIP), subsection 31(1) of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and section 13 of The Health Information Protection Act (HIPA) provide an individual with the right of correction (FOIP and LA FOIP) or right to request amendment (HIPA).

The right of correction/amendment provides individuals a mechanism for requesting the correction of personal information/amendment to personal health information, about themselves when they believe that there is an error or omission in the information. If the public body declines to make the requested correction, it is required to make a notation in its records reflecting the correction that was requested but not made (Guide to FOIP, Chapter 6, Protection of Privacy, Updated 18 January 2023 (Guide to FOIP, Ch. 6), p. 290).

“Notation” is a note made on the individual’s record by the personal information/personal health information at issue or in an electronic record indicating that the individual has requested correction of the personal information/amendment of personal health information. A notation should also include the date, who requested the correction/amendment, what the requested correction/amendment was and a signature or name of the decision-maker (Guide to FOIP, Ch. 6, pp. 292).

Please note that a request for correction/amendment from an individual must, at a minimum:

  • Identify the personal information/personal health information the individual believes is in error. That personal information/personal health information must be the personal information/personal health information of the individual and not of a third party.
  • The alleged error must be a factual error or omission.
  • The request must include some evidence to support the allegation of error or omission (e.g., documents to show correct birth date/medical condition). Mere assertions will not suffice.
  • The proposed correction must be clearly stated and cannot be a substitution of opinion.

(Guide to FOIP, Ch. 6, pp. 292)

When our office receives a request for review regarding correction/amendment of personal information/personal health information, our office will rely on the evidence provided by the individual, but also request a submission from the public body or trustee before making a final determination.

 

 

The (Work) Life of an Intake Officer

When you contact the Saskatchewan Information and Privacy Commissioner’s office with a request for review, breach of privacy complaint, or a general inquiry, you will first be dealing with us, the Intake Officers.

Since the Intake Officer is generally your first point of contact with our office, I feel that it is important to spread the word on what we actually do. The three main areas that we deal with are:

  1. Requests for Review
  2. Breach of Privacy Complaints
  3. Summary Advice

For a request for review, we want to try to solve the dispute to avoid going to the review stage, if possible, as that can take a lot of time, energy and resources. Our role is to analyze all incoming requests to clearly identify and sort out reviewable issues. We will look to confirm items such as when and where an access request was made, and what the Applicant’s main concerns or goals are, so we may need to contact you to discuss. If we see an opportunity for early resolution, we will contact the public body or trustee where you made the access request and will attempt—to the best of our ability—to come to an “early resolution”, whether that be seeing if more information may be released to the applicant than what was previously released, or discovering the reasons why nothing was released at all and sharing that detail with the applicant to see if it makes a difference. If we are unable to find resolution at the intake stage, we will proceed with the formal review. Once the formal notice of review is issued, our role as Intake Officer is complete and the file is assigned to an Analyst.

When it comes to a breach of privacy complaint, our goal is to determine jurisdiction and grounds which will involve gathering as much necessary information as possible before proceeding to a formal investigation. We begin by asking a few questions:

  • Has the complainant gone to the public body or trustee responsible for the breach to report it?
  • Has the breach been contained?
  • When did the breach occur? (We generally do not investigate a breach that is older than two years from the date of discovery)
  • If it is a proactively reported breach, have the affected individuals been notified?
  • Has an investigation and investigation report been completed by the public body or trustee?

It is important to note that we remain an unbiased neutral party in our reviews and privacy breach investigations—this doesn’t just go for Intake Officers, it goes for everyone in the office that you will deal with. We will, at no time, take sides. We go where the evidence takes us. The Intake Officer’s goal is to ensure we have the proper documentation and information required, and to streamline the process as much as we possibly can before having to get an Analyst, or possibly the Commissioner, involved.

Have an access to information inquiry, privacy related question, or would like general information about our office? Don’t be shy! Give us a call. These questions fall under the “summary advice” category of our position—and believe me, there is no such thing as a “stupid question”. We have heard it all. We can give general, non-binding advice to those seeking information regarding access requests and privacy breach complaints. We can also provide information about the role of our office, when we can become involved with an access to information concern or a privacy complaint, and what sort of findings and recommendations you may expect from our office. If your question is out of our jurisdiction or expertise, we are happy to point you in the right direction.

We understand that being involved in a review or breach investigation with our office may be overwhelming or stressful; therefore, we try our best to make the process as smooth as possible.