Ontario IPC issues guidance on police use of facial recognition and mug shots

European Parliament passes landmark AI Act on March 13

UK AI regulation bill receives second reading

AI Notetakers – the risks and benefits

UN adopts AI resolution which focuses on safety

Ontario school boards sue makers of Facebook, Instagram, Snapchat and TikTok

Tennessee Elvis Act, replication of voices” by AI

Australian government proposes to implement AI changes

Podcast -Ontario IPC discusses facial recognition

Draft American Privacy Act introduced

Knowledge can be a Gateway to Truth and Reconciliation

Knowledge can be a Gateway to Truth and Reconciliation

Today is Canada’s National Day for Truth and Reconciliation. Page 12 of Honouring the Truth, Reconciling for the Future:  Summary of the Final Report of the Truth and Reconciliation Commission of Canada states, “Without truth, justice, and healing, there can be no genuine reconciliation. Reconciliation is not about “closing a sad chapter of Canada’s past,” but about opening new healing pathways of reconciliation that are forged in truth and justice.”

I reflect on this powerful statement and how it holds meaning with a recent Report I issued. The report involved a Metis individual who was seeking information about their deceased parent from the Ministry of Social Services. I was moved by this individual’s story. They advised that their parent passed away in 2015 and they were looking for answers to questions about their parent’s past and what happened when their parent was a child.

Upon requesting that my office review this matter, the individual so eloquently stated, “…upon discovery of mass graves at residential school across Canada and the public conversation this prompted regarding the actions of child welfare agencies more broadly, I felt strengthened to renew my search for answers.” They further stated, “…There is no Truth & Reconciliation without the truth. I submitted my request for information on September 30, 2021, the first National Day for Truth and Reconciliation. This was by no means a coincidence. I just finally want to know the truth around this matter because it affected my [Parent], me and our family.  Therefore, I feel it is our truth and story to understand….”

I feel this story is representative of the story of so many Indigenous peoples. Some of their truth can be found in the records that government holds. Government needs to demonstrate its commitment to truth and reconciliation by removing barriers to access this information. This can help pave the path forward.

 

Canadian Information and Privacy Regulators Urge Governments, Health Sector Institutions and Health Providers to Strengthen Safeguards for Sharing Personal Health Information

In a joint resolution released today, Canada’s federal, provincial, and territorial information and privacy commissioners and ombudspersons are calling for a concerted effort across the healthcare sector to modernize and strengthen privacy protections for sharing personal health information.

Because of the pandemic, the shift to virtual care came quickly, maybe without enough time for a thorough examination of it; that shift in service model could adversely impact access and privacy rights. Despite advancements in the health sector, breaches continue to occur and the use of outdated and vulnerable technologies, such as faxes and unencrypted email not only impacts patient privacy but also the delivery of timely patient care.

This has spurred innovation and change in the delivery of services, including virtual health care visits and other forms of digital health communications.

Canada’s Information and Privacy Commissioners urge stakeholders to take the following action:

  • Develop a strategic plan to phase out the use of traditional fax and unencrypted email and ensure that all digital health information sharing infrastructure, including solutions that replace traditional fax and unencrypted email, are equitably available and accessible to all Canadians.
  • Promote the adoption of secure digital technologies and the implementation of responsible data governance frameworks. For health sector institutions and providers, this may include the adoption of standards developed by organizations such as ISO, NIST, or CIS that provide reasonable safeguards to protect personal health information.
  • Amend laws and regulations, as necessary, to further provide for meaningful penalties, including administrative penalties, for health institutions and providers that willfully refuse to take reasonable measures necessary to protect personal health information as well as for individuals who unlawfully collect, use, or disclose personal health information.
  • Seek guidance to understand how to evaluate new digital health solutions and assess their compatibility with other digital assets, compliance with health information privacy laws, and how they facilitate citizens’ rights to access their own records of personal health information.
  • Promote transparency by completing privacy impact assessments and proactively publishing a plain-language summary in a manner that is easily accessible to the public.
  • Use the procurement process to help ensure third-party compliance by establishing contractual requirements for vendors of health information software and services

If you have any questions or would like to request an interview with the Commissioner, please email or call our office at the contact below.

To learn more, a copy of the joint resolution and these initiatives can be found here.

 

Media contact:

Julie Ursu, Manager of Communication

Telephone: 306-798-2260

Email: jursu@oipc.sk.ca

Absurd Results: Part II

In 2017, the Commissioner posted a blog entry about absurd results. He provided examples of absurd results that can be reached when interpreting and applying The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and The Health Information Protection Act (HIPA). He emphasized that public bodies take a liberal approach to these three statutes and provide as much of the record(s) to applicants as is possible.

Since 2017, my office has dealt with more reviews that involve absurd results. Therefore, in this blog, I’m revisiting this topic once again.

When an individual submits an access request to a public body, that individual would be denied access to the personal information of others. In Saskatchewan, government institutions would deny access to third parties’ personal information pursuant to section 29(1) of FOIP. Local authorities would deny access to third parties’ personal information pursuant to section 28(1) of LA FOIP. That is, the application of section 29(1) of FOIP and section 28(1) of LA FOIP to third party personal information is meant to prevent the unauthorized disclosure of personal information, which is one of the purposes of FOIP and LA FOIP.

However, what happens when Person A provides information about other individuals to a public body? An example is when an individual provides a witness statement to a police service about a matter they had witnessed involving other individuals. If Person A submitted an access to information request to the police service for the witness statement containing other individuals’ information, would Person A be denied access to the witness statement?

An “absurd result” occurs when a public body applies an exemption to withhold records that contradicts the purpose of the legislation. Using the example described above, Person A originally supplied the third party personal information to the police service. it would be an “absurd result” to withhold the information from Person A pursuant to either section 29(1) of FOIP or section 28(1) of LA FOIP.

In my office’s Review Report 215-2020, the Commissioner discussed a matter where the local authority withheld portions of emails that the Applicant had originally supplied to the local authority. The Commissioner found it would be an absurd result to withhold portions of these emails from the Applicant even if the emails contained the personal information of third parties. The Commissioner recommended the release of the records in their entirety to the Applicant.

Also in Review Report 215-2020, the Commissioner cited a decision by the Office of the Ontario Information and Privacy Commissioner (ON IPC) that noted two other circumstances in which the ON IPC found the absurd result principle to have applied: 1) where the requester was present when the information was presented to the public body, and 2) where the information is clearly within the requester’s knowledge.

When determining if exemptions set out in Parts III and IV of FOIP and LA FOIP apply to a record, government institutions and local authorities should consider whether applying the exemption to a record would manifest in an absurd result. If so, then perhaps the government institution or local authority should consider releasing the record to the applicant.

Saskatchewan Information and Privacy Commissioner Tables 2021-2022 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, Q.C., has tabled his office’s 2021-2022 Annual Report: Time for a Digital ID, with the Legislative Assembly.

In his report, the Commissioner addresses the need for the development of a Digital ID for Saskatchewan residents, the move toward virtual health care, the systemic issue of misdirected faxes and recommendations for legislative change.

Digital ID

As several other Canadian provinces shift towards the use of a digital ID, it is the hope that Saskatchewan develops a digital ID that meets the needs of our province. Commissioner Kruzeniski states:

“I would hope the Government of Saskatchewan continues to consult, educate and explain the benefits of a digital ID for citizens of our province. My hope is that Saskatchewan develops a digital ID that meets our province’s needs, maximizes the benefits and minimizes the risks.”

Virtual Health Care

Virtual heath care has increased as a result of the Covid-19 pandemic and consideration is required to ensure that personal health information is adequately protected. Commissioner Kruzeniski outlines ten expectations that should be considered as these virtual care initiatives move forward.

Spotlight on Misdirected Faxes

Over the last decade, there has been concerns with misdirected faxes which continues to be a systemic issue impacting patient privacy and the delivery of patient care. Several recommendations have been made to collectively address this concern including the elimination of traditional fax machines.

Recommendations for Change

The Commissioner concluded by summarizing the recommendations for legislative change to amend The Freedom of Information and Protection of Privacy Act, The Local Authority Freedom of Information and Protection of Privacy Act and The Health Information Protection Act. The goal is that these recommendations will address the gaps and challenges with the legislation as we move from a paper-based society to a digital one.

The Commissioner’s 2021-2022 Annual Report which includes: accomplishments, goals for the future, a thorough statistical report and recommendations for the development of a digital ID, virtual care initiatives, handling of misdirected faxes and legislative change can be viewed here.

A video containing the Commissioner’s comments on the Annual Report can be viewed here.

 

Media contact:

Julie Ursu, Manager of Communication

Telephone: 306-798-2260

Email: jursu@oipc.csk.ca

Saskatchewan Information and Privacy Commissioner Tables 2021-2022 Annual Report

But I’m the Applicant – how can my submission help?

So, you have requested a review of an access to information request under The Freedom of Information of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), or The Health Information Protection Act (HIPA). The IPC has opened the file and sent you an email notifying you of the review. However, in the notification email YOU have been invited to make a submission on the matters at hand. You might be thinking to yourself why would I prepare a submission?  I want to assure you that there is no onus on the applicant to make a submission – however, it can be helpful.

First of all, what is a submission?  In a nutshell, for an applicant, a submission gives you the ability to counter the position taken by the local authority, government institution or trustee if you disagree with the decision they made regarding your access to information request. The IPC has developed the resource A Guide to Submissions – Increasing your chances of success (Guide to Submissions -updated December 2022). This resource includes tips for applicants on how to create a submission. In this resource, the IPC has outlined what you may wish to prepare your submission on – depending upon the scope of the review. This includes:

  • An applicant disagrees with the exemption(s) claimed to the record.
  • An applicant is not satisfied that a reasonable fee was estimated.
  • An applicant believes that all or part of the fee should be waived.
  • A head (of the local authority or government institution) or trustee failed to respond to the access to information request within the required time.
  • An applicant requests a correction of personal information or personal health information and the correction is not made.
  • An applicant does not believe that a sufficient search was conducted.

When preparing a submission, if you have any evidence to support your arguments, that can be a great help for the IPC through a course of a review. For example, if the scope of the review includes your belief that an adequate search for records was not conducted and you have evidence of that, provide the evidence as an attachment with your submission. A situation where you may have evidence that an adequate search was not conducted is where you have been provided a copy of an email as part of the response, but the attachment to the email has not been included with the response.

The Guide to Submissions includes a template for an applicant they may wish to use for preparing a submission. However, you can also send your submission in the form of an email – it really doesn’t have to be fancy.

If you would like some additional guidance on what the IPC is looking for in your particular review, contact the analyst who has been assigned the file – you will find that information in the notification email advising you of the review or investigation. If you are not sure who the analyst is, please contact our general inquiry line at 306-787-8350.

 

RIM Best Practices

Records and Information Management (RIM) practices are important for any organization. My office has developed a guide dealing with RIM. The guide contains many best practices that an organization can adopt.

The goal here is that an organization implement best practices which over time become every day practices. Check out the guide here. This guide is based on the Ontario resource Improving Access and Privacy with Records and Information Management.

An activity booklet for kids

The Ontario Information and Privacy Commissioner released a privacy activity book, Privacy Pursuit! Games and Activities for Kids, to help kids better understand and protect their online privacy.

In the Commissioner’s blog she says:

This new activity booklet is designed to help kids learn more about online privacy through games like word searches, crossword puzzles, cryptograms, and word matches, among other fun activities. Through these exercises, kids will pick up some easy-to-understand tips that will help them watch out for scams, protect their privacy, and stay safe online. Some thought-provoking questions will also guide kids through a process of self-discovery by reflecting on what privacy means to them and how to respect the privacy of others through caring and empathy.

Check it out and see if it increases the awareness of your children regarding privacy.

 

Saskatchewan Information and Privacy Commissioner Tables 2020-2021 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, Q.C., has tabled his office’s 2020-2021 Annual Report: Change is in the Air, with the Legislative Assembly.

In his report, the Commissioner addresses the need to update Saskatchewan’s access and privacy legislation. The Freedom of Information and Protection of Privacy Act and The Local Authority Freedom of Information and Protection of Privacy Act were implemented in 1992 and 1993 respectively, at a time when paper records were the norm. Society has shifted. Technology and the digitization of information is now the rule. Kruzeniski stated:

“A vast amount of information about each of us is housed in databases, many of which are accessible by the internet. We look up information, we order things, and we pay bills and communicate with one another through the utilization of these databases and the internet. It is time that we modernize our access and privacy legislation to take this into account.”

The Commissioner concluded by summarizing the legislative changes that are happening in access and privacy jurisdictions across the country.

 

Media contact:
Kara Philip, Manager of Communication
Telephone: 306-798-2260
Email: kphilip@oipc.sk.ca

 

News Release for 2020-2021 Annual Report

Mediation or case-by-case privilege

In the Commissioner’s Review Report 065-2020, he considered if mediation or case-by-case privilege applied to the records in question. The public body had claimed mediation or case-by-case privilege pursuant to subsection 22(a) of The Freedom of Information and Protection of Privacy Act (FOIP).

The Commissioner considered orders issued by the Office of the Information and Privacy Commissioner for Prince Edward Island (PEI IPC) and the Office of the Information and Privacy Commissioner of Alberta (AB IPC) in his analysis of the public body’s claim of mediation or case-by-case privilege. I will briefly describe the orders by PEI IPC and AB IPC.

In Order FI-09-005, the PEI IPC summarized what the Ontario Superior Court of Justice Divisional Court and the Supreme Court of Canada has said on mediation privilege and how it is considered on a case-by case basis:

In Rudd v.  Trossacs Investments Inc. 2006 CanLII 7034 (Ont.  S.A.), Swinton, J. reviewed the case law in respect of mediation privilege. At pp. 25-30, the justice says:

[26] Common law principles have recognized a privilege for confidential communications in certain important societal relationships.  In Slavuytych v.  Baker (1975), 1975 CanLII 5 (SCC), 55 D.L.R.  (3d) 224, the Supreme Court of Canada held that the four conditions from Wigmore on Evidence should be applied to determine whether communications are privileged (at 228):

(1) The communications must originate in a confidence that they will not be disclosed.

(2) The element of confidentiality must be essential to the maintenance of the relationship in which the communications arose.

(3) The relationship must be one which, in the opinion of the community, ought to be “sedulously fostered”.

(4) The injury caused to the relationship by disclosure of the communications must be greater than the benefit gained for the correct disposal of the litigation.

[27] In Slavuytych, the Court held that a document submitted in a university tenure process was privileged – in part because the document was labeled “confidential”, and in part because of the importance of confidentiality in the tenure process, where individuals are asked to give their frank opinion of colleagues.

Swinton, J.  also refers to a more recent case from the Supreme Court of Canada, saying:

[28] In M.(A.) v. Ryan 1197 CanLII 403 (S.C.C.), (1997), 1997 CanLII 403 (SCC), 143 D.L.R. (4th) 1 (S.C.C.), the Supreme Court reaffirmed the approach in Slavuytych, making it clear that privilege is to be determined on a case by case basis (at para.  20).

In my opinion, the Supreme Court of Canada’s views on the existence of legal privilege, outside of solicitor-client privilege or parliamentary privilege, still prevails.  Thus, it is a matter of determining whether, on the facts of the case, the conditions set out in Wigmore on Evidence have been met.

[Emphasis added]

Further, in Order 96-020, the AB IPC provides that case-by-case privilege can apply to two types of records: 1) private records, or 2) Crown records. Different criteria will apply to each type of records in determining whether case-by-case privilege applies. If the records are “private records”, then the “Wigmore criteria” as set out in PEI IPC’s Order FI-09-005 (quoted above) can be used to determine if case-by-case privilege applies. If the records are Crown records, then AB IPC indicated that the Crown “must put forth a proper claim based on the criteria for public interest immunity” in determining if case-by-case privilege applies. AB IPC said:

[79.] For a case-by-case privilege to attach to Crown records, the Court in Carey v. Ontario said that the Crown must put forth a proper claim based on the criteria for public interest immunity. Those criteria, which have been adopted by Leeds v. Alberta (Minister of the Environment) (1990), 69D.L.R. (4th) 681 (Alta. Q.B.), are:

(1) The nature of the policy concerned.

(2) The particular contents of the documents.

(3) The level of the decision-making process.

(4) The time when a document or information is to be revealed.

(5) The importance of producing the documents in the administration of justice, with particular consideration to:

(i) the importance of the case

(ii) the need or desirability of producing the documents to ensure that the case can be adequately and fairly represented

(iii) the ability to ensure that only the particular facts relating to the case are revealed.

(6) Any allegation of improper conduct by the executive branch towards a citizen.

In Review Report 065-2020, the Commissioner determined that the records were private records. As such, he applied the Wigmore criteria to determine if mediation or case-by-case privilege applied to the records. To see the Commissioner’s analysis, findings, and recommendations, check out the report here.

In Review Report 171-2019, the Commissioner determined that records were Crown records. Therefore, he adopted the public interest immunity criteria set out in AB IPC Order 96-020.

When considering if mediation or case-by-case privilege applies to records, public bodies should do the following:

  • Determine if the records are “private records” or “Crown records”.
  • If the records are “private records”, then apply the Wigmore criteria to determine if mediation or case-by-case privilege applies.
  • If the records are “Crown records”, then apply the public interest immunity criteria.

In either case, if public bodies are claiming the records fall into either category, then the public body should be ready to make the case in the event a review by our office is undertaken as the burden of proof rests with the public body.

Federal, Provincial and Territorial Information and Privacy Commissioners and Ombudsman issue joint resolution about privacy and access to information rights during and after a pandemic

In a joint resolution, Canada’s Information and Privacy regulators called on their respective governments to respect Canadians’ quasi-constitutional rights to privacy and access to information. The regulators took note of the serious impact the COVID-19 pandemic has had on the right of access to information and privacy rights in Canada and called on governments to use the lessons learned during the pandemic to improve these rights.

The global pandemic has brought to the forefront the pressing need for strong access to information and privacy laws. The regulators noted that the pandemic has accelerated trends that were ongoing prior to March 2020, namely concerns among the public about increasing surveillance by public bodies and private corporations and the slowing down of processing access requests. The pandemic has also highlighted the need to modernize the access to information system by leveraging technology and innovation to advance transparency.

Saskatchewan’s Information and Privacy Commissioner, Ron Kruzeniski, Q.C., stated:

“There is no doubt that technology and digitization have been instrumental in the response to the pandemic. As we work towards recovery, I encourage authorities to consider the impact such initiatives have on our access and privacy rights. The lessons we have learned during this global crisis should be used to modernize our access and privacy legislation. Digitization is here to stay. It is time our legislation reflected that.”

The joint resolution adopted 11 access to information and privacy principles and called on Canada’s governments to show leadership by implementing them and making the modernization of legislative and governance regimes around freedom of information and protection of privacy a priority.

 

Related Document:
Joint Resolution: Reinforcing Privacy and Access to Information Rights During and After a Pandemic

Media Contact:
Kara Philip, Manager of Communication
Office of the Saskatchewan Information and Privacy Commissioner
Phone: 306-798-2260
Email: kphilip@oipc.sk.ca

 

PDF Version