Podcast with Craig Zawada

This week I sat down and talked to Craig Zawada, a lawyer in Saskatchewan.

He publishes a video cast on the Law Society of Saskatchewan website. We talked about the advice he gives to lawyers and law firms about securing the data they hold. Lawyers are bound to keep information from their clients confidential. This requirement of confidentiality links directly to an obligation to keep both paper and electronic data secure and protected from breaches.

Please take time to listen to what Craig advised law firms to do. The advice is good and, in fact, applies to any organization.

 

IPC Access and Privacy Co-ordinator Survey

We’re conducting a survey!

If you’re an access and privacy co-ordinator working with FOIP, LA FOIP or HIPA, you may have received an invitation to participate on Friday.

Our office is looking to better understand the challenges faced by public bodies and trustees as they process access requests and respond to privacy complaints. The survey takes 5-10 minutes and is anonymous.

If you would like to participate in the survey, but have not received a copy from our office, please contact llong@oipc.sk.ca.

We appreciate your feedback!

The Search for Personal Health Information

When a patient makes an access to information request for their personal health information, the search for responsive records may not be as easy as just checking out the health records department. The Health Information Protection Act (HIPA) applies to all personal health information in the custody or control of a trustee which includes all government institutions. All records, in any form, that are responsive to the request, must be identified, located, retrieved and ready for release within 30 calendar days.

The right of access by a patient or an applicant extends to all personal health information that is in the custody or under the control of the trustee regardless of who created it, where it came from, how old it is or how it is stored.

Records may be in paper or electronic form whether found in a file drawer, legacy system, electronic medical record (EMR) or electronic health record (EHR). Electronic or digital records include electronic documents such as word-processed documents, spreadsheets, email, digital photographs, scanned images and electronic data, such as information stored in databases or in registries or in rarer cases, back-up tapes.

Regardless of the medium, a thorough search needs to be conducted. For instance, this office dealt with a request for access to records from the 1960s. The records existed on microfiche only, so the trustee had to find a way to read and copy them even though the trustee no longer had the technical capability. The take-away lesson is that, as long as records have not been destroyed, access rights of the individual remain intact, and records need to be produced wherever they reside.

A request for access may be unduly general or vague because the applicant lacks knowledge of the trustee’s operations or programs and the type of health records that may exist. These types of requests may prove challenging for a large trustee organization (i.e., Saskatchewan Health Authority) as they could require a search of all facilities, program areas and information systems depending on the scope of the request. This is why communicating with the applicant early on in the process to clarify the request is critical. This communication is also in keeping with a trustee’s obligations under section 35 of HIPA.

Section 35 of HIPA is the express duty to assist which requires a trustee to make every reasonable effort to assist an applicant and to respond to each openly, accurately and completely. This means that if the applicant does not understand what types of records may exist, the trustee should explain what is available and how to get it. For example, many may not realize that eHR Viewer event audit reports are available through eHealth Saskatchewan upon request.

The responsibility to maintain records may fall to many different individuals at different times, resulting in records being temporarily retained on the unit, in individual employees’ offices, managed off-site by an information management service provider (IMSP) or put into storage while waiting to be culled (i.e., non-active files). When applicable, records in the physical possession of contracted agencies may also have to be located, as those agencies may have records responsive to an access request (e.g., independent medical examination).

Also, a search at one time may reveal responsive records, but not necessarily all. For instance, what about records that are in the queue (i.e., not yet dictated)? Patient care is not static. There will always be new responsive records being generated.

There are some exceptions to the right of access. For more advice on this and search and preparation of responsive records, see the IPC Guide to HIPA at https://oipc.sk.ca/guides/ipc-guide-to-hipa/.

In closing, the best advice that I can give is to start with a search strategy by talking to the ‘people in the know’ before proceeding (e.g., record or health information managers). It will save you a lot of time in the long run! And don’t forget to document your search strategy and keep details of the actual search. In the event a review is undertaken by my office, those details may be requested and should speed up the process for all involved.

Managing Electronic Records

One of the many challenges an organization may face when transitioning from paper-based to electronic records is ensuring proper records management processes are in place. While paper records can be easily organized and stored while waiting for retention periods to be met, electronic records can take a bit more work.

Our office has succeeded in phasing out paper-based records and now deals strictly with electronic records. These documents are stored until they reach their retention period, at which time an electronic records disposal process is followed.

As large volumes of saved electronic records can easily become disorganized, they should be organized in accordance with the records management schedules that your organization follows, so that all documents can be located easily.

Our office follows the Administrative Records Management System (ARMS) and the Operational Records System (ORS). I am currently in the process of organizing our electronic records to be in accordance with ARMS and ORS and conducting electronic disposals. As the scope of this project is overwhelming, I decided the best course of action was to split this into two different phases: organizing the documents and completing an electronic disposal. I am currently finishing up phase 1 and hope to start phase 2 soon.

Phase 1:

Before a record can be disposed of, you need to know the retention period that it falls under. Our ARMS and ORS schedules lay out different record series (which are like categories of records), list examples of the types of documents that fit into the series and state what the retention period of each series is. When organizing these records, my first step was to determine whether the record was under ARMS or ORS to know which schedule to follow. I proceeded with creating a folder for each of the different record series under ARMS and went through each existing folder/document to determine which record series folder to move it to. To make it easier to locate information, I created some subfolders within the record series folders and moved related records into those folders. For records management retention purposes, I created fiscal year folders within each record series or subfolder and sorted all documents out by year. For records saved that have no real value and do not fall under a record series but might be good to keep for a short period of time, I created a transitory folder to move those documents to.

Here is an example of what the structure may look like when complete:

ARMS – Name of ARMS Record Series – Subfolder to sort related documents under a record series – year folder – individual documents

During phase 1 we did come across one issue with the length of file paths and have a blog titled File Path Frustrations that provides some helpful information.

Phase 2:

Once phase 1 is complete and the electronic records are organized, it will be easier for me to proceed with electronic disposals. Using our ARMS or ORS schedules, I will be able to see what the retention period for each records series is, go to that record series folder and see if there are any year folders with documents up for disposal. I will then need to go through each document a second time to ensure it was placed in the correct folder and then follow our disposal process. When I get started on this phase, I am hopeful the work from phase 1 assists in making this a smooth process.

Having all organizational information saved electronically is an exciting time and when properly managed, can make records management a very streamlined process. Hopefully this blog can assist some who are starting this process. Happy organizing!

TikTok on Work Phones

The federal privacy commissioner and the commissioners of Alberta, British Columbia and Quebec have initiated a joint investigation of TikTok (see Announcement: Commissioners launch joint investigation into TikTok – Office of the Privacy Commissioner of Canada). They are investigating concerns about privacy and consent.

The United States and the European Union have taken steps to ban the TikTok app.

On February 27th the federal government indicated it was banning the TikTok app from being on public servants’ office phones.

The province of Alberta has announced a ban of TikTok on its devices and the City of Calgary has followed suit. The province of Quebec has also announced a ban of TikTok on government devices. Nova Scotia has banned TikTok on government mobile devices and Saskatchewan in a media advisory has banned TikTok on work devices and the City of Regina has done the same. Newfoundland and Labrador in a press release has banned TikTok on all government-managed mobile devices. The province of British Columbia has announced a ban of TikTok on its government mobile devices.

I have asked staff in my office to remove TikTok from their work phones. I expect other organizations will take the same steps.

Since an investigation is taking place, it is just a prudent thing to do (i.e., remove TikTok from work phones).

The reasons for doing so at the moment are limited, but the reason of security concerns should be sufficient to cause us to pause. If the joint investigation concludes there are no concerns, then organizations can decide whether to allow the TikTok app to be on work phones.

With TikTok or any app, an organization should determine whether having a particular app on employer-owned mobile devices serves a business purpose.

As to personally owned devices, each of us will have to make personal decisions as to whether to have TikTok on our phones. Each of us should learn more about the effects of having TikTok on our devices.

I encourage all to stay tuned and listen to security professionals’ conclusions as to whether TikTok is a security risk. The statement by Minister Fortier announcing a ban on the use of TikTok on government mobile devices can be viewed here.

Ontario – Using Faxes in Health Care

In Saskatchewan, my office has done numerous reports on misdirected faxes. See our blog Raising Awareness of the Facts about Fax.

The access and privacy commissioners across Canada have, at the last federal-provincial meeting, passed a resolution encouraging the discontinuance of fax machines in the health care sector. See the resolution. Recently the Federal Privacy Commissioner has issued updated guidance on faxing personal information.

The Ontario government has taken a step toward eliminating the fax machine in the health care sector. The Ontario Information and Privacy Commissioner issued its review of the high number of privacy breaches at St. Joseph’s Healthcare Hamilton due to misdirected faxes. In a blog for Privacy Day, the Ontario Commissioner Patricia Kosseim commented further regarding misdirected faxes in Ontario.

The Ontario government has announced that it would put in place a plan to support phasing out fax machines and that fax machines will be phased out over the next five years. For details see this CBC article.

I am hopeful that the progress in Ontario will help cause the health sector across Canada, and particularly in Saskatchewan, to accelerate plans to phase out faxes.

Privacy Education for Young People: Putting the Activities to the Test

Social media is constantly evolving and changing, with information being readily available on our mobile devices – if you can think of it, there is likely an app for that. In this digital age, our personal habits are extremely valuable for companies wanting to increase revenue. Individuals and businesses use our personal information to create and develop their brands.

Taking this a step further, young people are accessing the internet to play games, do homework assignments, chat through social media apps, listen to music, etc. They too are impacted by this ever-changing landscape. Young people, however, are often unaware of the consequences of sharing personal information online. Raising awareness about privacy issues, especially with young people, is a key component of reducing a user’s risk to privacy while using the internet.

On September 27, 2021, Information and Privacy Commissioner of Saskatchewan, Ron Kruzeniski posted a blog with a link to the Ontario Information and Privacy Commissioner’s resource for children called, Privacy Pursuit!  Privacy Pursuit is an activity book with tips, games, puzzles, and word searches with all things related to staying safe online.

While it has been a couple years since this resource was posted, I wanted to highlight the value of keeping an open dialog about all things privacy with young people. Navigating these waters can be difficult for parents (and children), but raising awareness and keeping the discussion going can increase knowledge and understanding in this vast area.

Putting Privacy Pursuit to the test: Education is Key

I thought I would put Privacy Pursuit to the test with my own seven and ten-year-old. After going through the age-appropriate activities, I did a Q and A with them asking the following:

What is personal information?

7 – Opinion, name, where you live, if you take the bus, what the inside of your house looks like and where you go to school. Stuff that you do not want strangers to know.

10 – Passwords, birthdate, name including middle and last name, pictures of yourself. It’s important to protect it because people could hack into your computer and threaten you.

What does privacy mean to you?

7 – Privacy means stuff that you don’t want other people to know.

10 – It means when you are in your room by yourself, that is privacy.  Nobody is listening or watching you.

What are cookies?

7 –  I think they are yummy treats.  What about related to the internet?  I am not sure.

10 – Cookies keep track of the things you like looking at on the internet.

Should we download new apps and games without asking your parents?

7 – No because the apps could cost $50 and ask for personal information. Some stuff could be for older children like 13 years and older.

10 – No, because they might not be good for your age group and contain violent stuff. You need to read the ratings and ask your parents.

What was something you learned from Privacy Pursuit?

7 – I learned if a stranger disguised as a friend on the internet gets your personal information, they can use it.

10 – I learned that it is important to protect my private information and that of my friends and family, so we don’t get hacked.

A few tips for parents and young people about privacy and the internet:

  1. Talk to your children about privacy; teach your children not to share or post personal information online including name, birth date, address, place of birth or names of friends.
  2. Use available parental controls to block harmful content.
  3. Encourage your children to discuss any questionable content they come across and ask where they accessed it; go to the site and do your own research.
  4. Stay current on new social media apps that young people are using, do your research to determine if they are within your accepted boundaries for social media use.
  5. Tell your children not to download or click on unknown links or files.
  6. Disable location sharing on devices and do not share passwords.
  7. Tell them that things you post online can stay there forever, even though you have deleted the post or picture.

One final thought… after going through Privacy Pursuit with my family, we have some more work to do but we are better prepared to stay safe online. I encourage adults/parents to try the activity book with the young people in your life. You might learn a thing or two about all things privacy, and they may as well!

For more information, check out the following links:

https://www.priv.gc.ca/en/about-the-opc/what-we-do/awareness-campaigns-and-events/privacy-education-for-kids/t-v/activ/index/

https://oipc.ab.ca/resource/lesson-plans/

www.mediasmarts.ca

Chapter 6 for the Guide to FOIP is now available!

Chapter 6 for the Guide to FOIP is now available! This Chapter is all about privacy and Part IV of The Freedom of Information and Protection of Privacy Act (FOIP). Government institutions will find helpful information on each provision related to privacy and some underlying principles including but not limited to:

  • Foundational privacy concepts and principles.
  • What qualifies as personal information.
  • The rules around collection, use and disclosure of personal information.
  • The duty to protect personal information.
  • Best practices for dealing with a possible privacy breach.
  • Access to one’s personal information (section 31).
  • The right of correction (section 32).
  • Privacy Impact Assessments.
  • Records management best practices.

This new Chapter deals exclusively with privacy and the sections related to it in FOIP. Part IV and privacy comprise a very large portion of the Act and this Chapter is our most extensive.

To assist government institutions, Chapter 6 also has a section that focuses on current privacy issues. This section will be updated as new issues arise.

We hope you find this Chapter useful as you work through the handling of personal information and privacy matters under FOIP. Chapter 6, which has been converted into a flipbook can be found here. For a short tutorial on using flipbooks, please refer to our recently posted blog Flip These Resources.

In terms of progress, edits to Chapter 5 for the Guide to LA FOIP are coming soon. We are also working hard on a Chapter 6 – Protection of Privacy for the Guide to LA FOIP and anticipate having it completed within the next month or two. We will also be working on updating Chapters 1, 2, 3 and 4 of the Guide to FOIP and LA FOIP shortly after.

If you have any questions or feedback on this new Chapter, please do not hesitate to reach out and contact me at alarocque@oipc.sk.ca.

Data Privacy Day – January 28, 2023

Data Privacy Day is internationally recognized as a day to bring awareness about the importance of protecting personal information. The last few years have resulted in a major shift in how we conduct business. We make purchases online, schedule doctor’s visits with health care professionals via video conferencing, attend classes online and many of us are even working remotely. Keeping our information safe has never been more important than it is now.

Our office has put together a brief presentation which highlights the importance of data privacy, risks involved and what you can do to keep your information safe.

A link to the presentation can be found here.

Live Streaming a Public Meeting

The Legislative Assembly broadcasts its proceedings over the internet. Each word spoken by an MLA is recorded and published in Hansard. Hansard is available to the public. Similarly, committees of the Legislative Assembly are public, sometimes broadcasted and recorded in Hansard. Both video and text are available on the Legislative Assembly website (www.legassembly.sk.ca/). Committees can decide to go in-camera but motions and decisions are made in the public portion of the meeting.

All cities, towns and municipalities are required to have public meetings. Regina, Moose Jaw, and Saskatoon live stream their council meetings and Regina and Moose Jaw broadcast through the local cable company. The cities post their agenda and minutes on their website and allow access to archived council meetings. Saskatoon live streams some of its committee meetings. Of course, council or a committee can have an in-camera session, but motions are required to be passed in a public meeting. Other cities and towns post their agendas and minutes to their website.

School boards are also required to hold their meetings in public. The minutes of these meetings are available for inspection. The Regina Public School Board live streams its meetings, and its agendas and minutes are available on its website. Other school boards do post their agendas and minutes on their website.

All of the above leads to greater transparency of our elected officials. For those public bodies whose meetings are required to be public, I would encourage them to look at live streaming of their Board or council meetings. Technology is now available that makes live streaming relatively easy and relatively inexpensive. The geography of our province makes it beneficial to citizens when public bodies live stream their meetings. I would encourage those cities, towns, villages or school boards to develop policies and practices that would facilitate the live streaming of all of their public meetings.