Ontario IPC issues guidance on police use of facial recognition and mug shots

European Parliament passes landmark AI Act on March 13

UK AI regulation bill receives second reading

AI Notetakers – the risks and benefits

UN adopts AI resolution which focuses on safety

Ontario school boards sue makers of Facebook, Instagram, Snapchat and TikTok

Tennessee Elvis Act, replication of voices” by AI

Australian government proposes to implement AI changes

Podcast -Ontario IPC discusses facial recognition

Draft American Privacy Act introduced

Providing a Record in the Format Requested by the Applicant

Providing a Record in the Format Requested by the Applicant

Applicants often request records in a format which is convenient for their use i.e., paper, word spreadsheet, Excel or comma-separated values (CSV) or pdf. I find that public bodies are comfortable providing records in paper format but when it comes to electronic formats, they lean toward a pdf format. It appears they believe that the data is more secure in pdf and thus, the applicant cannot change or manipulate the data.

Although I am not a security expert, my information is that the belief that the pdf format is tamper-proof is not true.

First, if a public body provides a record in paper format, an applicant can scan the record, white out parts, or edit the scanned version, re-print it and distribute it or post it on the internet.

If a public body provides the record in word or excel, the applicant can open the document, edit it and then distribute it or post it. Similarly, an applicant can do the same with a record in CSV format.

Finally, if the applicant has Adobe Acrobat Pro, and receives a record in pdf, the applicant can do a number of things. He or she can edit it, save it as a word document or export it into an excel spreadsheet, and distribute it or post it to the internet.

So whatever format is used, a person intent on manipulation can change it and distribute the changed record. Public bodies need to accept there is a risk of people altering the records they provide and remember their duty to assist (section 5.1 of FOIP and LA FOIP). In other words, provide the record in the format requested.

Of course, if it is electronically impossible to produce it in the format requested, the public body should assist by providing the record in the next most practical format (subsections 10(2) to 10(4) of FOIP and LA FOIP).

The best advice to public bodies is to keep and store the record in the format they provided it in, to the applicant. If the applicant manipulates and publishes, the public body can say that was not the record that they provided and can prove it as they have the original and a copy of what was sent.

Duty to Assist – Ask, What Do You Need?

The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) since 2018, have a section on the duty to assist, it provides as follows:

5.1(1) Subject to this Act and the regulations, a government institution shall respond to a written request for access openly, accurately and completely.

(2) On the request of an applicant, the government institution shall:

(a) provide an explanation of any term, code or abbreviation used in the information; or

(b) if the government institution is unable to provide an explanation in accordance with clause (a), endeavour to refer the applicant to a government institution that is able to provide an explanation.

We treat this as an obligation for a public body (government institution or local authority) to assist the applicant as much as possible.

FOIP and LA FOIP also have a section on clarifying an access request which provides:

6(1) An applicant shall:

(a) make the application in the prescribed form to the government institution in which the record containing the information is kept; and

(b) specify the subject matter of the record requested with sufficient particularity as to time, place and event to enable an individual familiar with the subject-matter to identify the record.

(3) Where the head is unable to identify the record requested, the head shall advise the applicant, and shall invite the applicant to supply additional details that might lead to identification of the record.

Applicants sometimes draft their access requests extremely broad. That results in possibly thousands of pages to be copied and sent. That is a lot of work for the staff member and potentially a large fee for the applicant.

My office discourages public bodies from asking why the applicant wants the information, but it can be reasonable to ask the applicant “what do you need?” An answer to that question increases understanding, possibly narrows the scope of the access request, and may result in the applicant getting the records sooner, reduces the fee or results in no fee at all.

I emphasize that the “what do you need” question might be asked in certain circumstances. The applicant may have already stated his or her purpose or made it clear exactly what they wanted. In those instances, there is no need to ask.

It is also important to frame your question in a certain way. You might say:

  • “I have a duty to assist you, and to better assist you, if you tell me what information you need, that will help me get you the records you want”,
  • “I read your access request and I need some clarification as to what information you are seeking”, or
  • “What is it that you require in terms of information?”

Now the applicant may refuse to answer your question and if so, then you must do your best to read the access request and provide those records requested.

I would suggest you never ask an applicant what they are going to do with the information. They are entitled to records under section 5 of FOIP or LA FOIP and what they do with that information is entirely up to them. They may want it because they want to know, they may want to write an MLA or a minister or they may want to contact the media or post the information on a website. If the applicant is from the media, you know they are working on a story. They are doing their job. Those are all legitimate actions, and a citizen is free to do whatever he or she wishes with the record.

On the other hand, if a staff member understands what the applicant needs, that staff member can read the access request, interpret it, and provide the applicant information or records that help meet the applicant’s needs. Again, I repeat, the applicant does not have to say why and a refusal not to say, should always be respected.

A word of encouragement to applicants. Before you write out your access request, you should think about why you want the information and what you are going to do with it. An access request for less information might just let you get that information sooner and for a reduced or no fee. Broad access requests increase the chances that you will get a higher fee quote. You could also telephone the public body and say I am making an access request, and can you tell me the files or file folder I should ask to be searched. Now you might not trust the public body, so in that case don’t ask such questions.

Applicants, when you are asked by the staff member the question “what do you need”, and you determine the staff member is trying to be helpful, tell them what you really are trying to get copies of. It might just get you the information sooner at no cost. Remember if you don’t’ get all that you want, you can always make a second access request.

So, to sum up, knowing “what you need” can help reduce the number of records to be produced, the work involved and sometimes the fees. It is worth it for public bodies and applicants to work together to reduce work, time to respond and fees.

The Law Society Issues “Guidelines for the Use of Generative AI in the Practice of Law”

The Law Society of Saskatchewan has issued guidelines for the use of generative AI in a lawyer’s practice. You can read that guideline here.  The Law Society has also issued three brief videos on the guidelines (Bite Size CPD 124, 125 & 126). You can watch them here.

When you read the guideline, you will see how many of the statements could apply to any profession and in particular the health professions. It talks about the responsibilities of confidentiality, communications and the risks of discrimination and harassment. I would encourage every profession to consider developing a guideline specifically tailored to their profession and develop in person or online training that helps each member become familiar with the benefits and risks of generative AI.

In fact, I would encourage public bodies and health trustees to read the Law Society guideline and consider whether they should develop their own guideline and training.

I hear the experts say there are benefits and risks. All of us will want to take advantage of the benefits and all of us should recognize the risks and take steps to mitigate those risks.

When We Cannot Help You

My office gets calls from residents when they are expecting us to solve their problem. We receive approximately 1300 calls a year. Some of those citizens have called other agencies or public bodies. They may have called the Ombudsman or the Advocate for Children and Youth office, the Ministry of Social Services, Saskatchewan Human Rights Commission, MLA’s office or Ministry of Justice and Attorney General. I understand they may be frustrated and would just like a solution to their problem. I need to say we probably cannot help you unless the issue is access or privacy related, and the proper processes have been followed. We have a narrow mandate.

Here is what we can do. If you have asked a public body for records and they have refused to provide those records to you, we might be able to help. You need to know that those public bodies have the right to withhold certain information from you. Parts III and IV of The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) sets out those exemptions. If we find the exemptions apply, we will not recommend those records be released to you.

If the public body wants to charge you a fee that appears to be unreasonable, we can review that fee.

If a public body fails to respond appropriately to your access request within 30 days, we can review their refusal.

If you feel your personal information or personal health information has been improperly collected, used or disclosed, you can ask my office to investigate the public body’s actions to determine whether there was a privacy breach.

These are some of the things we can do.

You might have staff in my office saying to you “we don’t have jurisdiction, or we don’t have grounds to proceed with a review or an investigation.” The Legislative Assembly has given my office certain powers, and it is only those powers that we can exercise. So, if we say, “we cannot help you”, that is another way of saying we do not have the legislative authority to help you.

We might suggest you contact another office but that is just trying to be helpful.

So, before you call, think about what you expect us to do for you. We might recommend you get some records, get a reduced fee or help to ensure a public body appropriately responds to a privacy breach involving your personal information, but we won’t be able to solve any other problem.

Recent Headlines Give me Concern

In the past weeks, media have speculated on health issues pertaining to a high-profile person in the public eye. One of those headlines involved allegations of an attempted breach of personal health information, which you can find here.

The people of Saskatchewan should rest assured that we have laws that prohibit snooping into their personal information and personal health information. In our province, everyone is entitled to privacy, free from unauthorized intrusions or snooping into their confidential medical and other personal information.

Individuals who are in the public eye, are equally entitled to these protections. People may have jobs or roles that invite or attract media attention, but with very few exceptions, they maintain the right to see restrictions on how personal information or personal health information about them is used and if it is disclosed – the very essence of privacy in a democratic society. We can debate how much of their life is private or public, but I hope we all agree that their personal health information, whether it is cancer, diabetes, or a heart condition, is deserving of the same protections that we all enjoy.

Some public officials choose to make public their health issues to put focus on a particular disease or condition. I admire them when they do that. Their goal may be to educate and support those with a similar condition. On the other hand, there are those who choose to keep their health issues to themselves, and we should respect their right to do so.

The Health Information Protection Act prohibits snooping into other’s personal health information. This applies to those that work in the health sector including staff and physicians and to others who may attempt to break into our health care databases. It is an offense and if caught, there can and should be consequences.

We have had our own experiences with unauthorized access to personal health information. For example, I issued an Investigation Report in January 2024, where I found that a doctor working in Saskatchewan was snooping. You can read it here.

Whether motivated by curiosity, or the desire for profit, in spite of the law, some will be tempted to snoop. That’s why health care providers and others that work for trustees in Saskatchewan are required to take steps to protect personal health information. Guidance is available on my office’s website on the steps that can be taken to reduce the risk of snooping. In addition to requirements to raise awareness, trustees must train staff and audit and monitor the use of personal health information and utilize technological solutions that can help detect and deter snooping.

Recently, in Ontario, The Ottawa Hospital piloted some software with AI functionality to monitor health information systems to detect snooping. I think we should study this type of software in Saskatchewan to see if it is reliable and safe.

Let’s make every reasonable effort to ensure that those who are tempted to snoop are not successful and personal health information is protected. And please respect other’s rights to privacy at all times and recognize the sensitive nature of their health care issues. If you don’t, be aware that there are consequences.

 

R. v. Bykovets – Privacy and the Internet

In a recent decision called R. v. Bykovets, 2024 SCC 6, the Supreme Court of Canada (SCC) ruled that the police must get a warrant before obtaining access to an individual’s Internet Protocol (IP) address from a third party. In a news release, the British Columbia Civil Liberties Association, an intervenor in the case, called the decision a huge victory for online privacy.

The case involves an individual who was charged with having made fraudulent online purchases from a liquor store. The company that managed the store’s online sales provided the police with the accused’s IP address voluntarily. The accused claimed that this action violated section 8 of the Charter.

The decision, in favour of the privacy rights of the accused, is significant for many reasons including that it recognizes the importance of individuals’ right to privacy in a free and democratic society. Justice Karakatsanis, who wrote the majority decision, stated:

Personal privacy is vital to individual dignity, autonomy, and personal growth. Its protection is a basic prerequisite to the flourishing of a free and healthy democracy.

It also recognizes that an IP address may reveal sensitive personal information about an individual. Further, it finds that the IP address is deserving of protections against unreasonable search or seizure under section 8 of the Canadian Charter of Rights and Freedoms (Charter).

This is not the first time that the SCC has found that the Charter guarantees Canadians a right of privacy. In previous rulings, it has recognized several kinds of privacy namely, physical, or bodily privacy, territorial privacy, privacy of communications and informational privacy.

In R. v. Dyment, the SCC stated that informational privacy is based on the notion of dignity and integrity of the individual and is based on the idea that all information about a person is their own.

IP addresses may reveal sensitive personal information

Writing for the majority of the SCC, Justice Karakatsanis describes an IP address as a unique identification number that identifies the source of every online activity and connects that activity (through a modem) to a specific location.

She added that IP addresses may reveal deeply personal information such as the identity of the device’s user. When correlated with other online information associated with that IP address, it reveals “the first digital breadcrumb that can lead the state on the trail of an individual’s Internet activity.” She wrote that third party websites can track the IP address of each user and added that some websites, such as Google, also collect massive amounts of other information, such as information about users’ searches and location.

Privacy oversight authorities have long recognized the detailed nature of the information that can be discovered through access to an IP address. The federal Office of the Privacy Commissioner issued a paper in May of 2013 which describes the information that could be revealed from a phone number, email address, and an IP address. The paper concluded that knowledge of subscriber information such as phone numbers and IP addresses can provide a starting point to compile a picture of an individual’s online activities, including the individual’s personal interests and organizational affiliations.

While the question of whether an IP address would qualify as personal information under Saskatchewan’s access and privacy laws was not before the SCC in this case, its findings could be relevant to that analysis.

For examples of circumstances where our office has found that an individual’s IP address qualifies as personal information pursuant to subsections 24(1)(e) and (k) of The Freedom of Information and Protection of Privacy Act (FOIP) or subsection 23(1)(e) and (k) of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) see Review Report 147-2022 and Review Report 186-2019.

Application of section 8

Section 8 of the Charter is intended to protect individuals from unjustified state intrusions (such as searches or seizures) upon their privacy. The scope of the protections offered by section 8 is limited by the reasonableness of the individual’s expectation of privacy in a given set of circumstances. This means that when applying section 8 in the context of a law enforcement investigation, the courts weigh or balance reasonable expectations of privacy against legitimate police investigative techniques.

Regarding whether a reasonable expectation of privacy existed, Justice Karakatsanis wrote:

The “reasonable expectation of privacy” analysis revolves around the potential of a particular subject matter to reveal an individual’s biographical core to the state, not whether the IP addresses revealed information about the appellant on these facts. …In my view, the ever-increasing intrusion of the Internet into our private lives must be kept in mind in deciding this case. It is widely accepted that the Internet is ubiquitous and that vast numbers of Internet users leave behind them a trail of information that others gather up to different ends, information that may be pieced together to disclose deeply private details. And, as the expert evidence describes, an IP address is attached to all online activity; it is a fundamental building block to all Internet use. This social context of the digital world is necessary to a functional approach in defining the privacy interest afforded under the Charter to the information that could be revealed by an IP address.

In balancing the reasonable expectation of privacy against the need to combat online crime, the decision recognizes society’s legitimate interest in public safety and security, and the suppression of crime. It notes that the ways in which crimes are committed has evolved with technological developments and police must have tools to investigate these crimes.

The majority concluded its analysis by stating that the burden imposed by recognizing a reasonable expectation of privacy in IP addresses is not onerous as it would only add another step in the investigation process – the need to obtain a warrant.

Many readers will know that the access and privacy laws overseen by our office, FOIP, LA FOIP and The Health Information Protection Act, protect informational or data privacy. They do this by setting rules for the collection, safeguarding, retention, use and disclosure of personal information or personal health information.

Section 8 of the Charter may not apply when most public bodies and trustees engage with individuals through online services or internet-based communications because the activity may not qualify as a search or seizure. However, in light of the SCC findings on IP addresses, they should be aware of the type of information that may be collected through online engagement with the public and what privacy protections need to be in place.

Individuals and organizations may be interested in the resources available regarding privacy, the internet and the Charter on the Office of the Privacy Commissioner of Canada’s (OPC) website. Organizations with law enforcement mandates may be interested in the OPC’s guide titled “A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century”.

More information about the Charter and how it protects privacy, can also be found in our office’s Guide to FOIP and Guide to LA FOIP.

For any questions, contact intake@oipc.sk.ca

New Guidance on Survey Research

Governments institutions and local authorities often use surveys to collect public views and opinions on new programs and services, and to support informed policy development. As part of its public engagement strategy, the Government of Saskatchewan website states that it routinely polls residents of Saskatchewan for information to help guide policy decisions. The website lists public opinion polls conducted in recent years.

The University of Regina (U of R) has a survey research unit that provides survey and research expertise to students, faculty members and other groups on campus. The U of R has also developed a policy that governs surveys involving sampling of current and prospective students, and alumni and staff.

As of February 2024, Statistics Canada reported that it had 471 active surveys in the collection stage.

With the exponential growth in online government service delivery brought on by the pandemic, it is not surprising that government institutions and other organizations are increasingly using online survey tools and platforms.

There has been some media attention in the past on high profile online surveys. Media have reported on the Government of Saskatchewan’s cannabis survey and the federal government survey into medical aid in dying. In an article published in April 2019, CBC reported that the Saskatchewan Government has been in the habit of surveying the public on major issues noting a trend of surveying on the future of education in the province.

Where survey projects involve the collection, retention, use, disclosure and disposal of personal information, public bodies conducting surveys need to take steps to ensure compliance with Saskatchewan’s access and privacy laws.

My office has released a guide for public bodies on how to address the privacy risks when conducting surveys and the strategies for managing those risks, including online surveys.

There are separate rules and considerations that would arise when a trustee as defined in The Health Information Protection Act (HIPA) seeks to collect personal health information as part of a survey. The guide does not consider the potential impact and specific requirements of HIPA but is focused on the use of surveys by public bodies or organizations.

If your organization does not have a policy and procedure in place for conducting surveys and expects to be conducting multiple surveys, it should consider developing standards. Many universities, including the U of R, have developed guidance or policies on conducting surveys. The University of Saskatchewan has a master agreement with an online survey provider and a policy that governs the use of that survey tool.

For another example, see the Government of Canada Standards for the Conduct of Government of Canada Public Opinion Research – Online Surveys which were updated in 2020.

For further information consult the guidance document. For any questions, contact intake@oipc.sk.ca

Avoiding the Travelling Blues

As Homer Simpson said, it’s Smarch! It’s that lousy time of year when we’re probably digging ourselves out of snowstorms and simultaneously calling our travel agents. While you jump start your summer by going on a late-winter holiday, don’t forget to be privacy and security aware. The last thing you want when you travel is to have your data breached or identity stolen. The following tips can help!

  • Don’t use public WiFi networks. These are not secure. Instead, use your phone’s data to connect to the internet.
  • When not using them, turn off WiFi, GPS or Bluetooth on your devices.
  • Secure your devices and accounts by using strong passwords and two-factor authentication. Change your passwords when you get home.
  • Make sure your devices all have the latest security updates.
  • Take devices, such as phones or tablets, that you designate for travel. Keep what you store on these devices to the bare minimum of apps, photos, etc.
  • Turn on any tracking capabilities your devices have in case they’re lost or stolen. If you can remotely wipe a device such as your phone, learn how to do this before you set sail. At the same time, make sure you have backed up all important data to an external device that you left safely at home.
  • Keep your devices close to you. Lock them up in the hotel’s safe when you can’t take them with you. Never, ever leave any of your devices unattended. As we’re prone to leaving a device behind rather than having it stolen, double check when you’re leaving an area that you have your device with you.
  • Refrain from logging into accounts on public devices, like those in your hotel’s business centre. Devices such as these may have keyloggers and malware installed.
  • Avoid public USB chargers or charge ports. USB cables transfer data – criminals love accessing your data this way. When you can, directly plug your device into a power outlet.
  • Travel light by taking only the travel documents you need. Make copies of all your travel documents, including your ID, credit cards, or any other personal information you’re bringing. Leave these copies with someone you trust, such as a family member.
  • We all want to tell our friends on Facebook and Instagram about our travel plans, but it’s probably better to hold off until you return. No one needs to know you will be leaving your home empty for a week or two.
  • When you do get home, check your credit card statements to make sure there are no unauthorized or suspicious charges.

Data breaches or identify theft occur when devices, documents, etc., are stolen or left behind, or left vulnerable to cyber-attack. Always be privacy and security aware. It’ll make for a better holiday if you don’t have to deal with lousy Smarch weather AND a breach of your privacy or data.

 

A Discussion With Sharon Polsky

I had the pleasure of talking to Sharon Polsky, President of the Privacy and Access Council of Canada. Sharon has been the president of PACC since its inception. We discussed PACC’s accomplishments in 2023 and her hopes and objectives for 2024. We also discussed her thoughts regarding Bills C-26 and C-27. Please take some time out of your day to listen to our discussion here.

“Unlocking Health Care: How to Free the Flow of Life-Saving Health Data in Canada”: An appeal from Canada’s Public Policy Forum

The Canadian Public Policy Forum’s (PPF) recent report entitled, “Unlocking Health Care: How to Free the Flow of Life-Saving Health Data in Canada” has received a lot of media attention since its release last week. It included some important recommendations relating to the need to ensure personal health information is accessible digitally to all patients and health care providers in a timely, and privacy and security protective manner.

For context, it’s the third report in a three-part study that sought to address what it described as “the shortcomings in Canada’s precious health-care systems.” The first report dealt with accessibility to health services. The second report focused on the delivery of primary care.

Our office is a proponent of secure, privacy protective health information systems that enable secure and appropriate retention, access, use and disclosures of personal health information. We appreciate that there is great value in interoperable digital health records for all residents of Canada. Moreover, we know that privacy is not a barrier to innovation.

Long before the PPF wrote about the value of privacy-protective digital health innovations, Canadian privacy authorities passed a resolution entitled, “Securing Public Trust in Digital Healthcare” calling for concerted effort, leadership and resolve in implementing a modern, secure and interoperable digital health communications infrastructure.

The PPF paper is noteworthy because it explained how better health outcomes for Canadians can be achieved with “a high functioning, data- and digital rich system.” The paper uses a series of case studies illustrating how technology can support timely and efficient health care delivery.

The paper also provided examples of how antiquated communications systems can frustrate timely and appropriate health care services. Not surprisingly, the PPF included a number of examples relating to the use of fax machines to communicate. In one example, a physician working in a family clinic and in a number of hospitals in their province, explained how test results intended for them are regularly sent by fax to the wrong clinic or office.

The PPF paper noted that one consequence of these types of incidents or privacy breaches is the psychological impact on patients and physicians who are frustrated spending time chasing down faxes. It stated:

Canada’s continued reliance on phone calls with no return number, paper letters and fax machines impede critical referrals and prescriptions, potentially lifesaving acts of care. Our seeming inability to move beyond outmoded forms of communication delays vital treatments and extracts a psychological toll on patients and the people caring for them, who often must chase down a misdirected or overlooked fax. We cannot state it strongly enough: lives depend on this information.

The paper reported that in one study, e-referral systems shaved 21.4 days off wait times for Canadian orthopaedic surgeons compared with paper-based referrals, such as faxing.

Our office has had its own experience that illustrates how a paper-based system poses a serious risk to privacy. Since 2018, our office has opened approximately 84 files and issued 18 investigation reports involving misdirected faxes. Many of the reports involved multiple misdirected faxes.

For example, Investigation Report 045-2021, et al, involved 23 misdirected health records originating from four different trustees and Investigation Report 164-2023, et al, involved 86 misdirected health records. As there is no requirement to report breaches to our office, we would have no idea how many privacy breaches have resulted from misdirected faxes in Saskatchewan.

In Ontario, the former Information and Privacy Commissioner noted in his 2021 Annual Report, that his office received 4,848 breach reports related to misdirected faxes.

The PPF paper concluded with twelve recommendations as to how governments and partners can work towards making all health records accessible digitally by 2028. While the recommendations are presented as key to achieving these goals, I was particularly pleased to see that among the recommendations is a recommendation that Canada prioritize national safeguards for the collection, analysis, sharing and use of health data.

According to the report, this included ensuring that privacy and security of health data must be preserved in a way that maximizes the benefits for individuals and for the community at large.

The report also recommended a commitment to being paperless, interoperable and with seamless user access by 2028, starting with eliminating transmission of medical information by fax machines in 2024.

Finally, it recommended that e-consultations, e-referrals and e-prescriptions between all clinical service providers should be made available through fully interoperable digital health platforms.

We commend the PPF for its work and encourage you to read the report.

For any questions, contact intake@oipc.sk.ca