Discussion with the first Privacy Commissioner in Bermuda

I recently had the pleasure of talking to Alexander White, the first Privacy Commissioner in Bermuda. He had the challenge of setting up an office and informing citizens on the island of their privacy rights and obligations.

In 2013, he hosted the Global Privacy Assembly’s annual meeting with about 500 participants.

Alex has been re-appointed for a five-year term and talks about his hopes and plans for the future. You can listen to the podcast here.

Saskatchewan Information and Privacy Commissioner Tables 2023-2024 Annual Report

Commissioner Ronald J. Kruzeniski, K.C., has tabled his office’s 2023-2024 Annual Report with the Legislative Assembly. The theme of his final Annual Report is Change, a title that carries great significance for a number of reasons, including that this will be his last one.

In this Annual Report, Commissioner Kruzeniski has reflected back on the changes and progress his office has made in the last 10 years. Included in the list of achievements is the issuing of over 1100 reports, creating the Guide to FOIP and Guide to LA FOIP, developing the Rules of Procedure and maintaining a website that hosts all the resources our office has developed over the years. He indicated that “all of this will assist those dealing with my office to know what to expect.”

For years, Commissioner Kruzeniski has been saying that we are shifting from a paper society to a digital one, which requires our legislation to be modernized. This need is even more important now with the advancements in artificial intelligence (AI), about which the Commissioner notes, “there is a need to ensure our legislation recognizes the benefits of AI functionality but protects us from the risks of inappropriate use or abuse of the technology.”

It is his hope that the proposals for legislative change outlined in this year’s Annual Report will be adopted in the years ahead to assist with the modernization of access and privacy legislation in Saskatchewan.

For more information, you can review our 2023-2024 Annual Report and accompanying proposals below.

Annual Report – 2023-2024

Proposed LA FOIP/FOIP Amendments

Proposed HIPA Amendments

The Search for Personal Health Information (updated)

When a patient (applicant) makes an access to information request for their personal health information, the search for responsive records may not be as easy as just checking out the health records department. The Health Information Protection Act (HIPA) applies to all personal health information in the custody or control of a trustee regardless of who created it, where it came from or how it is stored. All records, in any form, that are responsive to the request, must be identified, located, retrieved and released (subject to exceptions) within 30 calendar days.

Records may be in paper or electronic form whether found in a file drawer, legacy system, electronic medical record (EMR) or electronic health record (EHR).  Electronic or digital records include electronic documents such as word-processed documents, spreadsheets, email, digital photographs, scanned images and electronic data, such as information stored in databases or registries or in rarer cases, back-up tapes.

Regardless of the medium, a thorough search needs to be conducted. For instance, this office dealt with a request for access to records from the 1960s. The records existed only on microfiche, so the trustee had to find a way to read and make a copy for the applicant, even though the trustee no longer had the technical capability. The take-away lesson is that as long as records have not been destroyed, access rights of the individual remain intact, and records need to be produced wherever they reside.

A request for access may be unduly general or vague because the applicant lacks knowledge of the trustee’s operations, systems or programs and the type of health records that may exist. These types of requests may prove challenging for a large trustee organization (e.g., Saskatchewan Health Authority) as they could potentially require a search of a number of different facilities, program areas and information systems. This is why communicating with the applicant early on in the process to clarify the request is critical. This communication is also in keeping with a trustee’s obligations under section 35 of HIPA, which is the trustee’s duty to assist. This express duty obligates the trustee to make every reasonable effort to assist an applicant by responding to each request openly, accurately and completely.

The responsibility to maintain records may fall to many different individuals at different times, resulting in records being temporarily retained on the unit, in individual employees’ offices, vehicles or homes, managed off-site by an information management service provider or put into storage while waiting to be culled (i.e., non-active files). When applicable, records in the physical possession of contracted agencies may also have to be located, as they may have records responsive to an access request (e.g., independent medical examination).

Different kinds of records are also being generated as more electronic information systems are relied on for service provision. For instance, patients may submit a request to eHealth Saskatchewan for eHR Viewer Event Audits (shows who has looked at their records in the eHR Viewer).

Also, a search at one time may reveal responsive records, but not necessarily all. For instance, what about records that are in the queue (i.e., not yet dictated)? Patient care is not static. There will always be new responsive records being generated as long as a patient continues to interact with the health care system.

As noted, there are some limited exceptions to the right of access and a decision to release may depend on who is making the request. Subsections 27(1) and 38(1) and section 56 of HIPA need to be taken into consideration.

In closing, the best advice that I can give if you are processing such a request is to start with a search strategy by talking to the ‘people in the know’ before proceeding (e.g., record managers). It will save you a lot of time in the long run. And don’t forget to document your search strategy and keep details of the actual search conducted. Those details come in handy if the applicant is dissatisfied and requests a review by my office down the road.

 

Ontario Introduced Bill 194

On May 13, 2024, the Ontario government introduced Bill 194: the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, which deals with cybersecurity, artificial intelligence (AI) and The Freedom of Information and Protection of Privacy Act of Ontario. You can review Bill 194 here and for a good summary you can read the review of McMillan LLP here.

Privacy Awareness Week and a discussion with the CEO of the SHA

During Privacy Awareness Week, I was able to sit down and talk to Andrew Will, CEO of the Saskatchewan Health Authority (SHA). The discussion was very timely i.e., to talk about privacy during Privacy Awareness Week.

The SHA is our largest employer in the province and the major provider of health care for all of us. The SHA has announced a plan to provide privacy training to all its staff annually. That is no small feat considering the size, scope and diversity of the organization. I hope the SHA’s example will encourage other trustees, and health organizations to commit to annual privacy training. You can listen to the podcast here.

 

 

Privacy Awareness Week – Conversation with New Zealand’s Privacy Commissioner

During Privacy Awareness Week, I have had three conversations with people who take privacy seriously. One of them was with Michael Webster, the Privacy Commissioner in New Zealand. He talks about the important privacy issues in New Zealand. Many of the issues he mentioned are issues in Canada. Please listen and observe the commonality of issues in our two countries. Listen here.

 

Privacy Awareness Week – Conversation with the Commissioner of Nunavut

As part of Privacy Awareness Week, I have been able to talk to three people who have a real concern for privacy. One of those conversations was with Graham Steele, the first resident Information and Privacy Commissioner for the territory of Nunavut.

He was appointed in 2021 and set out six priorities for his term. He also just issued his Annual Report and testified at a legislative committee. He covered a range of issues including privacy concerns related to Canada Post’s delivery of mail in Iqaluit. Finally, we talked about the issues and challenges being a commissioner in a territory that has great distances and small populations. To hear the podcast, click here.

 

Tricia Ralph Wants Changes to Nova Scotia Access and Privacy Legislation

I sat down and talked to Tricia Ralph, the Information and Privacy Commissioner for Nova Scotia. When the current government was elected, the premier indicated there would be some legislative change in access and privacy legislation. Recently, Tricia Ralph made proposals for legislative reform.

In our conversation, she outlined the important changes she believes should be made. Please listen to her proposals for legislative change in Nova Scotia here.

 

Understanding “fees” with ease! (updated)

In my experience, an applicant is sometimes confused when they receive a fee estimate from a government institution pursuant to The Freedom of Information and Protection of Privacy Act (FOIP), or a local authority pursuant to The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP). For example, the applicant questions why they need to pay fees to get access to their own personal information in the possession or under the control of a government institution or local authority (public body) or why certain fees were charged. I think understanding how the legislation governs “fees” may assist with understanding why a public body may issue a fee estimate.

Fees are intended to provide for reasonable cost recovery for public bodies when providing records to applicants. A reasonable fee estimate is one that is proportionate to the work required by the public body to respond efficiently and effectively to the applicant’s request. Public bodies should issue reasonable, fair and consistent fee estimates.

Section 9 of FOIP and LA FOIP governs fees, and subsection 9(2) of FOIP and LA FOIP states:

  • 9(2) where the amount of fees to be paid by an applicant for access to records is greater than a prescribed amount, the head shall give the applicant a reasonable estimate of the amount, and the applicant shall not be required to pay for an amount greater than the estimated amount.

This prescribed amount of $100 is found in subsection 7(1) of The Freedom of Information and Protection of Privacy Regulations (FOIP Regulations) and subsection 6(1) of The Local Authority Freedom of Information and Protection of Privacy Regulations (LA FOIP Regulations).

There are generally five kinds of fees that a public body can include in its fee estimate: application; search; machine and operator costs; preparation; and reproduction of records. Below are the relevant sections from FOIP and LA FOIP and the accompanying regulations that govern fees:

Application fees:

  • Subsection 5(1) of the LA FOIP Regulations provides, “an application fee of $20 is payable at the time an application for access to a record is made.” FOIP does not have an application fee.

Fees for search of responsive records:

  • Subsection 6(2) of FOIP Regulations/ Subsection 5(3) of LA FOIP Regulations provide guidance on what fees can be charged for search efforts. Both subsections advise that where time in excess of the prescribed amount (two hours for FOIP/ one hour for LA FOIP) is required by experienced staff to search for the responsive records, a fee of $15 per half-hour may be charged. Our office advises that it could take an experienced staff member one minute to search 12 pages of records, five minutes to search one drawer and three minutes to search an email account.
  • Subsection 7(2) of FOIP Regulations/ Subsection 6(2) of LA FOIP Regulations provide that if actual fees are less than the original estimate, then the public body should refund the excess amount to the applicant.

Fees for machine and operator costs:

  • Subsection 6(3) of FOIP Regulations/ Subsection 5(4) of LA FOIP Regulations provide for the charging of additional fees when machine and operator costs need to be factored into the search and retrieval of electronic data.

Fees for preparation of responsive records:

  • Subsection 6(2) of FOIP Regulations/ Subsection 5(3) of LA FOIP Regulations also provide the same guidance on fees for preparing records for disclosure. Our office advises that it could take an experienced staff member two minutes to sever one page of responsive record.

Fees for reproduction of responsive records:

  • Subsection 6(1) of FOIP Regulations/ Subsection 5(2) of LA FOIP Regulations provide guidance on the actual cost of reproduction of records; for example, the photocopy/ print-out cost is prescribed at $0.25 per page. It should be noted that a public body should charge no fees if the record is provided to an applicant via email. Subsection 6(b.1) of FOIP Regulations/ 5(b.1) of LA FOIP Regulations provide that the public body could charge the actual cost of the portable storage device; and where records exist in any other form than paper and electronic, these subsections provide that the public body can charge the actual cost of copying the records.

For further explanation as to how to calculate fees, see the following resources available on our website: IPC Guide to FOIP – Chapter 3 and IPC Guide to LA FOIP – Chapter 3.

Below are some best practices to reduce fee estimates for applicants and public bodies:

  1. Best practices for applicants:
    • When making an access to information request, list specific documents if possible and a specific time period in order to limit and focus the search efforts for the public body;
    • If possible, narrow the scope of your request, based on the nature of the information you seek from a public body. Broadly worded requests require more time to process. More time to process = larger fees; and
    • It is beneficial to work with the public body to reach a reasonable fee or resolution; however, if you remain dissatisfied with the fee estimate, you have a right to request a review from our office.
  2. Best practices for public bodies:
    • Pursuant to section 5.1 of FOIP and LA FOIP, public bodies have a “duty to assist”, which requires a public body to make every reasonable effort to identify and seek out records responsive to an applicant’s access to information request; to explain the steps in the process and to seek any necessary clarification on the nature or scope of the request within legislative timeframes;
    • If possible, only complete the preliminary search (representative sample), not the full search prior to providing the fee estimate. This could save the amount of work a public body puts in before confirmation from the applicant that they wish to proceed;
    • Remember that pursuant to subsection 9(3) of FOIP/ subsection 9(3) of LA FOIP, where a public body provides a fee estimate to an Applicant, the Applicant may be required to pay a deposit of an amount that does not exceed one-half of the estimated amount before a search is commenced. Therefore, it is advisable to issue a fee estimate within 3-10 days of receiving the access to information request; and
    • It is beneficial to work with the applicant to reach a reasonable fee or resolution, which could avoid involvement from our office.

Public bodies can find more resources on our website that provide guidance for charging fees/ issuing fee estimates, such as:

Applicants and public bodies may find the following reports issued by our office helpful on this topic:

  • IPC Review Report 042-2019 – recommended that the Ministry reimburse the applicant the fees they paid;
  • IPC Review Report 034-2019 – found that the fee estimate was not reasonable;
  • IPC Review Report 102-2019 – found that the applicant did not provide enough evidence to support their request for a fee waiver;
  • IPC Review Report 106-2022 – found that fees for creating a query to search for emails and a PowerShell script were reasonable;
  • IPC Review Report 258-2022 – found a fee for a computer operator to search for and retrieve information from its human resource information system (HRIS) was appropriate; and
  • IPC Review Report 062-2023 – found that the fee estimate was not reasonable and recommended that the City reimburse the applicant part of the fee it had charged.

 

I am hopeful this blog will help all with understanding why certain fees may be charged. For any questions, please contact our office at intake@oipc.sk.ca.

Providing a Record in the Format Requested by the Applicant

Applicants often request records in a format which is convenient for their use i.e., paper, word spreadsheet, Excel or comma-separated values (CSV) or pdf. I find that public bodies are comfortable providing records in paper format but when it comes to electronic formats, they lean toward a pdf format. It appears they believe that the data is more secure in pdf and thus, the applicant cannot change or manipulate the data.

Although I am not a security expert, my information is that the belief that the pdf format is tamper-proof is not true.

First, if a public body provides a record in paper format, an applicant can scan the record, white out parts, or edit the scanned version, re-print it and distribute it or post it on the internet.

If a public body provides the record in word or excel, the applicant can open the document, edit it and then distribute it or post it. Similarly, an applicant can do the same with a record in CSV format.

Finally, if the applicant has Adobe Acrobat Pro, and receives a record in pdf, the applicant can do a number of things. He or she can edit it, save it as a word document or export it into an excel spreadsheet, and distribute it or post it to the internet.

So whatever format is used, a person intent on manipulation can change it and distribute the changed record. Public bodies need to accept there is a risk of people altering the records they provide and remember their duty to assist (section 5.1 of FOIP and LA FOIP). In other words, provide the record in the format requested.

Of course, if it is electronically impossible to produce it in the format requested, the public body should assist by providing the record in the next most practical format (subsections 10(2) to 10(4) of FOIP and LA FOIP).

The best advice to public bodies is to keep and store the record in the format in which they provided it to the applicant. If the applicant manipulates and publishes it, the public body can say that was not the record that they provided and can prove it, as they have the original and a copy of what was sent.