Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on Transparency in a Pandemic

As we all know, we are in the middle of a pandemic and many are working hard to protect Saskatchewan. Many are working long hours and assuming risks. All of us need a certain amount of information about the spread of COVID-19 in our province.

I have written earlier about a pandemic and privacy, and there is a balancing act between public interest and privacy. There is a big gap between giving little to no information and giving all information. In the middle is an opportunity for decision-makers to determine how much information to provide to the public. Officials are always free to provide aggregate or statistical data, or de-identified personal information or personal health information. They can provide information such as how many are sick or pass away in a city, town, municipality, area or region. I would encourage as much transparency as is possible while respecting privacy to the extent possible. More is better under the circumstances we are now in.

Of course, giving someone’s name and address as being affected would be going too far, as this is their personal health information. Yes, and in small communities, indicating that one person is affected might identify that person. In those instances, there are workarounds such as saying, “one person in the Ituna vicinity” or “one person north of White City”. The idea is that officials can be transparent and provide as much information as is possible, but still avoid identifying an individual.

As the number of cases rises in our province, officials will have more latitude in providing statistical information to citizens, as they won’t be dealing with one person, but with two, three or more persons in a community or area.

Individuals who are infected with COVID-19 may choose to divulge their personal health information in a public forum such as Facebook, Twitter or the media. They may choose to conduct interviews regarding their illness and recovery. That is their choice and we need to respect that they have voluntarily chosen to do so. If an individual does so, that does not give permission to the public body to release their name. A public body could, however, ask the individual to sign a consent agreeing to the release of their name and details.

The Federal Information Commissioner, Caroline Maynard, in a News Release dated April 2, 2020 stated:

As Information Commissioner, I call upon heads of federal institutions to set the example in this regard, by providing clear direction and updating guidance on how information is to be managed in this new operating environment. Furthermore, I am of the firm view that institutions ought to display leadership by proactively disclosing information that is of fundamental interest to Canadians, particularly during this time of crisis when Canadians are looking for trust and reassurance from their government without undue delays.

The right of access is a means by which we not only hold our government to account, but determine how and why decisions were made and actions taken, in order to learn and find ways to do better in the future. It is only by being fully transparent, and respecting good information management practices and the right of access, that the government can build an open and complete public record of decisions and actions taken during this extraordinary period in our history—one that will inform future public policy decisions.

In conclusion, I ask public officials, elected and appointed, to continue to provide as much information as possible regarding our province and the Pandemic.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca

Updated Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on COVID-19

Privacy in the Context of COVID-19

Privacy laws are not a barrier to appropriate information sharing in an epidemic.

It is important that public bodies, health trustees and private sector organizations know how personal information or personal health information may be shared during an epidemic.

How Information May be Shared under Saskatchewan’s Privacy Laws

Saskatchewan has three privacy laws:

  • The Freedom of Information and Protection of Privacy Act (FOIP) applies to government institutions;
  • The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) applies to local authorities such as municipalities, universities and school boards; and
  • The Health Information Protection Act (HIPA) applies to health trustees.

These Acts and accompanying Regulations govern the collection, use and disclosure of personal information or personal health information in most situations.

Each Act contains provisions to allow for the sharing of personal information or personal health information in the event of an emergency by public bodies and trustees.

All three Acts require that any collection, use or disclosure of personal information or personal health information be limited to that which is needed to achieve the purpose of the collection, use or disclosure. This is referred to as the “data minimization principle.”

FOIP

FOIP applies to government institutions or “public bodies”, which include provincial government ministries, Crown corporations, boards, agencies and commissions.

FOIP permits public bodies to collect personal information if the collection is expressly authorized by another statute or if the collection relates directly to and is necessary for an operating program or activity of the public body.

FOIP generally requires public bodies to collect personal information directly from the individual the information is about. Public bodies may collect information about an individual from other sources with the individual’s consent, or without consent in specific circumstances, such as when the collection is authorized by law or the individual is not able to provide the information directly in a health or safety emergency.

Public bodies may disclose personal information in emergency situations with the consent of the individual, or without consent in certain circumstances, including:

  • where necessary to protect the mental or physical health or safety of any individual; or
  • the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure; or
  • disclosure would clearly benefit the individual to whom the information relates; or
  • if the disclosure is authorized by a statute of Saskatchewan or Canada.

LA FOIP

LA FOIP applies to local authorities, including municipalities, universities and school boards. Basically, the same rules apply as outlined above for FOIP.

HIPA

HIPA applies to personal health information in the custody or control of health trustees. Trustees include the Saskatchewan Health Authority, nursing homes, ambulance operators, physicians, pharmacists and certain other health professionals with custody or control of personal health information. HIPA authorizes trustees to collect and use personal health information for the purposes of providing health services among others.

HIPA also allows trustees to disclose personal health information with the consent of the individual, or without consent in specific circumstances, including:

  • where the trustee believes, on reasonable grounds, that the disclosure will avoid or minimize a danger to the health or safety of any person; or
  • to family members or other individuals in a close relationship with the individual so they may be notified that the individual is ill, injured or deceased, providing the disclosure is not contrary to the expressed wishes of the individual; or
  • to another health trustee for the provision of health services; or
  • to a person responsible for continuing treatment and care for the individual; or
  • if the disclosure is authorized or required by a statute of Saskatchewan.

The Private Sector

Except for trustees under HIPA, Saskatchewan does not have legislation that applies to the private sector. Private sector organizations might be covered by federal legislation and should check the federal privacy commissioner’s website: https://www.priv.gc.ca/en/. If, however, a private sector organization is contracting with a public body or trustee (e.g. as an information management service provider), contractual agreements should be checked for language that might put personal information or personal health information that the organization has in its physical possession in the control of the public body or trustee instead.

General Principles

The Canadian Privacy Commissioner, Daniel Therrien, has issued A Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19. In that framework, he establishes key principles which can be applied by public bodies when making decisions on collection in Saskatchewan. He summarizes those principles in his News Release of April 17, 2020. These principles should be applied in Saskatchewan. With some editing, these principles are:

  • legal authority: the proposed measures must have a clear legal basis;
  • the measures must be necessary and proportionate, and, therefore, be science-based and necessary to achieve a specific identified purpose;
  • purpose limitation: personal information and personal health information must be used to protect public health and for no other purpose;
  • use de-identified or aggregate data whenever possible;
  • exceptional measures should be time-limited and data collected during this period should be destroyed when the crisis ends; and
  • transparency and accountability: public bodies should be clear about the basis and the terms applicable to exceptional measures, and be accountable for them.

The Public Health Act, 1994

The Minister of Health or the Chief Medical Officer have powers under The Public Health Act, 1994 (P.37.1), which can be viewed here: https://publications.saskatchewan.ca/#/products/786. In particular, section 45 sets out the powers of the minister and the medical officer. Further, this Act contains mandatory reporting provisions for certain health care professionals in certain circumstances (e.g. sections 32, 34 and 36).

The Information and Privacy Commissioner

The Office will continue to work on matters during this time, but will be closed to the public. People seeking information can call 306-787-8350 or the toll free number 1-877-748-2298 or email us at webmaster@oipc.sk.ca.

There may be delays getting back to those who contact us, but we will get back to you.

My office usually requests that public bodies respond with information within certain timelines. We know other offices may be experiencing difficulties in getting back to us. Thus, we will be flexible regarding tight timelines. We do ask that you call us so that we can set a different timeline if one is required.

Ronald J. Kruzeniski, Q.C.
Saskatchewan Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca

Sample access request policy and checklist

In a number of reports issued by my office, we have recommended that the towns/villages/municipalities develop an operational policy regarding processing access to information requests. After a number of questions, it became clear that there didn’t seem to be a sample policy developed for small towns/villages/municipalities. Larger organizations have developed policies that are applicable to an organization that has many employees and probably legal staff. In fact, the policy that has been developed here was tailored from the City of Regina’s operational policy but for a smaller organization.

Anything that is labeled a “sample policy” should be treated as a starting point for drafting. In using this sample, one should feel free to delete language that isn’t applicable to their organization and add language that speaks specifically to them.

In The Local Authority Freedom of Information and Protection of Privacy Act, the “head” is the Mayor or Reeve in a town or village. It is a recommended practice to delegate the “head’s” responsibility to the administrator or city clerk.

Following the posting of the sample operational policy, we have had discussions with people about the need for an access request checklist. Something simple that the head, Reeve or administrators could follow when they receive an access request. So, we developed a sample checklist. Again, the checklist is a “sample” or “guide”. Public bodies should adapt it to their needs: add things and delete things. We have also updated the sample policy to refer to the checklist.

You can find the sample policy here. The Sample Access Request and Checklist can be found attached at the end of the Sample Operational Policy, Access to Information.

Statement from the Office of the Information and Privacy Commissioner on Access to Information During a Pandemic

The question has been raised: What about access requests during a pandemic?

In Saskatchewan, The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and The Health Information Protection Act (HIPA) are still in force. Citizens of Saskatchewan still have the right to request information or records. Public bodies are still required to accept and process access requests. If staff are assigned to pandemic or other essential issues, I understand. On the other hand, public bodies have designated FOI staff who may now be working from home, and the processing of access requests can continue. It might not be quite as efficient, but it can and should continue. Public bodies, when faced with a heavier than normal workload on access requests, can consider an extension, but no public body should just refuse to process requests. If someone is working from home, they may need access to records which are at the office. Before stopping work on the request, the public body should explore other ways of getting the record. It might be slower, but the process can still move forward. Of course, with electronic records, working from home may still allow access to the necessary records.

When access requests focus on COVID-19, I would ask public bodies to accelerate those requests and give them priority. Citizens are naturally concerned and worried about the situation. Being transparent can reduce the anxiety that is in society right now. Getting an answer 30 or 60 days from now will not be of much assistance to the citizen.

When we thought this situation would take two weeks, suspension of service might have been reasonable. When isolation might occur for three months or longer, we need to have our information process systems operating, although maybe not quite as efficiently as before.

Finally, FOIP, LA FOIP and HIPA are still operative, and the requirements and timelines in legislation cannot be waived by me. My office can be flexible on timelines imposed by my office during reviews and investigations, for example, for providing a submission, providing the record or answering questions. If you need an extension, please make that request directly to the individual in my office working on that file with you.

I ask all public bodies to work with my office to keep the access to information system working.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca

Prescribed access to information request form

My office has encountered situations where an individual writes a letter or sends an email requesting information to a public body. The public body responds that the request is not in the prescribed form and indicates it will not treat it as a formal access to information request. The FOIP/LA FOIP Regulations do prescribe a form and that form is available on our website.

In Review Report 223-2018 regarding the Rural Municipality of Blaine Lake No. 434, my office has taken the position that if the letter or email contains all the elements, it should be treated as an access request.

In this regard, The Legislation Act provides:

Deviations from required form

2-26 If an enactment requires the use of a specified form, deviations from the form do not invalidate a form used if:

(a) the deviations do not affect the substance;

(b) the deviations are not likely to mislead; and

(c) the form used is organized in the same way or substantially the same way as the form the use of which is required.

This provision in effect says that if you have all the same information as the prescribed form, it should be treated as an access request.

So, I would ask all public bodies to review letters or emails they receive requesting information, and if the request contains all the required elements, then proceed to treat it as an access request.

There will be situations where almost everything is in the letter or email and the public body could say, “oops, sorry you haven’t included all the elements”. A better practice would be to telephone or email the person and request that final piece of information. Subsection 5.1(1) of FOIP/LA FOIP imposes a duty to assist, and what better way to assist than by getting the one piece of information and proceeding with the request? If a public body does not do this, then the person requesting the information could just file another request with the omitted element. Why put people through that when being technical merely causes delay?

Having said all of that, I think it is still fine to have a prescribed form, and I would certainly encourage public bodies, when they get that initial call asking for information, to suggest that people use the form and to provide it if requested. This prevents them from missing out on important information.

Circle of Care

When my office investigates privacy breaches in the health care sector, at times, the defense, the explanation, or the reason given is that one believed they were in the “circle of care”. What is the circle of care? It certainly is not used in The Health Information Protection Act (HIPA). I did find one definition on the Canadian Medical Protective Association (CMPA) website in its “Glossary”:

Circle of care
The group of healthcare professionals providing care to a patient who need to know the patient’s personal health information to provide that care.

In using this definition, I note the words “who need to know… to provide that care”. That word “need” is most important.

HIPA, in section 23, deals with the need-to-know. If you define “circle of care” by referring to need-to-know, then one is really echoing the principle set out in section 23 of HIPA.

When people were talking to me, they referred to the “circle of care” as an etched-in-stone concept. I fear many have their own definition of “circle of care”. That creates problems if we all have our own definition. The CMPA definition is one that might create a common understanding of the term.

Dr. Karen Shaw has written an article in “DocTalk” and says this about “circle of care”:

Unfortunately, the use of terminology such as the concept of “circle of care” has led to some of this confusion. The term should be abandoned, as it infers that once a healthcare worker is in the circle of care that person is entitled to access all of the patient’s personal health information. This is incorrect.

There needs to be further discussion on the use and meaning of “circle of care” and how it works in light of section 23 of HIPA. My preference is that the term be abandoned.

Records blowing in the wind – Saskatchewan needs a private-sector privacy law

Citizens in Regina had a difficult time navigating Victoria Avenue on Wednesday January 22, 2020. Boxes and papers that had spilled out of the back of a truck blocked the road. It was determined that the papers contained the personal information of citizens and that the owner of the papers was a private-sector business for which my office has no jurisdiction. The type of personal information involved included names, addresses, phone numbers, email addresses and financial transactions that individuals were involved in (e.g. payments received).

Unlike some other provinces in Canada, Saskatchewan does not have a private-sector privacy law. If it did, the Commissioner would have jurisdiction to investigate such a privacy breach. However, despite not having jurisdiction, my office still played an initial role in trying to determine where the records originated.

My office contacted the Office of the Privacy Commissioner of Canada to see if the federal Privacy Commissioner had jurisdiction. Federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), sets national standards for privacy practices in the private sector such as how private-sector businesses collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada. It also applies to the personal information of employees of federally-regulated businesses such as banks, airlines and telecommunications companies.

The outcome of this privacy breach was that the federal office provided directions through our office to the City of Regina who had initially gathered records off the street. A local response by my office might have been more efficient. We are available to attend to the scene right away, respond to the media inquiries, be available to quickly interview witnesses, gather evidence and provide prompt guidance to both the City and the business that lost its records. In order for us to do that, we need a Saskatchewan private-sector privacy law similar to ones in British Columbia, Alberta and Quebec.

If this type of event occurs again in the future, some initial steps that can be taken are:

  1. Immediately secure the records – collect them and put them in a secure place (locked office or drawer);
  2. If it is possible to identify whom the records belong to, notify them; notify my office or the federal Privacy Commissioner’s office at 1-800-282-1376; and
  3. Keep the records securely stored, limit access and wait for further instructions from my office or the federal Privacy Commissioner’s office.

Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on eHealth Saskatchewan Potential Privacy Breach

The Office of the Information and Privacy Commissioner of Saskatchewan is investigating a cyberattack affecting eHealth and potentially health care information

The Office of the Information and Privacy Commissioner of Saskatchewan (IPC) is undertaking an investigation into a cyberattack on the computer systems of eHealth. eHealth is Saskatchewan’s main service provider of health information in the province.

The office is working closely with eHealth.

On January 10, 2020, eHealth reported a ransomware attack on their computer systems to the IPC. eHealth has confirmed publicly that it was subject to a ransomware attack.

The IPC investigation will, among other things, examine whether there was a breach of personal information or personal health information, and if so, the scope of the breach, the circumstances leading to it, and what, if any, measures eHealth could have taken to prevent and contain the breach. My office will also investigate ways eHealth can help ensure the future security of personal health information and avoid further attacks.

If anyone has any questions, they can contact eHealth by email at privacyandaccess@eHealthSask.ca or by phone at 1-855-eHS-LINK (347-5465).

Alternatively, persons who have questions or wish to file a complaint can contact my office at 306-787-0488 or 1-877-748-2298.

Note to media: My office will not discuss the details of the investigation while it is ongoing. My office will issue a public report once the investigation is complete.

Ronald J. Kruzeniski, Q.C.
Information and Privacy Commissioner of Saskatchewan

Media contact: Kim Mignon-Stark, Executive Assistant

Office of the Information and Privacy Commissioner of Saskatchewan
kmignon-stark@oipc.sk.ca 306-798-0173

503 – 1801 Hamilton Street, Regina SK S4P 4B4
Telephone: 306-787-8350 / Toll Free Telephone (within Saskatchewan): 1-877-748-2298
Email: webmaster@oipc.sk.ca / Twitter: @SaskIPC

Statement from Office of the Information and Privacy Commissioner of Saskatchewan on LifeLabs Privacy Breach

The office of the Commissioner is investigating a cyberattack affecting health care information of millions of customers in Canada and approximately 93,000 residents in Saskatchewan

Thursday, December 19, 2019 – The Office of the Information and Privacy Commissioner of Saskatchewan (IPC) is undertaking an investigation into a cyberattack on the computer systems of Canadian laboratory testing company LifeLabs. The office is working closely with the Information and Privacy Commissioner of British Columbia and the Information and Privacy Commissioner of Ontario, who are also undertaking investigations.

LifeLabs is Canada’s largest provider of general diagnostic and specialty laboratory testing services. The company has four core divisions – LifeLabs, LifeLabs Genetics, Rocky Mountain Analytical, and Excelleris.

On December 13, 2019, LifeLabs reported a cyberattack on their computer systems to the IPC. On December 17, 2019, they confirmed they were the subject of an attack affecting the personal information of millions of customers in Ontario, British Columbia and Saskatchewan. They told us that the affected systems contain information of approximately 15 million LifeLabs customers across Canada, including name, address, email, customer logins and passwords, health card numbers, and lab tests.

The IPC investigation will, among other things, examine the scope of the breach, the circumstances leading to it, and what, if any, measures LifeLabs could have taken to prevent and contain the breach. My office will also investigate ways LifeLabs can help ensure the future security of personal information and avoid further attacks.

If you have visited LifeLabs for a test or received a test/service from LifeLabs Genetics and Rocky Mountain Analytical, then it is likely your information is in the LifeLabs database.

LifeLabs has set up a dedicated phone line and information on their website for individuals affected by the breach. To find out more, the public should visit customernotice.lifelabs.com or contact LifeLabs at 1-888-918-0467.

Alternatively, persons who have questions or wish to file a complaint can contact my office at 306-787-0488 or 1-877-748-2298.

Note to media: My office will not discuss the details of the investigation while it is ongoing. My office will issue a public report once the investigation is complete.

Ronald J. Kruzeniski
Information and Privacy Commissioner of Saskatchewan

Media contact:
Office of the Information and Privacy Commissioner of Saskatchewan
Kim Mignon-Stark
kmignon-stark@oipc.sk.ca 306-798-0173

Canada’s access to information and privacy guardians urge governments to modernize legislation to better protect Canadians

Information and Privacy Ombudspersons and Commissioners from across Canada are urging their governments to modernize access to information and privacy laws.

In a joint resolution, Canada’s access to information and privacy guardians note that along with its many benefits, the rapid advancement of technologies has had an impact on fundamental democratic principles and human rights, including access to information and privacy. They further point out that Canadians have growing concerns about the use and exploitation of their personal information by both government and private businesses.

“Most Canadian access and privacy laws have not been fundamentally changed since their passage, some more than 35 years ago,” the resolution says. “They have sadly fallen behind the laws of many other countries in the level of privacy protection provided to citizens.”

While there have been legislative advances made in some Canadian jurisdictions, work is still required to ensure modern legislation is in place across the country in order to better protect Canadians.

The resolution notes that privacy and access to information are fundamental to self-determination, democracy and good government. It calls for:

  • a legislative framework to ensure the responsible development and use of artificial intelligence and machine learning technologies
  • all public and private sector entities engaged in handling personal information to be subject to privacy laws
  • enforcement powers, such as legislating order-making powers and the power to impose penalties, fines or sanctions
  • the right of access should apply to all information held by public entities, regardless of format

Canada’s Information and Privacy Commissioners and Ombudspersons reaffirmed their commitment to collaborate, make recommendations to government, and to continue to study and make public how access and privacy laws impact all Canadians.

Related Documents

Joint statement – Modernizing Access and Privacy Laws