Ontario IPC issues guidance on police use of facial recognition and mug shots

European Parliament passes landmark AI Act on March 13

UK AI regulation bill receives second reading

AI Notetakers – the risks and benefits

UN adopts AI resolution which focuses on safety

Ontario school boards sue makers of Facebook, Instagram, Snapchat and TikTok

Tennessee Elvis Act, replication of voices” by AI

Australian government proposes to implement AI changes

Podcast -Ontario IPC discusses facial recognition

Draft American Privacy Act introduced

Saskatchewan IPC Tables 2018-2019 Annual Report

Saskatchewan IPC Tables 2018-2019 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, Q.C., has submitted his office’s 2018-2019 Annual Report to the Legislative Assembly. In his Report, the Commissioner stated:

“The rest of this Report and the next five years of my term will really be focused on modernizing this legislation to take into account the database/internet world we now live in.”

In this year’s Report, he is calling for modernization of our access and privacy legislation to ensure new threats to privacy are sufficiently addressed and citizens are able to access public records with greater ease.  Some of those threats and process improvements identified in the Report are as follows:

  • Trustees to require express consent before using recording or video devices to collect personal health information;
  • Clarify that an access to information request may be made on the prescribed form, in writing or electronically;
  • Mandate trustees when using electronic means to collect, use or disclose personal health information to create, maintain and regularly audit records of user activity of those systems;
  • Explicitly state that access to manuals, policies, guidelines or procedures, if not on a government institution’s or local authority’s website, is provided free of charge;
  • Require all personal health information be stored in Canada;
  • Provide the ability of the Commissioner to comment on the privacy implications of new technology;
  • Include a section making access easier for those with disabilities; and
  • Streamline the fee structure and provide that no citizen pays if the costs are under $200.

Opinions and Views about Opinions and Views

When it comes to figuring out whether opinions and views qualify as personal information under The Freedom of Information and Protection of Privacy Act (FOIP) or The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), it can get confusing!!

Subsections 24(1)(f) of FOIP/23(1)(f) of LA FOIP indicate that “the personal opinions or views of the individual except where they are about another individual” qualifies as personal information.

Subsections 24(1)(h) of FOIP/23(1)(h) of LA FOIP indicate that “the views or opinions of another individual with respect to the individual” qualifies as personal information.

Finally, subsections 24(2)(c) of FOIP/23(2)(b) of LA FOIP indicate that the personal opinions or views of an individual employed by a public body given in the course of employment, other than personal opinions or views with respect to another individual DOES NOT qualify as personal information.

So what is the FOIP universe trying to tell us about opinions and views?

First thing to know is that subsections 24(1)(f) of FOIP/23(1)(f) indicate that personal opinions or views of an individual are personal information.  The key is that the opinion or view has to be personal – in other words information that reveals something about the individual.

In contrast, opinions or views that are expressed in a professional context would be considered work product.    Work product which is information generated by or otherwise associated with an individual in the normal course of performing professional or employment responsibilities, whether in a public or private setting. Work product is not considered personal information.  This is supported by subsections 24(2)(c) of FOIP/23(2)(b) of LA FOIP.

Also, subsections 24(1)(f) of FOIP/23(1)(f) indicate that an individual’s personal opinion or view is their personal information except where the opinion or view are about another individual.  That is an excellent segue to subsections 24(1)(h) of FOIP/23(1)(h) of LA FOIP…

Subsections 24(1)(h) of FOIP/23(1)(h) of LA FOIP indicates that the views or opinions of another individual with respect to the individual is personal information. This means that an opinion or view about an individual is the personal information of the subject individual.

I hope at this point in my blog that you are not more confused than when you started.  It might be easier to classify opinions and views into three categories:

Professional Opinions

Example:  Sue works for the public body and it’s her job to provide advice and analysis on a proposed program.  Sue’s opinion is that the public body should fund the proposed program.

Is it personal information?  No!  This is not Sue’s personal information as it is her professional opinion, not a personal opinion.  It is work product.

Example:  The public body consults with PrivacyCo, a not for profit organization and a stakeholder, on the proposed program.  Jill, the Director of PrivacyCo volunteers a written submission expressing opinions about the program on behalf of the organization.

Is it personal information?  No. Jill provided the opinions in her professional capacity as Director of PrivacyCo.

Personal Opinions

Example: Bob is a concerned member of the public and Bob writes a letter to the local authority expressing his opinion that the proposed program is flawed.

Is it personal information?  Yes.  This is Bob’s personal information pursuant to subsections 24(1)(f) of FOIP/23(1)(f) of LA FOIP.  The opinion is not about another individual.  There was no indication that Bob gave this opinion in a professional context.

Opinions about another individual

Example:  Lisa is a professional employed by the local authority and is reviewing Marc’s file.  Lisa believes Marc is struggling and could benefit from the program.

Is it personal information?  Yes.  The opinion is about Marc.  This is the personal information of Marc.

Example:  Sue tells Lisa’s boss that Lisa is doing a great job managing the program.

Is it personal information?  Yes, it is the personal information of Lisa.

My professional opinion is that this topic can be confounding but I hope I have clarified it for you a little bit.

By the way, for more information about work product, read the following blog:  Work Product vs. Personal Information.

Best practices when using USB drives

When thinking about this topic I decided to research how big of a USB drive I could actually purchase. I was surprised to see you can purchase one that stores 2 terabytes (TB) of data. Just think about that – something the size of a car key can 2 TB of data. With the ability to store that much data in a very small and portable way, it is important to be super vigilant when using memory sticks.

In January 2018, the IPC developed a resource – Helpful Tips: Mobile Device Security. This resource offers many tips and considerations that are helpful when using memory sticks, including administrative safeguards, technical safeguards and physical safeguards. However, here is a quick list of some things to keep in mind when using USB Drives:

  • Encryption/password protected devices: Only purchase USB drives that have encryption or password protection functionality.
  • Strong passwords: If you have a need to store personal information (pi), personal health information (phi) or other forms of sensitive or confidential information on a USB drive, be sure to have it locked by a strong password.
  • De-identify: When storing pi/phi on a USB, de-identify the information wherever possible.
  • Delete data: Immediately delete the data from the USB once it is no longer needed.
  • Unattended USBs: Do not leave USB’s in vehicles or unattended in public. If absolutely necessary, lock it in the trunk or glove box where it would be out of site. When not in use in your office, be sure to lock it up.
  • Access on a Need-to-Know Basis: When storing data on a device, access to that data should be on a need-to-know basis.
  • Lost or stolen USBs: Report lost or stolen USB’s immediately to your supervisor and the Privacy Officer.
  • Disposal: At the end of its lifecycle, be sure that all the data has been wiped from the USB. Once that is done, safely dispose of or destroy the USB before disposal.

For more applicable information on USB drive use, please see the following resources:

 

Can Public Bodies be a Third Party?

As you probably know, section 19 of The Freedom of Information and Protection of Privacy Act (FOIP) and section 18 of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) are intended to protect the business interests of third parties and to ensure that public bodies are able to maintain the confidentiality necessary to effectively carry on business with the private sector.

A third party is defined separately in both FOIP and LA FOIP.

Subsection 2(1)(j) of FOIP provides a definition of third party as follows:

2(1) In this Act:

(j) “third party” means a person, including an unincorporated entity, other than an applicant or a government institution.

Subsection 2(k) of LA FOIP provides:

2 In this Act:

(k) “third party” means a person, including an unincorporated entity, other than an applicant or a local authority.

You will note that a government institution cannot be a third party for the purposes of FOIP and a local authority cannot be a third party for the purposes of LA FOIP.

So the question is: does this support a principle that a public body cannot qualify as third party for the purposes of access to information legislation?  In other words, can a local authority be a third party for the purposes of FOIP and visa-versa?

One hint of this principle is section 13 of both FOIP and LA FOIP. These sections allow both government institutions and local authorities to withhold records obtained from both government institutions and local authorities in some cases. Further, these sections do not contemplate a formal notification process.

A former Commissioner of this office promoted this principle. In Review Report F-2012-001/LA-2012-001, he found that FOIP and LA FOIP should be read together and as such a local authority could not be a third party for the purposes of FOIP and a government institution could not be a third party for the purposes of LA FOIP. This report cited various sources to support this view.

The current Commissioner recently released Review Report 080-2018. He also agrees with this principle. However, he was not persuaded that it is supported by the wording of the current legislation. He recommended that the Minister of Justice consider an amendment to the definition of third party in both FOIP and LA FOIP that excludes both government institutions and local authorities in both Acts.

So for now, at least, a government institution can treat a local authority as a third party for the purposes of an access to information request. Also, you guessed it, a local authority can treat a government institution as a third party for the purposes of an access to information request.

Party on!

Search Checklist

One government institution that we work with often has developed a search checklist “Responsive Records Search Log”, which has really assisted them and my office knowing that a thorough search was made. I asked permission and permission was given to take their search checklist and modify it so that it might be applicable to any government institution or local authority.

I encourage Access and Privacy coordinators to take a look at the sample search checklist and decide whether such a search checklist would help in ensuring thorough searches. Certainly, one should feel free to adapt the search checklist to the circumstances in one’s organization.

The search checklist could be distributed by the Access and Privacy coordinator to those that he or she has identified as part of his or her search strategy. Along with the search checklist, the Access and Privacy coordinator should give the recipient a timeline to complete the search and indicate whether he or she is only seeking a representative sample for building a fee estimate or a full search for responsive records.

I believe the search checklist is helpful when multiple employees in an organization have to do searches. I believe it assists the Access and Privacy coordinator in determining whether the organization has done a thorough search.

Please take a look at the sample search checklist on our website here. Of course if you have any suggests to improve this search checklist, please email my office.

News Release for Review Report 204-2018 Northern Village of Pinehouse

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski Q.C., has issued his Review Report 204-2018 involving the Northern Village of Pinehouse. Kruzeniski stated:

My office will have now issued 13 Review Reports between 2013 and 2018 involving the Village. 12 of these reports deal with section 7 responses not being provided, delays in providing it or responses being inadequate. In addition, the Village did not cooperate with requests by my office in 10 of these cases.

And he further stated:

My office is concerned that the Mayor and the Village Administrator are obstructing the application of LA FOIP and believe that no town or village should be able to flagrantly disregard or obstruct the operation of a provincial statute. … The Minister of Government Relations has the power to direct an inspection or inquiry. I am recommending that the Minister direct an inspection or inquiry into the Village’s obstruction of LA FOIP.

Canada’s access to information and privacy guardians call for privacy regulation and oversight of political parties

In a joint resolution, Canada’s Information and Privacy Ombudspersons and Commissioners have called on governments to pass legislation requiring political parties to comply with globally recognized privacy principles, to provide Canadians with access to the personal information they hold about them, and to provide for independent oversight to verify and enforce privacy compliance.

Recent events have illuminated how political parties collect and use personal information to target individuals in specific and unique ways for political gain. Digital tools amass extensive amounts of personal information from diverse sources, frequently without the knowledge or consent of the individual.  These increasingly sophisticated big data practices raise new privacy and ethical concerns and the need for greater transparency is evident.

Further, Privacy Commissioner of Canada Daniel Therrien noted: “Recent investigations in various countries have revealed that political parties are gathering significant amounts of personal information on voters as they adopt new targeting techniques. Information about our political views is highly sensitive and it’s clearly unacceptable that federal and provincial political parties are not subject to privacy laws. The federal government’s response to public concern about how personal information is being used in the political process – Bill C-76 – adds nothing of substance in terms of privacy protection. It’s time to act to better protect the rights of Canadians.”

“Political parties access and use sensitive personal information of nearly all Canadians, but only in British Columbia are they subject to privacy legislation. These standards should be applied across the country so all Canadians have the same privacy protections,” says Michael McEvoy, Information and Privacy Commissioner for British Columbia.

The joint resolution, Securing Trust and Privacy in Canada’s Electoral Process, was agreed to at the annual meeting of federal, provincial, territorial Information and Privacy Ombudspersons and Commissioners. The full text is available on their respective websites.

Right to Know 2018 Panel Discussion: tips and tricks to making your request successful

Join us for a panel discussion on how to make the most of your access request in order to get the information you are seeking. Hear from both applicants and FOIP Coordinators about the access to information process in Saskatchewan. A question and answer session will follow. Click here for more information.

When: Monday, October 1 at 4:30 pm

Where: Regina Public Library Theatre (Central Branch – 2311 12th Avenue)

RSVP to webmaster@oipc.sk.ca   |   Cost is free

RTK Certificate of Recognition from the Ministry of Justice and Attorney General date September 11, 2018.

Sask. IPC Tables 2017-2018 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, Q.C., has submitted his office’s 2017-2018 Annual Report to the Legislative Assembly.  Kruzeniski stated:

“It is wise to take steps to reduce the risks of breaches of privacy.”

In this year’s Report, he noted his office conducted 117 privacy breach investigations including issuing a number of reports where a person, the ex-partner, snoops on the new spouse or partner. As such, he urged organizations to take steps to reduce the risk of privacy breaches and provided advice as to how to achieve this end. Some recommended actions included:

  • Consider conducting privacy impact assessments;
  • Ensure new employees get privacy training;
  • Insist on the use of strong passwords;
  • Use two smart phones: one for work and one for personal use;
  • Have two email accounts: one for work and one for personal use;
  • Back-up your data;
  • Develop an audit plan;
  • Discipline snoopers; and
  • Build a culture of privacy.

Who signs for an adult?

Two of my staff were giving a presentation to an organization who has both children and adults in its care. Questions were asked about who could sign for the adult (18 or older) when that adult may not have capacity to sign or consent.  This question took me back to the work I did for 19 years.  I sat down with those staff and gave them a long explanation and by the time I finished, I realized I should do an article on the issue.

A person (an adult) is presumed to have capacity to sign a document or to consent unless a court has declared that the person does not have capacity.  Where a court so declares, there is a court order making the declaration and usually indicating who is the personal or property guardian for that person.  If the document or consent relates to a financial or property issue, the property guardian has the authority, unless limited by the court order.  If the document or consent relates to a personal matter, then the personal guardian has the authority to sign, unless limited by the court order.

It is also possible that a Certificate of Incapacity can be issued under The Public Guardian and Trustee Act and the Public Guardian and Trustee can acknowledge that it will act as property guardian.  In that instance, the Public Guardian and Trustee has authority to sign documents and consent, related to property matters, subject to any limitations in The Public Guardian and Trustee Act.

Many times, particularly with younger adults, there is a reluctance to trigger the court order or a Certificate of Incapacity process.  The court process can be expensive and there is a fear that the adult will be stigmatized by the making of the declaration of incapacity.  The adult may not have assets that would justify the time and cost of a court application.  In these instances, uncertainty can prevail as to the ability to sign a document or a consent.  Remember, an adult is presumed to have capacity unless there is a court order or a Certificate of Incapacity.

Capacity or incapacity is not just black and white.  Adults may function well in one area, but not function well in another area such as judgement.  Adults may act normally today, but on another day, it would appear that their abilities are impaired. Being on or off medications may be a factor.  Emotions and stress will also be a factor.  All of this is to say that on a particular day an adult may or may not have capacity to sign a document or consent.

So, when important decisions have to be made, how do those working with the adult determine whether the adult can sign a document or consent?

In large part, the steps to be taken will depend on the magnitude or gravity of the decision or the consent.  If it is an extremely important decision or document, greater care should be taken by professionals in assessing capacity.  Having the adult examined by a doctor, phycologist, psychiatrist, psychiatric nurse or other health professional, may be the best course of action.  I know lawyers sometimes have this done when taking will instructions when capacity might be an issue.

For decisions that are less significant, it may just involve the professional dealing with the adult making an assessment of the adult’s capacity that day.  First by explaining, very carefully, the contents and the implications of the document or consent.

Now moving to the access and privacy world, an adult can request access to the adult’s personal information by filling in an access request form to a government institution, local authority or trustee.  In this case, the public body will have to determine at the time of delivery of the access request whether the adult understands the nature of the access request being made and if so, they should proceed with processing the access request.

On the privacy side, adults can consent to the release of the adult’s personal information.  Again, where an adult’s capacity is in question, the head of the government institution, local authority or trustee will have to determine whether the adult, at that time, has the capacity to consent.

Q. What does the legislation say?

A. The Freedom of Information and Protection of Privacy Act (FOIP), section 59 and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), section 49 provides:

Exercise of rights by other persons                

Any right or power conferred on an individual by this Act may be exercised:

(b) where a personal guardian or property guardian has been appointed for the individual, by the guardian if the exercise of the right or power relates to the powers and duties of the guardian;

(c) where a power of attorney has been granted, by the attorney if the exercise of the right or power relates to the powers and duties of the attorney conferred by the power of attorney;

(e) by any person with written authorization from the individual to act on the individual’s behalf.

The Health Information Protection Act (HIPA), has a similar provision, section 56 which provides as follows: 

Exercise of rights by other persons 

56 Any right or power conferred on an individual by this Act may be exercised:

(b) where a personal guardian has been appointed for the individual, by the guardian if the exercise of the right or power relates to the powers and duties of the guardian;

(e) where the individual does not have the capacity to give consent:

(i) by a person designated by the Minister of Community Resources and Employment if the individual is receiving services pursuant to The Residential Services Act or The Rehabilitation Act; or

(ii) by a person who, pursuant to The Health Care Directives and Substitute Health Care Decision Makers Act, is entitled to make a health care decision, as defined in that Act, on behalf of the individual; or

(f) by any person designated in writing by the individual pursuant to section 15.

Q. What if I have a power of attorney?

A. The legislation contemplates a property or personal attorney having the power to obtain information regarding the adult. It should be noted that the property attorney should only be able to get financial or property information and the personal attorney should only get personal information including personal health information.  The adult could set out limits in the power of attorney regarding accessing information. Those relying on a power of attorney must read that document to determine any limits.

Q. If an adult has appointed an attorney, can an adult request information? 

A. The answer is “yes” if the adult has that particular day the capacity to understand the nature of the request and the consequences of making the request. Appointing an attorney under a power of attorney does not take away an adult’s ability to make decisions or request information.  Whether the attorney agrees or disagrees with the decision or consent does not matter.  Thus, the adult, who has capacity on that day, can independently make an access request for information or consent to giving information to another person or organization.

Q. What if I am a proxy under a health care directive?

A. The Health Care Directives and Substitute Health Care Decision Makers Act, 2015 provides for adults making a health care directive where they appoint a proxy. The Act provides:

Personal health information to be disclosed

21 Notwithstanding any other Act or law, personal health information is to be disclosed by a treatment provider to a proxy, nearest relative or personal guardian if it is necessary to enable that person to make an informed health care decision.

So, unless limited by the wording in the health care directive, a proxy would have the right to request personal health information in order to make a health care decision.

One would also note that section 21 contemplates providing personal health information to a nearest relative or a personal guardian in order to make a health care decision.

Q. Does HIPA contemplate and allow disclosure to a proxy or nearest relative? 

A. The answer is yes.  Subsection 27(4)(l) provides as follows:

Disclosure

27(4) A trustee may disclose personal health information in the custody or control of the trustee without the consent of the subject individual in the following cases:

(l) where the disclosure is permitted pursuant to any Act or regulation;

Q. Are there any obligations on the trustee? 

A. Again the answer is yes. Section 21 of HIPA provides as follows:

Duty where disclosing to persons other than trustees

21 Where a trustee discloses personal health information to a person who is not a trustee, the trustee must:

(a) take reasonable steps to verify the identity of the person to whom the information is disclosed; and

(b) where the disclosure is made without the consent of the subject individual, take reasonable steps to ensure that the person to whom the information is disclosed is aware that the information must not be used or disclosed for any purpose other than the purpose for which it was disclosed unless otherwise authorized pursuant to this Act.

Q. Can an adult do anything else to authorize someone else to obtain information?

A. The answer is “yes”. FOIP subsection 59(e), LA FOIP subsection 49(e) and HIPA subsection 56(f) contemplates something in writing, signed by an adult who has capacity on a particular day and understands the nature of the document being signed. This could be less formal than a power of attorney, a health care directive or court order.  It could be on a form designed by the organization.  The head of the government institution, local authority or trustee would need to, as best as the head can, determine whether the adult had capacity at the time of signing.

I hope this blog has clarified an area that at times is complex.  It is always important to remember that an adult has capacity unless there is a court declaration or a Certificate of Incapacity.  Professionals will have to, on a regular basis, determine whether a particular adult has capacity to sign or consent.  Those decisions will be influenced by the seriousness of the consequences of making the decision.  If in doubt, professionals can ask for an assessment from another professional, but should always start from the point of view that an adult has capacity.  Being eccentric, difficult and non-cooperative does not necessarily indicate lack of capacity.

Other helpful resources on this topic can be found at the Public Guardian and Trustee website: https://www.saskatchewan.ca/government/government-structure/boards-commissions-and-agencies/office-of-the-public-guardian-and-trustee