
Lawyers Bills: Are They a “No Brainer”?

We have now had a few reports that have dealt with the application of the solicitor-client privilege exemptions (section 22 of FOIP and section 21 of LA FOIP) to lawyers’ bills. In these cases, the Commissioner relied on the Supreme Court of Canada decision Maranda v. Richer, [2003] 3 S.C.R. 193, 2003 SCC 67 to find that lawyers’ bills are subject to solicitor-client privilege. The Supreme Court held that there is a presumption of privilege for lawyers’ bills of account as a whole in order to ensure that solicitor-client privilege is honoured. (See IPC Review Reports 052-2013 and 280-2016 & 281-2016.)

When I refer to “lawyers’ bills”, I mean an invoice or statement of account sent by a lawyer or law firm to a public body after providing legal services. Some lawyers’ bills can be quite detailed and list the dates of individual phone calls, the tasks performed and the subject matter.

It is possible for an Applicant to rebut the presumption that solicitor-client privilege applies. To do so, the Applicant must provide persuasive arguments that disclosure will not result in the Applicant learning information that is subject to solicitor-client privilege. Order F15-16 from the Information and Privacy Commissioner of British Columbia lays out a test for determining whether the presumption of privilege has been rebutted. Applicants, though, are at a disadvantage when they must argue why privilege does not apply to information that they cannot see or examine.

So it does seem like a no-brainer that the solicitor-client exemptions would apply to this type of information, right?

Well… I think every issue in the FOIP World is unique!

A public body still has to be accountable for the public money it spends on legal services. In Review Report 003-2017, the Commissioner found that the details of payment for legal services in a public body’s accounts payable invoice history report were not subject to solicitor-client privilege. In other words, some of the information from the lawyer’s bill had been entered into the public body’s accounting system, and that accounting record was the subject of the review. The Commissioner reasoned that some of the data items in this record, such as the purchase order number, voucher number and bank information, were information that the public body itself assigned to the lawyer’s bill once it was received, so the exemption did not apply to these items. Further, the name of the law firm did not qualify because public documents already confirmed that the firm had been engaged by the public body. The firm’s invoice number and the due date did not reveal the nature of the advice that was sought. Finally, he also did not find a reasonable possibility that disclosure of the amount of the fees paid would reveal any communication protected by privilege.

Once again, I am reminded that our office must review every record, and the circumstances surrounding it, on a case-by-case basis.

 


Access and Privacy Rights of Minors Online

On May 3, 2016, our office posted to our website a blog titled, Who Signs for a Child?. Though the focus of that blog was on who can sign for a child under the age of 18 years, the following advice on mature minors was offered:

FOIP and LA FOIP do not contemplate the child asking for his or her personal information. But when children get to the age of what may be considered a mature minor, heads should use their discretion to provide the personal information if the child “understands the nature of the right or power and the consequences of exercising the right or power.” Heads should also look to their governing legislation to see if the Legislative Assembly has provided direction on the rights of the child.

HIPA does contemplate an individual under 18 years of age exercising a right under the Act such as requesting his or her personal information. When such a request is made, it is up to the trustee to determine whether the individual understands the nature of the right or power and the consequences of exercising the right or power.

What further complicates matters is when services being offered to children and adolescents move to the online world. How are access and privacy rights impacted?

Although there do not appear to be any global rules on children’s consent under the new General Data Protection Regulation (GDPR), Article 8 speaks to children’s consent for ‘information society services’ (services requested and delivered over the internet). It appears that for most services provided to children, parental consent is needed for those under 16 unless a Member State sets a different age. If a service is offered online, age-verification measures and reasonable efforts to verify parental responsibility for those under the relevant age are a must.

In an interesting decision, PIPEDA Report of Findings #2014-011, dealing with an investigation involving a website aimed at children between 6 and 13 years of age, the Office of the Privacy Commissioner of Canada commented as follows:

112.  The consent provisions of PIPEDA do not expressly speak to age-based consent. Principle 4.3 states that the knowledge and consent of an individual are required for the collection, use and disclosure of personal information. Principle 4.3.2 requires organizations to ensure that individuals are advised of the purposes for which the information will be used and that consent obtained from individuals is meaningful. Meaningful consent means that the individual concerned can reasonably understand how the information will be used or disclosed prior to providing consent.

113.  Meaningful consent becomes a more difficult notion where personal information is being sought from children. Can a child reasonably understand what they are being asked to consent to?

114.  Principle 4.3.6 of Schedule 1 states that consent can be given by an authorized representative (such as a legal guardian or a person having a power of attorney). However, it does not specify under what circumstances this can or should occur.

115.  In PIPEDA Report of Findings #2012-001, we recognized that there was value in users of a Canadian social networking website aimed at teenagers and young adults involving their parents in their online transactions. However, we concluded that PIPEDA did not require parents to provide consent on behalf of their teenager in the context of that website. We concluded in that case that in order to ensure meaningful consent was obtained, the information handling practices of the organization had to be explained in such a way that its teenage users could understand how their personal information would be handled by the website.

116.  Ganz’s Website is aimed at children under 13, a younger demographic group than the one at issue in PIPEDA Report of Findings: #2012-001. Children under the age of 13 have arguably a less sophisticated understanding of online marketing and social media interactions.

122.  We considered it questionable as to whether a child under the age of thirteen opening an account would be able to find this provision in the User Agreement, understand the text, and act accordingly.

Canada Health Infoway has done some work in this area, specifically examining adolescent access to PHI in a number of publications, including Consumer Health Solutions – Pandora’s Box Adolescent Access to Digital Health Records – Research Summary dated August 2016. Its Executive Summary states, “Outside of Quebec, statutes do not set an age requirement for a person to access their own PHI, to consent to the collection, use and disclosure of their PHI or to consent to treatment. However, there are other requirements to exercise the rights, such as knowledge, capacity or maturity.” Later it states, “the general rule is that a contract cannot be enforced against a minor (although there are exceptions).”

How do you cover your bases? The Privacy Commissioner of Canada offers good advice on dealing with kids online in Collecting from kids? Ten tips for services aimed at children and youth, including the following:

Make clear who is agreeing to terms and conditions. The ubiquitous “I have read and agree to the Terms and Conditions and Privacy Policy” checkbox on registration forms poses an additional difficulty when your users are youth. Is your organization asking the user to agree to these terms, or his or her parent/guardian? Remember, with younger children, the former is not possible given the need for meaningful consent. Moreover, if it is the latter, you must also ask yourself how you are ensuring that the parent/guardian has actually been involved in the process. The answer to these questions needs to be clear to, and consistent between, both you and your users.

Now that we are moving to online access to PHI through patient portals, what limits, if any, should be set on the age of those who can log in and get direct access to their own PHI? Is accepting any associated terms and conditions akin to entering into a contract? Our office has not yet had to offer any formal views on this particular issue. We will have to wait and see.


2017 Saskatchewan Connections Conference

The 2017 Saskatchewan Connections Conference is happening May 10 & 11 at the DoubleTree by Hilton in Regina. For more details please visit http://skconnections.ca/sk2017/index


Transitory Records and Access-to-Information Requests

What are transitory records?

The Provincial Archives of Saskatchewan defines transitory records as:

Records of temporary usefulness that are needed only for a limited period of time, to complete a routine task or to prepare an ongoing document. Also, exact copies of official records made for convenience of reference. These records are not required to meet statutory obligations or to sustain administrative or operational functions. Once they have served their purpose and, in the case of convenience copies the official record has been identified, these records should be destroyed in accordance with internal disposal procedures.

What are some examples of transitory records?

As mentioned above, records of short-term value are transitory records. Like official records, transitory records can come in any format, including post-it notes, handwritten notes, and electronic records such as emails and text messages.

Are transitory records subject to FOIP or LA FOIP requests?

Yes. Although transitory records are routinely disposed of, if the public body receives an access-to-information request under FOIP or LA FOIP, then any responsive transitory records in the possession or control of the public body must not be disposed of.

The receipt of a FOIP request should freeze all disposition action relating to records responsive to the request.

Public bodies should have processes in place to tell employees not to dispose of records that are responsive to a FOIP or LA FOIP request. It is an offence to wilfully destroy records to evade an access-to-information request. The penalty can be a fine and/or imprisonment.

How long must the public body wait before disposing of the transitory records?

The public body should wait at least one year before disposing of transitory records that are responsive to an access-to-information request. This is because the public body must include the transitory records as it processes the access-to-information request. Then, once the public body responds to the Applicant, the Applicant has one year from the time the response is given to appeal to the Commissioner (subsection 7(3) of FOIP and LA FOIP). Once this time period has expired, then the public body can dispose of the transitory records.

It should be noted that public bodies may continue to destroy transitory records that are not responsive to an access-to-information request according to their records management policy.

 


When the Media Calls (updated)

Every once in a while, a journalist or some other individual will call my office to ask whether a review has been started on a particular request for information or an investigation launched into a privacy breach. The policy of this office is not to immediately confirm that a request for review or a specific privacy investigation is underway, so that time can be taken to consider the privacy and confidentiality obligations my office has under The Freedom of Information and Protection of Privacy Act (ss. 46 and 53). One consideration is that the name of the applicant is personal information and should not be shared without the requisite need-to-know. I may nonetheless exercise my discretion as Commissioner in certain cases and confirm basic details (e.g., that an investigation file has been opened).

I think a bit more on the process may make it clearer what is going on behind the scenes once a review or investigation is underway. Briefly, for example, when Intake Officers of this office receive a request for review, they contact the parties and attempt to see if the matter can be settled. Will the applicant narrow his or her request? Will the public body revisit part or all of its decision to withhold information, reduce a fee or take any steps to provide the applicant with some or all of the information requested? If the matter cannot be settled, a letter notifying the public body, any engaged third party and the applicant that a review has started is sent and an Analyst is assigned. Staff ask the public body to provide a copy of the records at issue, an index of the records and its submission as to why it is withholding records. Upon receipt of those documents, the Analyst proceeds with the review, asks questions of the public body and, if necessary, interviews people and makes a site visit. Once this stage is completed, the final report is prepared, sent to the parties and posted on our website. The name of the applicant is not included in the public report. The public body has 30 days to advise the applicant and my office whether it will comply with the recommendations. After that, the applicant or a third party has 30 days to appeal to the Court of King’s Bench.

A diagram showing the process is available on our website.

It is a pretty straightforward process, and my office makes every attempt to move it along quickly so that parties get their decisions as soon as possible. Our goal is to resolve matters within 30 days or, on average, issue a report within 150 days. In certain instances, such as where the public body has failed to issue a section 7 decision or where the applicant is requesting a review of the fee quoted or of a fee waiver decision, our objective is to issue the report, on average, within 90 days. I ask all who work with us to help us reach these goals.


Unauthorized Access

This blog is focused on the unauthorized access to electronic health records for purposes such as curiosity, concern, personal gain, spite, or boredom, and the harm that results from such unauthorized access.

I note that the majority of trustee employees or individuals in service of a trustee (including physicians) access electronic health records for purposes that are authorized by The Health Information Protection Act (HIPA). This blog is not meant to deter these employees or individuals from accessing electronic health records they require to do their jobs.

UNAUTHORIZED ACCESS

The following are some examples of unauthorized access:

1. Looking up a family member’s personal health information out of concern.

There should be very limited circumstances in which employees or individuals look up their own or a family member’s personal health information. For physicians and surgeons, the College of Physicians and Surgeons’ Code of Ethics provides that treatment of themselves or immediate family members be limited:

Limit treatment of yourself or members of your immediate family to minor or emergency services and only when another physician is not readily available; there should be no fee for such treatment. (https://www.cps.sk.ca/imis/Documents/Legislation/Legislation/RegulatoryBylaws.pdf)

Therefore, physicians and surgeons should not be looking up a family member’s personal health information unless it is in the limited circumstances described in the Code of Ethics.

2. Looking up your own or a co-worker’s personal health information out of concern, curiosity, or spite.

Investigation Report H-2013-001 reported on snooping cases in which employees accessed and modified not only their own personal health information but also that of their co-workers. It doesn’t take a lot of imagination to understand the consequences of such actions, including that future health care decisions for these individuals could have been based on false information. (https://oipc.sk.ca/assets/hipa-investigation-h-2013-001.pdf)

3. Looking up patient records to alleviate boredom.

Electronic health records exist to support health care providers in providing care to patients. They are not meant to alleviate boredom, as discussed in Investigation Report 100-2015. (https://oipc.sk.ca/assets/hipa-investigation-100-2015.pdf)

4. Looking up patient records without a need-to-know.

Investigation Report 142-2015 reported a case where an employee accessed the personal health information of 901 individuals. This employee was fired and the Commissioner recommended that the case be forwarded to the Ministry of Justice, Public Prosecution Division, so that it could determine whether charges should be laid under HIPA. (https://oipc.sk.ca/assets/hipa-investigation-142-2015.pdf)

HARM OF UNAUTHORIZED ACCESS

Patients lose trust and confidence in the health system. They may be cautious about seeking treatment if they learn that a family member, friend, co-worker or colleague may have unauthorized access to their personal health information.

Trustees also suffer reputational damage when employees or individuals who are in service to the trustee (such as physicians) access electronic health records without a need-to-know.

FINES AND IMPRISONMENT

Recent amendments to HIPA create individual offences for unauthorized access to personal health information. As a result, employees or individuals in service of a trustee (such as a physician) may be fined up to $50,000 and/or face imprisonment of up to one year if they are found to have accessed personal health information for purposes not authorized by HIPA.

WHAT TO DO?

Trustees and trustee organizations should establish policies, procedures and training so that employees and individuals clearly know how to manage personal health information in accordance with HIPA. Audits should also be conducted regularly to ensure that policies and procedures are being followed.

Employees and individuals in service of trustees should access only the personal health information, including electronic health records, that they require to complete their job duties. If they have any questions, they should contact their supervisor, manager and/or the privacy officer of the trustee organization.


Updated: Tips for a Good Submission

So much of what we do here at the OIPC involves reviewing submissions (or representations) from parties.  In my time here, I have seen some very persuasive ones. I thought some tips on what, in my view, made a persuasive submission would be helpful.

A submission contains a party’s arguments in support of their position.  For public bodies or third parties, depending on the nature of the case, this often means arguments for why particular exemptions apply.  For applicants, it means arguments for why information should be released and why particular exemptions do not apply.  Here are some tips and things to avoid.

Tips 

When drafting your submission, our office encourages parties to rely on our resource called the IPC Guide to FOIP for government institutions or the IPC Guide to LA FOIP for local authorities. These Guides have six chapters each and cover all the provisions in The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP). Of particular interest in a review matter is Chapter 4: Exemptions from the Right of Access, which sets out the tests and definitions for all the exemptions under Part III of FOIP and LA FOIP. These tests reflect the precedents set by the current and former Information and Privacy Commissioners in Saskatchewan, Commissioners in other jurisdictions and court decisions from across Canada. We use these tests in our reviews. As such, our office is looking for how an exemption applies using the test in the applicable Guide, so covering this in your submission improves its likelihood of successfully convincing the Commissioner that the exemption applies.

A persuasive submission should have just enough information to support your position but not more than what is needed.  It should have the following four things for each exemption relied on:

  1. List the exemption that has been applied.
  2. List the page numbers that it applies to (group pages if the records are similar).
  3. Reproduce the test from the Guide for that exemption.
  4. Lay out your arguments for each part of the test (make sure to tie them to the information in the record).

Things to Avoid

  • Avoid just stating “yes” to the test questions in the Guide. Explanation is needed.
  • If citing court cases and/or orders from other jurisdictions, simply provide the URL. No hard copies are required.
  • Avoid just restating the exemption or the test question as an argument, for example, “This information qualifies for exemption under subsection 17(1)(a) of FOIP because it is a recommendation developed by or for a government institution.”
  • Avoid arguments that go beyond what is contemplated by the exemption (e.g., public interest override arguments when it’s not part of the exemption).

Things to consider:

  • If providing supporting documentation (e.g., court cases or evidence) explain in the submission how it supports your position (i.e., tie it into your arguments). If a supporting document isn’t tied to anything, it won’t be persuasive.
  • Ensure that your submission matches your Index of Records and the record itself (i.e., page numbers and exemptions relied on). If not, it can appear that the preparation of materials was rushed, which could give the impression that the application of exemptions was rushed as well.
  • Make sure you explain sufficiently how the information meets the test threshold (e.g., explain the ‘harm’ that you foresee in detail for harms based exemptions).

For more assistance on preparing your submission, Index of Records and/or the record itself, you can refer to our resources:

What to Expect During a Review with the IPC:  A Resource for Public Bodies and Trustees
A Guide to Submissions
The Guide to FOIP
The Guide to LA FOIP
But I’m the Applicant – how can my submission help?
Preparing and writing a submission


Risk Management and Privacy Protection

Most organizations today have addressed the issue of risk management. Many have gone through a process of identifying the risks and the ways of mitigating those risks. They will have a document listing the risks and the mitigating factors. Some will report to the CEO, a board, a council or a minister on a regular basis.

When you hear the reports from around the world of systems being hacked and data being copied and/or released on the web, of the costs to prevent future breaches, and of the damage to reputation and brand, the security of data (personal information and/or personal health information) is undoubtedly a risk that an organization faces. It is a significant risk, and managers need to find ways of lessening it. Can you eliminate the risk? Probably not, but you can lessen it in the future.

This blog is to encourage all organizations to identify the security of their data as a high risk and to regularly discuss and report the level of risk and the steps they are taking to mitigate it. As to how to lessen that risk, there are many resources out there on best practices to protect your data, including The Personal Information Protection Act (PIPA) Advisory #8, Implementing Reasonable Safeguards, from the Alberta IPC, or Securing Personal Information: A Self-Assessment Tool for Organizations, available on the Privacy Commissioner of Canada’s website.

Another way to identify and mitigate risk is by conducting a privacy impact assessment. More is available in my office’s publication Privacy Impact Assessment Guidance Document, on our website.

I encourage all organizations to put into practice ways of reducing the risks.


Work Product vs. Personal Information

We often get questions about employees’ or board members’ names on documents, meeting minutes, organizational websites, etc. Public bodies are unsure whether the names should be severed before being released to an applicant or made public on a website.

So, I thought I would write a blog on what is the personal information of an employee and what we would consider ‘work product’.

Personal information is defined in section 24 of The Freedom of Information and Protection of Privacy Act (FOIP) and section 23 of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP). Part of the definition includes “employment history” and “personal opinions”.

‘Employment history’ is the type of information normally found in a personnel file such as performance reviews, evaluations, disciplinary actions taken, reasons for leaving a job or leave transactions. It does not include work product.

A public body collects various personal information of its employees and board members. This personal information should, of course, be protected. But it is not the same as work product.

‘Work product’ means information prepared or collected by an individual or group of individuals as a part of the individual’s or group’s responsibilities or activities related to the individual’s or group’s employment or business.

So, I bet you are confused now! Here are some examples that may help clarify this:

Work Product | Personal Information
Jane made this decision based on certain criteria. It was her role to make the decision. | Even though Jane made the decision based on certain criteria, her opinion was that she would have preferred a different decision.
The public body has awarded a contract to Bill for a service. | The public body did not award Bill this contract because he did not have favourable references.
Jill gave the following advice to her supervisor when asked to do so. | Jill’s performance evaluation suggests that she should do more research before providing advice.
Board Member Joe made a motion in the meeting. | Board Member Joe resigned from the Board for personal reasons.

Just a few other notes to keep in mind:
  • Pursuant to subsections 24(1)(h) of FOIP and 23(1)(h) of LA FOIP, Joe’s opinions about Bill qualify as Bill’s personal information.
  • If you are wondering about salary information, that is a whole different can of worms…  see our blog When Salary is Open to Public Scrutiny.

Don’t worry… I’ve worked at the OIPC for 7 years, and it still takes all my concentration to figure this out. Wait… is that my personal information?


Snooping: When Will People Learn?

Before I was appointed Commissioner, my reading, studying and listening to the media made me really concerned about staff snooping into personal information (PI) or personal health information (PHI) when there was no need to be looking. Before being appointed, I attended a conference where a speaker on security said the greatest problem for organizations is from within. Reviewing cases since then and looking at media reports from across Canada and North America, I have come to the conclusion that we have a problem that just does not seem to go away. I am asked what the reasons are; they can be curiosity, boredom, or checking on an ex-spouse, girlfriend or family member. All of these reasons are unacceptable. There is only one reason for accessing my PI or PHI; that is, you need to in order to do your job and to provide the client with service or the patient with care.

I am asked what the consequences for snooping should be. Because of the frequency of such events, I believe CEOs should consider making the consequences more serious. Firing should be an option, but I accept that it is not applicable in all circumstances. A suspension for a period of time should definitely be considered. If the snooping involved an electronic system, suspension of access to that system for a period of time is essential. Once the snooper is allowed back on the system, there should be monitoring for one or two years.

I am also asked what employers should do when they discover a case of snooping. First, CEOs should be angry that an employee has breached a very basic rule of their corporate culture. Second, they need to launch an internal investigation quickly, sometimes conducted by someone outside of the organization. They should authorize, as soon as possible, a letter being sent to each client/patient, indicating that their PI or PHI has been accessed and that an investigation has begun. Later, they should advise those affected that disciplinary action has been taken, indicating the exact discipline. There are sections in the acts and regulations which will support the release of the details of the discipline.

Further, employers should insist on annual access and privacy training for all staff. Employees should be asked to sign confidentiality agreements at the beginning of employment and annually.

In the past, there may have been a culture that it was okay to look up someone’s PI or PHI, but since 1992 and 1993, the legislation changed that. It is necessary for the culture in public bodies to catch up to the legislation. I hope that happens sooner rather than later.
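As an added example (this is not code from the OIPC blog or from any real EHR product) of the regular audits recommended in the Unauthorized Access post and the post-incident monitoring recommended above, the following Python script runs four review rules over constructed audit-log lines: chart views outside a recorded care relationship, views where the staff member and patient share a surname (a possible family or self lookup), staff viewing many charts with no care relationship, and every view by a user on a post-incident watch list. The CSV format, the care-relationship field, the thresholds and the watch list are all assumptions made for the example.

```python
"""Review an EHR access audit trail for the snooping patterns described above.

Added example, not code from the OIPC blog or from any real EHR product.
Assumptions (all constructed for illustration):
  * one CSV line per chart view:
      timestamp,user,user_surname,patient,patient_surname,care_relationship
  * care_relationship is "yes" when the system records the user as being on
    the patient's care team at the time of the view (a real system may or
    may not record this)
  * the threshold and the watch list are illustrative, not from any report
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    user_id: str
    user_surname: str
    patient_id: str
    patient_surname: str
    care_relationship: bool  # user is on the patient's care team at view time


# Constructed sample audit-log lines (not real data).
SAMPLE_LOG = """\
2017-03-01T08:02:11,u100,Patel,p001,Lee,yes
2017-03-01T08:15:40,u100,Patel,p002,Singh,yes
2017-03-01T09:01:05,u200,Lee,p001,Lee,no
2017-03-01T09:30:00,u300,Moore,p003,Chan,no
2017-03-01T09:31:00,u300,Moore,p004,Novak,no
2017-03-01T09:32:00,u300,Moore,p005,Dube,no
2017-03-01T09:33:00,u300,Moore,p006,Roy,no
2017-03-01T10:00:00,u400,Kim,p007,Ali,yes
"""


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the constructed CSV format; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, usur, pat, psur, rel = (f.strip() for f in line.split(","))
        events.append(AccessEvent(ts, user, usur, pat, psur, rel.lower() == "yes"))
    return events


def review_access(
    events: List[AccessEvent],
    volume_threshold: int = 3,
    watchlist: FrozenSet[str] = frozenset(),
) -> Dict[str, list]:
    """Apply four review rules and return what each one flagged.

    no_care_relationship    : every view outside a recorded care relationship
    possible_family_or_self : such a view where user and patient share a surname
                              (a weak signal that needs human review)
    high_volume             : users who viewed >= volume_threshold distinct charts
                              without a care relationship
    watchlist               : every view by a user under post-incident monitoring,
                              authorized or not, so a reviewer sees all activity
    """
    findings: Dict[str, list] = {
        "no_care_relationship": [],
        "possible_family_or_self": [],
        "high_volume": [],
        "watchlist": [],
    }
    charts_without_relationship: Dict[str, set] = defaultdict(set)

    for e in events:
        if e.user_id in watchlist:
            findings["watchlist"].append((e.user_id, e.patient_id))
        if e.care_relationship:
            continue
        findings["no_care_relationship"].append((e.user_id, e.patient_id))
        charts_without_relationship[e.user_id].add(e.patient_id)
        if e.user_surname.casefold() == e.patient_surname.casefold():
            findings["possible_family_or_self"].append((e.user_id, e.patient_id))

    for user, patients in charts_without_relationship.items():
        if len(patients) >= volume_threshold:
            findings["high_volume"].append((user, len(patients)))
    return findings


if __name__ == "__main__":
    report = review_access(parse_log(SAMPLE_LOG), watchlist=frozenset({"u400"}))
    for rule, hits in report.items():
        print(f"{rule}: {hits}")
```

The rules deliberately produce review queues rather than verdicts: a shared surname or a burst of chart views is a reason for the privacy officer to ask the question, not proof of snooping, and a watch-listed user's authorized views are listed so the reviewer can see the full pattern during the monitoring period.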

Ten tips for addressing employee snooping
Ten Tips for Addressing Employee Snooping
Tips for Addressing Employee Snooping
Detecting and Deterring Unauthorized Access to Personal Health Information

