NEW Checklist for Healthcare Organizations Considering the use of an AI Scribe

Privacy Commissioner of Canada to investigate cybersecurity breach at WestJet

PowerSchool commits to strengthened breach measures following engagement with the Privacy Commissioner of Canada

Sask. information and privacy commissioner brings a focus on cyber security, AI

Guardrails for Police Use of Investigative Genetic Genealogy in Ontario

Access to Information Act, Protection of Privacy Act implemented in Alberta

Commissioner Dufresne launches exploratory consultation on children’s privacy code

Survey conducted by OPC found that most parents worry about their children’s online privacy

Information and Privacy Commissioner of Ontario and The French Language Services Commissioner discuss your rights of access to information and services in French June 4, 2025

Ontario IPC releases a new independent research report on emerging technology- Emerging Uses of Neurotechnology.

What Makes a Good Submission?

What Makes a Good Submission?

The staff at the OIPC recently watched a webinar called The Art of Persuasive Speaking put on by The Canadian Bar Association. Some of the points made in the webinar are relevant to public bodies providing submissions to our office. I thought I would share some further tips pulled from that webinar.

When you want to be persuasive in your arguments to our office:

1. Have a plan and prepare:

Your goal is to convince our office that the public body is in compliance with the legislation.

  • Assemble all the evidence (information) relevant for our office;
  • Lay out the facts, tests, law and argument;
  • Focus on the key disputed facts and issues; and
  • Understand the role of the public body as it pertains to burden of proof (section 61 of FOIP/section 51 of LA FOIP).

2. Know your audience:

Understanding the role of our office is important in tailoring your arguments. Our office is a neutral oversight body. Our office is being asked to make a decision and recommendations.  We have found that when dealing with other organizations, a cooperative approach really works. We are not on the side of the applicant, third party or the public body. We are the first level of appeal before the Court of King’s Bench (2nd level of appeal).

  • Remember, our office will also be receiving arguments from the opposing parties in the case; and
  • How persuasive a party’s arguments are will influence the outcome of the case and you want yours to be most persuasive.

3. Use persuasive techniques:

Your goal is to make our office want to decide in your favour. Show us how to get there.

  • Put yourself in the shoes of our office, and ask: “If I had to make this decision, what would I need to make it?” This will help you focus on the key issues and anticipate questions our office would likely ask;
  • Use solid arguments and deliver only true and accurate statements;
  • Put your best (strongest) arguments first;
  • Avoid filling your submission with endless details without context;
  • Broad general statements are not persuasive; and
  • Present arguments from reputable sources.

These are all effective means of putting your arguments forward, which is in turn more persuasive. For more assistance on preparing your submission, Index of Records and/or the record itself, you can refer to our resource, What to Expect During a Review with the IPC:  A Resource for Public Bodies and Trustees

Was this page helpful?

Saskatchewan Information and Privacy Commissioner’s Proposal on Data Matching

First reading has been given to The Data Matching Agreements Act.  Kruzeniski stated:

In the spring of this year, I released proposals for Data Matching legislation.  I am pleased that the Legislative Assembly is now considering such legislation.

And he further stated:

The proposed legislation clarifies the steps that a Ministry must take in order to perform data matching.  It is my intent to require organizations to follow the Act.

And he finally stated:

It will be absolutely necessary that government organizations do a privacy impact assessment before they embark upon a data matching project.  Such an assessment is needed so that privacy protection of personal information is maintained.

 

Was this page helpful?

IPCs across Canada call on governments to safeguard independent review of solicitor-client privilege

In a joint resolution, Canada’s Information and Privacy Commissioners (IPCs) have called on governments to ensure that access to information and privacy legislation in every jurisdiction empowers IPCs to compel the production of records over which solicitor-client privilege has been claimed by public bodies to verify whether these claims are properly asserted when responding to requests for access to information.

In Alberta (Information and Privacy Commissioner) v. University of Calgary, 2016 SCC 53, the Supreme Court determined that legislative language did not expressly permit the Alberta Commissioner to compel the production of records over which solicitor-client privilege had been claimed. Canada’s IPCs are concerned with this decision as they require the power to compel these records in order to properly fulfil their mandate of providing first-level, independent review of public bodies’ responses to requests for access to information.

Canada’s IPCs are calling on their respective governments to amend access to information and privacy legislation to ensure they are empowered to compel the production of records in order to independently review records over which public bodies claim solicitor-client privilege.

The joint resolution is available on the IPCs’ respective websites.

Was this page helpful?

LA FOIP, Municipalities and Cities

Access to information under LA FOIP

One of the purposes of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) is to ensure that local authorities are transparent and accountable to the public. One way of facilitating transparency and accountability is to provide individuals with the right to access records in the possession or under the control of a local authority. Section 5 of LA FOIP provides individuals with the right to access to records in the possession or under the control of a local authority:

5 Subject to this Act and the regulations, every person has a right to and, on an application made in accordance with this Part, shall be permitted access to records that are in the possession or under the control of a local authority.

Individuals may use this form to submit an access to information request to a local authority: http://www.qp.gov.sk.ca/documents/Forms/L27-1R1-B.pdf.

When a local authority receives a written request, it should process the request formally under LA FOIP. This includes assisting the Applicant to identify the record he/she is seeking, issuing a fee estimate if it is appropriate to do so, conducting a reasonable search for records, consulting with third parties, and issuing a formal response in accordance with section 7 of LA FOIP. For more information, please consult my office’s Best Practices for Responding to Access Requests.

Are there records that citizens may access without submitting a formal request under LA FOIP?

A person is entitled under section 117 of The Municipalities Act (MA) to inspect and obtain copies of certain types of records, including contracts approved by council, financial statements prepared in accordance with section 185 of MA, and council’s approved meeting minutes. What this means is that individuals should not have to submit a formal request under LA FOIP to obtain the records they are entitled to under the MA.

Similarly, a person is entitled under section 91 of The Cities Act (CA) and section 133 of The Northern Municipalities Act, 2010 (NMA) to inspect and obtain copies of similar types of records described above. What this means is that individuals should not have to submit a formal request under LA FOIP to obtain the records they are entitled to under the CA.

Do councillors have a right to records?

As a part of their duties, councillors are to represent the interests of the citizens living within their constituency at council meetings and council committee meetings. Councillors must also be informed in order to effectively participate in such meetings. In order to stay informed, councillors should have access to records related to the municipality/city business without requiring them to make a formal access to information request under LA FOIP to gain access.

Municipalities and cities should have policies and procedures in place that enables councillors to have access to records related to municipality/city business. Councillors should also agree to keep matters confidential until the matter is discussed publicly at a council meeting or council committee meeting.

Section 92 of the MA outlines the duties of councillors as follows:

92 Councillors have the following duties:

(a) to represent the public and to consider the well-being and interests of the municipality;

(b) to  participate  in  developing  and  evaluating  the  policies,  services  and  programs of the municipality;

(c) to  participate  in  council  meetings  and  council  committee  meetings  and  meetings of other bodies to which they are appointed by the council;

(d) to  ensure  that  administrative  practices  and  procedures  are  in  place  to  implement the decisions of council;

(e) subject to the bylaws made pursuant to section 81.1, to keep in confidence matters discussed in private or to be discussed in private at a council or council committee meeting until discussed at a meeting held in public;

(f) to maintain the financial integrity of the municipality;

(g) to perform any other duty or function imposed on councillors by this or any other Act or by the council.

Section 65 of the CA and section 106 of the NMA is very similar to the above.

When should council meetings or council committee meetings be held in-camera?

The MA, CA, and NMA requires councils and council committees to meet in public. Parts or all of a meeting can be closed to the public if the matter being discussed is within one of the exemptions in Part III of LA FOIP. Part III of LA FOIP provides for limited and specific circumstances in which information should not be disclosed.  Generally speaking, councils and council committees should make efforts to conduct most of their meetings in public unless one of the limited and specific circumstances in Part III of LA FOIP exists.

An example of when councils or council committees should hold part of a meeting closed to the public is if a matter to be discussed includes personal information of a citizen. This is because Part III of LA FOIP includes the following exemption:

15 (1) A head may refuse to give access to a record that:

(b) discloses agendas or the substance of deliberations of meetings of a local authority if:

(ii) the  matters  discussed  at  the  meetings  are  of  such  a  nature  that  access to the records could be refused pursuant to this Part or Part IV.

Part IV of LA FOIP provides that local authorities must not disclose personal information unless it has consent of an individual or the disclosure is in accordance with section 28 or 29 of LA FOIP:

28 (1) No  local  authority  shall  disclose  personal  information  in  its  possession  or  under  its  control  without  the  consent,  given  in  the  prescribed  manner,  of  the  individual to whom the information relates except in accordance with this section or section 29.

To understand when a meeting should be closed to the public, municipalities and cities should have a sound understanding of LA FOIP. For support, municipalities should contact the Ministry of Government Relations. They should also contact the Ministry of Justice (Access and Privacy Branch) at 306-798-0222 or accessprivacyjustice@gov.sk.ca, who makes training available to cities and municipalities.

Open Government, proactive disclosure, and routine disclosure

Municipalities and cities across Canada are leading the way in open government initiatives, including the City of Regina and the City of Saskatoon. These initiatives allow for citizens to gain access to information without submitting a formal access to information request. Check out the City of Regina’s website here and the City of Saskatoon’s website here.

I also note that many other cities and municipalities in Saskatchewan are proactively preparing and publishing information on their websites such as council agendas and meeting minutes. Such proactive disclosure of information facilitates transparency and accountability and enhances active participation of citizens in civic life.

Check out my office’s blog entry on what a municipality or city should consider when publishing agendas and meeting minutes on its website: https://oipc.sk.ca/council-agendas-and-meeting-minutes/.

Other helpful resources

A resource about LA FOIP for councillors: https://oipc.sk.ca/assets/what-councillors-should-know-about-lafoip.pdf

Mayors, reeves, and councilors may have a steep learning curve when they are elected, including how to handle personal information and personal health information. Here’s a resource on best practices on how to handle records that contain personal information and personal health information: https://oipc.sk.ca/assets/best-practices-for-mayors-reeves-councillors-and-school-boards.pdf

LA FOIP 101: The Basics for Cities, Towns, Municipalities Webinar: https://oipc.sk.ca/resources/webinars/la-foip-101-the-basics-for-cities-towns-municipalities-etc/

Resources by the Ministry of Justice, Access and Privacy Branch: http://www.publications.gov.sk.ca/deplist.cfm?d=9&c=3570

Was this page helpful?

What About the Non-Responsive Record?

When a public body gets an access request, it has the obligation of searching for the responsive (relevant) records. In almost all cases, 99.9% of the public body’s records will be non-responsive to the applicant’s access request.

There will be times where a decision has to be made whether a record is responsive or non-responsive to an access to information request. If the decision is that it is non-responsive, I would suggest it is best practice that the public body should provide it anyway (subject to exemptions). If the public body would see the non-responsive record as being exempt from disclosure, then of course, the record should not be provided; however, the applicant should be advised in the section 7 decision that there are records being withheld as non-responsive, but also exempt under a particular section of the legislation. The reason for this suggestion is how else will the applicant or my office know that a record was treated as non-responsive? During a review, my office will ask to see all withheld information whether an exemption was applied or if treated by the public body as non-responsive and will make a call as to whether or not we agree.

In other situations, a record may have responsive and non-responsive information in it. The public body is obliged to provide the applicant with the responsive information (subject to exemptions), and it has to decide what to do with the non-responsive information in that same record. Again, I suggest best practice is to provide the non-responsive information to the applicant (subject to exemptions). Alternatively, the public body might choose to sever the non-responsive information, but that strikes me as a waste of time. Unnecessary severing causes applicants to be suspicious that something is being hidden. An applicant could submit a second access request for the severed non-responsive portions and the public body would have to provide it (subject to exemptions).  So, this blog is written just to encourage public bodies to release non-responsive portions of records where an exemption does not apply.

 

 

Was this page helpful?

Severing

When responding to access to information requests under The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and The Health Information Protection Act (HIPA), there may be circumstances where information is exempt from release under mandatory or discretionary exemptions.  However, each of these statutes requires public bodies to release as much information as possible when responding to requests and this is done through severing.

Section 8 of both FOIP (applies to government institutions) and LA FOIP (applies to local authorities) provide:

8 Where a record contains information to which an applicant is refused access, the head shall give access to as much on the record as can be reasonably be severed without disclosing the information to which the applicant is refused access.

Subsection 38(2) of HIPA, which applies to trustees, has similar language.

Severing is the exercise by which portions of a document are blacked out before the document is provided to an Applicant. It is also considered severing where a responsive record is withheld in full.  In order to be compliant with section 8 of FOIP/LA FOIP and subsection 38(2) of HIPA, public bodies and trustees need to conduct a line-by-line review of each page and apply severing where appropriate.  In addition, each severed item should have a notation indicating which exemption(s) applies in each instance.  It must be clear to the Applicant as to what exemption(s) is being relied upon for each item that is severed. The IPC discourages the use of white space redacting. White space redacting is where software removes the content of a record in such a way that it renders the redacted content indistinguishable from the blank background of the document. This type of redacting creates uncertainty as to what, if anything, has been redacted.

It is important that public bodies and trustees not apply a blanket exemption(s) to an entire page or record just because the majority of the information contained on that page is exempt from release. A great example is an email chain.  A communication may almost fully be exempt from release.  However, if a public body or trustee is contemplating also severing the header information (to, from, cc, date, and subject), opening and closing sentences, confidentiality notice, signature lines, etc. of an email, it needs to demonstrate how the exemption applies to that information also.

We encourage you to refer to the IPC Guide to FOIP or the IPC Guide to LA FOIP at the time you are processing an access to information request as these resources outline the tests you need to consider when determining if an exemption should be applied.

On a final note, if you are still severing using hard copies of documents and find this to be onerous, you may want to look into options that are available for electronic severing. Who knows, you may already have this capability with the software that is installed on your system.

To learn more about severing electronically, check out our webinar Modern Age Severing Made A Lot Easier.

Was this page helpful?

Sask. IPC Tables 2016-2017 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, Q.C. has submitted his office’s 2016-2017 Annual Report to the Legislative Assembly. Kruzeniski stated:

“I will report on our achievements under the old plan but also outline our objectives under our new 3 year plan.”

And he also identified a number of issues faced when navigating in a digital world:

“From the stories around the world, the breaches, the damage to reputation and the costs to remedy a breach, there is no doubt that public bodies will be required to spend much more to safeguard the information they have collected from their citizens.”

As well, he indicated:

“My office has issued a document regarding data matching in the province of Saskatchewan. That paper outlines the meaning of the word, the benefits, the risks, a review of legislation in other countries and provinces, the inadequacies of current Saskatchewan legislation and the needs in the Saskatchewan environment.

I recommend the government of Saskatchewan propose and the Legislative Assembly consider a stand-alone Act dealing with data matching.”

 

Was this page helpful?

Council Agendas and Meeting Minutes

To be accountable to the public, meetings of council and council committees are public by virtue of section 119 and 120 of The Municipalities Act. Further, subsection 117(1)(d) of The Municipalities Act entitles any person to inspect and obtain copies of council meeting minutes after they have approved by council.

To support this accountability, municipalities can post the agendas of council and council committee meetings to their website. The benefits of municipalities making information available online are plain to see. First, it increases municipalities’ accountability to the citizenry. Second, it increases citizens’ active participation in civic life.

While making information available online, such as council agendas and meeting minutes, has its benefits, municipalities should take care to minimize or avoid the publication of personal information of citizens on their websites.

What are the risks of publishing personal information on a website?

Chilling Effect

Public participation in civic matters is important to a democratic society. If individuals know their personal information, including their name and concerns, will be published on a website, then they may be deterred from raising matters to council.

Misuse

Search engines index websites and make information published on websites easily searchable.

Furthermore, technology is enabling organizations to gather and analyze personal information from various sites to create profiles on individuals. Such profiling can have undesirable results such as identity fraud or theft, embarrassment, and physical or emotional harm.

Dissemination

Publishing information on the World Wide Web has a much broader audience than information published in other formats such as hard copy newsletters, magazines, and books. Further, information published online can easily be copied and disseminated. Information, especially if it is inaccurate or unflattering, can haunt or damage an individual’s reputation.

Can municipalities withhold personal information that is in meeting documents?

The short answer is yes.

The long answer is that while subsection 120(1) of The Municipalities Act requires that council and council committees conduct their meetings in public, subsection 120(2) of The Municipalities Act provides that meetings may be closed to the public if the matters being discussed are within the exemptions in PART III of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP).

Part III of LA FOIP includes subsection 15(1). Subsection 15(1) of LA FOIP provides that a head may refuse to give access to a record that discloses agendas or the substance of deliberations of meetings where matters discussed at the meetings could be refused pursuant to Part III or Part IV of LA FOIP.

Part IV of LA FOIP includes subsection 28(1). Subsection 28(1) of LA FOIP provides that a local authority is not to disclose personal information in its possession or control without the individual’s consent except if the disclosure is authorized by LA FOIP.

Since Part IV of LA FOIP enables a local authority to refuse access to personal information, then council and council committees may close its meetings to the public if the matters being discussed include personal information.

What does this mean for municipalities posting agendas and meeting minutes to its website? Information in documents that falls within the exemption subsection 15(1) of LA FOIP and subsection 28(1) of LA FOIP, then, can be withheld (or redacted) prior to the document being posted online.

What privacy considerations should a municipality undertake when publishing council agendas and meeting minutes?

Notification

Before, or at the time of, collection of personal information, LA FOIP requires that municipalities inform individuals of the purpose for which personal information is collected. Therefore, municipalities should notify citizens about how personal information submitted to it could become a part of public council or committee agendas or meetings minutes, and could also be published to the RM’s website. The notice should include the contact information of someone who works for the municipality to answer questions or respond to concerns about the collection of personal information.

Municipalities should consider putting a notice on its website, in brochures, on posters, and on any other medium where citizens can easily see the notice.

Redaction

If documents such as agendas contain personal information, consider providing council members with a redacted version of the document for the council meeting.

Further, if council meeting minutes contain personal information, then municipalities should consider redacting the personal information prior to publishing the minutes on their website.

Data Minimization

When recording the minutes of a council meeting, the municipality should record the least amount of personal information. Better yet, it can attempt to de-identify the information by using terms such as “a Rate payer,” “a Tax payer”, or an initial to represent the person who is involved in a matter being discussed by council, or a council committee.

Review of Practices

Municipalities change and so does technology. Reviewing and revising practices to account for such change can be a good way to stay ahead of the curve. Asking citizens for feedback on the municipalities’ privacy practices may also help municipalities adjust their privacy policies accordingly!

 

Was this page helpful?

Lawyers Bills: Are They a “No Brainer”?

We have now had a few reports that have dealt with the application of solicitor-client privilege exemptions (sections 22 of FOIP and 21 of LA FOIP) to lawyers bills.  In these cases, the Commissioner relied on a Supreme Court of Canada decision Maranda v. Richer, [2003] 3 S.C.R. 193, 2003 SCC67 to find that lawyers bills are subject to solicitor-client privilege.  The Supreme Court asserted that there is a presumption of privilege for lawyers’ bills of account as a whole in order to ensure that solicitor-client privilege is honoured. (See IPC Review Reports 052-2013 and 280-2016 & 281-2016)

When I refer to “lawyers bills”, I mean an invoice or statement of account that is communicated from a lawyer or law firm to a public body after providing legal services.  Some lawyers bills can be quite detailed and list the dates of individual phone calls, tasks performed and the subject matter. 

It is possible for an Applicant to rebut that solicitor-client privilege applies.  To do so, it must provide persuasive arguments that the disclosure of information will not result in the Applicant learning of information that is subject to solicitor-client privilege. Order F15-16 from the Information and Privacy Commissioner of British Columbia lays out a test for determining whether the presumption of privilege has been rebutted.  Applicants, though, are at a disadvantage when having to make arguments for why privilege does not exist to information when they cannot see or examine the information.

So it does seem like a no brainer that solicitor-client exemptions would apply to this type of information, right?

Well… I think every issue in the FOIP World is unique!

A public body still has to be accountable for the public money it spends on legal services.  In Review Report 003-2017, the Commissioner found that the details of payment for legal services in a public body’s accounts payable invoice history report was not subject to solicitor-client privilege.  In other words, some of the information from the lawyer’s bill was entered into the public body’s accounting system, which was the subject of the review.  The Commissioner reasoned that some of the data items in this record, such as purchase order number, voucher number and bank information, was information that the public body assigned to the lawyer’s bill once it was received  – the exemption did not apply to these items.  Further, the name of the law firm did not qualify as it was confirmed through public documents that a particular firm had been engaged by the public body.  The firm’s invoice number and the due date did not reveal the nature of the advice that was sought.  Finally, he also did not find that there was a reasonable possibility that disclosure of the amount of the fees paid would reveal any communication protected by privilege.

Once again, I am reminded that our office must review every record, and the circumstances surrounding it, on a case by case basis.

 

Was this page helpful?

Access and Privacy Rights of Minors Online

On May 3, 2016, our office posted to our website a blog titled, Who Signs for a Child?. Though the focus of that blog was on who can sign for a child under the age of 18 years, the following advice on mature minors was offered:

FOIP and LA FOIP do not contemplate the child asking for his or her personal information. But when children get to the age of what may be considered a mature minor, heads should use their discretion to provide the personal information if the child “understands the nature of the right or power and the consequences of exercising the right or power.” Heads should also look to their governing legislation to see if the Legislative Assembly has provided direction on the rights of the child.

HIPA does contemplate an individual under 18 years of age exercising a right under the Act such as requesting his or her personal information. When such a request is made, it is up to the trustee to determine whether the individual understands the nature of the right or power and the consequences of exercising the right or power.

What further complicates matters is when services being offered to children and adolescents move to the online world. How are access and privacy rights impacted?

Although there does not appear to be any global rules on children’s consent under the new General Data Protection Regulation (GDPR), Article 8 speaks to children’s consent for ‘information society services’ (services requested and delivered over the internet).  It appears that for most services provided to children, parental consent for those under 16 is needed unless otherwise set by Member States.  If offered online, age-verification measures and reasonable efforts to verify parental responsibility for those under the relevant age is a must.

In an interesting decision, PIPEDA Report of Finding #2014-011, dealing with an investigation involving a website aimed at children between the ages of 6 and 13 years of age, the Privacy Commissioner of Canada’s office commented as follows:

112.  The consent provisions of PIPEDA do not expressly speak to age-based consent. Principle 4.3 states that the knowledge and consent of an individual are required for the collection, use and disclosure of personal information. Principle 4.3.2 requires organizations to ensure that individuals are advised of the purposes for which the information will be used and that consent obtained from individuals is meaningful. Meaningful consent means that the individual concerned can reasonably understand how the information will be used or disclosed prior to providing consent.

113.  Meaningful consent becomes a more difficult notion where personal information is being sought from children. Can a child reasonably understand what they are being asked to consent to?

114.  Principle 4.3.6 of Schedule 1 states that consent can be given by an authorized representative (such as a legal guardian or a person having a power of attorney). However, it does not specify under what circumstances this can or should occur.

115.  In PIPEDA Report of Findings #2012-001, we recognized that there was value in users of a Canadian social networking website aimed at teenagers and young adults involving their parents in their online transactions. However, we concluded that PIPEDA did not require parents to provide consent on behalf of their teenager in the context of that website. We concluded in that case that in order to ensure meaningful consent was obtained, the information handling practices of the organization had to be explained in such a way that its teenage users could understand how their personal information would be handled by the website.

116.  Ganz’s Website is aimed at children under 13, a younger demographic group than the one at issue in PIPEDA Report of Findings: #2012-001. Children under the age of 13 have arguably a less sophisticated understanding of online marketing and social media interactions.

122.  We considered it questionable as to whether a child under the age of thirteen opening an account would be able to find this provision in the User Agreement, understand the text, and act accordingly.

Canada Health Infoway has done some work in this area specifically examining adolescent access to PHI in a number of publications including Consumer Health Solutions – Pandora’s Box Adolescent Access to Digital Health Records – Research Summary dated August 2016. In its Executive Summary it states, “Outside of Quebec, statutes do not set an age requirement for a person to access their own PHI, to consent to the collection, use and disclosure of their PHI or to consent to treatment. However, there are other requirements to exercise the rights, such as knowledge, capacity or maturity.” Later it is stated, “the general rule is that a contract cannot be enforced against a minor (although there are exceptions).”

How do you cover your bases? The Privacy Commissioner of Canada offers good advice when dealing with kids online in Collecting from kids? Ten tips for services aimed at children and youth, as follows:

Make clear who is agreeing to terms and conditions. The ubiquitous “I have read and agree to the Terms and Conditions and Privacy Policy” checkbox on registration forms poses an additional difficulty when your users are youth. Is your organization asking the user to agree to these terms, or his or her parent/guardian? Remember, with younger children, the former is not possible given the need for meaningful consent. Moreover, if it is the latter, you must also ask yourself how you are ensuring that the parent/guardian has actually been involved in the process. The answer to these questions needs to be clear to, and consistent between, both you and your users.

Now that we are moving to online access to PHI through patient portals, what, if any, limits should be set as to age of those that can log-in and get direct access to his or her own PHI? Are any associated terms and conditions accepted akin to entering a contract? Our office has not yet had to offer any formal views on the particular issue. We will have to wait and see.

Was this page helpful?

Google Translate Disclaimer

Translations on the IPC Website are performed by Google Translate. Please note that not all text may be translated accurately or be translated at all. The IPC is not responsible for incorrect or inaccurate translations. The IPC will not be held responsible for any damage or issues that may result from using Google Translate.

For more information, read our full disclaimer.