Technology and function creep

“I love technology,

But not as much as you, you see.

But I still love technology.

Always and forever.”

- Kip from the movie Napoleon Dynamite

Technology takes on a central role in most, if not all, workplaces. It is difficult to imagine a workplace without computers. Further, cloud computing is enabling workplaces to organize themselves far more dynamically while completing tasks efficiently. With all of its benefits, we must be cognizant of technology’s impact upon employee privacy.

“Function creep” occurs when information is used for a purpose that is not the original specified purpose. For example, a workplace may install a security system that requires employees to sign in or sign out of the workplace. The purpose of the security system is to prevent unauthorized access to a particular workplace. However, organizations may end up using this information about individual employees to track employee attendance. This could be a privacy breach if the organization has not fulfilled the collection requirements in The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP). For example, if the organization is collecting the information to track employee attendance without informing employees of the purpose for which the information is being collected pursuant to subsection 26(2) of FOIP or subsection 25(2) of LA FOIP, then this would be a privacy breach.

Function creep is often unintended. However, this is not an excuse for organizations to breach employee privacy. Below are some suggestions that organizations could undertake to avoid or stop function creep:

  • Have at least one employee designated as the privacy officer.
  • Have a process in place so that employees (or members of the public) can raise concerns and that those concerns are investigated.
  • Since function creep is often unintended, organizations that learn that their technologies or processes are causing function creep should be open to adjusting them so that the function creep is discontinued.
  • Regularly undertake privacy impact assessments (PIA) so they can comprehensively analyze and evaluate how technology impacts privacy. A PIA is a process that should be undertaken not only by the privacy officer, but managers and employees implementing new technology, processes, projects, and/or programs. PIAs require teamwork!

For more information, check out my office’s resource called Technology’s Impact Upon Employee Privacy.

So, Do We Collaborate?

I had someone, whom I respect, say to me that some public bodies feel we don’t collaborate. This caused me to think about this concern and I thought it important to clarify our role and in turn define expectations.

‘Collaborate’ in the Oxford Dictionary is defined as, “work jointly on an activity or project”.

As an oversight body that gets appeals and complaints, we walk a fine line at times when having to do reports that may be critical and also have to be involved in education programs. On the education side, we are most interested in collaborating with others to put on education events. I have made offers for joint projects and will continue to do so to have public bodies, trustees and residents of the province understand the legislation that has been passed by the Legislative Assembly. We have collaborated on workshops, training materials and the writing of certain guidelines. We also consult. For more on that process, see my office’s Consultation Request Form.

When we receive a request to review a public body’s/trustee’s decision to release or not release records, or a complaint of a breach of privacy, we are, at the beginning, most interested in seeing whether the matter can be informally resolved. We take on a mediation role. Mediation is defined in the Oxford Dictionary as, “intervention in a dispute in order to resolve it.” In this role, my office tries to get the public body or trustee and the applicant or complainant to move toward resolution. As a mediator, you are not collaborating, but you are facilitating the parties moving towards resolution. The resolution is a result between the parties. Where it works, that is the best solution. It does not always work, and if the parties just cannot agree, then at some point my office concludes early or informal resolution is not possible.

When early or informal resolution is not possible, my office shifts in its role to one of a neutral objective decision maker. We neither take sides with the applicant/complainant nor the public body/trustee. We are there to apply the legislation based on case law, other commissioner’s office decisions and what seems reasonable under all the circumstances. We turn to gathering information, investigating the situation and analyzing to determine what recommendations, if any, should be made.  At this point, we are not collaborating. We accept representations (submissions) from the parties and start reaching conclusions as we begin to complete a report. Before finalizing a public review or investigation report, we may seek information or clarification on any issue from the public body, trustee, applicant, complainant or a third party as necessary.

Once a report is finalized, my office issues it and provides a copy to the parties involved. From the date my office issues the final report, public bodies or trustees have 30 days to provide their written response to my office and to the applicant or complainant. If the applicant or complainant is not satisfied with the public body’s or trustee’s response, they then have 30 days after receiving it to appeal the decision to the Court of King’s Bench. An appeal, which my office cannot become involved in, is one more opportunity for an applicant or complainant to have their case heard by a higher neutral body. My office also posts reports to our office website approximately seven days after my office issues them, which makes them public.

So, I hope I have clarified that we are always interested in collaborating on joint ventures in education and informally resolving appeals or complaints through mediation. At some point, the collaboration and mediation stop, and a review or investigation and an analysis occur. The result is a report with my findings and recommendations, which a public body – or an applicant – may not like. It is a role our office plays, though, and one in which we do not collaborate.

Amendments to FOIP and LA FOIP Proclaimed

The government of Saskatchewan has proclaimed Bill No. 30, An Act to amend The Freedom of Information and Protection of Privacy Act and Bill No. 31, An Act to amend The Local Authority Freedom of Information and Protection of Privacy Act effective January 1, 2018.  My office made proposals for the amendments of these Acts in June 2015.  I am most pleased these amendments were passed by the Legislative Assembly in May 2017 and now proclaimed.

The highlights of the amendments to both Acts are:

  • Obligations of government institutions and local authorities to provide breach notification to affected individuals if it is believed the incident creates a real risk of significant harm;
  • The Duty to Protect is now explicit for both government institutions and local authorities;
  • The Duty to Assist those requesting information is now provided for in the legislation;
  • Police services are now a local authority for purposes of the legislation;
  • There is now an obligation of government institutions and local authorities to enter into written agreements with information management service providers (IMSP);
  • MLAs and Ministers’ offices are obliged to protect personal information in accordance with the legislation;
  • The manner of access to records includes giving access in electronic form;
  • The offence provisions have been updated and expanded;
  • Government institutions and local authorities must take reasonable steps to post manuals, policies, guidelines and procedures to their websites; and
  • Categories of records are to be established that can be provided to the public without an application.

In addition, the Regulations to both Acts have been amended.  Some highlights of the Regulation amendments are:

  • Generally, fees now do not have to be charged if under $100 or if the records involve the applicant’s personal information;
  • If records are provided to an applicant via a portable storage device (PSD), the cost of the electronic copies is the price of the PSD;
  • Consent requirements are expanded; and
  • Clarification is provided on what elements must be included in written agreements with IMSPs.

The amendments to the Acts and the Regulations are the most significant amendments to this legislation since its introduction in 1992 and 1993.

My office will be working on updating its resources on its website to reflect the changes that are in the amendments.

For copies of amendments to FOIP and LA FOIP, go to www.oipc.sk.ca under the Legislation tab.  The amendments to the Regulations will soon be available on my office’s website and the Queen’s printer website.

Privacy versus Confidentiality

Privacy and confidentiality are two concepts often mistaken to be the same thing.

In terms of information, privacy is the right of an individual to have some control over how his or her personal information (or personal health information) is collected, used, and/or disclosed. In Saskatchewan, individuals’ privacy is maintained through FOIP, LA FOIP and HIPA. These three laws establish individuals’ right to privacy by setting out how government institutions, local authorities, and trustees are to collect, use, and/or disclose personal information or personal health information.

Confidentiality, on the other hand, is a far slimmer concept than privacy. Confidentiality is the duty to ensure information is kept secret only to the extent possible.

It is important to distinguish between these two concepts. This is because organizations often require employees to sign confidentiality agreements (i.e., keep information secret) but then offer very little or no privacy training.  There are certainly circumstances in which employees of government institutions, local authorities, and trustee organizations need to legitimately share information in order for their programs to function. However, sharing information may seem contrary to what confidentiality agreements require of them.

Privacy Officers play a vital role in ensuring that government institutions, local authorities, and trustee organizations are in compliance with FOIP, LA FOIP, and/or HIPA.  Privacy Officers should be experts in these three laws who can advise their organizations when it is okay to collect, use, and/or disclose personal information (or personal health information).

For fun, below are two haikus to help explain privacy and confidentiality:

Privacy

Collecting, using,

disclosing and safeguarding,

personal info.

Confidentiality

Keep info secret.

Do not tell anybody.

Or else you lose trust.

Closing a Practice

Back in 2011, this office issued an Advisory to address concerns we had at the time regarding abandoned patient records. That resource was titled Advisory for Saskatchewan Trustees for Record Disposition. This office is now again looking to provide some advice to trustees that are winding up their practice as additional cases of abandoned patient records come to our attention.

In one recent case, a physician left the country, leaving behind both paper and digital patient records in two different locations. Section 22 of The Health Information Protection Act (HIPA) requires trustees that are closing up their practice to transfer custody/control of patient records to another trustee or an Information Management Service Provider (IMSP) that is a designated archive. This physician did not do this. Instead, an IMSP was left with physical possession of patient records. The full Investigation Report 214-2017 is available on our website here.

So what needs to be done in order to wrap up a practice without leaving loose ends? The Saskatchewan College of Physicians and Surgeons has a helpful resource, Leaving Practice – A guide for physicians and surgeons. In addition to HIPA obligations, this resource addresses other issues such as continuity of care and discharging patients. The Ontario Information and Privacy Commissioner published Succession Planning to Prevent Abandoned Records which considers obligations under its Personal Health Information Protection Act, 2004. HIPA is of course similar but not identical and applies to a wide assortment of trustees (i.e. affiliates, Saskatchewan Health Authority) with custody or control of personal health information, not just physicians.

In terms of HIPA compliance, some of the most important steps to take before closing a practice are as follows:

  1. If you have not done so already, create an inventory of all records (paper and digital) in your custody or control;
  2. If you do not have one, create a record retention/disposition schedule for all records;
  3. Custody or control of patient records must be clearly established before taking action;
  4. Before transferring patient records, enter into a written agreement with the successor trustee or IMSP (that is a designated archive, see HIPA Regs s. 4);
  5. Ensure that any multi-function devices that may contain personal health information are sufficiently wiped/erased or hard-drives are destroyed;
  6. Provide advance, adequate notice (letters to patients, notice on doors, voicemail message and details in the newspaper and/or online) to patients and others;
  7. Securely transfer patient records; and
  8. Leave no records behind including securely destroying any records that are up for disposition.

If a member of a regulated profession, the trustee can also seek advice from its health professional body which also happens to be prescribed as designated archives in the HIPA Regs. Do you have more questions? If so, let us know.

What Makes a Good Submission?

The staff at the OIPC recently watched a webinar called The Art of Persuasive Speaking put on by The Canadian Bar Association. Some of the points made in the webinar are relevant to public bodies providing submissions to our office. I thought I would share some further tips pulled from that webinar.

When you want to be persuasive in your arguments to our office:

1. Have a plan and prepare:

Your goal is to convince our office that the public body is in compliance with the legislation.

  • Assemble all the evidence (information) relevant for our office;
  • Lay out the facts, tests, law and argument;
  • Focus on the key disputed facts and issues; and
  • Understand the role of the public body as it pertains to burden of proof (section 61 of FOIP/section 51 of LA FOIP).

2. Know your audience:

Understanding the role of our office is important in tailoring your arguments. Our office is a neutral oversight body. Our office is being asked to make a decision and recommendations.  We have found that when dealing with other organizations, a cooperative approach really works. We are not on the side of the applicant, third party or the public body. We are the first level of appeal before the Court of King’s Bench (2nd level of appeal).

  • Remember, our office will also be receiving arguments from the opposing parties in the case; and
  • How persuasive a party’s arguments are will influence the outcome of the case and you want yours to be most persuasive.

3. Use persuasive techniques:

Your goal is to make our office want to decide in your favour. Show us how to get there.

  • Put yourself in the shoes of our office, and ask: “If I had to make this decision, what would I need to make it?” This will help you focus on the key issues and anticipate questions our office would likely ask;
  • Use solid arguments and deliver only true and accurate statements;
  • Put your best (strongest) arguments first;
  • Avoid filling your submission with endless details without context;
  • Broad general statements are not persuasive; and
  • Present arguments from reputable sources.

These are all effective means of putting your arguments forward, which in turn makes them more persuasive. For more assistance on preparing your submission, Index of Records and/or the record itself, you can refer to our resource, What to Expect During a Review with the IPC: A Resource for Public Bodies and Trustees.

Saskatchewan Information and Privacy Commissioner’s Proposal on Data Matching

First reading has been given to The Data Matching Agreements Act.  Kruzeniski stated:

In the spring of this year, I released proposals for Data Matching legislation.  I am pleased that the Legislative Assembly is now considering such legislation.

And he further stated:

The proposed legislation clarifies the steps that a Ministry must take in order to perform data matching.  It is my intent to require organizations to follow the Act.

And he finally stated:

It will be absolutely necessary that government organizations do a privacy impact assessment before they embark upon a data matching project.  Such an assessment is needed so that privacy protection of personal information is maintained.

IPCs across Canada call on governments to safeguard independent review of solicitor-client privilege

In a joint resolution, Canada’s Information and Privacy Commissioners (IPCs) have called on governments to ensure that access to information and privacy legislation in every jurisdiction empowers IPCs to compel the production of records over which solicitor-client privilege has been claimed by public bodies to verify whether these claims are properly asserted when responding to requests for access to information.

In Alberta (Information and Privacy Commissioner) v. University of Calgary, 2016 SCC 53, the Supreme Court determined that legislative language did not expressly permit the Alberta Commissioner to compel the production of records over which solicitor-client privilege had been claimed. Canada’s IPCs are concerned with this decision as they require the power to compel these records in order to properly fulfil their mandate of providing first-level, independent review of public bodies’ responses to requests for access to information.

Canada’s IPCs are calling on their respective governments to amend access to information and privacy legislation to ensure they are empowered to compel the production of records in order to independently review records over which public bodies claim solicitor-client privilege.

The joint resolution is available on the IPCs’ respective websites.

LA FOIP, Municipalities and Cities

Access to information under LA FOIP

One of the purposes of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) is to ensure that local authorities are transparent and accountable to the public. One way of facilitating transparency and accountability is to provide individuals with the right to access records in the possession or under the control of a local authority. Section 5 of LA FOIP provides individuals with the right to access to records in the possession or under the control of a local authority:

5 Subject to this Act and the regulations, every person has a right to and, on an application made in accordance with this Part, shall be permitted access to records that are in the possession or under the control of a local authority.

Individuals may use this form to submit an access to information request to a local authority: http://www.qp.gov.sk.ca/documents/Forms/L27-1R1-B.pdf.

When a local authority receives a written request, it should process the request formally under LA FOIP. This includes assisting the Applicant to identify the record he/she is seeking, issuing a fee estimate if it is appropriate to do so, conducting a reasonable search for records, consulting with third parties, and issuing a formal response in accordance with section 7 of LA FOIP. For more information, please consult my office’s Best Practices for Responding to Access Requests.

Are there records that citizens may access without submitting a formal request under LA FOIP?

A person is entitled under section 117 of The Municipalities Act (MA) to inspect and obtain copies of certain types of records, including contracts approved by council, financial statements prepared in accordance with section 185 of MA, and council’s approved meeting minutes. What this means is that individuals should not have to submit a formal request under LA FOIP to obtain the records they are entitled to under the MA.

Similarly, a person is entitled under section 91 of The Cities Act (CA) and section 133 of The Northern Municipalities Act, 2010 (NMA) to inspect and obtain copies of similar types of records described above. What this means is that individuals should not have to submit a formal request under LA FOIP to obtain the records they are entitled to under the CA.

Do councillors have a right to records?

As a part of their duties, councillors are to represent the interests of the citizens living within their constituency at council meetings and council committee meetings. Councillors must also be informed in order to effectively participate in such meetings. In order to stay informed, councillors should have access to records related to the municipality/city business without requiring them to make a formal access to information request under LA FOIP to gain access.

Municipalities and cities should have policies and procedures in place that enable councillors to have access to records related to municipality/city business. Councillors should also agree to keep matters confidential until the matter is discussed publicly at a council meeting or council committee meeting.

Section 92 of the MA outlines the duties of councillors as follows:

92 Councillors have the following duties:

(a) to represent the public and to consider the well-being and interests of the municipality;

(b) to participate in developing and evaluating the policies, services and programs of the municipality;

(c) to participate in council meetings and council committee meetings and meetings of other bodies to which they are appointed by the council;

(d) to ensure that administrative practices and procedures are in place to implement the decisions of council;

(e) subject to the bylaws made pursuant to section 81.1, to keep in confidence matters discussed in private or to be discussed in private at a council or council committee meeting until discussed at a meeting held in public;

(f) to maintain the financial integrity of the municipality;

(g) to perform any other duty or function imposed on councillors by this or any other Act or by the council.

Section 65 of the CA and section 106 of the NMA are very similar to the above.

When should council meetings or council committee meetings be held in-camera?

The MA, CA, and NMA require councils and council committees to meet in public. Parts or all of a meeting can be closed to the public if the matter being discussed is within one of the exemptions in Part III of LA FOIP. Part III of LA FOIP provides for limited and specific circumstances in which information should not be disclosed. Generally speaking, councils and council committees should make efforts to conduct most of their meetings in public unless one of the limited and specific circumstances in Part III of LA FOIP exists.

An example of when councils or council committees should hold part of a meeting closed to the public is if a matter to be discussed includes personal information of a citizen. This is because Part III of LA FOIP includes the following exemption:

15 (1) A head may refuse to give access to a record that:

(b) discloses agendas or the substance of deliberations of meetings of a local authority if:

(ii) the matters discussed at the meetings are of such a nature that access to the records could be refused pursuant to this Part or Part IV.

Part IV of LA FOIP provides that local authorities must not disclose personal information unless they have the consent of an individual or the disclosure is in accordance with section 28 or 29 of LA FOIP:

28 (1) No local authority shall disclose personal information in its possession or under its control without the consent, given in the prescribed manner, of the individual to whom the information relates except in accordance with this section or section 29.

To understand when a meeting should be closed to the public, municipalities and cities should have a sound understanding of LA FOIP. For support, municipalities should contact the Ministry of Government Relations. They should also contact the Ministry of Justice (Access and Privacy Branch) at 306-798-0222 or accessprivacyjustice@gov.sk.ca, which makes training available to cities and municipalities.

Open Government, proactive disclosure, and routine disclosure

Municipalities and cities across Canada are leading the way in open government initiatives, including the City of Regina and the City of Saskatoon. These initiatives allow for citizens to gain access to information without submitting a formal access to information request. Check out the City of Regina’s website at http://open.regina.ca/pages/access and the City of Saskatoon’s website at http://opendata-saskatoon.cloudapp.net/.

I also note that many other cities and municipalities in Saskatchewan are proactively preparing and publishing information on their websites such as council agendas and meeting minutes. Such proactive disclosure of information facilitates transparency and accountability and enhances active participation of citizens in civic life.

Check out my office’s blog entry on what a municipality or city should consider when publishing agendas and meeting minutes on its website: https://oipc.sk.ca/council-agendas-and-meeting-minutes/.

Other helpful resources

A resource about LA FOIP for councillors: https://oipc.sk.ca/assets/what-councillors-should-know-about-lafoip.pdf

Mayors, reeves, and councillors may have a steep learning curve when they are elected, including how to handle personal information and personal health information. Here’s a resource on best practices on how to handle records that contain personal information and personal health information: https://oipc.sk.ca/assets/best-practices-for-mayors-reeves-councillors-and-school-boards.pdf

LA FOIP 101: The Basics for Cities, Towns, Municipalities Webinar: https://oipc.sk.ca/resources/webinars/la-foip-101-the-basics-for-cities-towns-municipalities-etc/

Resources by the Ministry of Justice, Access and Privacy Branch: http://www.publications.gov.sk.ca/deplist.cfm?d=9&c=3570

What About the Non-Responsive Record?

When a public body gets an access request, it has the obligation of searching for the responsive (relevant) records. In almost all cases, 99.9% of the public body’s records will be non-responsive to the applicant’s access request.

There will be times where a decision has to be made whether a record is responsive or non-responsive to an access to information request. If the decision is that it is non-responsive, I would suggest it is best practice that the public body should provide it anyway (subject to exemptions). If the public body would see the non-responsive record as being exempt from disclosure, then of course, the record should not be provided; however, the applicant should be advised in the section 7 decision that there are records being withheld as non-responsive, but also exempt under a particular section of the legislation. The reason for this suggestion is how else will the applicant or my office know that a record was treated as non-responsive? During a review, my office will ask to see all withheld information whether an exemption was applied or if treated by the public body as non-responsive and will make a call as to whether or not we agree.

In other situations, a record may have responsive and non-responsive information in it. The public body is obliged to provide the applicant with the responsive information (subject to exemptions), and it has to decide what to do with the non-responsive information in that same record. Again, I suggest best practice is to provide the non-responsive information to the applicant (subject to exemptions). Alternatively, the public body might choose to sever the non-responsive information, but that strikes me as a waste of time. Unnecessary severing causes applicants to be suspicious that something is being hidden. An applicant could submit a second access request for the severed non-responsive portions and the public body would have to provide it (subject to exemptions).  So, this blog is written just to encourage public bodies to release non-responsive portions of records where an exemption does not apply.