Severing

When responding to access to information requests under The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and The Health Information Protection Act (HIPA), there may be circumstances where information is exempt from release under mandatory or discretionary exemptions.  However, each of these statutes requires public bodies to release as much information as possible when responding to requests and this is done through severing.

Section 8 of both FOIP (applies to government institutions) and LA FOIP (applies to local authorities) provides:

8 Where a record contains information to which an applicant is refused access, the head shall give access to as much of the record as can reasonably be severed without disclosing the information to which the applicant is refused access.

Subsection 38(2) of HIPA, which applies to trustees, has similar language.

Severing is the exercise by which portions of a document are blacked out before the document is provided to an Applicant. It is also considered severing where a responsive record is withheld in full.  In order to be compliant with section 8 of FOIP/LA FOIP and subsection 38(2) of HIPA, public bodies and trustees need to conduct a line-by-line review of each page and apply severing where appropriate.  In addition, each severed item should have a notation indicating which exemption(s) applies in each instance.  It must be clear to the Applicant as to what exemption(s) is being relied upon for each item that is severed. The IPC discourages the use of white space redacting. White space redacting is where software removes the content of a record in such a way that it renders the redacted content indistinguishable from the blank background of the document. This type of redacting creates uncertainty as to what, if anything, has been redacted.

It is important that public bodies and trustees not apply a blanket exemption(s) to an entire page or record just because the majority of the information contained on that page is exempt from release. A great example is an email chain.  A communication may almost fully be exempt from release.  However, if a public body or trustee is contemplating also severing the header information (to, from, cc, date, and subject), opening and closing sentences, confidentiality notice, signature lines, etc. of an email, it needs to demonstrate how the exemption applies to that information also.

We encourage you to refer to the IPC Guide to FOIP or the IPC Guide to LA FOIP at the time you are processing an access to information request as these resources outline the tests you need to consider when determining if an exemption should be applied.

On a final note, if you are still severing using hard copies of documents and find this to be onerous, you may want to look into options that are available for electronic severing. Who knows, you may already have this capability with the software that is installed on your system.

To learn more about severing electronically, check out our webinar Modern Age Severing Made A Lot Easier.

Sask. IPC Tables 2016-2017 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, Q.C. has submitted his office’s 2016-2017 Annual Report to the Legislative Assembly. Kruzeniski stated:

“I will report on our achievements under the old plan but also outline our objectives under our new 3 year plan.”

And he also identified a number of issues faced when navigating in a digital world:

“From the stories around the world, the breaches, the damage to reputation and the costs to remedy a breach, there is no doubt that public bodies will be required to spend much more to safeguard the information they have collected from their citizens.”

As well, he indicated:

“My office has issued a document regarding data matching in the province of Saskatchewan. That paper outlines the meaning of the word, the benefits, the risks, a review of legislation in other countries and provinces, the inadequacies of current Saskatchewan legislation and the needs in the Saskatchewan environment.

I recommend the government of Saskatchewan propose and the Legislative Assembly consider a stand-alone Act dealing with data matching.”

 

Council Agendas and Meeting Minutes

To be accountable to the public, meetings of council and council committees are public by virtue of sections 119 and 120 of The Municipalities Act. Further, subsection 117(1)(d) of The Municipalities Act entitles any person to inspect and obtain copies of council meeting minutes after they have been approved by council.

To support this accountability, municipalities can post the agendas of council and council committee meetings to their website. The benefits of municipalities making information available online are plain to see. First, it increases municipalities’ accountability to the citizenry. Second, it increases citizens’ active participation in civic life.

While making information available online, such as council agendas and meeting minutes, has its benefits, municipalities should take care to minimize or avoid the publication of personal information of citizens on their websites.

What are the risks of publishing personal information on a website?

Chilling Effect

Public participation in civic matters is important to a democratic society. If individuals know their personal information, including their name and concerns, will be published on a website, then they may be deterred from raising matters to council.

Misuse

Search engines index websites and make information published on websites easily searchable.

Furthermore, technology is enabling organizations to gather and analyze personal information from various sites to create profiles on individuals. Such profiling can have undesirable results such as identity fraud or theft, embarrassment, and physical or emotional harm.

Dissemination

Publishing information on the World Wide Web has a much broader audience than information published in other formats such as hard copy newsletters, magazines, and books. Further, information published online can easily be copied and disseminated. Information, especially if it is inaccurate or unflattering, can haunt or damage an individual’s reputation.

Can municipalities withhold personal information that is in meeting documents?

The short answer is yes.

The long answer is that while subsection 120(1) of The Municipalities Act requires that council and council committees conduct their meetings in public, subsection 120(2) of The Municipalities Act provides that meetings may be closed to the public if the matters being discussed are within the exemptions in PART III of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP).

Part III of LA FOIP includes subsection 15(1). Subsection 15(1) of LA FOIP provides that a head may refuse to give access to a record that discloses agendas or the substance of deliberations of meetings where matters discussed at the meetings could be refused pursuant to Part III or Part IV of LA FOIP.

Part IV of LA FOIP includes subsection 28(1). Subsection 28(1) of LA FOIP provides that a local authority is not to disclose personal information in its possession or control without the individual’s consent except if the disclosure is authorized by LA FOIP.

Since Part IV of LA FOIP enables a local authority to refuse access to personal information, council and council committees may close their meetings to the public if the matters being discussed include personal information.

What does this mean for municipalities posting agendas and meeting minutes to their websites? Information in documents that falls within the exemptions in subsection 15(1) and subsection 28(1) of LA FOIP can be withheld (or redacted) before the document is posted online.

What privacy considerations should a municipality undertake when publishing council agendas and meeting minutes?

Notification

Before, or at the time of, collection of personal information, LA FOIP requires that municipalities inform individuals of the purpose for which personal information is collected. Therefore, municipalities should notify citizens about how personal information submitted to them could become a part of public council or committee agendas or meeting minutes, and could also be published to the RM’s website. The notice should include the contact information of someone who works for the municipality to answer questions or respond to concerns about the collection of personal information.

Municipalities should consider putting a notice on their websites, in brochures, on posters, and on any other medium where citizens can easily see the notice.

Redaction

If documents such as agendas contain personal information, consider providing council members with a redacted version of the document for the council meeting.

Further, if council meeting minutes contain personal information, then municipalities should consider redacting the personal information prior to publishing the minutes on their website.

Data Minimization

When recording the minutes of a council meeting, the municipality should record the least amount of personal information. Better yet, it can attempt to de-identify the information by using terms such as “a Rate payer,” “a Tax payer”, or an initial to represent the person who is involved in a matter being discussed by council, or a council committee.

Review of Practices

Municipalities change and so does technology. Reviewing and revising practices to account for such change can be a good way to stay ahead of the curve. Asking citizens for feedback on the municipalities’ privacy practices may also help municipalities adjust their privacy policies accordingly!

 

Privacy Officer in a Difficult Spot

I encourage every public body to appoint an Access and Privacy Coordinator. In larger organizations you might want to have a position of Chief Privacy Officer (CPO). The reasons for having an Access and Privacy Coordinator or a CPO are that in these times organizations really need one person who is knowledgeable on access and privacy issues. That person needs to know the legislation, when and where it applies, and the best practices in the organization’s sector or industry. The coordinator will also be responsible for supervising the processing of access requests and investigating privacy breaches.

Any citizen can file an access request and that includes the media. A journalist pursuing a story may request information to assist in writing that story.

When a journalist files an access request, my office will encourage the public body to work with the Applicant to narrow the scope of the request and clarify exactly what is being requested. Such efforts can reduce the time spent by the public body, the fees charged, if any, and the time lag between request and provision of the documents.

The Access and Privacy Coordinator is in a difficult position when first talking to the journalist. His or her organization may have a policy that communications with the media go through the Communication Director. On the other hand, only by talking to the journalist will the possibility of narrowing or clarifying the request occur. If the coordinator talks to the journalist, the fear is that he or she might get quoted in tomorrow’s story. So, does the coordinator not talk at all and give up an opportunity to clarify and speedily deal with the request?

This is a problem for the coordinator, the journalist and my office. Why my office? If matters don’t get resolved at the first stage, an Applicant (here, a journalist) might appeal to my office for a review. This takes time and resources in my office. The end result is that it takes a lot longer to get the information.

My solution is that public bodies and the media reach an understanding that communications with the Access and Privacy Coordinator will not be quoted in any story. In other words, there is no interview with the Access and Privacy Coordinator. The communications with the coordinator will be strictly to clarify and narrow the request. The understanding should be that the journalist will contact the Communications Director if they want an interview.

As we work to create this understanding, Access and Privacy Coordinators when contacted by a journalist should ask whether it is an interview or whether they will be quoted in any future stories. If the journalist says yes, the Access and Privacy Coordinator should refer the journalist to the Communications Director. Similarly, a journalist calling about an access request should begin by indicating this is not an interview and if an interview is sought the journalist will contact the Communications Director.

My goal is a well-functioning access to information system in the province where access requests are answered quickly and without confusion as to roles.

 

Lawyers Bills: Are They a “No Brainer”?

We have now had a few reports that have dealt with the application of solicitor-client privilege exemptions (sections 22 of FOIP and 21 of LA FOIP) to lawyers bills.  In these cases, the Commissioner relied on a Supreme Court of Canada decision Maranda v. Richer, [2003] 3 S.C.R. 193, 2003 SCC 67 to find that lawyers bills are subject to solicitor-client privilege.  The Supreme Court asserted that there is a presumption of privilege for lawyers’ bills of account as a whole in order to ensure that solicitor-client privilege is honoured. (See IPC Review Reports 052-2013 and 280-2016 & 281-2016)

When I refer to “lawyers bills”, I mean an invoice or statement of account that is communicated from a lawyer or law firm to a public body after providing legal services.  Some lawyers bills can be quite detailed and list the dates of individual phone calls, tasks performed and the subject matter. 

It is possible for an Applicant to rebut that solicitor-client privilege applies.  To do so, it must provide persuasive arguments that the disclosure of information will not result in the Applicant learning of information that is subject to solicitor-client privilege. Order F15-16 from the Information and Privacy Commissioner of British Columbia lays out a test for determining whether the presumption of privilege has been rebutted.  Applicants, though, are at a disadvantage when having to make arguments for why privilege does not exist to information when they cannot see or examine the information.

So it does seem like a no brainer that solicitor-client exemptions would apply to this type of information, right?

Well… I think every issue in the FOIP World is unique!

A public body still has to be accountable for the public money it spends on legal services.  In Review Report 003-2017, the Commissioner found that the details of payment for legal services in a public body’s accounts payable invoice history report were not subject to solicitor-client privilege.  In other words, some of the information from the lawyer’s bill was entered into the public body’s accounting system, which was the subject of the review.  The Commissioner reasoned that some of the data items in this record, such as purchase order number, voucher number and bank information, were information that the public body assigned to the lawyer’s bill once it was received – the exemption did not apply to these items.  Further, the name of the law firm did not qualify as it was confirmed through public documents that a particular firm had been engaged by the public body.  The firm’s invoice number and the due date did not reveal the nature of the advice that was sought.  Finally, he also did not find that there was a reasonable possibility that disclosure of the amount of the fees paid would reveal any communication protected by privilege.

Once again, I am reminded that our office must review every record, and the circumstances surrounding it, on a case by case basis.

 

Access and Privacy Rights of Minors Online

On May 3, 2016, our office posted to our website a blog titled, Who Signs for a Child?. Though the focus of that blog was on who can sign for a child under the age of 18 years, the following advice on mature minors was offered:

FOIP and LA FOIP do not contemplate the child asking for his or her personal information. But when children get to the age of what may be considered a mature minor, heads should use their discretion to provide the personal information if the child “understands the nature of the right or power and the consequences of exercising the right or power.” Heads should also look to their governing legislation to see if the Legislative Assembly has provided direction on the rights of the child.

HIPA does contemplate an individual under 18 years of age exercising a right under the Act such as requesting his or her personal information. When such a request is made, it is up to the trustee to determine whether the individual understands the nature of the right or power and the consequences of exercising the right or power.

What further complicates matters is when services being offered to children and adolescents move to the online world. How are access and privacy rights impacted?

Although there do not appear to be any global rules on children’s consent under the new General Data Protection Regulation (GDPR), Article 8 speaks to children’s consent for ‘information society services’ (services requested and delivered over the internet).  It appears that for most services provided to children, parental consent for those under 16 is needed unless otherwise set by Member States.  If offered online, age-verification measures and reasonable efforts to verify parental responsibility for those under the relevant age are a must.

In an interesting decision, PIPEDA Report of Finding #2014-011, dealing with an investigation involving a website aimed at children between the ages of 6 and 13 years of age, the Privacy Commissioner of Canada’s office commented as follows:

112.  The consent provisions of PIPEDA do not expressly speak to age-based consent. Principle 4.3 states that the knowledge and consent of an individual are required for the collection, use and disclosure of personal information. Principle 4.3.2 requires organizations to ensure that individuals are advised of the purposes for which the information will be used and that consent obtained from individuals is meaningful. Meaningful consent means that the individual concerned can reasonably understand how the information will be used or disclosed prior to providing consent.

113.  Meaningful consent becomes a more difficult notion where personal information is being sought from children. Can a child reasonably understand what they are being asked to consent to?

114.  Principle 4.3.6 of Schedule 1 states that consent can be given by an authorized representative (such as a legal guardian or a person having a power of attorney). However, it does not specify under what circumstances this can or should occur.

115.  In PIPEDA Report of Findings #2012-001, we recognized that there was value in users of a Canadian social networking website aimed at teenagers and young adults involving their parents in their online transactions. However, we concluded that PIPEDA did not require parents to provide consent on behalf of their teenager in the context of that website. We concluded in that case that in order to ensure meaningful consent was obtained, the information handling practices of the organization had to be explained in such a way that its teenage users could understand how their personal information would be handled by the website.

116.  Ganz’s Website is aimed at children under 13, a younger demographic group than the one at issue in PIPEDA Report of Findings: #2012-001. Children under the age of 13 have arguably a less sophisticated understanding of online marketing and social media interactions.

122.  We considered it questionable as to whether a child under the age of thirteen opening an account would be able to find this provision in the User Agreement, understand the text, and act accordingly.

Canada Health Infoway has done some work in this area specifically examining adolescent access to PHI in a number of publications including Consumer Health Solutions – Pandora’s Box Adolescent Access to Digital Health Records – Research Summary dated August 2016. In its Executive Summary it states, “Outside of Quebec, statutes do not set an age requirement for a person to access their own PHI, to consent to the collection, use and disclosure of their PHI or to consent to treatment. However, there are other requirements to exercise the rights, such as knowledge, capacity or maturity.” Later it is stated, “the general rule is that a contract cannot be enforced against a minor (although there are exceptions).”

How do you cover your bases? The Privacy Commissioner of Canada offers good advice when dealing with kids online in Collecting from kids? Ten tips for services aimed at children and youth, as follows:

Make clear who is agreeing to terms and conditions. The ubiquitous “I have read and agree to the Terms and Conditions and Privacy Policy” checkbox on registration forms poses an additional difficulty when your users are youth. Is your organization asking the user to agree to these terms, or his or her parent/guardian? Remember, with younger children, the former is not possible given the need for meaningful consent. Moreover, if it is the latter, you must also ask yourself how you are ensuring that the parent/guardian has actually been involved in the process. The answer to these questions needs to be clear to, and consistent between, both you and your users.

Now that we are moving to online access to PHI through patient portals, what, if any, limits should be set as to age of those that can log-in and get direct access to his or her own PHI? Are any associated terms and conditions accepted akin to entering a contract? Our office has not yet had to offer any formal views on the particular issue. We will have to wait and see.

2017 Saskatchewan Connections Conference

The 2017 Saskatchewan Connections Conference is happening May 10 & 11 at Regina’s The Doubletree By Hilton. For more details please visit http://skconnections.ca/sk2017/index

Transitory Records and Access-to-Information Requests

What are transitory records?

The Provincial Archives of Saskatchewan defines transitory records as:

Records of temporary usefulness that are needed only for a limited period of time, to complete a routine task or to prepare an ongoing document. Also, exact copies of official records made for convenience of reference. These records are not required to meet statutory obligations or to sustain administrative or operational functions. Once they have served their purpose and, in the case of convenience copies the official record has been identified, these records should be destroyed in accordance with internal disposal procedures.

What are some examples of transitory records?

As mentioned above, records of short-term value are transitory records. Similar to official records, transitory records can come in any format, including post-it notes, handwritten notes, and electronic records including emails and text messages.

Are transitory records subject to FOIP or LA FOIP requests?

Yes. Although transitory records are routinely disposed of, if the public body receives an access-to-information request under FOIP or LA FOIP, then any responsive transitory records in the possession or control of the public body must not be disposed of.

The receipt of a FOIP request should freeze all disposition action relating to records responsive to the request.

Public bodies should have processes in place to communicate to employees to not dispose of records that are responsive to a FOIP or LA FOIP request.  It is an offense to willfully destroy records to evade an access-to-information request.  The penalty can be a fine and/or imprisonment.

How long must the public body wait before disposing of the transitory records?

The public body should wait at least one year before disposing of transitory records that are responsive to an access-to-information request. This is because the public body must include the transitory records as it processes the access-to-information request. Then, once the public body responds to the Applicant, the Applicant has one year from the time the response is given to appeal to the Commissioner (subsection 7(3) of FOIP and LA FOIP). Once this time period has expired, then the public body can dispose of the transitory records.

It should be noted that public bodies may continue to destroy transitory records that are not responsive to an access-to-information request according to their records management policy.

 

When the Media Calls

Every once in a while, a journalist or some other individual will call my office to ask whether a review had been started on a particular request for information or investigation launched into a privacy breach. The policy of this office is to not immediately confirm that a request for review or specific privacy investigation is underway, so time can be taken to consider the privacy and confidentiality obligations that my office has under The Freedom of Information and Protection of Privacy Act (ss. 46 and 53). One consideration is that the name of the applicant is personal information and should not be shared without the requisite need-to-know. I may nonetheless exercise my discretion as Commissioner in certain cases and confirm basic details (i.e., investigation file has been opened).

I think a bit more on the process may make it clearer what is going on behind the scenes once a review or investigation is underway. Briefly, for example, when Intake Officers of this office receive a request for review, they contact the parties and attempt to see if the matter can be settled. Will the applicant narrow his or her request? Will the public body re-visit part or all of its decision to withhold information, reduce a fee or take any steps to provide the applicants with some or part of the information requested? If the matter cannot be settled, a letter notifying the public body, any engaged third party and the applicant that a review has started is sent and an Analyst is assigned. Staff request the public body to provide a copy of the records at issue, index of the records and its submission as to why it is withholding records. Upon receipt of those documents, the Analyst proceeds with the review, asks questions of the public body and if necessary, interviews people and makes a site visit. Once this stage is completed, the final report is prepared, sent to the parties and posted on our website. The name of the applicant is not included in the public report. The public body has 30 days to advise me whether it will comply with the recommendations. After that, the applicant or a third party have 30 days to appeal to the Court of King’s Bench.

You can see a diagram showing the process by clicking here.

It is a pretty straight-forward process, and my office makes every attempt to move the process along quickly so that parties get their decisions as soon as possible. Our goal is to resolve matters within 30 days or issue a report, on average, within 180 days. In certain instances where the public body has failed to issue a section 7 decision, or the applicant is requesting a review of the fee quoted or fee waiver decision, it is our objective to issue the report, on average, within 90 days. I ask all that work with us to help us reach this goal.

Unauthorized Access

This blog is focused on the unauthorized access to electronic health records for purposes such as curiosity, concern, personal gain, spite, or boredom, and the harm that results from such unauthorized access.

I note that the majority of trustee employees or individuals in service of a trustee (including physicians) access electronic health records for purposes that are authorized by The Health Information Protection Act (HIPA). This blog is not meant to deter these employees or individuals from accessing electronic health records they require to do their jobs.

UNAUTHORIZED ACCESS

The following are some examples of unauthorized access:

1. Looking up a family member’s personal health information out of concern.

There should be very limited circumstances in which employees or individuals look up their own or a family member’s personal health information. For physicians and surgeons, the College of Physicians and Surgeons’ Code of Ethics provides that the treatment of themselves or immediate family members be limited:

Limit treatment of yourself or members of your immediate family to minor or emergency services and only when another physician is not readily available; there should be no fee for such treatment. (https://www.cps.sk.ca/imis/Documents/Legislation/Legislation/RegulatoryBylaws.pdf)

Therefore, physicians and surgeons should not be looking up a family member’s personal health information unless it’s in the limited circumstances as described in the Code of Ethics.

2. Looking up your own or a co-worker’s personal health information out of concern, curiosity, or spite.

Investigation Report H-2013-001 reported on snooping cases in which employees accessed and modified not only their own personal health information but also that of their coworkers. It doesn’t take a lot of imagination to understand the consequences of such actions, including that future health care decisions for these individuals could have been based on false information. (https://oipc.sk.ca/assets/hipa-investigation-h-2013-001.pdf)

3. Looking up patient records to alleviate boredom.

Electronic health records are meant to support health care providers in providing care to patients. They are not meant to alleviate boredom, as discussed in Investigation Report 100-2015. (https://oipc.sk.ca/assets/hipa-investigation-100-2015.pdf)

4. Looking up patient records without a need-to-know.

Investigation Report 142-2015 reported a case where an employee accessed the personal health information of 901 individuals. This employee was fired and the Commissioner recommended that the case be forwarded to the Ministry of Justice, Public Prosecution Division, so that it can determine if charges should be laid under HIPA. (https://oipc.sk.ca/assets/hipa-investigation-142-2015.pdf)

HARM OF UNAUTHORIZED ACCESS

Patients lose trust and confidence in the health system. They may be cautious in seeking treatment if they learn that a family member, friend, co-worker, or colleague may have unauthorized access to their personal health information.

Trustees also suffer reputational damage when employees or individuals who are in service to the trustee (such as physicians) access electronic health records without a need-to-know.

FINES AND IMPRISONMENT

Recent amendments to HIPA provide individual offences for unauthorized access to personal health information. Therefore, employees or individuals in service of a trustee (such as a physician) may be fined up to $50,000 and/or face imprisonment of up to one year if they are found to have accessed personal health information for purposes that are not authorized by HIPA.

WHAT TO DO?

Trustees and trustee organizations should establish policies, procedures, and training so employees and individuals clearly know how to manage personal health information in accordance with HIPA. Audits should also be conducted regularly to ensure policies and procedures are being followed.

Employees and individuals in service of trustees should only access the personal health information, including electronic health records, that they require to complete job duties. If they have any questions, they should contact their supervisor, manager, and/or the privacy officer of the trustee organization.
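
As an added illustration (not part of the original blog or of any trustee's system), here is one way a regular audit could flag the kinds of access listed above for review by a privacy officer. The log columns, the staff, household and care-assignment tables, and the bulk threshold are all constructed assumptions; a flag is a prompt for review, not a finding of unauthorized access.

```python
import csv
import io
from collections import defaultdict

# Constructed sample access log; the column layout is an assumption.
ACCESS_LOG = """\
timestamp,user_id,patient_id,action
2017-03-01T09:02,u1,p10,view
2017-03-01T09:05,u1,p1,view
2017-03-01T09:07,u1,p2,modify
2017-03-01T10:15,u2,p11,view
2017-03-01T10:20,u2,p30,view
2017-03-01T11:00,u3,p40,view
2017-03-01T11:01,u3,p41,view
2017-03-01T11:02,u3,p42,view
2017-03-01T11:03,u3,p43,view
"""

# Constructed reference data (hypothetical): each staff member's own
# patient record and household, each patient's household, and the
# (user, patient) pairs with a documented care relationship.
STAFF = {
    "u1": {"patient_id": "p1", "household": "h1"},
    "u2": {"patient_id": "p2", "household": "h2"},
    "u3": {"patient_id": "p3", "household": "h3"},
}
PATIENT_HOUSEHOLD = {"p1": "h1", "p2": "h2", "p3": "h3",
                     "p10": "h10", "p11": "h11", "p30": "h2"}
CARE_ASSIGNMENTS = {("u1", "p10"), ("u2", "p11")}
STAFF_PATIENT_IDS = {s["patient_id"] for s in STAFF.values()}


def classify(row):
    """Return the review flags raised by a single access event."""
    user, patient = row["user_id"], row["patient_id"]
    staff = STAFF.get(user, {})
    household = PATIENT_HOUSEHOLD.get(patient)
    flags = []
    if patient == staff.get("patient_id"):
        flags.append("SELF")                  # own record
    elif patient in STAFF_PATIENT_IDS:
        flags.append("COWORKER")              # another staff member's record
    elif household is not None and household == staff.get("household"):
        flags.append("FAMILY_HOUSEHOLD")      # same household as the user
    if (user, patient) not in CARE_ASSIGNMENTS:
        flags.append("NO_CARE_RELATIONSHIP")  # no documented need-to-know
    if flags and row["action"] == "modify":
        flags.append("MODIFIED")              # flagged record was also changed
    return flags


def audit(log_text, bulk_threshold=3):
    """Return (flagged events, users who browsed many unassigned patients)."""
    findings = []
    unassigned = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        flags = classify(row)
        if flags:
            findings.append({**row, "flags": flags})
        if "NO_CARE_RELATIONSHIP" in flags:
            unassigned[row["user_id"]].add(row["patient_id"])
    bulk = sorted(user for user, patients in unassigned.items()
                  if len(patients) > bulk_threshold)
    return findings, bulk


if __name__ == "__main__":
    events, bulk_users = audit(ACCESS_LOG)
    for event in events:
        print(event["timestamp"], event["user_id"], event["patient_id"],
              ",".join(event["flags"]))
    print("bulk browsing without care relationship:", bulk_users)
```

Access to a family member's record is still flagged when a care relationship exists, because the limited circumstances described in the Code of Ethics need a person to confirm them.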