Duty to Assist – Ask, What Do You Need?

Since 2018, The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) have had a section on the duty to assist, which provides as follows:

5.1(1) Subject to this Act and the regulations, a government institution shall respond to a written request for access openly, accurately and completely.

(2) On the request of an applicant, the government institution shall:

(a) provide an explanation of any term, code or abbreviation used in the information; or

(b) if the government institution is unable to provide an explanation in accordance with clause (a), endeavour to refer the applicant to a government institution that is able to provide an explanation.

We treat this as an obligation for a public body (government institution or local authority) to assist the applicant as much as possible.

FOIP and LA FOIP also have a section on clarifying an access request which provides:

6(1) An applicant shall:

(a) make the application in the prescribed form to the government institution in which the record containing the information is kept; and

(b) specify the subject matter of the record requested with sufficient particularity as to time, place and event to enable an individual familiar with the subject-matter to identify the record.

(3) Where the head is unable to identify the record requested, the head shall advise the applicant, and shall invite the applicant to supply additional details that might lead to identification of the record.

Applicants sometimes draft their access requests extremely broadly. That can result in thousands of pages to be copied and sent. That is a lot of work for the staff member and potentially a large fee for the applicant.

My office discourages public bodies from asking why the applicant wants the information, but it can be reasonable to ask the applicant “what do you need?” An answer to that question increases understanding, possibly narrows the scope of the access request, and may result in the applicant getting the records sooner, at a reduced fee or at no fee at all.

I emphasize that the “what do you need” question might be asked in certain circumstances. The applicant may have already stated his or her purpose or made it clear exactly what they wanted. In those instances, there is no need to ask.

It is also important to frame your question in a certain way. You might say:

  • “I have a duty to assist you, and to better assist you, if you tell me what information you need, that will help me get you the records you want”,
  • “I read your access request and I need some clarification as to what information you are seeking”, or
  • “What is it that you require in terms of information?”

Now the applicant may refuse to answer your question and if so, then you must do your best to read the access request and provide those records requested.

I would suggest you never ask an applicant what they are going to do with the information. They are entitled to records under section 5 of FOIP or LA FOIP and what they do with that information is entirely up to them. They may want it because they want to know, they may want to write an MLA or a minister or they may want to contact the media or post the information on a website. If the applicant is from the media, you know they are working on a story. They are doing their job. Those are all legitimate actions, and a citizen is free to do whatever he or she wishes with the record.

On the other hand, if a staff member understands what the applicant needs, that staff member can read the access request, interpret it, and provide the applicant information or records that help meet the applicant’s needs. Again, I repeat, the applicant does not have to say why, and a refusal to say should always be respected.

A word of encouragement to applicants. Before you write out your access request, you should think about why you want the information and what you are going to do with it. An access request for less information might just let you get that information sooner and for a reduced or no fee. Broad access requests increase the chances that you will get a higher fee quote. You could also telephone the public body and say, “I am making an access request; can you tell me the files or file folder I should ask to be searched?” Now you might not trust the public body, so in that case don’t ask such questions.

Applicants, when you are asked by the staff member the question “what do you need”, and you determine the staff member is trying to be helpful, tell them what you really are trying to get copies of. It might just get you the information sooner at no cost. Remember, if you don’t get all that you want, you can always make a second access request.

So, to sum up, knowing “what you need” can help reduce the number of records to be produced, the work involved and sometimes the fees. It is worth it for public bodies and applicants to work together to reduce work, time to respond and fees.

The Law Society Issues “Guidelines for the Use of Generative AI in the Practice of Law”

The Law Society of Saskatchewan has issued guidelines for the use of generative AI in a lawyer’s practice. You can read that guideline here. The Law Society has also issued three brief videos on the guidelines (Bite Size CPD 124, 125 & 126). You can watch them here.

When you read the guideline, you will see how many of the statements could apply to any profession and in particular the health professions. It talks about the responsibilities of confidentiality, communications and the risks of discrimination and harassment. I would encourage every profession to consider developing a guideline specifically tailored to their profession and develop in person or online training that helps each member become familiar with the benefits and risks of generative AI.

In fact, I would encourage public bodies and health trustees to read the Law Society guideline and consider whether they should develop their own guideline and training.

I hear the experts say there are benefits and risks. All of us will want to take advantage of the benefits and all of us should recognize the risks and take steps to mitigate those risks.

When We Cannot Help You

My office gets calls from residents when they are expecting us to solve their problem. We receive approximately 1300 calls a year. Some of those citizens have called other agencies or public bodies. They may have called the Ombudsman or the Advocate for Children and Youth office, the Ministry of Social Services, Saskatchewan Human Rights Commission, MLA’s office or Ministry of Justice and Attorney General. I understand they may be frustrated and would just like a solution to their problem. I need to say we probably cannot help you unless the issue is access or privacy related, and the proper processes have been followed. We have a narrow mandate.

Here is what we can do. If you have asked a public body for records and they have refused to provide those records to you, we might be able to help. You need to know that those public bodies have the right to withhold certain information from you. Parts III and IV of The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) set out those exemptions. If we find the exemptions apply, we will not recommend those records be released to you.

If the public body wants to charge you a fee that appears to be unreasonable, we can review that fee.

If a public body fails to respond appropriately to your access request within 30 days, we can review their refusal.

If you feel your personal information or personal health information has been improperly collected, used or disclosed, you can ask my office to investigate the public body’s actions to determine whether there was a privacy breach.

These are some of the things we can do.

You might have staff in my office saying to you “we don’t have jurisdiction, or we don’t have grounds to proceed with a review or an investigation.” The Legislative Assembly has given my office certain powers, and it is only those powers that we can exercise. So, if we say, “we cannot help you”, that is another way of saying we do not have the legislative authority to help you.

We might suggest you contact another office but that is just trying to be helpful.

So, before you call, think about what you expect us to do for you. We might recommend you get some records, get a reduced fee or help to ensure a public body appropriately responds to a privacy breach involving your personal information, but we won’t be able to solve any other problem.

Recent Headlines Give me Concern

In the past weeks, media have speculated on health issues pertaining to a high-profile person in the public eye. One of those headlines involved allegations of an attempted breach of personal health information, which you can find here.

The people of Saskatchewan should rest assured that we have laws that prohibit snooping into their personal information and personal health information. In our province, everyone is entitled to privacy, free from unauthorized intrusions or snooping into their confidential medical and other personal information.

Individuals who are in the public eye are equally entitled to these protections. People may have jobs or roles that invite or attract media attention, but with very few exceptions, they maintain the right to see restrictions on how personal information or personal health information about them is used and if it is disclosed – the very essence of privacy in a democratic society. We can debate how much of their life is private or public, but I hope we all agree that their personal health information, whether it is cancer, diabetes, or a heart condition, is deserving of the same protections that we all enjoy.

Some public officials choose to make public their health issues to put focus on a particular disease or condition. I admire them when they do that. Their goal may be to educate and support those with a similar condition. On the other hand, there are those who choose to keep their health issues to themselves, and we should respect their right to do so.

The Health Information Protection Act prohibits snooping into others’ personal health information. This applies to those that work in the health sector including staff and physicians and to others who may attempt to break into our health care databases. It is an offense and if caught, there can and should be consequences.

We have had our own experiences with unauthorized access to personal health information. For example, I issued an Investigation Report in January 2024, where I found that a doctor working in Saskatchewan was snooping. You can read it here.

Whether motivated by curiosity, or the desire for profit, in spite of the law, some will be tempted to snoop. That’s why health care providers and others that work for trustees in Saskatchewan are required to take steps to protect personal health information. Guidance is available on my office’s website on the steps that can be taken to reduce the risk of snooping. In addition to requirements to raise awareness, trustees must train staff and audit and monitor the use of personal health information and utilize technological solutions that can help detect and deter snooping.

Recently, in Ontario, The Ottawa Hospital piloted some software with AI functionality to monitor health information systems to detect snooping. I think we should study this type of software in Saskatchewan to see if it is reliable and safe.

Let’s make every reasonable effort to ensure that those who are tempted to snoop are not successful and personal health information is protected. And please respect others’ rights to privacy at all times and recognize the sensitive nature of their health care issues. If you don’t, be aware that there are consequences.

R. v. Bykovets – Privacy and the Internet

In a recent decision called R. v. Bykovets, 2024 SCC 6, the Supreme Court of Canada (SCC) ruled that the police must get a warrant before obtaining access to an individual’s Internet Protocol (IP) address from a third party. In a news release, the British Columbia Civil Liberties Association, an intervenor in the case, called the decision a huge victory for online privacy.

The case involves an individual who was charged with having made fraudulent online purchases from a liquor store. The company that managed the store’s online sales provided the police with the accused’s IP address voluntarily. The accused claimed that this action violated section 8 of the Charter.

The decision, in favour of the privacy rights of the accused, is significant for many reasons including that it recognizes the importance of individuals’ right to privacy in a free and democratic society. Justice Karakatsanis, who wrote the majority decision, stated:

Personal privacy is vital to individual dignity, autonomy, and personal growth. Its protection is a basic prerequisite to the flourishing of a free and healthy democracy.

It also recognizes that an IP address may reveal sensitive personal information about an individual. Further, it finds that the IP address is deserving of protections against unreasonable search or seizure under section 8 of the Canadian Charter of Rights and Freedoms (Charter).

This is not the first time that the SCC has found that the Charter guarantees Canadians a right of privacy. In previous rulings, it has recognized several kinds of privacy, namely physical or bodily privacy, territorial privacy, privacy of communications and informational privacy.

In R. v. Dyment, the SCC stated that informational privacy is based on the notion of dignity and integrity of the individual and is based on the idea that all information about a person is their own.

IP addresses may reveal sensitive personal information

Writing for the majority of the SCC, Justice Karakatsanis describes an IP address as a unique identification number that identifies the source of every online activity and connects that activity (through a modem) to a specific location.

She added that IP addresses may reveal deeply personal information such as the identity of the device’s user. When correlated with other online information associated with that IP address, it reveals “the first digital breadcrumb that can lead the state on the trail of an individual’s Internet activity.” She wrote that third party websites can track the IP address of each user and added that some websites, such as Google, also collect massive amounts of other information, such as information about users’ searches and location.

Privacy oversight authorities have long recognized the detailed nature of the information that can be discovered through access to an IP address. The federal Office of the Privacy Commissioner issued a paper in May of 2013 which describes the information that could be revealed from a phone number, email address, and an IP address. The paper concluded that knowledge of subscriber information such as phone numbers and IP addresses can provide a starting point to compile a picture of an individual’s online activities, including the individual’s personal interests and organizational affiliations.

While the question of whether an IP address would qualify as personal information under Saskatchewan’s access and privacy laws was not before the SCC in this case, its findings could be relevant to that analysis.

For examples of circumstances where our office has found that an individual’s IP address qualifies as personal information pursuant to subsections 24(1)(e) and (k) of The Freedom of Information and Protection of Privacy Act (FOIP) or subsection 23(1)(e) and (k) of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) see Review Report 147-2022 and Review Report 186-2019.

Application of section 8

Section 8 of the Charter is intended to protect individuals from unjustified state intrusions (such as searches or seizures) upon their privacy. The scope of the protections offered by section 8 is limited by the reasonableness of the individual’s expectation of privacy in a given set of circumstances. This means that when applying section 8 in the context of a law enforcement investigation, the courts weigh or balance reasonable expectations of privacy against legitimate police investigative techniques.

Regarding whether a reasonable expectation of privacy existed, Justice Karakatsanis wrote:

The “reasonable expectation of privacy” analysis revolves around the potential of a particular subject matter to reveal an individual’s biographical core to the state, not whether the IP addresses revealed information about the appellant on these facts. …In my view, the ever-increasing intrusion of the Internet into our private lives must be kept in mind in deciding this case. It is widely accepted that the Internet is ubiquitous and that vast numbers of Internet users leave behind them a trail of information that others gather up to different ends, information that may be pieced together to disclose deeply private details. And, as the expert evidence describes, an IP address is attached to all online activity; it is a fundamental building block to all Internet use. This social context of the digital world is necessary to a functional approach in defining the privacy interest afforded under the Charter to the information that could be revealed by an IP address.

In balancing the reasonable expectation of privacy against the need to combat online crime, the decision recognizes society’s legitimate interest in public safety and security, and the suppression of crime. It notes that the ways in which crimes are committed have evolved with technological developments and police must have tools to investigate these crimes.

The majority concluded its analysis by stating that the burden imposed by recognizing a reasonable expectation of privacy in IP addresses is not onerous as it would only add another step in the investigation process – the need to obtain a warrant.

Many readers will know that the access and privacy laws overseen by our office, FOIP, LA FOIP and The Health Information Protection Act, protect informational or data privacy. They do this by setting rules for the collection, safeguarding, retention, use and disclosure of personal information or personal health information.

Section 8 of the Charter may not apply when most public bodies and trustees engage with individuals through online services or internet-based communications because the activity may not qualify as a search or seizure. However, in light of the SCC findings on IP addresses, they should be aware of the type of information that may be collected through online engagement with the public and what privacy protections need to be in place.

Individuals and organizations may be interested in the resources available regarding privacy, the internet and the Charter on the Office of the Privacy Commissioner of Canada’s (OPC) website. Organizations with law enforcement mandates may be interested in the OPC’s guide titled “A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century”.

More information about the Charter and how it protects privacy, can also be found in our office’s Guide to FOIP and Guide to LA FOIP.

For any questions, contact intake@oipc.sk.ca

New Guidance on Survey Research

Government institutions and local authorities often use surveys to collect public views and opinions on new programs and services, and to support informed policy development. As part of its public engagement strategy, the Government of Saskatchewan website states that it routinely polls residents of Saskatchewan for information to help guide policy decisions. The website lists public opinion polls conducted in recent years.

The University of Regina (U of R) has a survey research unit that provides survey and research expertise to students, faculty members and other groups on campus. The U of R has also developed a policy that governs surveys involving sampling of current and prospective students, and alumni and staff.

As of February 2024, Statistics Canada reported that it had 471 active surveys in the collection stage.

With the exponential growth in online government service delivery brought on by the pandemic, it is not surprising that government institutions and other organizations are increasingly using online survey tools and platforms.

There has been some media attention in the past on high profile online surveys. Media have reported on the Government of Saskatchewan’s cannabis survey and the federal government survey into medical aid in dying. In an article published in April 2019, CBC reported that the Saskatchewan Government has been in the habit of surveying the public on major issues noting a trend of surveying on the future of education in the province.

Where survey projects involve the collection, retention, use, disclosure and disposal of personal information, public bodies conducting surveys need to take steps to ensure compliance with Saskatchewan’s access and privacy laws.

My office has released a guide for public bodies on how to address the privacy risks when conducting surveys and the strategies for managing those risks, including online surveys.

There are separate rules and considerations that would arise when a trustee as defined in The Health Information Protection Act (HIPA) seeks to collect personal health information as part of a survey. The guide does not consider the potential impact and specific requirements of HIPA but is focused on the use of surveys by public bodies or organizations.

If your organization does not have a policy and procedure in place for conducting surveys and expects to be conducting multiple surveys, it should consider developing standards. Many universities, including the U of R, have developed guidance or policies on conducting surveys. The University of Saskatchewan has a master agreement with an online survey provider and a policy that governs the use of that survey tool.

For another example, see the Government of Canada Standards for the Conduct of Government of Canada Public Opinion Research – Online Surveys which were updated in 2020.

For further information consult the guidance document. For any questions, contact intake@oipc.sk.ca

Cyber Security Threats – How can you Prepare and What to do After

Cyber security threats are becoming an ever-growing issue as technology and digital information continue to grow and evolve. These types of incidents are a malicious means to steal or destroy data or disrupt computer systems and could result in a breach of personal or personal health information if they do occur. Some common security threats include malware, phishing, and ransomware.

What steps can an organization take to reduce the risk of a cyber security incident and any potential breaches that may come from it? The following are some things to consider:

  • Keep your software and systems updated regularly.
  • Use strong passwords and change them frequently to limit the risk.
  • Use security software and a firewall to protect your network and data.
  • Use multi-factor authentication for your accounts.
  • Back up your data regularly.
  • Train yourself and your staff on basic cyber security principles and how to spot suspicious activity.
  • If you use an outside information technology provider or information management services provider (IMSP), be sure to have agreements in place for regular monitoring of security threats and updating of any security software.
  • Develop and follow cyber security policies and procedures.
  • Have a cyber incident management plan in place so that managing the attack can begin immediately and staff will know their role.

A cyber security incident has occurred – now what?

Implement your cyber security incident management plan which may include things like the following:

  • Identify potential evidence, preserve it, and ensure nothing is lost or damaged.
  • Isolate your network from the Internet and activate your incident response plan.
  • Take note of who was present in your organization before, during, and after the incident.
  • Appoint a point of contact for law enforcement officers to speak to directly and gather information about the incident.
  • Document the report number provided to you by law enforcement.
  • Anticipate law enforcement may need access to your equipment to analyze the technological components of the cyber incident. The police will work with you to collect evidence while minimizing the impacts to your business and recovery efforts.
  • Provide logs, employee statements, emails, and other similar items as potential evidence.
  • Produce a list of key contacts within your organization for law enforcement.
  • Communicate the incident to staff, business associates, clients, and partners.
  • Review your cyber security policies and ensure your staff receive training.
  • Consider purchasing anti-malware and anti-virus software for your network and devices.
  • Enhance your data security with protective measures (e.g., firewalls, virtual private networks, encryption).
  • Prepare your organization for the possibility of testifying in court.

Government of Canada. (November 2021). Have you been a victim of cybercrime?

https://www.cyber.gc.ca/en/guidance/have-you-been-victim-cybercrime

Our office has issued some investigation reports involving this topic:

Investigation Report 009-2020, 053-2020, 224-2020

Investigation Report 398-2019, 399-2019, 417-2019, 005-2020, 019-2020, 021-2020

Investigation Report 370-2022

Investigation Report 098-2021

Some resources available for information on these types of incidents:

  • Chatbots and Security
  • Ransomware
  • Ransomware – What Everyone Should Know
  • Security and Phishing Presentation
  • S2 – Episode 7: Unmasking digital threats: How to guard against cyber crime

Raising Awareness of the Facts about Fax

The ongoing use of traditional fax machines to send personal information and personal health information by government institutions and trustees continues to raise privacy concerns. My office and Canada’s other privacy commissioners and ombudspersons called for a concerted effort to phase out the use of traditional fax machines in a September 2022 resolution which can be found here. We understand that developing this plan will require broad consultations and additional resources. However, we continue to urge organizations to address this problem on an urgent basis. Public trust and confidence in organizations’ ability to protect Saskatchewan residents’ personal information and personal health information hangs in the balance.

In the meantime, we continue to receive complaints and reported breaches of misdirected faxes that are caused in part by human error. Staff may enter a number in the fax machine incorrectly, fail to comply with policies that require the use of pre-programmed fax numbers or rely on fax numbers found through unverified sources, such as Google. These errors are often caused by inattention, or lack of awareness or training on applicable policies. The office issued an investigation report in November 2022 involving two Saskatchewan Health Authority employees who entered an incorrect fax number in the fax machine. They sent one of the faxes to a Town instead of a public health office. They sent the other fax to the Parole Board of Canada’s office instead of a physician.

Trustees should be aware that the shift from traditional fax machines to digital fax solutions is not sufficient, by itself, to reduce privacy risks. This was shown in Investigation Report 164-2023, et al, which involved 12 different trustees and numerous misdirected faxes. In most cases, the trustees used digital faxing systems. The breaches occurred when staff sent faxes intended for one physician to a different physician with the same last name. In some cases, the faxes were misdirected because the employee involved did not receive clear direction on the recipient. In other cases, the fax was misdirected because of errors in the physician directory or because the employee chose the wrong physician from a drop-down list in the directory.

In September 2020, my office issued guidance on the safeguards to prevent misdirected faxes titled, Faxing PI and PHI. While plans are being developed to discontinue the use of traditional fax machines, every effort must be made to ensure that appropriate safeguards are in place to prevent faxes from going astray. We encourage all organizations to revisit this guidance.

To help ensure that staff are aware of their need to comply with existing policy and to exercise caution when faxing, we have developed a poster that you can download and place in key areas.

Remember that a policy is not enough! Creating a privacy sensitive culture requires that organizations raise levels of awareness of privacy risks and provide appropriate training.

For any questions, contact intake@oipc.sk.ca

Privacy Matters

Advocate’s Report on Independent Schools

The Saskatchewan Advocate for Children and Youth issued her investigation report regarding independent schools in December 2023. She made 36 recommendations, a number of which relate to the access and privacy world. The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) deal with the collection, use, and disclosure of personal information, and the protection of that information by government institutions or local authorities. With that in mind, I note the following recommendations in the Advocate’s report:

External Accountability and Participation Rights of Young People

Recommendation 4: The Government of Saskatchewan amend The Registered Independent Schools Regulations to recognize the right and entitlement of all pupils of sufficient maturity to immediate access to all procedures established by the board of a registered independent school for the purposes of investigation and mediation of any differences or conflicts with the independent school.

Recommendation 5: The Government of Saskatchewan amend section 35 of The Registered Independent Schools Regulations to recognize the right and entitlement of all pupils of sufficient maturity attending, or having previously attended, registered independent schools to independently access their own records.

Recommendation 6: The Government of Saskatchewan amend section 35 of The Registered Independent Schools Regulations to protect the right of all pupils under 18 years of age from disclosures of information that would constitute an unreasonable invasion of the pupil’s privacy.

Recommendation 7: The Ministry of Education amend the Registered Independent Schools Policy and Procedures Manual to reflect changes made to The Registered Independent Schools Regulations related to access to records and protection of privacy, as recommended in this report.

Recommendation 8: The Government of Saskatchewan amend section 148 of The Education Act, 1995 to recognize the right and entitlement of all pupils of sufficient maturity to immediate access to procedures established by the board of education or the Conseil scolaire fransaskois for the purposes of investigation and mediation of any differences or conflicts with the school.

Data on Learning Output

Recommendation 25: The Ministry of Education review its processes of collection, entry, storage and tracking of data from registered independent schools on learning outputs, make improvements to ensure the accuracy of data in Ministry records and develop policy and procedures on these processes.

It is clear independent schools serve the needs of parents and their children. The more transparent an independent school is, the more parents and students will know what is happening in their school. At the same time, the better protected student information is, the more comfortable parents and students will be regarding their personal information. Finally, the easier it is for parents or students to access their information, the more comfortable they will be that the independent school is collecting the proper information and making sure that information is accurate.

Regular school boards in Saskatchewan have these obligations as they are subject to the rules of collection, use, disclosure and protection outlined in LA FOIP.

I have written to the Minister of Education requesting that his government make independent schools local authorities under LA FOIP. I am hopeful that the Minister will give serious consideration to doing so.

Is De-identified Information Personal Information?

Now and then, our office receives requests for review where a public body (government institution, local authority or health trustee) denied access pursuant to subsection 29(1) of The Freedom of Information and Protection of Privacy Act (FOIP), or subsection 28(1) of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) or subsection 27(1) of The Health Information Protection Act (HIPA). Therefore, I thought it may be helpful to explore if de-identified information is personal information.

To qualify as personal information, the information must: 1) be about an identifiable individual; and 2) be personal in nature. Information is about an “identifiable individual” if the individual can be identified from the information (e.g., their name is provided) or if the information, when combined with information otherwise available, could reasonably allow the individual to be identified. To be “personal in nature” requires that the information reveal something personal about the identifiable individual.

One of the most effective ways to protect the privacy of individuals is through strong de-identification. Using proper de-identification techniques and re-identification risk management procedures remains one of the strongest and most important tools in protecting privacy.

“De-identification” is the general term for the process of removing personal information from a record or data set.

“De-identified information” is information that cannot be used to identify an individual, either directly or indirectly. Information is de-identified if it does not identify an individual, and it is not reasonably foreseeable in the circumstances that the information could be used, either alone or with other information, to identify an individual.

Subsection 2(1)(d) of HIPA defines “de-identified personal health information” as personal health information from which any information that may reasonably be expected to identify an individual has been removed. This is important as subsection 3(2)(a) of HIPA provides that HIPA does not apply to “statistical information or de-identified personal health information.”

The goal is to reduce the risk of re-identification of information once it has been de-identified. The following table lists four states of data in order of decreasing probability of re-identification:

| State | Description |
| --- | --- |
| 1. Identifiable data | The data have directly identifying variables or sufficient quasi-identifiers that can be used to identify the individual. |
| 2. Potentially de-identified data | Manipulations have been performed on the identifying variables but attempts to disguise the quasi-identifiers may be insufficient. The data may not be fully de-identified, partially exposed, and may represent a re-identification risk. |
| 3. De-identified data | An objective assessment of re-identification risk has been done and it is concluded that all directly identifying variables have been adequately manipulated and quasi-identifiers adequately disguised to ensure an acceptable level of re-identification risk. |
| 4. Aggregate data | These are summary data such as tables or counts, where there are no identifying variables or quasi-identifiers. |
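To illustrate the difference between states 2 and 3 in the table, the following added example (not from our office's guidance) measures re-identification risk on constructed rows by the size of the smallest group of records sharing the same quasi-identifier values, the "k" of k-anonymity, a measure this page does not name. The column names, the choice of quasi-identifiers and the acceptable group size `K_MIN` are assumptions.

```python
from collections import Counter

# Constructed sample rows, not real data. "name" and "claim_no" are direct
# identifiers; birth_year, postal and sex are assumed quasi-identifiers.
ROWS = [
    {"name": "A", "claim_no": "C-001", "birth_year": 1981, "postal": "S4P 3Y2", "sex": "F", "visit": "physio"},
    {"name": "B", "claim_no": "C-002", "birth_year": 1984, "postal": "S4P 1A1", "sex": "F", "visit": "x-ray"},
    {"name": "C", "claim_no": "C-003", "birth_year": 1987, "postal": "S4P 2B9", "sex": "F", "visit": "physio"},
    {"name": "D", "claim_no": "C-004", "birth_year": 1972, "postal": "S7K 0J5", "sex": "M", "visit": "consult"},
    {"name": "E", "claim_no": "C-005", "birth_year": 1975, "postal": "S7K 4C3", "sex": "M", "visit": "x-ray"},
    {"name": "F", "claim_no": "C-006", "birth_year": 1979, "postal": "S7K 1X8", "sex": "M", "visit": "consult"},
]
DIRECT = {"name", "claim_no"}
QUASI = ("birth_year", "postal", "sex")
K_MIN = 3  # assumed acceptable minimum group size; set by your own risk assessment


def drop_direct(rows):
    """Redact the directly identifying columns."""
    return [{k: v for k, v in r.items() if k not in DIRECT} for r in rows]


def generalize(rows):
    """Coarsen quasi-identifiers: birth year to decade, postal code to first 3 characters."""
    out = []
    for r in rows:
        g = dict(r)
        g["birth_year"] = f"{r['birth_year'] // 10 * 10}s"
        g["postal"] = r["postal"][:3]
        out.append(g)
    return out


def smallest_group(rows, quasi=QUASI):
    """Smallest number of rows sharing one combination of quasi-identifier values."""
    counts = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(counts.values())


def state(rows):
    """Map rows to a state label from the table above (simplified illustration)."""
    if any(k in r for r in rows for k in DIRECT):
        return "1. Identifiable data"
    if smallest_group(rows) >= K_MIN:
        return "3. De-identified data"
    return "2. Potentially de-identified data"
```

With these rows, redacting the direct identifiers alone leaves every record unique on its quasi-identifiers (smallest group of 1), while coarsening birth year and postal code brings the smallest group to 3.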

For further explanation regarding de-identified information, please refer to our resources available on our website: IPC Guide to FOIP – Chapter 6 and IPC Guide to LA FOIP – Chapter 6.

Public bodies may find the following recent review reports issued by our office helpful on this topic:

  • IPC Review Report 060-2023 – in this Review Report at paragraph [19], the Commissioner found that the “claim numbers” assigned to individuals by Saskatchewan Government Insurance (SGI) were personal information pursuant to subsection 24(1)(d) of FOIP. However, once the “claim numbers” assigned to particular individuals were redacted, any personal health information attached to those numbers, such as the reason for doctor appointments, became de-identified information and was releasable.
  • IPC Review Report 063-2023 – in this matter, the Ministry of Health denied access to a spreadsheet of 18 columns pursuant to subsections 29(1) of FOIP and 27(1) of HIPA. However, the Commissioner found that once a few columns of personal information were redacted pursuant to subsection 29(1) of FOIP, the remaining data in the spreadsheet became sufficiently de-identified and was releasable.

Hopefully, the above will assist you in successfully de-identifying personal information or personal health information. For any questions, please contact our office at intake@oipc.sk.ca.