The Search for Personal Health Information (updated)

When a patient (applicant) makes an access to information request for their personal health information, the search for responsive records may not be as easy as just checking out the health records department. The Health Information Protection Act (HIPA) applies to all personal health information in the custody or control of a trustee regardless of who created it, where it came from or how it is stored. All records, in any form, that are responsive to the request, must be identified, located, retrieved and released (subject to exceptions) within 30 calendar days.

Records may be in paper or electronic form whether found in a file drawer, legacy system, electronic medical record (EMR) or electronic health record (EHR). Electronic or digital records include electronic documents such as word-processed documents, spreadsheets, email, digital photographs, scanned images and electronic data, such as information stored in databases or registries or, in rarer cases, back-up tapes.

Regardless of the medium, a thorough search needs to be conducted. For instance, this office dealt with a request for access to records from the 1960s. The records existed only on microfiche, so the trustee had to find a way to read and make a copy for the applicant, even though the trustee no longer had the technical capability. The take-away lesson is that as long as records have not been destroyed, access rights of the individual remain intact, and records need to be produced wherever they reside.

A request for access may be unduly general or vague because the applicant lacks knowledge of the trustee’s operations, systems or programs and the type of health records that may exist. These types of requests may prove challenging for a large trustee organization (e.g., Saskatchewan Health Authority), as they could potentially require a search of a number of different facilities, program areas and information systems. This is why communicating with the applicant early in the process to clarify the request is critical. This communication is also in keeping with a trustee’s obligations under section 35 of HIPA, the trustee’s duty to assist. This express duty obligates the trustee to make every reasonable effort to assist an applicant by responding to each request openly, accurately and completely.

The responsibility to maintain records may fall to many different individuals at different times, resulting in records being temporarily retained on the unit, in individual employees’ offices, vehicles or homes, managed off-site by an information management service provider, or put into storage while waiting to be culled (i.e., non-active files). When applicable, records in the physical possession of contracted agencies may also have to be located, as those agencies may hold records responsive to an access request (e.g., an independent medical examination).

Different kinds of records are also being generated as more electronic information systems are relied on for service provision. For instance, patients may submit a request to eHealth Saskatchewan for eHR Viewer Event Audits (which show who has looked at their records in the eHR Viewer).

Also, a search at one time may reveal responsive records, but not necessarily all. For instance, what about records that are in the queue (i.e., not yet dictated)? Patient care is not static. There will always be new responsive records being generated as long as a patient continues to interact with the health care system.

As noted, there are some limited exceptions to the right of access and a decision to release may depend on who is making the request. Subsections 27(1) and 38(1) and section 56 of HIPA need to be taken into consideration.

In closing, the best advice that I can give if you are processing such a request is to start with a search strategy by talking to the ‘people in the know’ before proceeding (e.g., records managers). It will save you a lot of time in the long run. And don’t forget to document your search strategy and keep details of the actual search conducted. Those details come in handy if the applicant is dissatisfied and requests a review by my office down the road.

Understanding “fees” with ease! (updated)

In my experience, an applicant is sometimes confused when they receive a fee estimate from a government institution pursuant to The Freedom of Information and Protection of Privacy Act (FOIP), or a local authority pursuant to The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP). For example, the applicant questions why they need to pay fees to get access to their own personal information in the possession or under the control of a government institution or local authority (public body), or why certain fees were charged. I think understanding how the legislation governs “fees” may assist with understanding why a public body may issue a fee estimate.

Fees are intended to provide for reasonable cost recovery for public bodies when providing records to applicants. A reasonable fee estimate is one that is proportionate to the work required by the public body to respond efficiently and effectively to the applicant’s request. Public bodies should issue reasonable, fair and consistent fee estimates.

Section 9 of FOIP and of LA FOIP governs fees, and subsection 9(2) of each states:

  • 9(2) where the amount of fees to be paid by an applicant for access to records is greater than a prescribed amount, the head shall give the applicant a reasonable estimate of the amount, and the applicant shall not be required to pay for an amount greater than the estimated amount.

This prescribed amount of $100 is found in subsection 7(1) of The Freedom of Information and Protection of Privacy Regulations (FOIP Regulations) and subsection 6(1) of The Local Authority Freedom of Information and Protection of Privacy Regulations (LA FOIP Regulations).

There are generally five kinds of fees that a public body can include in its fee estimate: application; search; machine and operator costs; preparation; and reproduction of records. Below are the relevant sections from FOIP and LA FOIP and the accompanying regulations that govern fees:

Application fees:

  • Subsection 5(1) of the LA FOIP Regulations provides, “an application fee of $20 is payable at the time an application for access to a record is made.” FOIP does not have an application fee.

Fees for search of responsive records:

  • Subsection 6(2) of the FOIP Regulations/subsection 5(3) of the LA FOIP Regulations provide guidance on what fees can be charged for search efforts. Both subsections provide that where time in excess of the prescribed amount (two hours for FOIP/one hour for LA FOIP) is required by experienced staff to search for the responsive records, a fee of $15 per half-hour may be charged. Our office advises that it could take an experienced staff member one minute to search 12 pages of records, five minutes to search one drawer and three minutes to search an email account.
  • Subsection 7(2) of the FOIP Regulations/subsection 6(2) of the LA FOIP Regulations provide that if the actual fees are less than the original estimate, the public body should refund the excess amount to the applicant.

Fees for machine and operator costs:

  • Subsection 6(3) of the FOIP Regulations/subsection 5(4) of the LA FOIP Regulations provide for the charging of additional fees when machine and operator costs need to be factored into the search for and retrieval of electronic data.

Fees for preparation of responsive records:

  • Subsection 6(2) of the FOIP Regulations/subsection 5(3) of the LA FOIP Regulations also provide the same guidance on fees for preparing records for disclosure. Our office advises that it could take an experienced staff member two minutes to sever one page of responsive records.

Fees for reproduction for responsive records:

  • Subsection 6(1) of the FOIP Regulations/subsection 5(2) of the LA FOIP Regulations provide guidance on the actual cost of reproduction of records: the photocopy/print-out cost is prescribed at $0.25 per page. It should be noted that a public body should charge no reproduction fee if the record is provided to an applicant via email. Subsection 6(b.1) of the FOIP Regulations/5(b.1) of the LA FOIP Regulations provide that the public body may charge the actual cost of a portable storage device, and where records exist in any form other than paper or electronic, these subsections provide that the public body may charge the actual cost of copying the records.

For further explanation as to how to calculate fees, see the following resources available on our website: IPC Guide to FOIP – Chapter 3 and IPC Guide to LA FOIP – Chapter 3.

Below are some best practices to reduce fee estimates for applicants and public bodies:

  1. Best practices for applicants:
    • When making an access to information request, list specific documents if possible and a specific time period in order to limit and focus the search efforts for the public body;
    • If possible, narrow the scope of your request, based on the nature of the information you seek from a public body. Broadly worded requests require more time to process. More time to process = larger fees; and
    • It is beneficial to work with the public body to reach a reasonable fee or resolution; however, if you remain dissatisfied with the fee estimate, you have a right to request a review from our office.
  2. Best practices for public bodies:
    • Pursuant to section 5.1 of FOIP and LA FOIP, public bodies have a “duty to assist”, which requires a public body to make every reasonable effort to identify and seek out records responsive to an applicant’s access to information request; to explain the steps in the process and to seek any necessary clarification on the nature or scope of the request within legislative timeframes;
    • If possible, only complete the preliminary search (representative sample), not the full search, prior to providing the fee estimate. This could save the amount of work a public body puts in before confirmation from the applicant that they wish to proceed;
    • Remember that pursuant to subsection 9(3) of FOIP/subsection 9(3) of LA FOIP, where a public body provides a fee estimate to an applicant, the applicant may be required to pay a deposit of an amount that does not exceed one-half of the estimated amount before a search is commenced. Therefore, it is advisable to issue a fee estimate within 3-10 days of receiving the access to information request; and
    • It is beneficial to work with the applicant to reach a reasonable fee or resolution, which could avoid involvement from our office.

Public bodies can find more resources on our website that provide guidance for charging fees/ issuing fee estimates, such as:

Applicants and public bodies may find the following reports issued by our office helpful on this topic:

  • IPC Review Report 042-2019 – recommended that the Ministry reimburse the applicant the fees they paid;
  • IPC Review Report 034-2019 – found that the fee estimate was not reasonable;
  • IPC Review Report 102-2019 – found that the applicant did not provide enough evidence to support their request for a fee waiver;
  • IPC Review Report 106-2022 – found that fees for creating a query to search for emails and a PowerShell script was reasonable;
  • IPC Review Report 258-2022 – found a fee for a computer operator to search for and retrieve information from its human resource information system (HRIS) was appropriate; and
  • IPC Review Report 062-2023 – found that the fee estimate was not reasonable and recommended that the City reimburse the applicant part of the fee it had charged.

I am hopeful this blog will help all with understanding why certain fees may be charged. For any questions, please contact our office at intake@oipc.sk.ca.

Providing a Record in the Format Requested by the Applicant

Applicants often request records in a format that is convenient for their use, i.e., paper, Word, Excel spreadsheet, comma-separated values (CSV) or PDF. I find that public bodies are comfortable providing records in paper format, but when it comes to electronic formats they lean toward PDF. It appears they believe that the data is more secure in PDF and thus the applicant cannot change or manipulate the data.

Although I am not a security expert, my information is that the belief that the PDF format is tamper-proof is not correct.

First, if a public body provides a record in paper format, an applicant can scan the record, white out parts, or edit the scanned version, re-print it and distribute it or post it on the internet.

If a public body provides the record in Word or Excel, the applicant can open the document, edit it and then distribute it or post it. Similarly, an applicant can do the same with a record in CSV format.

Finally, if the applicant has Adobe Acrobat Pro and receives a record in PDF, the applicant can do a number of things. He or she can edit it, save it as a Word document or export it into an Excel spreadsheet, and distribute it or post it to the internet.

So whatever format is used, a person intent on manipulation can change it and distribute the changed record. Public bodies need to accept there is a risk of people altering the records they provide and remember their duty to assist (section 5.1 of FOIP and LA FOIP). In other words, provide the record in the format requested.

Of course, if it is electronically impossible to produce it in the format requested, the public body should assist by providing the record in the next most practical format (subsections 10(2) to 10(4) of FOIP and LA FOIP).

The best advice to public bodies is to keep and store a copy of the record in the format in which it was provided to the applicant. If the applicant manipulates and publishes it, the public body can show that was not the record it provided and can prove it, because it holds both the original and a copy of what was sent.
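One way to make the retained copy provable, as an added example that is not code from the OIPC or from any public body: record a SHA-256 digest of each file at the moment of release and compare any copy that surfaces later against that record. Hashing the released copy is an assumption layered on the post's advice to keep a copy of what was sent; all file names and contents below are constructed.

```python
"""Record a SHA-256 digest of each file released to an applicant and check a
copy presented later against that record.

Added example for the post above; it is not code from the OIPC or from any
public body. Taking a digest of the released copy is an assumption layered on
the post's advice to keep a copy of what was sent, and every file name and
content below is constructed."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK_SIZE = 1 << 20  # read large scanned PDFs a megabyte at a time


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file's bytes."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(released_dir: Path, request_id: str) -> dict:
    """Digest every file in the folder that was sent, in whatever format was requested."""
    files = {}
    for path in sorted(released_dir.iterdir()):
        if path.is_file():
            files[path.name] = {"sha256": sha256_file(path), "bytes": path.stat().st_size}
    return {
        "request_id": request_id,
        "released_at": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }


def save_manifest(manifest: dict, path: Path) -> None:
    """Keep the manifest with the retained copy, in storage the applicant cannot
    reach (the public body's records system rather than an open shared drive)."""
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify_copy(manifest: dict, presented: Path, original_name: str) -> str:
    """'authentic' if the copy matches what was released, 'altered' if its digest
    differs, 'unknown' if no file of that name was released under this request."""
    entry = manifest["files"].get(original_name)
    if entry is None:
        return "unknown"
    return "authentic" if sha256_file(presented) == entry["sha256"] else "altered"


def demo() -> dict:
    """Constructed walk-through: release one file, then check an intact copy,
    an edited copy and a file that was never released."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sent = root / "sent_to_applicant"
        sent.mkdir()
        original = sent / "response-records.pdf"
        original.write_bytes(b"%PDF-1.4\n% constructed sample, not a real record\n")
        manifest = build_manifest(sent, "REQ-PLACEHOLDER")  # placeholder request id
        save_manifest(manifest, root / "release-manifest.json")

        intact = root / "copy_from_applicant.pdf"
        intact.write_bytes(original.read_bytes())
        edited = root / "copy_posted_online.pdf"
        edited.write_bytes(original.read_bytes().replace(b"sample", b"SAMPLE"))

        stored = json.loads((root / "release-manifest.json").read_text())
        return {
            "intact": verify_copy(stored, intact, "response-records.pdf"),
            "edited": verify_copy(stored, edited, "response-records.pdf"),
            "unknown": verify_copy(stored, intact, "never-released.pdf"),
        }


if __name__ == "__main__":
    print(demo())
```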

Duty to Assist – Ask, What Do You Need?

Since 2018, The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) have had a section on the duty to assist, which provides as follows:

5.1(1) Subject to this Act and the regulations, a government institution shall respond to a written request for access openly, accurately and completely.

(2) On the request of an applicant, the government institution shall:

(a) provide an explanation of any term, code or abbreviation used in the information; or

(b) if the government institution is unable to provide an explanation in accordance with clause (a), endeavour to refer the applicant to a government institution that is able to provide an explanation.

We treat this as an obligation for a public body (government institution or local authority) to assist the applicant as much as possible.

FOIP and LA FOIP also have a section on clarifying an access request which provides:

6(1) An applicant shall:

(a) make the application in the prescribed form to the government institution in which the record containing the information is kept; and

(b) specify the subject matter of the record requested with sufficient particularity as to time, place and event to enable an individual familiar with the subject-matter to identify the record.

(3) Where the head is unable to identify the record requested, the head shall advise the applicant, and shall invite the applicant to supply additional details that might lead to identification of the record.

Applicants sometimes draft their access requests extremely broadly. That can result in thousands of pages to be copied and sent. That is a lot of work for the staff member and potentially a large fee for the applicant.

My office discourages public bodies from asking why the applicant wants the information, but it can be reasonable to ask the applicant “what do you need?” An answer to that question increases understanding, possibly narrows the scope of the access request, and may result in the applicant getting the records sooner, reduce the fee or result in no fee at all.

I emphasize that the “what do you need” question might be asked in certain circumstances. The applicant may have already stated his or her purpose or made it clear exactly what they wanted. In those instances, there is no need to ask.

It is also important to frame your question in a certain way. You might say:

  • “I have a duty to assist you, and to better assist you, if you tell me what information you need, that will help me get you the records you want”,
  • “I read your access request and I need some clarification as to what information you are seeking”, or
  • “What is it that you require in terms of information?”

Now the applicant may refuse to answer your question and if so, then you must do your best to read the access request and provide those records requested.

I would suggest you never ask an applicant what they are going to do with the information. They are entitled to records under section 5 of FOIP or LA FOIP and what they do with that information is entirely up to them. They may want it because they want to know, they may want to write an MLA or a minister or they may want to contact the media or post the information on a website. If the applicant is from the media, you know they are working on a story. They are doing their job. Those are all legitimate actions, and a citizen is free to do whatever he or she wishes with the record.

On the other hand, if a staff member understands what the applicant needs, that staff member can read the access request, interpret it, and provide the applicant information or records that help meet the applicant’s needs. Again, I repeat, the applicant does not have to say why, and a refusal to say should always be respected.

A word of encouragement to applicants. Before you write out your access request, you should think about why you want the information and what you are going to do with it. An access request for less information might just let you get that information sooner and for a reduced or no fee. Broad access requests increase the chances that you will get a higher fee quote. You could also telephone the public body and say I am making an access request, and can you tell me the files or file folder I should ask to be searched. Now you might not trust the public body, so in that case don’t ask such questions.

Applicants, when you are asked by the staff member the question “what do you need”, and you determine the staff member is trying to be helpful, tell them what you really are trying to get copies of. It might just get you the information sooner at no cost. Remember, if you don’t get all that you want, you can always make a second access request.

So, to sum up, knowing “what you need” can help reduce the number of records to be produced, the work involved and sometimes the fees. It is worth it for public bodies and applicants to work together to reduce work, time to respond and fees.

The Law Society Issues “Guidelines for the Use of Generative AI in the Practice of Law”

The Law Society of Saskatchewan has issued guidelines for the use of generative AI in a lawyer’s practice. You can read that guideline here. The Law Society has also issued three brief videos on the guidelines (Bite Size CPD 124, 125 & 126). You can watch them here.

When you read the guideline, you will see how many of the statements could apply to any profession and in particular the health professions. It talks about the responsibilities of confidentiality, communications and the risks of discrimination and harassment. I would encourage every profession to consider developing a guideline specifically tailored to their profession and develop in person or online training that helps each member become familiar with the benefits and risks of generative AI.

In fact, I would encourage public bodies and health trustees to read the Law Society guideline and consider whether they should develop their own guideline and training.

I hear the experts say there are benefits and risks. All of us will want to take advantage of the benefits and all of us should recognize the risks and take steps to mitigate those risks.

When We Cannot Help You

My office gets calls from residents when they are expecting us to solve their problem. We receive approximately 1500 calls a year. Some of those citizens have called other agencies or public bodies. They may have called the Ombudsman or the Advocate for Children and Youth office, the Ministry of Social Services, Saskatchewan Human Rights Commission, MLA’s office or Ministry of Justice and Attorney General. I understand they may be frustrated and would just like a solution to their problem. I need to say we probably cannot help you unless the issue is access or privacy related, and the proper processes have been followed. We have a narrow mandate.

Here is what we can do. If you have asked a public body for records and they have refused to provide those records to you, we might be able to help. You need to know that those public bodies have the right to withhold certain information from you. Parts III and IV of The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) set out those exemptions. If we find the exemptions apply, we will not recommend those records be released to you.

If the public body wants to charge you a fee that appears to be unreasonable, we can review that fee.

If a public body fails to respond appropriately to your access request within 30 days, we can review their refusal.

If you feel your personal information or personal health information has been improperly collected, used or disclosed, you can ask my office to investigate the public body’s actions to determine whether there was a privacy breach.

These are some of the things we can do.

You might have staff in my office saying to you “we don’t have jurisdiction, or we don’t have grounds to proceed with a review or an investigation.” The Legislative Assembly has given my office certain powers, and it is only those powers that we can exercise. So, if we say, “we cannot help you”, that is another way of saying we do not have the legislative authority to help you.

We might suggest you contact another office but that is just trying to be helpful.

So, before you call, think about what you expect us to do for you. We might recommend you get some records, get a reduced fee or help to ensure a public body appropriately responds to a privacy breach involving your personal information, but we won’t be able to solve any other problem.

Recent Headlines Give me Concern

From time to time, media speculate on health issues pertaining to a high-profile person in the public eye. One of those headlines involved allegations of an attempted breach of personal health information, which you can find here.

The people of Saskatchewan should rest assured that we have laws that prohibit snooping into their personal information and personal health information. In our province, everyone is entitled to privacy, free from unauthorized intrusions or snooping into their confidential medical and other personal information.

Individuals who are in the public eye are equally entitled to these protections. People may have jobs or roles that invite or attract media attention, but with very few exceptions, they maintain the right to see restrictions on how personal information or personal health information about them is used and if it is disclosed – the very essence of privacy in a democratic society. We can debate how much of their life is private or public, but I hope we all agree that their personal health information, whether it is cancer, diabetes, or a heart condition, is deserving of the same protections that we all enjoy.

Some public officials choose to make public their health issues to put focus on a particular disease or condition. I admire them when they do that. Their goal may be to educate and support those with a similar condition. On the other hand, there are those who choose to keep their health issues to themselves, and we should respect their right to do so.

The Health Information Protection Act prohibits snooping into others’ personal health information. This applies to those that work in the health sector, including staff and physicians, and to others who may attempt to break into our health care databases. It is an offence and, if caught, there can and should be consequences.

We have had our own experiences with unauthorized access to personal health information. For example, I issued an Investigation Report in January 2024, where I found that a doctor working in Saskatchewan was snooping. You can read it here.

Whether motivated by curiosity, or the desire for profit, in spite of the law, some will be tempted to snoop. That’s why health care providers and others that work for trustees in Saskatchewan are required to take steps to protect personal health information. Guidance is available on my office’s website on the steps that can be taken to reduce the risk of snooping. In addition to requirements to raise awareness, trustees must train staff and audit and monitor the use of personal health information and utilize technological solutions that can help detect and deter snooping.

Recently, in Ontario, The Ottawa Hospital piloted some software with AI functionality to monitor health information systems to detect snooping. I think we should study this type of software in Saskatchewan to see if it is reliable and safe.

Let’s make every reasonable effort to ensure that those who are tempted to snoop are not successful and personal health information is protected. And please respect others’ rights to privacy at all times and recognize the sensitive nature of their health care issues. If you don’t, be aware that there are consequences.
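The audit-and-monitor step above, as an added example that is not code from the OIPC, from The Ottawa Hospital's pilot or from any eHealth Saskatchewan product: a small set of snooping indicators run over a constructed "who looked at this record" log. The log format, the reference tables, the 30-day care window and the four rules are all assumptions for illustration.

```python
"""Flag possible snooping in a health-record access audit log.

Added example for the post above; it is not code from the OIPC, from The Ottawa
Hospital's pilot or from any eHealth Saskatchewan product. The log format, the
reference tables and the four rules are assumptions for illustration, and every
record below is constructed."""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Assumption: a view is treated as justified when the user was on the patient's
# care team within 30 days of the view.
CARE_WINDOW = timedelta(days=30)

# Constructed reference data; a trustee would source these from its HR and
# admission/scheduling systems rather than hard-code them.
USERS = {
    "u100": {"surname": "Singh", "own_patient_id": "p100"},
    "u205": {"surname": "Moreau", "own_patient_id": "p205"},
    "u310": {"surname": "Okafor", "own_patient_id": "p310"},
}
PATIENTS = {
    "p001": {"surname": "Lee", "high_profile": False},
    "p002": {"surname": "Chen", "high_profile": False},
    "p003": {"surname": "Singh", "high_profile": False},
    "p310": {"surname": "Okafor", "high_profile": False},
    "p777": {"surname": "Brandt", "high_profile": True},
}
ENCOUNTERS = {  # (user, patient) -> dates the user was on that patient's care team
    ("u100", "p001"): [datetime(2024, 2, 28)],
    ("u100", "p002"): [datetime(2024, 3, 1)],
}

# Constructed audit log in the shape of a "who looked at this record" report.
AUDIT_LOG = """\
timestamp,user_id,patient_id,action
2024-03-01T09:02:11,u100,p001,view
2024-03-01T09:05:40,u100,p002,view
2024-03-01T12:31:05,u205,p777,view
2024-03-01T13:10:00,u310,p310,view
2024-03-01T13:11:00,u100,p003,view
"""


def has_care_relationship(user_id: str, patient_id: str, when: datetime) -> bool:
    """True if an encounter between user and patient falls inside CARE_WINDOW."""
    dates = ENCOUNTERS.get((user_id, patient_id), [])
    return any(abs(when - d) <= CARE_WINDOW for d in dates)


def rules_triggered(user_id: str, patient_id: str, when: datetime) -> list:
    """Evaluate each indicator independently; one view may trip several."""
    user, patient = USERS[user_id], PATIENTS[patient_id]
    hits = []
    related = has_care_relationship(user_id, patient_id, when)
    if not related:
        hits.append("no_care_relationship")
    if patient["high_profile"] and not related:
        hits.append("high_profile_patient")
    if patient_id == user["own_patient_id"]:
        hits.append("self_access")
    elif patient["surname"] == user["surname"]:
        hits.append("same_surname")  # crude family-member signal; expect false positives
    return hits


def detect(log_text: str = AUDIT_LOG) -> list:
    """Return one alert per audit event that trips at least one rule.
    Alerts are leads for a privacy officer to review, not findings on their own."""
    alerts = []
    for row in csv.DictReader(StringIO(log_text)):
        when = datetime.fromisoformat(row["timestamp"])
        hits = rules_triggered(row["user_id"], row["patient_id"], when)
        if hits:
            alerts.append({
                "timestamp": row["timestamp"],
                "user_id": row["user_id"],
                "patient_id": row["patient_id"],
                "rules": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect():
        print(alert["timestamp"], alert["user_id"], "->", alert["patient_id"],
              ", ".join(alert["rules"]))
```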

R. v. Bykovets – Privacy and the Internet

In a recent decision called R. v. Bykovets, 2024 SCC 6, the Supreme Court of Canada (SCC) ruled that the police must get a warrant before obtaining access to an individual’s Internet Protocol (IP) address from a third party. In a news release, the British Columbia Civil Liberties Association, an intervenor in the case, called the decision a huge victory for online privacy.

The case involves an individual who was charged with having made fraudulent online purchases from a liquor store. The company that managed the store’s online sales provided the police with the accused’s IP address voluntarily. The accused claimed that this action violated section 8 of the Charter.

The decision, in favour of the privacy rights of the accused, is significant for many reasons including that it recognizes the importance of individuals’ right to privacy in a free and democratic society. Justice Karakatsanis, who wrote the majority decision, stated:

Personal privacy is vital to individual dignity, autonomy, and personal growth. Its protection is a basic prerequisite to the flourishing of a free and healthy democracy.

It also recognizes that an IP address may reveal sensitive personal information about an individual. Further, it finds that the IP address is deserving of protections against unreasonable search or seizure under section 8 of the Canadian Charter of Rights and Freedoms (Charter).

This is not the first time that the SCC has found that the Charter guarantees Canadians a right of privacy. In previous rulings, it has recognized several kinds of privacy, namely physical or bodily privacy, territorial privacy, privacy of communications and informational privacy.

In R. v. Dyment, the SCC stated that informational privacy is based on the notion of dignity and integrity of the individual and is based on the idea that all information about a person is their own.

IP addresses may reveal sensitive personal information

Writing for the majority of the SCC, Justice Karakatsanis describes an IP address as a unique identification number that identifies the source of every online activity and connects that activity (through a modem) to a specific location.

She added that IP addresses may reveal deeply personal information such as the identity of the device’s user. When correlated with other online information associated with that IP address, it reveals “the first digital breadcrumb that can lead the state on the trail of an individual’s Internet activity.” She wrote that third party websites can track the IP address of each user and added that some websites, such as Google, also collect massive amounts of other information, such as information about users’ searches and location.

Privacy oversight authorities have long recognized the detailed nature of the information that can be discovered through access to an IP address. The federal Office of the Privacy Commissioner issued a paper in May of 2013 which describes the information that could be revealed from a phone number, email address, and an IP address. The paper concluded that knowledge of subscriber information such as phone numbers and IP addresses can provide a starting point to compile a picture of an individual’s online activities, including the individual’s personal interests and organizational affiliations.

While the question of whether an IP address would qualify as personal information under Saskatchewan’s access and privacy laws was not before the SCC in this case, its findings could be relevant to that analysis.

For examples of circumstances where our office has found that an individual’s IP address qualifies as personal information pursuant to subsections 24(1)(e) and (k) of The Freedom of Information and Protection of Privacy Act (FOIP) or subsection 23(1)(e) and (k) of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) see Review Report 147-2022 and Review Report 186-2019.

Application of section 8

Section 8 of the Charter is intended to protect individuals from unjustified state intrusions (such as searches or seizures) upon their privacy. The scope of the protections offered by section 8 is limited by the reasonableness of the individual’s expectation of privacy in a given set of circumstances. This means that when applying section 8 in the context of a law enforcement investigation, the courts weigh or balance reasonable expectations of privacy against legitimate police investigative techniques.

Regarding whether a reasonable expectation of privacy existed, Justice Karakatsanis wrote:

The “reasonable expectation of privacy” analysis revolves around the potential of a particular subject matter to reveal an individual’s biographical core to the state, not whether the IP addresses revealed information about the appellant on these facts. …In my view, the ever-increasing intrusion of the Internet into our private lives must be kept in mind in deciding this case. It is widely accepted that the Internet is ubiquitous and that vast numbers of Internet users leave behind them a trail of information that others gather up to different ends, information that may be pieced together to disclose deeply private details. And, as the expert evidence describes, an IP address is attached to all online activity; it is a fundamental building block to all Internet use. This social context of the digital world is necessary to a functional approach in defining the privacy interest afforded under the Charter to the information that could be revealed by an IP address.

In balancing the reasonable expectation of privacy against the need to combat online crime, the decision recognizes society’s legitimate interest in public safety and security, and the suppression of crime. It notes that the ways in which crimes are committed have evolved with technological developments and that police must have tools to investigate these crimes.

The majority concluded its analysis by stating that the burden imposed by recognizing a reasonable expectation of privacy in IP addresses is not onerous as it would only add another step in the investigation process – the need to obtain a warrant.

Many readers will know that the access and privacy laws overseen by our office, FOIP, LA FOIP and The Health Information Protection Act, protect informational or data privacy. They do this by setting rules for the collection, safeguarding, retention, use and disclosure of personal information or personal health information.

Section 8 of the Charter may not apply when most public bodies and trustees engage with individuals through online services or internet-based communications because the activity may not qualify as a search or seizure. However, in light of the SCC findings on IP addresses, they should be aware of the type of information that may be collected through online engagement with the public and what privacy protections need to be in place.

Individuals and organizations may be interested in the resources available regarding privacy, the internet and the Charter on the Office of the Privacy Commissioner of Canada’s (OPC) website. Organizations with law enforcement mandates may be interested in the OPC’s guide titled “A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century”.

More information about the Charter and how it protects privacy can also be found in our office’s Guide to FOIP and Guide to LA FOIP.

For any questions, contact intake@oipc.sk.ca


Cyber Security Threats – How can you Prepare and What to do After

Cyber security threats are a growing concern as technology and the volume of digital information continue to grow and evolve. These incidents are malicious attempts to steal or destroy data or to disrupt computer systems, and when they occur they can result in a breach of personal information or personal health information. Common threats include malware, phishing and ransomware.

What steps can an organization take to reduce the risk of a cyber security incident and any potential breaches that may come from it? The following are some things to consider:

  • Keep your software and systems updated regularly.
  • Use strong passwords and change them frequently to limit the risk.
  • Use security software and a firewall to protect your network and data.
  • Use multi-factor authentication for your accounts.
  • Back up your data regularly.
  • Train yourself and your staff on basic cyber security principles and how to spot suspicious activity.
  • If you use an outside information technology provider or information management services provider (IMSP), be sure to have agreements in place for regular monitoring of security threats and updating of any security software.
  • Develop and follow cyber security policies and procedures.
  • Have a cyber incident management plan in place so that managing the attack can begin immediately and staff will know their role.

A cyber security incident has occurred – now what?

Implement your cyber security incident management plan which may include things like the following:

  • Identify potential evidence, preserve it, and ensure nothing is lost or damaged.
  • Isolate your network from the Internet and activate your incident response plan.
  • Take note of who was present in your organization before, during, and after the incident.
  • Appoint a point of contact for law enforcement officers to speak to directly and gather information about the incident.
  • Document the report number provided to you by law enforcement.
  • Anticipate that law enforcement may need access to your equipment to analyze the technological components of the cyber incident. The police will work with you to collect evidence while minimizing the impacts to your business and recovery efforts.
  • Provide logs, employee statements, emails, and other similar items as potential evidence.
  • Produce a list of key contacts within your organization for law enforcement.
  • Communicate the incident to staff, business associates, clients, and partners.
  • Review your cyber security policies and ensure your staff receive training.
  • Consider purchasing anti-malware and anti-virus software for your network and devices.
  • Enhance your data security with protective measures (e.g., firewalls, virtual private networks, encryption).
  • Prepare your organization for the possibility of testifying in court.

Government of Canada. (November 2021). Have you been a victim of cybercrime? https://www.cyber.gc.ca/en/guidance/have-you-been-victim-cybercrime

Our office has issued some investigation reports involving this topic:

Investigation Report 009-2020, 053-2020, 224-2020

Investigation Report 398-2019, 399-2019, 417-2019, 005-2020, 019-2020, 021-2020

Investigation Report 370-2022

Investigation Report 089-2021

Some resources available for information on these types of incidents:

Ransomware

Ransomware – What Everyone Should Know

Security and Phishing Presentation

S2 – Episode 7: Unmasking digital threats: How to guard against cyber crime


Raising Awareness of the Facts about Fax

The ongoing use of traditional fax machines to send personal information and personal health information by government institutions and trustees continues to raise privacy concerns. My office and Canada’s other privacy commissioners and ombudspersons called for a concerted effort to phase out the use of traditional fax machines in a September 2022 resolution which can be found here. We understand that developing this plan will require broad consultations and additional resources. However, we continue to urge organizations to address this problem on an urgent basis. Public trust and confidence in organizations’ ability to protect Saskatchewan residents’ personal information and personal health information hangs in the balance.

In the meantime, we continue to receive complaints and reported breaches of misdirected faxes that are caused in part by human error. Staff may enter a number in the fax machine incorrectly, fail to comply with policies that require the use of pre-programmed fax numbers or rely on fax numbers found through unverified sources, such as Google. These errors are often caused by inattention, or lack of awareness or training on applicable policies. The office issued an investigation report in November 2022 involving two Saskatchewan Health Authority employees who entered an incorrect fax number in the fax machine. They sent one of the faxes to a Town instead of a public health office. They sent the other fax to the Parole Board of Canada’s office instead of a physician.

Trustees should be aware that the shift from traditional fax machines to digital fax solutions is not sufficient, by itself, to reduce privacy risks. This was shown in Investigation Report 164-2023, et al, which involved 12 different trustees and numerous misdirected faxes. In most cases, the trustees used digital faxing systems. The breaches occurred when staff sent faxes intended for one physician to a different physician with the same last name. In some cases, the faxes were misdirected because the employee involved did not receive clear direction on the recipient. In other cases, the fax was misdirected because of errors in the physician directory or because the employee chose the wrong physician from a drop-down list in the directory.
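The two failure modes described above, a recipient chosen on surname alone when several physicians share that surname and a number dialled that did not come from the verified directory, can both be caught before a page is sent. The following is an added illustration written for this page, not the OIPC's guidance and not any fax vendor's product. The directory entries, names and fax numbers are constructed, and the function names (`resolve_recipient`, `check_destination`) are hypothetical.

```python
"""Added example: recipient resolution checks for a fax send workflow.

Constructed sample directory and hypothetical function names; this is not
OIPC guidance or any vendor's code. It demonstrates two safeguards:
(1) refuse to pick a recipient when the directory holds more than one person
with the requested surname, and (2) only allow a number that is in the
verified, pre-programmed directory AND belongs to the intended recipient.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Recipient:
    surname: str
    given_name: str
    practice: str   # clinic or office, used to disambiguate same-surname entries
    fax: str        # digits only, exactly as stored in the verified directory


# Constructed sample directory (fictional names and numbers).
DIRECTORY = [
    Recipient("Smith", "Anna", "Riverside Clinic", "3065550101"),
    Recipient("Smith", "Brian", "Northgate Medical", "3065550102"),
    Recipient("Lee", "Carol", "Westside Family Practice", "3065550103"),
]


def normalize_fax(number: str) -> str:
    """Strip formatting so '(306) 555-0101' and '306.555.0101' compare equal."""
    digits = re.sub(r"\D", "", number)
    # Drop a leading long-distance '1' on 11-digit North American numbers.
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def resolve_recipient(surname, given_name=None, practice=None, directory=DIRECTORY):
    """Return ("ok", recipient), ("ambiguous", candidates) or ("not_found", []).

    A surname that matches several directory entries is never resolved
    automatically; the caller must supply a given name and/or practice.
    """
    candidates = [r for r in directory if r.surname.casefold() == surname.casefold()]
    if given_name is not None:
        candidates = [r for r in candidates if r.given_name.casefold() == given_name.casefold()]
    if practice is not None:
        candidates = [r for r in candidates if r.practice.casefold() == practice.casefold()]
    if not candidates:
        return ("not_found", [])
    if len(candidates) > 1:
        # Same-surname collision: refuse to choose rather than guess.
        return ("ambiguous", candidates)
    return ("ok", candidates[0])


def check_destination(entered_number, intended, directory=DIRECTORY):
    """Verify a number about to be dialled against the verified directory.

    Returns (allowed, reason). The number is allowed only if it is in the
    directory and is the intended recipient's number, so a mistyped digit or
    a number copied from an unverified source (a web search, a sticky note)
    is blocked before anything is transmitted.
    """
    digits = normalize_fax(entered_number)
    if not re.fullmatch(r"\d{10}", digits):
        return (False, "not a 10-digit fax number")
    owner = next((r for r in directory if r.fax == digits), None)
    if owner is None:
        return (False, "number is not in the verified directory")
    if owner != intended:
        return (False, f"number belongs to {owner.given_name} {owner.surname}, not the intended recipient")
    return (True, "ok")


if __name__ == "__main__":
    status, found = resolve_recipient("Smith")
    print(status, [f"{r.given_name} {r.surname} ({r.practice})" for r in found])
    status, brian = resolve_recipient("Smith", practice="Northgate Medical")
    print(status, brian)
    print(check_destination("(306) 555-0101", brian))   # Anna's number, blocked
    print(check_destination("306-555-0102", brian))     # Brian's number, allowed
```

The point of keeping the check at send time, rather than only in the directory maintenance process, is that it catches the drop-down mis-click and the free-typed number alike: whatever path the number took to reach the dialler, it is compared against the entry the sender said they intended.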

In September 2020, my office issued guidance on the safeguards to prevent misdirected faxes titled, Faxing PI and PHI. While plans are being developed to discontinue the use of traditional fax machines, every effort must be made to ensure that appropriate safeguards are in place to prevent faxes from going astray. We encourage all organizations to revisit this guidance.

To help ensure that staff are aware of their need to comply with existing policy and to exercise caution when faxing, we have developed a poster that you can download and place in key areas.

Remember that a policy is not enough! Creating a privacy sensitive culture requires that organizations raise levels of awareness of privacy risks and provide appropriate training.

For any questions, contact intake@oipc.sk.ca
