Nunavut’s privacy commissioner investigates government’s mail practices

Alberta promises increased privacy protections

British Columbians facing longer wait times to access records from BC Government

Ontario IPC blog on AI and the public sector

England’s ICO issues Tech Horizons Report

Guidelines for use of AI by lawyers

Federal Privacy Commissioner issues report on RCMP collection of data from third parties

Ontario IPC issues guidance on police use of facial recognition and mug shots

European Parliament passes landmark AI Act on March 13

Princess Kate-attempted breach of her personal information

Interview of the Commissioner by Kristél Kriel

Interview of the Commissioner by Kristél Kriel

I was pleased to sit down with Kristél Kriel and discuss breaches of privacy in the corporate world. We talked about when breaches occur and the consequences, having a culture of training and being prepared to constantly improve an organization’s security. Please take a moment to listen to our conversation here.

How Does our Office Keep you Anonymous?

The Commissioner publicly posts review and investigation reports regarding a variety of matters involving applicants and complainants. As much as possible, our office tries to conceal their identities. Our office also recognizes that there are times when it is warranted to conceal the identity of someone other than an applicant or a complainant.

De-identification is the process of editing or removing personal information from a record. De-identification reduces the likelihood that a person will be identified or made known. Information is de-identified if: 1) a person’s identity is not revealed; or 2) if it is not reasonably foreseeable that information, either alone or in combination with other information, could reveal a person’s identity.

Personal information is either directly identifying (e.g., name, home address or telephone number) or indirectly identifying (e.g., use of descriptors such as gender, race, postal code, or profession). While direct identifiers openly disclose or make it easier to conclude an identity, indirect identifiers, given their nature and circumstances, can also lead to openly identifying someone. For example, disclosing that a matter involves a male doctor in a town of 1,000 people can more openly reveal his identity than if he was a male doctor in a city of 200,000 people – it’s in the details.

Obviously, the process of de-identifying information involves removing names, but it may also mean removing or editing information that allows readers to draw linkages to an identity. The following are some ways in which our office attempts to reduce such linkages in reports:

  1. We mostly use the third-person plural “they”, which traditionally refers to groups of two or more people. Grammar purists may not agree with using the plural form “they” when discussing a singular person, but the use of “they” can be used when who you are referring to isn’t important or isn’t the focus. Using the term “they” in our reports then allows us to pull focus away from who is being discussed, thereby reducing the likelihood that a person can be identified.
  2. We try to edit names of communities, organizations, etc., if such information can be combined with other information to lead to a person’s identity. This is sometimes the case in situations involving well-known events or events of a sensitive nature that occur in a certain place. Or, in the case of the male doctor above, where saying he is from Grenfell can more directly identify him than if he practiced in Saskatoon.
  3. We sometimes remove sensitive information or details if a matter is well known or highly publicized, or if that information has the potential to cause embarrassment for someone or to re-traumatize them. For example, rather than state the type of offence committed against someone, we may just state that there was an offence committed.

These are just a few ways in which we may bring anonymity to our reports, particularly for applicants and complainants. You will see in our reports, though, that at times we leave in identifying information such as names of public employees or civil servants. Such information is not typically considered personal information or personally identifying if it’s used in a professional or business context. We may remove such information, however, if leaving it in could lead to the identity of an applicant or complainant, or if we determine it is not relevant to the matter.

Determining which information to exclude from a report can be very subjective. The process requires us to balance all the factors and circumstances of a matter while ensuring that we do not mispresent any facts. It’s part of our office’s responsibility to protect a person’s identity when warranted while at the same time being factual and unbiased. The last thing our office wants to do, though, is inadvertently disclose an identity that should remain anonymous, and so we err on the side of caution.

 

 

Ransomware

Our office created the resource, “Ransomware – What Everyone Should Know”, to help individuals and public bodies think about why ransomware attacks happen, what they are, and what can be done to address or prevent them.

Ransomware attacks are not new. The first known instance of ransomware occurred in 1989 when Joseph L. Popp, a Harvard educated biologist, mailed floppy disks to 20,000 individuals containing a program that would encrypt their computers. Victims were asked to mail a $189 payment to a postal box in Panama to receive a second floppy disk containing the encryption key. Since he was a well-known researcher, no one suspected he had sent the floppy disk in bad faith. At the time, no one had heard of ransomware, either. Since then, ransomware has become much more widespread… and much more sophisticated. It has become a multibillion-dollar industry that affects thousands of people around the world.

Statistics Canada reported that in 2021, approximately 20% of Canadian businesses were impacted by cyber security incidents or cybercrimes. Businesses of all sizes were affected, including small ones with less than 50 employees. The most common type of incident involved demands for ransomware payments, followed by threats to steal personal or financial data. Most incidents did not appear to include a motive.

In 2022, the Canadian Anti-Fraud Centre received approximately 71,000 reports, with about half being reports from victims of mass marketing fraud. The top three reported types of fraud included phishing, extortion and personal information scams.

Ransomware evolves quickly. It is important to be aware of the threats and havoc it can create. It can cause temporary – or even permanent loss – of sensitive information, cause financial loss, make files on your computer unusable and disrupt your regular operations. It can also take weeks or more to recover data and get systems back to normal. Ransomware can be stopped, though, by learning what everyone should know.

Saskatchewan Business and Privacy (updated)

The Office of the Privacy Commissioner of Canada (OPC) has issued a guidance document entitled Privacy Guide for Businesses. You may ask, “Does it apply to businesses or organizations in Saskatchewan?” The answer is yes, it does. The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal statute that applies to businesses in Saskatchewan. If you are in business in Saskatchewan, I recommend you read the Privacy Guide for Businesses.

First let me summarize the main issues from the guide:

  • PIPEDA sets out the ground rules for businesses in Saskatchewan.
  • The OPC oversees compliance with PIPEDA by conducting independent and impartial investigations and audits.
  • Businesses covered by PIPEDA must generally obtain an individual’s consent when they collect, use or disclose that individual’s personal information.
  • People have the right to access their personal information held by a business. They also have the right to challenge its accuracy.
  • Personal information can only be used for the purposes for which it was collected.
  • Generally, personal information must be protected by appropriate safeguards.
  • PIPEDA applies to private-sector businesses across Canada and Saskatchewan that collect, use or disclose personal information in the course of a commercial activity.
  • The law defines a commercial activity as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
  • All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA.
  • Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual.
  • PIPEDA includes mandatory breach reporting requirements. Businesses must report to the OPC any breaches of security safeguards that pose a real risk of significant harm.
  • Businesses must follow the 10 fair information principles to protect personal information, which are set out in Schedule 1 of PIPEDA. The principles are:
    • Accountability
    • Identifying purposes
    • Consent
    • Limiting collection
    • Limiting use, disclosure and retention
    • Accuracy
    • Safeguards
    • Openness
    • Individual access
    • Challenging compliance

For more information on PIPEDA and Businesses, see the Privacy Guide for Businesses.

When the federal government makes changes (amendments), those changes will affect Saskatchewan businesses, whether Saskatchewan businesses like those changes or not. Alberta, British Columbia and Quebec have passed legislation provincially, which applies to businesses in their province and replaces the operation of PIPEDA to a certain extent.

I pose the question whether Saskatchewan should, like Alberta and British Columbia, develop its own legislation to ensure privacy protections are extended to all employees in Saskatchewan regardless of the type of employer they work.

Currently the parliament of Canada is considering Bill C-27 which would make changes to PIPEDA and would create an Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts. The federal privacy commissioner has made 15 recommendations for changes to Bill C-27.

The government of Saskatchewan has embarked upon a consultation on The Saskatchewan Employment Act (SEA). My office has proposed amendments that would give employees of businesses and organizations in Saskatchewan greater access rights and privacy protection for personal information in the hands of their employer.

Can You Bring an Action or Class Action for the Tort of Violation of Privacy in Saskatchewan? (updated)

I was asked whether a person could sue or be part of a class action in Saskatchewan for a breach of privacy. The Privacy Act provides in section 2, that it is a tort, actionable without proof of damage, for a person willfully and without claim of right, to violate the privacy of another. In section 7, the Court can award damages, grant an injunction or any other remedy. In section 8, the right to sue is in addition to any other rights the plaintiff has.

In 2018, the Legislative Assembly amended The Privacy Act to allow an action to be brought for the tort of distributing an intimate image of another person without that other person’s consent. In addition, the amendment allowed a person to sue in small claims court or King’s Bench.

Actions for violation of privacy has occurred in Saskatchewan.In Bierman v Haidash, 2021 SKQB 44, the Court of K’s Bench for Saskatchewan ordered damages of $7,500 and costs of $3,000 against the defendant.

The court also recognizes that Dr. Haidash has already been subject to the scrutiny and disapproval of the College of Physicians and Surgeons and the Privacy Commissioner.

Could persons sue in a class action?  

The Class Actions Act sets out the rules and procedures for commencing a class action. Such an action has to be certified by the Court of King’s Bench. If certified, a class action or multi-jurisdictional class action for a tort of breach of privacy could proceed in this province.

FOIP, LA FOIP and HIPA

The Freedom of Information and Protection of Privacy Act (FOIP) gives citizens certain rights to access information held by government institutions. The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) does the same for information held by local authorities (e.g. cities, towns, villages and other municipalities’ school and library boards, the U of S and U of R, the Saskatchewan Health Authority and police services.) The Health Information Protection Act (HIPA) applies to trustees and gives the right to individuals to access their personal health information. The rights and actions under these Acts do not affect the right to bring an action under The Privacy Act.

The Information and Privacy Commissioner (IPC) process is completely separate and apart from lawsuits for a breach of privacy. The IPC may undertake a breach of privacy investigation under FOIP, LA FOIP or HIPA. There is no potential for monetary advantage through the IPC process.

I note the case of S.B. V D.H. where an award of damages was given in the amount of $160,000 for non-consensual distribution of intimate images (section 7.3).

In Peters-Brown vs Regina District Health Board the court awarded $5000 for negligence and breach of contract.

In Jess v. Saskatchewan District Health Board the court did not award damages.

Research: post pandemic (updated)

As I listen to the news, my head keeps telling me there will be many opportunities and much interest in researching many and varied aspects of this world pandemic. I expect there will also be interest on the part of Saskatchewan researchers.

The law is VERY CLEAR that researchers can ask public bodies for de-identified information. Each public body has to decide how much information it will provide; that is a policy decision. Those public bodies under privacy legislation are allowed to provide de-identified information.

What is de-identified information? It is the information without your or my name, address, or any unique identifier such as the individual’s Social Insurance Number (SIN) or Health Services Number (HSN). For example, subsection 3(2)(a) of The Health Information Protection Act (HIPA) states that it does not apply to statistical information or de-identified personal health information that cannot reasonably be expected, either by itself or when combined with other information available to the person who receives it, to enable the subject individuals to be identified. A public body can provide all the information that does not identify you or me.

If the health trustee or the researcher has the consent of the individuals to use their personal health information, then that is the best way to go. In many cases, that won’t be possible. Either the health trustee did not obtain consent to research or there are thousands and thousands of records and getting consent would not be possible.

If research is being done in such a way that it requires information from two sources and the name, SIN or HSN are sought to connect the information of an individual; that presents a challenge. The Data Matching Agreements Act is not yet proclaimed. Nonetheless, The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and HIPA have always authorized use and disclosure of personal information or personal health information for legitimate research purposes in the public interest. The best-case scenario, and for research at the population level, de-identified data should be used and should suffice for those purposes.

However, those same laws provide for the use of identifiable data when appropriate, but I must emphasize the need for written agreements to ensure that data is protected. This rigour is necessary to ensure data is used from one or multiple sources that what is provided is used as intended and protected throughout the process.

I note section 29 of HIPA, requires all research projects where personal health information is used or disclosed by a trustee, must be approved by a research ethics committee that has been approved by the Saskatchewan Minister of Health. If a research ethics committee is small and nimble it should never be a barrier to good research.

I have heard that some say “privacy” is a barrier to research. I do not believe or accept that point of view. That is why I wrote this blog to show that good research can continue and the barriers to obtaining the data should be minimal. If public bodies are citing “privacy” as the problem, they are giving the wrong reason and it just might be they don’t want to provide the information or to cooperate. Privacy is not the barrier.

A Good Access Request (updated)

You want some information from a government ministry, board, agency, Crown corporation, or from a city, town, village, rural municipality, university, school, library or health trustee. First, try the informal method, which is finding out who makes decisions regarding releasing information, maybe the director or a supervisor, and request by telephone or email the information you would like. If that is not successful, your next step is to go formal and prepare an Access to Information Request. A sample of the form can be found here.

I see many access requests that ask for everything. Asking for everything can result in hundreds or thousands of records. It will take longer to find all the records and as staff consider the number of records being requested, their inclination will be to charge a fee. If a public body has to retrieve 25 records it can happen fairly quickly. If you are asking for 4,000 records, you know that will take longer to find and reproduce them all.

So, my first piece of advice is that you think carefully about what exactly you want. Define your purpose and then say I need certain records to fulfill that purpose.

You can limit your request to a certain date range, e.g., for the month of May 2020 or for the year 2019. The narrower the date range, the less extensive the search and the time to retrieve and reproduce those documents.

If you can, specify the types of records you want, e.g., you want emails rather than all documents, or engineering reports rather than all reports.

You can also specify you want the records connected to certain employees, e.g., emails between Joe and Sally rather than emails sent and received by all employees.

In other words, by making your access request more specific, you increase the chances of staff knowing where to look and reducing the time to search, review and reproduce.

You can of course go as broad as you wish, but do not be surprised if you have to wait longer and you receive a high fee estimate.

And remember not to frame your access to information request in the form of a question. The right of access is to copies of source documents that already exist at the time the request is made. There is no obligation under access and privacy legislation for a public body to create records to respond to your question.

It should be noted that where an organization is unable to identify the record you are requesting, the organization can ask you to provide more details to identify the record (see section 6 of The Freedom of Information and Protection of Privacy Act (FOIP).  Thus, it becomes important to be as clear as you can in describing the record or records that you want.

I hope this might help you when seeking information or records and I hope public bodies appreciate your efforts to be specific and narrow your request. I hope those public bodies do their part and give you greater service.

Canadian privacy regulators pass resolutions on the privacy of young people and workplace privacy

QUÉBEC, QC, October 6, 2023 – Privacy authorities from across the country are calling on their respective governments to improve privacy legislation to protect young people and employees – groups that are significantly vulnerable, each in their own way to the growing influence of digital technologies.

Federal, provincial, and territorial information and privacy authorities met this week in Québec City for their annual meeting to discuss pressing concerns related to privacy and access to information. These discussions resulted in joint resolutions calling on governments to do more to protect the privacy rights of young people and workers.

For young people, the resolution focuses on the responsibility of organizations across all sectors to actively safeguard young people’s data through responsible measures, including minimized tracking, regulated data sharing, and stringent control over commercial advertising. It also calls on organizations to safeguard their rights to access, correction, and appeal regarding personal data.

The employee privacy resolution addresses the recent proliferation of employee monitoring software and how it has revealed that laws protecting workplace privacy are either out-of-date or absent altogether. In our increasingly digital work environments, there need to be robust and relevant privacy protections in place to safeguard workers from overly intrusive monitoring by employers.

Privacy of young people

Youth have a right to privacy and all sectors, including governments and businesses must put young people’s interests first by setting clear limits on when and how their personal information may be used or shared, the privacy authorities say. They called on their respective governments to review, amend or adopt legislation as necessary to ensure that it includes strong safeguards, transparency requirements and access to remedies for young people. They also called on government institutions to ensure that their practices prioritize a secure, ethical, and transparent digital environment for youth.

The resolution notes that while the digital environment presents many opportunities for young people, it has also brought well-documented harms, including the impact of social media on physical and mental health. Regulators say that special protections are essential for younger generations, because their information can live online for a long time, and may become a life-long reputational burden.

The resolution also calls on organizations to adopt practices that promote the best interests of young people, ensuring not only the safeguarding of young people’s data, but also empowering them with the knowledge and agency to navigate digital platforms and manage their data safely, and with autonomy. Initial steps include identifying and minimizing privacy risks at the design stage. Other recommendations include making the strongest privacy settings the default; turning off location tracking; and rejecting deceptive practices and incentives that influence young people to make poor privacy decisions or to engage in harmful behaviours.

Privacy in the workplace

With the shift towards increased remote work arrangements and use of monitoring technologies in this digital world, the privacy authorities called on governments to develop or strengthen laws to protect employee privacy. They also urged employers to be more transparent and accountable in their workplace monitoring policies and practices.

Employee monitoring has undergone substantial expansion in its use, technological capabilities and application in recent years. Many employers have accelerated the use of monitoring technologies as they seek new ways of tracking employee’s performance and activities on-premises or remotely, whether during work or off hours.

Although some level of information collection is reasonable and may even be necessary to manage the employer-employee relationship, the adoption of digital surveillance technologies can have disproportionate impacts on employees’ privacy and can significantly impact an employee’s career and overall well-being, including heightened stress levels and other adverse mental health effects, not to mention reduced autonomy and creativity.

The resolution calls for a collective effort from governments and employers to address statutory gaps, respect and protect employee rights to privacy and transparency, and ensure the fair and appropriate use of electronic monitoring tools and AI technologies in the modern workplace.

Related content:

Resolution: Putting best interests of young people at the forefront of privacy and access to personal information

Resolution: Protecting Employee Privacy in the Modern Workplace

For more information:

Julie Ursu, Manager of Communication
Telephone: 306-798-2260
Email: jursu@oipc.sk.ca

Canadian privacy regulators pass resolutions on the privacy of young people and workplace privacy

Federal, Provincial, and Territorial Information Regulators Unite in Resolution to Enhance Access to Government Information

FOR IMMEDIATE RELEASE

Federal, Provincial, and Territorial Information Regulators Unite in Resolution to Enhance Access to Government Information

(Quebec City, October 4, 2023) — Federal, provincial and territorial Information Commissioners and Ombudspersons, signed a joint resolution today aimed at reinforcing the public’s right to access government-held information.

Freedom of information regimes across Canada have faced persistent challenges in delivering timely responses to access to information requests, underscoring the need to implement alternative and efficient mechanisms for providing access to records, including through proactive disclosure.

It has never been more important for Canadians to have access to official government records, including historical records, if we are to maintain confidence in our democratic institutions. In our modern digital world, disinformation and misinformation spread very quickly. As recent news stories illustrate, timely access to accurate facts and reliable information is more critical than ever.

Recognizing the urgent need for change, the regulators are again calling upon their respective governments to modernize legislation, policies and information management practices to advance transparency and ensure the preservation and dissemination of Canada’s documentary heritage, so that all Canadians can better understand the nation’s past and present, and together chart a future path towards reconciliation.

Building on a joint resolution issued in 2019, the signing of this resolution by federal, provincial, and territorial Information Commissioners and Ombudspersons signals a renewed sense of urgency in a drastically changed context.

This resolution is a clarion call for federal, provincial and territorial governments to act swiftly and decisively in modernizing their respective laws, policies, and information management practices, to strengthen access to information regimes and support a culture of transparency across Canada.

Read the resolution.

-30-

 

For more information:
Commission d’accès à l’information du Québec
media@cai.gouv.qc.ca

Office of the Information Commissioner of Canada
communications@oic-ci.gc.ca

 

FPT Joint Access Resolution

Real Risk of Significant Harm (updated)

Amendments to The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act in 2018, require that once it is confirmed that a privacy breach occurred, the public body must consider if, as a result of the incident, there is a real risk of significant harm that may come to the affected individual. If so, then breach notification to the affected individual(s) is mandatory.

The wording of the provision in FOIP is as follows:

29.1 A government institution shall take all reasonable steps to notify an individual of an unauthorized use or disclosure of that individual’s personal information by the government institution if it is reasonable in the circumstances to believe that the incident creates a real risk of significant harm to the individual.

LA FOIP’s language is almost identical so it is not reproduced here.

What is a real risk of significant harm? It may, among other things, include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

The second consideration is whether or not there is a ‘real risk’ that the significant harm will occur.  Probability of harm and sensitivity of the personal information must be considered in making this determination.  When assessing whether there is a “real risk of significant harm,” the public body can consider the following factors:

  • Who obtained or could have obtained access to the information?
  • Is there a security measure in place to prevent unauthorized access, such as encryption?
  • Is the information highly sensitive?
  • How long was the information exposed?
  • Is there evidence of malicious intent or purpose associated with the breach, such as theft, hacking, or malware?
  • Could the information be used for criminal purposes, such as for identity theft or fraud?
  • Was the information recovered?
  • How many individuals are affected by the breach?
  • Are there vulnerable individuals involved, such as youth or seniors?

So, does this mean that public bodies only need to provide breach notification in these cases? Not at all.  A public body needs to make that call in the course of investigating any privacy breach.  And, in terms of whether or not to report to the IPC, this is always encouraged.  Generally, if proactively reported, this office will monitor the response to the incident by the public body and if issues are sufficiently addressed may resolve the matter informally.

In terms of providing notification to affected individuals, I draw your attention to a resource from this office titled Privacy Breach Guidelines for Government Institutions and Local Authorities, available on our website, www.oipc.sk.ca.

If you have any questions, feel free to contact our office.