Updated: Chapter 5 of the Guide to FOIP is now available! Click on Guides, IPC Guide to FOIP for more information.

Cybersecurity Awareness

Cybersecurity Awareness

October was Cybersecurity awareness month in Canada. Cybersecurity is everyone within an organization’s responsibility, and a solid regime requires proper policies, procedures, technical safeguards, and training. Ask any cybersecurity expert, and they will tell you the single biggest risk to an organization’s systems and information is the people who already have access to it.

A few weeks ago, we presented to our staff on what they can do as individuals to keep our systems safe and avoid being phished or falling victim to ransomware. After delivering the presentation, we decided to modify it and generalize it for public consumption. Please keep in mind that the intent of the presentation is to provide some best practices for actions which are in the control of the individual user.

A link to the recording can be found here.

To stay up to date on the latest news in access and privacy, please follow us on twitter @SaskIPC.

File Path Frustrations

Good records management assists in compliance with access and privacy obligations. It requires properly identifying and classifying records. For electronic records, files need a meaningful name and categorization. This all seems simple, but what if your system is working against this goal, and you cannot properly name your files?

We encountered this issue after switching to M365. We follow the Administrative Records Management System (ARMS) and the Operational Records System (ORS). Documents are managed using folders and subfolders in Windows file explorer unless they pertain to a case file, as those are stored in a separate system. Windows file explorer has a 255-character limit for file paths. I had never encountered the 255-character limit before. I was frustrated.

How can I manage our records if I cannot name them as I see fit? In some instances, the file path was too long and we could not open files. File explorer cut off file extensions, and neither I nor the system could tell what program opened the document. We tried to name something in a meaningful way and ran out of characters. We made our file names as short as possible as a band-aid solution, but this also made them harder to identify.

After several months of this struggle, we found a solution which reduces the risk of hitting the 255-character limit and I would like to share it. Hopefully a public body, local authority, or trustee will be saved from the 9-month headache I had.

Before we get going here is a typical file path you might see when following ARMS in Windows file explorer.

C:\Users\<username>\<organization/entity name> \<site name> – General\<Folder Name>\<Sub-Folder>\

This uses up about 97 characters, which will vary user to user.

So, what do you do? The answer is, the shorter the better at every step.

What your IT people can control:

  1. Make the username as short as possible – Existing users converting to M365 may end up with unwanted characters in their username. I was unable to find a way to get rid of these. On new installations the name can be exactly what you want it to be but ask your IT people to keep it short.
  2. Organization/Entity Name – If your organization has a shorthand name or acronym, ask your IT people to use that instead of the full name. OIPC vs “Office of the Saskatchewan Information and Privacy Commissioner” saves a bunch of characters.
  3. Site Naming – Do you need “Administration” or is “Admin” fine or HR instead of “Human Resources”?
  4. Folder syncing – You can configure M365 syncing to Windows file explorer to be for manual or automatic. I learned that automatic syncing uses up precious characters. For instance, my file path when automatically syncing was C:\Users\<username>\<organization/entity name> \<site name> -Documents\General\<Folder Name>\

when I figured out the manual syncing quirk it became:

C:\Users\<username>\<organization/entity name> \<site name> – General\<Folder Name> which saves a handful of precious characters.

What you can (probably) control:

  1. Subfolders and Beyond Naming – Give your folders and subfolders the shortest usable name possible.
  2. Document Naming – If you followed steps one through 5, you will hopefully have more than enough characters to name your files.

Is it too late for me?

If this issue has been plaguing you and your system has already been configured, there is still hope. Steps 5 and 6 can be done at any time. Steps 1 through 4 may need to be done by your IT Department. You will likely need to re-sync your computer, which requires temporarily logging out of M365 and unlinking your OneDrive account from your computer.

Bonus tip 

Even after you have made your file path as short as possible, you might still forget where things should go. Windows file explorer, backed by M365, can quickly find file names and even document contents for things like .doc and .pdf files. As long as you know something about the document, whether it is the name, or some of the content, you should be able to easily search for and locate it. This may come in handy if you are a new FOIP coordinator responding to an access to information request but are not yet fully acquainted with the filing system.

As electronic records management becomes the norm, I hope this blog assists you in managing your records and meeting your access and privacy obligations by making it easier to search for, locate and access records.

Privacy and Transparency in the Digital Identity Ecosystem in Canada

The federal, provincial and territorial Information and Privacy Commissioners across Canada recognize the many potential benefits of a privacy-respecting and secure digital identity for use by Canadians. The development of which is part of a broader global trend intended to enable individuals, businesses and devices to securely and efficiently connect with one another.

To be trusted, digital identities must meet high standards of privacy, security, transparency and accountability; and must not come at the cost of fine-grained tracking and surveillance, increased risk of discrimination, heightened incidence of identity theft, fraud and other harms, or diminished roles for individual users.

In our office’s 2021-2022 Annual Report, Saskatchewan Information and Privacy Commissioner, Ron Kruzeniski, K.C., states

“I would hope the Government of Saskatchewan continues to consult, educate and explain the benefits of a digital ID for citizens of our province. My hope is that Saskatchewan develops a digital ID that meets our province’s needs, maximizes the benefits and minimizes the risks.”

In order to address these potential risks, the federal, provincial and territorial Information and Privacy Commissioners are committed to working with one another, their respective governments and other relevant stakeholders to ensure the responsible design and implementation of a digital identity ecosystem in Canada.

In doing so, they commit to the following:

  • Continually monitor the development of digital identity initiatives.
  • Collaborate between our respective offices to strengthen our collective capacity and knowledge in this area.
  • Stand ready to engage with our respective governments to provide our views and advice on evolving digital ID programs and initiatives in a timely, constructive manner that is conducive to enhancing privacy protections and public trust in the adoption of digital identities.

Finally, the design and operation of privacy-respecting digital identities and a trustworthy digital identity ecosystem should meet various conditions and properties and should be integrated with a legislative framework applicable to the creation and management of digital identities. For more on the list of conditions, including ecosystem properties, role of individuals, governance and oversight, a link to the full resolution can be found here.

 

Media contact:

Julie Ursu, Manager of Communication

Telephone: 306-798-2260

Email: jursu@oipc.sk.ca

 

Can’t Do my Job if I Don’t Get the Record

I have written the minister of Social Services asking that he consider introducing an amendment to The Child and Family Services Act or the regulations.

Without this amendment it is not possible to do my job properly.

The open letter is here.

Knowledge can be a Gateway to Truth and Reconciliation

Today is Canada’s National Day for Truth and Reconciliation. Page 12 of Honouring the Truth, Reconciling for the Future:  Summary of the Final Report of the Truth and Reconciliation Commission of Canada states, “Without truth, justice, and healing, there can be no genuine reconciliation. Reconciliation is not about “closing a sad chapter of Canada’s past,” but about opening new healing pathways of reconciliation that are forged in truth and justice.”

I reflect on this powerful statement and how it holds meaning with a recent Report I issued. The report involved a Metis individual who was seeking information about their deceased parent from the Ministry of Social Services. I was moved by this individual’s story. They advised that their parent passed away in 2015 and they were looking for answers to questions about their parent’s past and what happened when their parent was a child. They advised they first requested information from Social Services in 2017, then again in 2021. Each of these requests were denied.

Upon requesting that my office review this matter, the individual so eloquently stated, “…upon discovery of mass graves at residential school across Canada and the public conversation this prompted regarding the actions of child welfare agencies more broadly, I felt strengthened to renew my search for answers.” They further stated, “…There is no Truth & Reconciliation without the truth. I submitted my request for information on September 30, 2021, the first National Day for Truth and Reconciliation. This was by no means a coincidence. I just finally want to know the truth around this matter because it affected my [Parent], me and our family.  Therefore, I feel it is our truth and story to understand….”

I feel this story is representative of the story of so many Indigenous peoples. Some of their truth can be found in the records that government holds. Government needs to demonstrate its commitment to truth and reconciliation by removing barriers to access this information. This can help pave the path forward.

 

Right to Know Day

Once a year those interested in ensuring citizens have a right to obtain information from government, at all levels, take time to talk about the importance of the right to know.

This year I chatted with Aaron Orban. Aaron is the Executive Director of Audit, Information Management and Safety – Integrated Justice Services. He provided me with some interesting information on the number of requests for information received in a year by the Government of Saskatchewan and his branch’s ability to process those requests within the legislated timelines.

Please listen to our conversation here.

Life as the New Privacy Commissioner of Canada

Earlier this month Commissioner Ron Kruzeniski had the pleasure of inviting Phillipe Dufresne, as a guest speaker on Un-redacted, The Sask IPC podcast. Phillippe was appointed Privacy Commissioner of Canada in June 2022. During their conversation, Commissioner Dufresne invites us in for a sneak peek at what life has been like in the first three months of his term.

When asked whether he sees any particularly significant challenges to privacy facing the country he stated:

The challenge or the context is that technology is evolving very very quickly, and that’s exciting, that’s a good thing, and it offers tremendous potential for innovation and for improving the public interest. However, ensuring that we find the balance, the right balance in terms of using these innovations while protecting and promoting our fundamental right to privacy is challenging when the technology evolves so quickly.  

To hear more about his thoughts on the direction our country should take on digital identity and some of the challenges ahead, a link to this discussion can be found here.

Canadian Information and Privacy Regulators Urge Governments, Health Sector Institutions and Health Providers to Strengthen Safeguards for Sharing Personal Health Information

In a joint resolution released today, Canada’s federal, provincial, and territorial information and privacy commissioners and ombudspersons are calling for a concerted effort across the healthcare sector to modernize and strengthen privacy protections for sharing personal health information.

Because of the pandemic, the shift to virtual care came quickly, maybe without enough time for a thorough examination of it; that shift in service model could adversely impact access and privacy rights. Despite advancements in the health sector, breaches continue to occur and the use of outdated and vulnerable technologies, such as faxes and unencrypted email not only impacts patient privacy but also the delivery of timely patient care.

This has spurred innovation and change in the delivery of services, including virtual health care visits and other forms of digital health communications.

Canada’s Information and Privacy Commissioners urge stakeholders to take the following action:

  • Develop a strategic plan to phase out the use of traditional fax and unencrypted email and ensure that all digital health information sharing infrastructure, including solutions that replace traditional fax and unencrypted email, are equitably available and accessible to all Canadians.
  • Promote the adoption of secure digital technologies and the implementation of responsible data governance frameworks. For health sector institutions and providers, this may include the adoption of standards developed by organizations such as ISO, NIST, or CIS that provide reasonable safeguards to protect personal health information.
  • Amend laws and regulations, as necessary, to further provide for meaningful penalties, including administrative penalties, for health institutions and providers that willfully refuse to take reasonable measures necessary to protect personal health information as well as for individuals who unlawfully collect, use, or disclose personal health information.
  • Seek guidance to understand how to evaluate new digital health solutions and assess their compatibility with other digital assets, compliance with health information privacy laws, and how they facilitate citizens’ rights to access their own records of personal health information.
  • Promote transparency by completing privacy impact assessments and proactively publishing a plain-language summary in a manner that is easily accessible to the public.
  • Use the procurement process to help ensure third-party compliance by establishing contractual requirements for vendors of health information software and services

If you have any questions or would like to request an interview with the Commissioner, please email or call our office at the contact below.

To learn more, a copy of the joint resolution and these initiatives can be found here.

 

Media contact:

Julie Ursu, Manager of Communication

Telephone: 306-798-2260

Email: jursu@oipc.sk.ca

Does Privacy Hinder Patient Care?

Recently, I read an article in the Saskatoon StarPhoenix titled, Borderline: Why health record privacy hinders patient care in Lloydminster (part 2), and it caused me to pause. Now, my office has not yet received any specific complaints about cross border sharing of personal health information, so we have yet to fully explore what the challenges may or may not be as described in this article. However, a couple of things I thought I would share could maybe help dispel some myths about privacy and the provision of health care. I also, can only speak from the Saskatchewan perspective.

Firstly, in Saskatchewan, personal health information in the custody or control of trustees is governed by The Health Information Protection Act (HIPA). In terms of personal health information, there are provisions, such as section 27(2)(b) of HIPA that authorize the disclosure of personal health information for the purposes of arranging, assessing the need for, providing, continuing or supporting the provision of, a service requested or required by the subject individual. This includes the provision of diagnosis, treatment and care. What this section does not do is to limit who that personal health information may be shared with. So, a physician in Saskatchewan could disclose a patient’s personal health information to another practicing in Alberta in the right circumstances.

Secondly, HIPA authorizes the sharing of personal health information with the consent of the data subject, or in the case of health care, the patient.

Thirdly, patients move in and out of Saskatchewan all the time. And, in some cases, it would be expected that their patient records would be transferred from one jurisdiction to another.

Finally, as indicated in the article, patients in Saskatchewan can register with eHealth to access their personal health information through MySaskHealthRecords or for Albertans 14 years of age and older, MyHealth Records by completing the steps outlined at the following: https://myhealth.alberta.ca/myhealthrecords.

If the concern is what information is or is not accessible by those on one side of the border versus the other in provincial systems, electronic medical records, or electronic health records like the eHR viewer here in Saskatchewan, discussion should be held with those that make decisions regarding access to see exactly what barriers do or do not exist to facilitating that access. On the Alberta side, those conversations should be had with Alberta Health and other key stakeholders. If there is ever interest in exploring these issues in more depth here in Saskatchewan, my office can be engaged through the consultation process.

Enhancing Efficiencies: Updates to The Rules of Procedure

Our pursuit of continuous improvement has recently focused on the procedures we follow to process reviews and investigations related to access to information requests and privacy complaints. This included a careful examination of the impact of issuing a draft report and sharing an index of records. We also considered our rules about how and when public bodies can claim that information is subject to discretionary exemptions. Our goal is to ensure that we provide services in an effective, efficient and fair manner – we aim to improve customer service for the public, public bodies and trustees.

To support these goals, on September 1, 2022, updated Rules of Procedure applicable to reviews and investigations under The Freedom of Information and Protection of Privacy Act (FOIP) The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and The Health Information Protection Act (HIPA) come into effect. The updated Rules of Procedure can be found here. Under these new rules, our office will no longer provide draft reports to public bodies/trustees to review.

Analysts will contact public bodies/trustees before a report is issued if they have any questions or require any clarification regarding the factual circumstances of the review or investigation. In some limited circumstances, our office may exercise discretion to provide excerpts or an entire draft report to public bodies/trustees and invite them to comment on any factual errors before issuing a final report.

Other important changes to the Rules of Procedure include revisions to the Index of Records Form A. This form has been simplified with an emphasis on sequential page numbering and sequential severance numbering. Our office will only share the Index of Records with an applicant or complainant with the consent of the public body or trustee.

Finally, we are also making changes to how and when public bodies can raise discretionary exemptions. For some time, our office has permitted public bodies to claim that other discretionary exemptions apply after they have issued their response pursuant to section 7 of FOIP and LA FOIP. Effective September 1, 2022, we will no longer permit public bodies to claim any new or additional discretionary exemptions following the release of their section 7 responses, except in rare circumstance. We will always consider mandatory exemptions whenever raised.

Similar restrictions will be in place for trustees responding to access to information requests under HIPA. Once a trustee provides a response to an access to information request under section 36 of HIPA, it will not be entitled to claim any additional discretionary exemptions, absent exceptional circumstances.

For further information about the new process, please see the Commissioner’s blog post titled Continuous Improvement at Our Retreat. If you have any questions about the updated Rules of Procedure and how these changes may impact your organization, contact our office at 306-787-8350.