Updated: There’s Been a Privacy Breach… Now What?

Your public body has been notified of a privacy breach. What are some of the questions that cross your mind?

Maybe they include: What steps should I take now? What information should I be recording during my investigation? Should I proactively report the privacy breach to the IPC? What information does the IPC need from me?

Some guidelines to answer these questions include the following:

What steps should I take now?

  • Record any information provided at the time your organization learns of the privacy breach.
  • Take steps to contain the privacy breach. It is important to contain the breach immediately. In other words, ensure the personal information or personal health information is no longer at risk.
  • A public body must determine who needs to be notified of the breach and provide notification as soon as possible after learning of the incident. This could include: your organization’s privacy officer, the IPC, the police (if criminal activity is suspected) and the affected individuals (unless there are compelling reasons why this should not occur).
    • It is important to note that The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) have a provision that requires the public body to consider whether, as a result of the incident, there is a real risk of significant harm to the affected individual. If so, then breach notification is mandatory. For more information on this provision, please refer to our blog: Real Risk of Significant Harm.
  • Decide if the privacy breach should be proactively reported to the IPC. Please use our reporting form: Proactively Reported Breach of Privacy Reporting Form: for Public Bodies.
  • Conduct an internal privacy breach investigation. For more guidance on conducting an internal privacy breach investigation, refer to our resource: Guide to Creating an Internal Privacy Breach Investigation Report.

What information should I be recording during my investigation?

As outlined in my office’s resource, Privacy Breach Guidelines for Government Institutions and Local Authorities, some of the key questions to ask during a privacy breach investigation are:

  • When and how did your organization learn of the privacy breach?
    • Has the privacy breach been contained?
    • What efforts has our organization made to contain the breach?
  • What occurred?
    • What type of breach occurred (e.g. collection, use, disclosure, accuracy, etc.)?
    • What personal information was involved in the privacy breach?
    • When did the privacy breach occur? What are the timelines?
    • Where did the privacy breach occur?
  • How did the privacy breach occur?
    • Who was involved?
    • What employees, if any, were involved with the privacy breach? What privacy training have they received?
    • Who witnessed the privacy breach?
    • What factors or circumstances contributed to the privacy breach?
    • What is the root cause of the breach?
  • What is the applicable legislation and what specific sections are engaged?
  • What safeguards, policies, and procedures were in place at the time of the privacy breach?
  • Was the duty to protect met?
    • Were the safeguards, policies, and procedures followed?
    • If no safeguards, policies, or procedures were in place, why not?
    • Were the individuals involved aware of the safeguards, policies, and procedures?
  • Who are the affected individuals?
    • How many are there?
    • What are the risks associated with a privacy breach involving this information (e.g. is the affected individual at risk of identity theft, credit card fraud, etc.)?
    • Have affected individuals been notified of the breach?

Should I proactively report the privacy breach to the IPC?

  • While not mandatory, our office does encourage organizations to proactively report a privacy breach; please see our blog Proactively Reporting Breaches to the IPC for more information. Some of the benefits of proactively reporting include:
    • Receiving timely, expert advice from our office. We can guide the public body on what to consider, what questions to ask and what parts of legislation may be applicable.
    • Should the media get wind of the privacy breach, a public body can assure the public that it is working with our office to address the matter.
    • If we are satisfied with your organization’s internal investigation report, we may close the file informally rather than issuing a public report.
    • Should affected individuals contact our office, we can assure them that our office is working with your organization to address the breach, which may prevent a formal complaint to our office.

What information does the IPC need from me?

  • Our office may need all or some of the following information. Please contact our office if you have any questions about what documentation to provide.
    • A completed Privacy Breach Investigation Questionnaire
    • Copies of any relevant materials (such as contracts, letters, relevant policies and procedures, etc.)
    • Copies of letters to affected individuals (if applicable)

Resources that public bodies may find helpful to reference during their investigations can be found on our website www.oipc.sk.ca under the Resources tab. Our office is working to update our resources and develop additional resources to assist Privacy Officers. To be notified when new information is published to our website, visit our website and provide your email address to receive email alerts when new reports, articles, events and resources are available. You can also follow us on Twitter: @SaskIPC.

Access and Privacy Best Practices in Health Care

On May 20, 2022, the Commissioner and I were invited to host a virtual session for the Meadow Lake Tribal Council titled, Access and Privacy Best Practices in Health Care. In order to ensure that a wider audience has the opportunity to experience what we talked about, we recorded the session which is now available at the following: Access and Privacy Best Practices in Health Care.

We recognize that Indigenous organizations will choose to interact with the provincial health care system in different ways and, as they do, they will need to consider access and privacy issues. To help them chart the course forward, in the session we emphasized the importance of protecting personal health information in an organization’s custody or control, regardless of whether the organization is a trustee as defined by The Health Information Protection Act, and the need to have a privacy breach response plan in place.

If your organization is ever interested in participating in a similar session, please contact us at intake@oipc.sk.ca and we will see if we can accommodate your request.

Continuous Improvement at our Retreat

An organization needs to continually look at its processes and determine what works and what does not seem to be effective. We did that this July. Among other things, we discussed our issuing of draft reports. Our current process includes sending them out asking for factual corrections, and we have received few factual corrections. In many instances we have received a second submission either repeating the same arguments as in the first submission or raising a different argument that was not in the first submission. As a result, we will be amending our Rules of Procedure so that we will not be sending out draft reports except in unique situations. This change will come into effect on September 1, 2022. The amended Rules of Procedure will be posted sometime earlier in August.

I would ask public bodies and applicants to ensure the facts laid out in their submissions are as accurate as can be. We will be relying on factual statements in the submissions when analyzing the situation and preparing the report. I will be encouraging analysts, where the facts are unclear, to immediately email the public body or applicant to clarify the facts and if one does not reply to the inquiry, the analysis will continue without the clarification.

Also in our discussions, we realized a change we made a number of years ago was not working as intended. We had indicated that we would share the public body’s index of records with the applicant. It had been hoped that would result in more informal resolutions or a narrowing of what records were at issue in a review. Unfortunately, it did not have that effect and the quality of the index of records provided to our office went down. So, going forward we will not share the index of records unless there is consent, and we ask that public bodies make the index of records detailed to assist in our reviews. I will be amending the Rules of Procedure to reflect this change.

It should be noted that in our reports we will refer to the Index of Records and list the records that are at issue.



Fillable Forms

Our office has been working hard to ensure that the information on our website is as up to date as possible and easily accessible. The first step in reaching this goal was the implementation of two new icons on our home page called Access Forms and Privacy Forms. These two tabs navigate to our resource directory with the applicable filters selected, so the task of searching our site to find a form is no longer necessary; the forms are now all in one convenient, easy-to-access location.

The most recent update to our forms is our consultation request form and our proactively reported breach form which are now fillable and can be found here. We appreciate your patience while we continue converting our forms into electronic format in order to better serve you.

Lastly, we have replaced the access to information request form and request for review form for both FOIP and LA FOIP with links to Publications Saskatchewan which now include a fillable version found here.

Please feel free to check our Access Forms and Privacy Forms for a comprehensive list of all available forms. We hope these updates will prove helpful in both navigating our website and streamlining our processes.


Who is “Fake Ron”?

Staff in my office received an email from me, but it wasn’t from me. They dubbed it, “Fake Ron”. Apparently, I wanted the recipient of the email to do me a favor. This fake email attempting to use my name is a good reminder to me and the staff of my office that there are many people out there dreaming up schemes to lead or mislead us into doing something.

I recently saw an article headline that said organization breaches are in many instances caused by human error. The 2022 Horizon report on data breaches found that hackers tend to exploit human error to get initial access, particularly through the use of phishing scams.

Sometimes we very innocently click on a link, which results in some malware slipping into our system. So, the “Fake Ron” email has been a good reminder here to be always vigilant and watching for the thing that does not feel right or is too good to be true.

This has caused our office to begin discussing how we might from time to time test our vigilance and readiness – just like we have fire drills.


Learned Helplessness in the World of Data Privacy

A theory in the study of psychology suggests we simply give up if we believe we have no control over what happens to us. This theory, discovered by psychologists Martin Seligman and Steven Maier, is known as “learned helplessness.”

The theory is straightforward: when we are subjected to something repeatedly and feel as though we cannot change the outcome, we just accept the outcome. For example, if we continually fail at something we try hard to accomplish, at a certain point we accept we will always fail, and so we resign ourselves to failing. Or we just stop trying.

How, then, does this theory apply to the world of data privacy? A recent news article on Tim Hortons’ violation of privacy rights in Canada suggests how.

In 2019, Tim Hortons updated its app to include the collection of geolocation data. That meant when you downloaded the app it would track your location and report that data back to Tim Hortons. In 2020, a Financial Post journalist found, through location data Tim Hortons was collecting on him, that Tim Hortons had collected information on where and when he traveled, including when he traveled on overseas vacations. In total, Tim Hortons had collected thousands of pieces of location data on him, and not just from when he was using the app.

After reports such as this came out, the Privacy Commissioner of Canada decided to open an investigation into the Tim Hortons app. Recently, he concluded Tim Hortons had violated Canada’s privacy laws by collecting more information from its customers than it required. He also found Tim Hortons was collecting data outside the reasons it cited for collecting the data in the first place.

While Tim Hortons claims to have removed geolocation tracking from its app and destroyed the data it collected, the fact such tracking occurred represents a larger issue with how much data we give away. Often, we do this without fully understanding what we are giving away or why. At a certain point, we may just accept it as the cost of doing business, shrug our shoulders and submit. We know, for example, we cannot participate in Tim Hortons’ giveaways without the app, so we download the app and resign ourselves to any associated negative consequences.

Tim Hortons stated it did not intend to use the location data it had collected in nefarious ways – or at all – but arguably such data can be invaluable to large corporations. Corporations are often faced with problems such as knowing the best places to open new locations or creating the types of products customers are likely to purchase or consume based on their lifestyle. Vast quantities of data can help them quickly and easily solve such problems.

Tim Hortons is not the first corporation to be caught in a data scandal of this nature. In early 2018, Cambridge Analytica, a data analytics firm based in the United Kingdom, was found to be collecting the personal data of millions of Facebook users without their consent. It was doing so to direct certain types of political advertising towards certain users. In so doing, it is said to have helped influence political campaigns and outcomes in the United States. It is even said to have helped influence the outcome of Brexit.

All this comes back to the concept of learned helplessness and how it applies to individual data privacy. When events such as those involving Tim Hortons and Cambridge Analytica happen repeatedly, and laws do not change in ways that fully protect our data privacy rights, we may subconsciously – or consciously – submit to the tactics corporations use to scoop up our data. That is, we may just accept that there will be unexpected consequences. We no longer weigh the risks, and instead focus on what we think are the rewards.

There are simple ways, though, we can protect our personal data. Consider the following:

  1. The more you share online through social media apps such as Facebook, the more data there is out there on you. That leaves more data about you that corporations can collect to learn about your preferences and habits. They can then use this information, for example, to target you with specific types of advertising.
  2. Think about what specific data you share online and if it is necessary to share it for what you are doing. If it does not seem like a corporation or other entity requires certain data, do not provide it, or at the very least ask them why it is necessary for them to have it. Also see if there is the opportunity to opt out of the data collection.
  3. Keep your social media networks small, and your social media network activity private. Accept only those you know into your social media network and check your privacy settings to ensure only those in your network can see your activity.
  4. Beware of seemingly harmless social media quizzes that ask questions such as the name of your first pet or car you owned. Ask yourself – do these sound like the security answers I use for my online banking? If they do, it is probably not a coincidence.
  5. When you do set up answers for security questions, consider an answer that is not true but still something you will remember. That way, when you say on Facebook your first pet was named “Spot,” at least you know it will not be one of your security answers.
  6. Use private browsers when surfing online as they delete cookies, temporary Internet files and your browsing history.
  7. Use strong passwords and two-factor authentication. Using two-factor authentication requires you to enter a special code the site texts to your phone. When logging into a new or unknown device, you will need this code to log into your account. Others trying to get into your account using unknown devices will then not be able to without the code.
  8. Do what most of us do not do – read the fine print. Review privacy statements and policies to know what data on you a corporation will collect, why they will collect it, how they will use it and for how long, and what you can do if you suspect that corporation is violating its own privacy terms.

Had it not been for a few individuals digging deeper into the Tim Hortons app, we might have never known what was happening. Corporations love data, even if they do not have an immediate purpose for it. There are many steps you can take to protect your data privacy. Think about what data you are putting out there and how it can be used against you, then take even just small steps to protect your privacy. You do not have to resign yourself to learned helplessness – take the time to learn what you can do to protect your data privacy.


Absurd Results: Part II

In 2017, the Commissioner posted a blog entry about absurd results. He provided examples of absurd results that can be reached when interpreting and applying The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and The Health Information Protection Act (HIPA). He emphasized that public bodies should take a liberal approach to these three statutes and provide as much of the record(s) to applicants as is possible.

Since 2017, my office has dealt with more reviews that involve absurd results. Therefore, in this blog, I’m revisiting this topic once again.

When an individual submits an access request to a public body, that individual would be denied access to the personal information of others. In Saskatchewan, government institutions would deny access to third parties’ personal information pursuant to section 29(1) of FOIP. Local authorities would deny access to third parties’ personal information pursuant to section 28(1) of LA FOIP. That is, the application of section 29(1) of FOIP and section 28(1) of LA FOIP to third party personal information is meant to prevent the unauthorized disclosure of personal information, which is one of the purposes of FOIP and LA FOIP.

However, what happens when Person A provides information about other individuals to a public body? An example is when an individual provides a witness statement to a police service about a matter they had witnessed involving other individuals. If Person A submitted an access to information request to the police service for the witness statement containing other individuals’ information, would Person A be denied access to the witness statement?

An “absurd result” occurs when a public body applies an exemption to withhold records in a way that contradicts the purpose of the legislation. Using the example described above, Person A originally supplied the third party personal information to the police service. It would be an “absurd result” to withhold the information from Person A pursuant to either section 29(1) of FOIP or section 28(1) of LA FOIP.

In my office’s Review Report 215-2020, the Commissioner discussed a matter where the local authority withheld portions of emails that the Applicant had originally supplied to the local authority. The Commissioner found it would be an absurd result to withhold portions of these emails from the Applicant even if the emails contained the personal information of third parties. The Commissioner recommended the release of the records in their entirety to the Applicant.

Also in Review Report 215-2020, the Commissioner cited a decision by the Office of the Ontario Information and Privacy Commissioner (ON IPC) that noted two other circumstances in which the ON IPC found the absurd result principle to have applied: 1) where the requester was present when the information was presented to the public body, and 2) where the information is clearly within the requester’s knowledge.

When determining if exemptions set out in Parts III and IV of FOIP and LA FOIP apply to a record, government institutions and local authorities should consider whether applying the exemption to a record would manifest in an absurd result. If so, then perhaps the government institution or local authority should consider releasing the record to the applicant.

Annual Report tabled today

I am pleased to have tabled my 8th Annual Report with the Honorable Randy Weekes, Speaker of the Legislative Assembly of Saskatchewan. In that report, I focus on four issues.

The first is the need for a Saskatchewan digital ID. I encourage this with certain understandings.

Second, I discuss Virtual Health Care platforms and ten suggested considerations for health care providers and patients to consider.

Third, I repeat the call for changes to prevent so many misdirected faxes.

Finally, I summarize the recommendation for legislative changes to access and privacy legislation.

If you think I am the only commissioner focused on digital issues in their province, I note the Annual Report of the Ontario Information and Privacy Commissioner discussing “Setting the cornerstones of a digital Ontario”.

I discuss these issues in a news release and a video posted today. Our office authorizes the use of quotes, excerpts and/or clips of the video, in part or in whole for relevant media coverage regarding our Annual Report.

Saskatchewan Information and Privacy Commissioner Tables 2021-2022 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, Q.C., has tabled his office’s 2021-2022 Annual Report: Time for a Digital ID, with the Legislative Assembly.

In his report, the Commissioner addresses the need for the development of a Digital ID for Saskatchewan residents, the move toward virtual health care, the systemic issue of misdirected faxes and recommendations for legislative change.

Digital ID

As several other Canadian provinces shift towards the use of a digital ID, it is the hope that Saskatchewan develops a digital ID that meets the needs of our province. Commissioner Kruzeniski states:

“I would hope the Government of Saskatchewan continues to consult, educate and explain the benefits of a digital ID for citizens of our province. My hope is that Saskatchewan develops a digital ID that meets our province’s needs, maximizes the benefits and minimizes the risks.”

Virtual Health Care

Virtual health care has increased as a result of the Covid-19 pandemic, and consideration is required to ensure that personal health information is adequately protected. Commissioner Kruzeniski outlines ten expectations that should be considered as these virtual care initiatives move forward.

Spotlight on Misdirected Faxes

Over the last decade, there have been concerns with misdirected faxes, which continue to be a systemic issue impacting patient privacy and the delivery of patient care. Several recommendations have been made to collectively address this concern, including the elimination of traditional fax machines.

Recommendations for Change

The Commissioner concluded by summarizing the recommendations for legislative change to amend The Freedom of Information and Protection of Privacy Act, The Local Authority Freedom of Information and Protection of Privacy Act and The Health Information Protection Act. The goal is that these recommendations will address the gaps and challenges with the legislation as we move from a paper-based society to a digital one.

The Commissioner’s 2021-2022 Annual Report, which includes accomplishments, goals for the future, a thorough statistical report and recommendations for the development of a digital ID, virtual care initiatives, handling of misdirected faxes and legislative change, can be viewed here.

A video containing the Commissioner’s comments on the Annual Report can be viewed here.


Media contact:

Julie Ursu, Manager of Communication

Telephone: 306-798-2260

Email: jursu@oipc.csk.ca

BC Special committee’s recommended changes to the Freedom of Information legislation

A special committee of the British Columbia (BC) legislature has tabled its report making 39 recommendations to amend BC’s Freedom of Information and Protection of Privacy Act. You can read their report here.

The BC Information and Privacy Commissioner has issued a news release regarding the special committee report. You can read his statement on BC’s OIPC website.

Recommendations focused on:

  • measures to enhance proactive disclosure
  • a duty to document key decisions and actions of public bodies
  • a cohesive and robust information management framework in government
  • retention of the data residency requirement
  • extension of the Act to cover additional public bodies
  • changes to timelines and the right to anonymity
  • mandatory notification about significant privacy breaches
  • oversight by the Commissioner of automated decision-making
  • requiring consultation with the Commissioner when legislation has access and privacy implications, and
  • extension of the legislation to the administrative function of the legislative assembly

The updating of the freedom of information and privacy legislation continues across our country.