Ontario IPC issues guidance on police use of facial recognition and mug shots

European Parliament passes landmark AI Act on March 13

UK AI regulation bill receives second reading

AI Notetakers – the risks and benefits

UN adopts AI resolution which focuses on safety

Ontario school boards sue makers of Facebook, Instagram, Snapchat and TikTok

Tennessee Elvis Act, replication of voices” by AI

Australian government proposes to implement AI changes

Podcast -Ontario IPC discusses facial recognition

Draft American Privacy Act introduced

Solicitor-Client Privilege/Litigation Privilege (updated)

Solicitor-Client Privilege/Litigation Privilege (updated)

On May 16, 2018, the Saskatchewan Court of Appeal released its decision in University of Saskatchewan v Saskatchewan (Information and Privacy Commissioner), 2018 SKCA 34 . The appeal addressed the statutory authority of the Information and Privacy Commissioner (IPC) under The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) to require the production of records over which a local authority asserts solicitor-client privilege in order to verify the claim. As a result, the IPC has developed procedures where solicitor-client privilege or litigation privilege is claimed.

Below is a succinct summary of the law related to solicitor-client privilege and litigation privilege.

Question 1:  Scope of Solicitor-client privilege

  • Solicitor-client privilege covers all communications between a lawyer and client directly related to the seeking, formulating, or giving of legal advice, along with communications within the “continuum” in which the solicitor tenders the advice. This includes records of such communications. These communications must, however, be in furtherance of legal advice and must occur within the framework of the relationship between a client and a lawyer acting in his or her capacity as a lawyer.
  • Solicitor-client privilege does not necessarily extend to all records in relation to a matter. For example, owing to the nature of the work of in-house government counsel (e., having both legal and non-legal responsibilities), the government institution will need to review, and the IPC should verify, that solicitor-client privilege is properly asserted in relation to each requested record “depending on the nature of the relationship, the subject matter of the advice and the circumstances in which it was sought and rendered”. Furthermore, solicitor-client privilege does not necessarily extend to the entirety of an individual record where portions of the record do not constitute or relate to legal advice (e.g., header and footer information and confidentiality notices in email communications).
  • Litigation privilege attaches to documents created for the dominant purpose of pending or apprehended litigation. Conceptually distinct from solicitor-client privilege, litigation privilege differs in at least three respects: 1) it arises even in the absence of a solicitor-client relationship; 2) it applies only in the context of litigation; and 3) unlike solicitor-client privilege, it is time-limited and comes to an end upon termination of the litigation or any closely related proceedings.
  • A party asserting solicitor-client privilege bears an evidentiary burden of establishing a prima faciecase for privilege. Courts have held that where a party has tendered evidence in support of a claim of privilege (e.g., an affidavit of documents and schedule), and in the absence of evidence to the contrary, the privilege claim should be sustained.

Question 2: Scope of the Information and Privacy Commissioner’s authority to verify claims of solicitor-client privilege under FOIP/LAFOIP?

  • While the courts have said that solicitor-client privilege must remain as close to absolute as possible, it is not absolute. It can be limited or abrogated by statute.  A statute purporting to limit or abrogate the privilege must be interpreted “restrictively”.
  • Following the U of Scase and pursuant to “the clear and unambiguous” language in FOIP and LA FOIP, the IPC possesses the express statutory authority to request full disclosure of disputed records to verify questionable claims but only to the extent that it is “absolutely necessary.” This threshold is very high. The IPC can likely require full production of a record only in narrow circumstances where the IPC has a reasonable basis in fact to believe that the government institution’s or local authorities’ claim of privilege is improperly or falsely asserted.
  • Short of requiring full production to verify claims of privilege, the “absolutely necessary” threshold requires the IPC to take a number of prior verification steps in incremental fashion before resorting to this last measure.
  • For example, the government institution or local authority could be required to support its privilege claim by:
    • Providing a sworn affidavit of documents along with a schedule of records containing requested information to the level of detail that accords with the usual or best practices expected of an affidavit of documents in the civil litigation context.
    • If the IPC is still unable to reasonably verify a claim of solicitor-client privilege after the provision of an affidavit of documents and schedule of records, containing the requested information, the IPC could then question the government institution on its affidavit or schedule.
    • If the IPC remains unsatisfied at this stage, the U of Scase gives the IPC the power to compel production of the full record in order to verify the claim on the basis of the record itself.
  • Even under this incremental approach, the IPC must have a reasonable basis for questioning the asserted claim in the circumstances before moving to the next stage.

As a result, whenever a public body claims solicitor-client privilege or litigation privilege, step one will be to request the public body to provide a copy of the original records, a redacted copy of the records provided to the applicant. Alternatively, the IPC will require an Affidavit of Records as set out in Form B of The Rules of Procedure and the redacted record provided to the applicant.  That Affidavit contains a Schedule, and the public body is required to list the documents over which privilege is claimed and indicate whether they are claiming solicitor-client privilege or litigation privilege. The government institution or local authority is expected to complete the schedule with all details. Failure to do so may cause the IPC to move to the next step.

The Rules of Procedure have been updated to reflect the current practice in this area.  Part 9 has been amended accordingly and the Affidavit of Records has been provided in Form B.  A representation or submission is optional and at the choice of the public body.  The Schedule has two columns which requires the public body to indicate whether they are claiming solicitor-client privilege or litigation privilege.

I hope this Blog and The Rules of Procedure clarify this issue and make the process somewhat simpler. I must emphasize, it makes our work much easier if the client provides my office with the original records over which they are claiming solicitor-client privilege or litigation privilege and the redacted record which was sent to the applicant. My office never releases these documents to the applicant or to anyone else and they are usual destroyed six months after the file is closed.

 

Privacy Audits (updated)

Your organization has undertaken a privacy impact assessment (PIA) as part of its process of designing and implementing a new program. So, what’s next?

Once the new program has gone live, your organization should plan regular privacy audits to ensure that the program is operating in a manner that complies with applicable access and privacy legislation.

When undertaking the PIA process, your organization would have identified privacy impacts and identified methods (controls) to manage and/or mitigate the privacy impacts of the program to ensure compliance with the applicable access and privacy legislation.

During a privacy audit, you will determine if the controls identified through the PIA process are adequate in managing and/or mitigating the privacy impacts. This will include identifying what personal information/personal health information is actually being collected, used, and disclosed; reviewing the information systems used to store and manage the information; and reviewing the program’s policies, procedures, and actual practices to ensure your organization is managing personal information and/or personal health information in compliance with the applicable access and privacy legislation. While time-consuming, it is a worthwhile exercise to hopefully minimize the impacts of potential privacy breaches.

Through the audit process, your organization may identify areas of the program that may not be in compliance with applicable access and privacy legislation; or areas that may be inviting privacy vulnerabilities. Examples could be:

  1. Collecting, using and/or disclosing more personal information/personal health information than is necessary.
  2. Storing more personal information/personal health information instead of disposing of information in accordance with records and disposition schedules.
  3. Inadequate safeguards in protecting personal information/personal health information, including de-activating the accounts of employees on leave or of former employees.

Once inadequacies in controls are identified, your organization should identify methods to manage and mitigate the privacy impacts.

Programs will inevitably evolve as time goes on. It’s always a good idea to schedule regular privacy audits to ensure privacy impacts are being managed and/or mitigated to reduce the likelihood of a privacy breach.

While my office has not conducted any formal privacy audits, my office has the ability to conduct audits pursuant to subsection 33(d) of The Freedom of Information and Protection of Privacy Act, subsection 32(d) of The Local Authority Freedom of Information and Protection of Privacy Act, and subsection 52(d) of The Health Information Protection Act.

 

 

Demystifying the Right to Privacy

Privacy is a deeply personal concept, and it means something a bit different to everyone – so how does Saskatchewan’s privacy legislation protect your personal information and personal health information?

Saskatchewan’s public sector access and privacy laws, The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) govern how public bodies (government institutions and local authorities) interact with your personal information. Saskatchewan’s health sector privacy law, The Health Information Protection Act (HIPA), for the most part controls how certain health professionals (called trustees under HIPA) interact with your personal health information.

The protection of privacy under these Acts includes setting rules for the collection, use and disclosure of the personal information or personal health information in question, and whether the public body or trustee’s actions are allowable under their respective Act.

Collection is when an organization assembles or obtains information about an individual.

Use is when an organization uses the information internally – the information is still under the control of the organization.

Disclosure is when information is shared with a separate entity outside of the organization, so the information passes out of the possession and control of the organization.

In order to fulfill their roles, public bodies and trustees may need to collect, use and/or disclose information about you. The legislation protects your privacy by placing boundaries around when collection, use and disclosure is appropriate, and by establishing obligations for organizations.  Some of these obligations include:

  • Collecting only as much of your information as is necessary to fulfill an authorized purpose (data minimization principle).
  • Where possible, collecting information directly from you.
  • Ensuring that the information they collect about you is as accurate and complete as possible.
  • Taking reasonable steps to safeguard the information under their control – this means having technical, physical or administrative safeguards in place to protect the information from unauthorized access, use, modification, etc.

If you feel that your personal information or personal health information has been collected, used or disclosed inappropriately by a public body or trustee in Saskatchewan, you have the right to make a complaint. The first step will be to make a written complaint to the organization that you feel breached your privacy – for more on this, please see our webpage How do I resolve a Complaint? and our previous blog post, How to Complain (Effectively). If you don’t receive a response from the organization, or if you are not satisfied with the response, you can make a complaint to our office.

Alternatively, when a breach occurs, you may receive notification from the public body or trustee. For more on this, please see our previous blog post What to do if you Receive a Privacy Breach Notification.

If you have questions about how your privacy is protected in Saskatchewan, you can contact our office for more information.

 

Confidentiality Clauses in Contracts (updated)

A lot of our work centers around a citizen wanting a contract that a ministry, city, town or municipality has entered into. The public body does not want to release it, for among other reasons, the contract has a confidentiality clause.

The Cities Act and The Municipalities Act specifically provides that a citizen can inspect a contract entered into. See Review Report 049-2021 at paragraph [89]. The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) both provide that a citizen has access to records unless a particular section exempts the public body having to release some of the clauses.  Section 19 of FOIP and section 18 of LA FOIP provide certain exemptions but there is no exemption just based on the parties wanting to keep the information confidential.  A confidentiality clause in a contract might bind the parties but the clause cannot override the law of the land.

Third parties and businesses need to know when they deal with public bodies supported by tax dollars that their contract will probably be released. No confidentiality clause, however well drafted, can override the law. See Review Report 205-2019, 255-2019 at paragraph [95].

Now I have mentioned there are some exemptions. Section19 allows for information regarding trade secrets; financial, commercial or labor relations information can be withheld.

If an exemption applies, like trade secrets information, that information can be withheld but that does not justify withholding the entire contract. The public body might be entitled to sever the exempted information but would be obliged to disclose the rest.

So I hope over time businesses dealing with public bodies come to accept that being transparent in a democracy is important and their contracts will be available to be examined by citizens.

 

 

3 Minutes for a Search (updated)

As public bodies have gone to doing the majority of their communicating by email, access requests for records of emails have increased. I expect such requests will continue. If the access request is for recent records (emails) an employee can perform a search in Outlook (or other email programs) and very quickly locate the emails related to the access request. If the requests are for older emails, which have been archived in the Outlook archive system, the search can still be done (it might take a little longer). If the access request is for emails that are no longer in the Outlook system, then the search might be more difficult depending on the technology used. Or, if the employee has left the organization, and their emails have been stored outside the Outlook system, the effort to get those emails could be difficult and time consuming. This can be hard work or expensive if IT resources are required.

The best solution is that emails be reviewed regularly by each employee. The emails that are part of the official record get stored in an organized electronic filing system, such as a shared drive that is accessible to authorized employees or an electronic document records management system (EDRMS). I know employees don’t always do this, but they should. An alternative solution is that an organization acquires an email management system that stores all emails, old and new, for current and former employees.

Those are two solutions. There may be other solutions and I encourage organizations to determine what solution works for them.

In the meantime, access requests for emails will be made. Organizations need to decide on a search strategy for finding those emails and then decide whether they will charge a fee. If an organization charges a fee for those emails, it is necessary to figure out what is a reasonable fee. My office has developed rules of thumb for searches such as 5 minutes per file drawer or 1 minute to review 12 pages. We have developed another rule of thumb. We will accept that it takes 3 minutes for an employee to search their email Outlook account for each search parameter. Of course, a public body is free to perform its own test and determine the length of time it takes to perform a search of an employee’s email account and store the results.

Our hope is that this new guideline will make it easier for public bodies to estimate a fee and easier for applicants to understand the fee being charged.

We think our 3 minutes is reasonable, but try it, search your email account and time how long it took your computer to deliver the search result and then the time to move those results to a separate file or flash drive. As you are working on a fee estimate, you should review section 9 of FOIP, section 6 and 7 of the FOIP Regulations or section 9 of LA FOIP and sections 5 and 6 of the LA FOIP Regulations. For a report that analyzes a fee estimate, see Review Report 119-2026.

 

Collection/Disclosure; A Two-Step Analysis (updated)

When personal information or personal health information (information) is shared by one public body with another, the issue arises as to who has the authority to disclose and who has the authority to collect. Many collections of information happen when you or I visit a public body, apply for a service or benefit and fill out a form or answer questions orally.  By giving the information to the public body, we are consenting to their collection of it.  We have expectations that they will use it for the purpose collected, that they will protect it and not disclose it to others without consent unless legislative authority to disclose otherwise exists.

So, when it comes to the sharing of information by one public body with another, my office has to ask two questions: Does one body have the authority to collect?  Does another body have the authority to disclose?  For an authorized sharing to occur, the answer to both questions has to be yes.  If one of the answers is no, then the sharing is unauthorized.

If the sharing will only occur once, then the public bodies are wise to reduce their understanding to emails, but probably don’t need a formal data sharing agreement.

If the data sharing will occur often, it is then best practice that the public bodies enter into a written data sharing agreement. That agreement should set out the legislative provisions that allow collection and disclosure and it should set out the obligations of the receiving public body regarding the safeguarding of that information and the rights of the sending public body to review and audit the actions of the receiving body.

The existence of a data sharing agreement itself does not authorize the sharing; it is the provisions in statutes or regulations, authorizing collection and disclosure that make the sharing authorized.

As a final note, any authorized sharing should be looked at with the data minimization principle in mind. The public body collecting the information should collect the least amount possible and the disclosing public body should disclose the least amount possible. Of course, there may have to be discussions between the two bodies to ensure that the least amount of information gets shared.

Another situation where the two-step analysis must be applied is when a public body has the power to investigate. Implied in the power to investigate is the authority to collect information.  When an investigator approaches someone in another public body and asks for information, the other public body needs to decide whether they have the authority to disclose under The Freedom of Information and Protection of Privacy Act, The Local Authority Freedom of Information and Protection of Privacy Act or The Health Information Protection Act (i.e., where the disclosure is permitted pursuant to another Act or Regulation). Now for general information or de-identified information, they can always disclose that as no privacy interests are engaged.  For personal health information, they should attempt to determine whether the personal health information is reasonably necessary for the investigation. The data minimization principle always suggests that the least amount of information be disclosed. Collection and disclosure are like two sides of the same coin. You can’t have one without the other. It is always necessary to analyze the authority to collect and the authority to disclose before sharing the information in question.

 

Demystifying Access to Information Rights

What rights do members of the public have when it comes to access to information? The right to access information in government records is established at the federal and provincial level.

Federally, the Access to Information Act is overseen by the Information Commissioner of Canada. For more on this, please visit the Information Commissioner of Canada’s website.  The provinces/territories also have access to information legislation. For more on this, check out the Summary of privacy laws in Canada on the Privacy Commissioner of Canada’s website.  In Saskatchewan, we have three Acts that give you access to information rights:  The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and The Health Information Protection Act (HIPA).

In Saskatchewan, your access to information rights include:

A right of access to records

Under FOIP and LA FOIP, anyone has the right to request access to any record in the possession and control of a government institution or local authority. Information in the records of public bodies defaults to being accessible to the public. That said, the legislation also outlines some limited and specific exemptions to the right of access – these are situations when the head of a public body may or must withhold access to some or all of the information.

Under HIPA, an individual has the right to request access to their own personal health information under the custody or control of a trustee. HIPA does not provide a right of access to policy or process information in the holdings of trustees. Like FOIP and LA FOIP, the default is that you have a right to access your own personal health information – if the trustee withholds your personal health information, they must be able to justify their decision by pointing to specific sections of HIPA.

A right to request an amendment or correction to your own information

If, upon receiving access to your own information, you feel there is an error or omission in the records, all three acts give you the right to request correction or amendment. The right of correction only extends to factual information; generally, it does not apply to subjective opinions noted in the records.

A right to request a review from the IPC

If an individual is not satisfied with the public body or trustee’s response to their access request or request for correction within legislated timelines, they have a right to request that our office review the matter. The IPC will determine whether the public body/trustee responded to the request appropriately under the applicable legislation. If we find that they did not, we will, in most cases, issue a public report with recommendations based on our findings.

If you have questions about your access rights under the Saskatchewan legislation, contact our office – we would be happy to help!

Making a Privacy Complaint for Someone Else?

Often, our office is contacted by individuals who are concerned about the inappropriate disclosure of personal information that is not their own. If this is you, then perhaps you are attempting to complain on behalf of a loved one; or you’ve received the personal information of a stranger, and you’re willing to go out of your way to report the matter in hopes of having it rectified.

There are many reasons why our office may determine that it is unable to proceed with privacy concerns that individuals bring to our attention (see “Why some reviews and investigations cannot pass go” for some discussion of these reasons), but, in the aforementioned scenarios, the absence of the affected individual is an immediate obstacle.

That is because your privacy rights under the legislation that our office oversees (The Freedom of Information and Protection of Privacy Act, The Local Authority Freedom of Information and Protection of Privacy Act, and The Health Information Protection Act) extend to the collection, use, and disclosure of your own personal information or personal health information by public bodies and health trustees. As a result, although you can still inquire regarding the process that an affected individual must follow in submitting a privacy complaint, you will probably not be in a position to actually submit a complaint on behalf of anyone else.

If you know someone whose privacy has been breached, you may be in a position to serve as a witness, but they will likely need to make their own complaint, first to the public body or health trustee, and only then, if they are unsatisfied with the response that they receive to that complaint, to our office.

Similarly, if you have received personal information that is not your own, you should first report it to the Privacy Officer of the public body or health trustee from which it originated and allow them an opportunity to rectify the situation before reporting it to the IPC.

That said, any right conferred by FOIP, LA FOIP, or HIPA can be exercised by a surrogate under specific conditions, usually explicit permission from the affected individual. If you wanted to submit a complaint on behalf of a child, for example, you may need to demonstrate through documentation that you are the child’s legal custodian (see FOIP section 59, LA FOIP 49 and HIPA section 56). If any adults were to grant you permission to pursue a privacy complaint on their behalf, this permission would have to be in writing and very specific regarding the powers and scope that it conferred and the time at which it was intended to expire.

From time to time, the Commissioner does become aware of a breach that he chooses to research or investigate on his own initiative. However, these “own motion” investigations are rare and typically relate to breaches involving a large number of affected individuals and/or more expansive, serious, or recurring problems (e.g., misdirected faxes).

So, although you can be of assistance when you learn that someone else’s privacy has been breached, it is usually necessary for the affected individual to exercise their own rights.

A Near Attack

A few weeks into a new role, Jane received an interesting email supposedly from her “colleague” Stacy.  Stacy welcomed Jane to the team and asked for some time in her day. There was, of course, a smart attempt to cover up any tracks – a clause about Stacy entering a meeting and was only available to communicate via email.

As Jane pondered over the content of the email, other red flags became apparent.  Although she in fact had a co-worker called Stacy, the email was sent from a sketchy address and was missing the signature usual for emails emanating from the office.

With each passing day, scammers develop ingenious ways to attack unsuspecting victims. Publicly accessible information from organizations’ websites and internet activity is unfortunately employed as a springboard for a malicious attack. The Canadian Centre for Cyber Security outlines different ways by which phishing could occur. These include:

  1. Spear phising: A personalized attack which may contain specific details about a victim (as happened with Jane).
  2. Whailing: A personalized attack that targets a big “phish” such as the Chief Executive Officer because of their possible access to sensitive information.
  3. SMiShing: An attack using SMS (texts) where a scammer impersonates someone known by the victim or poses as the provider of a service used.
  4. Quishing: An attack involving Quick Response (QR) codes that re-directs victims to malicious websites when scanned.
  5. Vishing: “Voice phishing” which involves defrauding people through voice calls, enticing them through means which appear legitimate, to divulge sensitive information.

Phishing attacks typically result in identity theft, fraud, and the transmission of computer viruses. There have also been ransomware incidents where files have been encrypted, organizational data stolen and significant ransom payments demanded. In the case of Jane, she deleted the email and never responded to the sender’s request. This protected her account from being compromised and the entire organization from a potential security breach.

The onus is on organizations and individuals to protect personal information and personal health information (where applicable). Employees are generally advised, in the case of suspicious phone calls, not to divulge any personal or sensitive organizational information and to end the call immediately. They are also cautioned not to open any suspected phishing emails, but if do, they should:

  • Not click any links or download any attachments in the attached email.
  • Not respond to the sender.
  • Swiftly report in accordance with their organization’s standard operational practices.
  • Delete immediately!

In the unfortunate event that a person falls victim to an attack, immediate steps to be taken include scanning devices for viruses and other malware, changing affected passwords, enabling multi-factor authentication across their devices and informing co-workers to contain the breach and prevent future attacks. Privacy awareness training and cybersecurity training are a good starting point in the fight against phishing attacks.

Updated HIPA Regulations and Proclaiming Certain Subsections of HIPA

Effective August 1, 2023, certain subsections of the Health Information Protection Act (HIPA) subsection 17(1), 18(2) and 18(4), have been proclaimed. Also, effective August 1 a new version of the HIPA regulations is in effect and should be available by the end of the week here. Below is a Q & A sheet issued by the Ministry of Health which explains the changes. The Q & A is a good summary of the things that have changed.

The Health Information Protection Amendment Regulations, 2023

Questions and Answers for Stakeholders HIPA Regs 2023