Absurd Results (updated)

From time to time, when interpreting and applying legislation, one can end up with a result that is absurd. This can happen with The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) or The Health Information Protection Act (HIPA). These statutes are to be liberally interpreted and, through court decisions, have been given a quasi-constitutional status. Because they are to be liberally interpreted, absurd results should be rare, but in applying the legislation to particular access requests, absurd conclusions are sometimes reached.

For example, an applicant (citizen) applies for records and the request is denied, or part of the record is severed, because it contains personal information. Section 29 of FOIP, section 28 of LA FOIP and section 27 of HIPA provide that personal information is not to be released except with consent (there are exceptions). So, a public body could say it won’t release the applicant’s personal information because of subsection 29(1) of FOIP. That is an absurd result when the public body is refusing to give the applicant their own personal information (unless there is another exemption that applies).

Another example is where a public body refuses to provide a document that is already public. If the request is for a book, it is understandable that the public body does not want to photocopy the entire book, but that is not a legitimate reason to refuse to provide it. I would suggest that, where the document is on a website, the public body either copy the document or advise the applicant where they can find it. Advising the citizen/applicant of the URL for the document is just a helpful thing to do, and if a formal access to information request is made, referring the applicant to the publication is required pursuant to subsection 7(2)(b) of FOIP/LA FOIP.

Another example is where a public body believes part of a document is non-responsive to the access request, but other parts of the document are responsive (relevant) to the request. A public body might decide to sever the non-responsive portion. This is a bit of a waste of time. The applicant has the right under section 5 of FOIP, section 5 of LA FOIP or section 12 of HIPA to any record the public body has (subject to exemptions). If the applicant becomes suspicious because of the severing, they could submit a second access request and be entitled to the portion considered non-responsive (subject to exemptions). Why make citizens jump through unnecessary hoops to get what they are otherwise entitled to get?

A final example is where an applicant has submitted something like a letter to a public body. Usually, the letters include complaints about someone else, which is technically the other person’s personal information, so a public body often withholds the letter as personal information of a third party. The problem is that the applicant provided the information to the public body, so the applicant is already aware of it. In this instance, the public body should release the letter to the applicant because the applicant previously provided it. See my office’s Review Report 155-2022 and Review Report 254-2022, where the applicant provided information to the police and participated in interviews with the police.

So, I would ask public bodies to take a liberal approach to these three statutes and if specific exemptions do not apply, to provide as much of the records as is possible. Such an approach will reduce frustration of applicants and increase trust in the public body that is trying to do the right thing and help citizens.

Third parties under FOIP and LA FOIP (updated)

In other blogs I have talked about public bodies and third parties (businesses). If a public body is a city, town or municipality, legislation like section 91 of The Cities Act or section 117 of The Municipalities Act requires the release of contracts, and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) requires the same unless part of the contract falls under one of its exemptions. Public bodies like government ministries, boards, agencies and Crown corporations are bound by The Freedom of Information and Protection of Privacy Act (FOIP), and contracts are released unless they come under subsection 19(1).

As we provide advice or begin a review, it always seems the third party expects the entire agreement to be withheld because the third party does not want any of the information released.

Many clauses in an agreement do not disclose sensitive information. Boilerplate clauses, such as those providing that the singular includes the plural or that successors to the parties are bound, disclose nothing sensitive. So, in most cases, the contract will not be withheld in its entirety.

Third parties sometimes want all correspondence and reports related to the project withheld. Again, they have to show that individual items fall under subsection 19(1) of FOIP or subsection 18(1) of LA FOIP. Some rely on a clause in the contract that everything will be kept confidential. I remind both public bodies and third parties that they cannot contract out of the law of the province. FOIP and LA FOIP apply in spite of a confidentiality clause in a contract.

Public bodies and third parties sometimes are concerned that the applicant will distribute the documents or publish them. As a citizen, the applicant has the right to documents unless subsection 19(1) of FOIP or subsection 18(1) of LA FOIP applies. The intention or anticipated actions of the applicant are irrelevant in a FOIP or LA FOIP context. Some third parties are more concerned when it is the media applying. The media has the same right to the information. What might the media do with the documents? The answer is, obviously, they will analyze and might write a story. That is part of the democratic process.

If, after thinking about the above, a third party intends to object to the release of documents, they will have to move quickly. They have 20 days after they receive notice. The public body is bound to give the applicant a response to the access request within 30 days (or 60 days if an extension is decided upon). If the public body fails to respond to the applicant within 30 days (or 60 days), my office will consider that the public body has decided not to respond, and it is treated as a deemed refusal.

Third parties should, where they enter into contracts involving taxpayer funds, not expect total confidentiality and should read subsection 19(1) of FOIP and subsection 18(1) of LA FOIP.

MySaskHealthRecord (updated)

On October 8, 2019, the Saskatchewan government and eHealth launched MySaskHealthRecord. The news release stated, “New Website Allows Saskatchewan Residents to Access Their Personal Health Information Anywhere, Anytime”. This is an exciting first step in allowing citizens to access their own personal health information. You can check the eHealth website to see what information you can access. As of the date of this blog, you can access:

  • laboratory test results
  • medical imaging reports
  • immunization history
  • prescription history
  • clinical visit history (displayed as inpatient, outpatient or emergency visits to a health care facility)
  • clinical documents (notes from your doctor such as hospital admission, discharge summaries and consults)

It has always been accepted that my personal health information is my information but accessing it could be challenging. One of the benefits of technology is that it allows us to get that information easily and quickly.

For every benefit of a technical advancement there is an added responsibility imposed on us. Your password is very important. You should not share it with anyone. MySaskHealthRecord is only available to users to access their own data at this time. Put another way, one should not leave this PIN or password lying around or casually share it with others. With such sensitive information within the app, a strong password is a must. For advice on developing a strong password, check out this link.

I am hopeful eHealth will continue to enhance MySaskHealthRecord in the future. For example, can I see who in the health care system has accessed my health record? Since my personal health information is my information, I have the right, and at times, the need to know who else is looking and question if it is for a legitimate purpose. The only people that should be looking are those I have consulted regarding my personal health situation or have a legitimate need-to-know.

To register for a MySaskHealthRecord account, click here.

 

Solicitor-Client Privilege/Litigation Privilege (updated)

On May 16, 2018, the Saskatchewan Court of Appeal released its decision in University of Saskatchewan v Saskatchewan (Information and Privacy Commissioner), 2018 SKCA 34. The appeal addressed the statutory authority of the Information and Privacy Commissioner (IPC) under The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) to require the production of records over which a local authority asserts solicitor-client privilege, in order to verify the claim. As a result, the IPC has developed procedures for where solicitor-client privilege or litigation privilege is claimed.

Below is a succinct summary of the law related to solicitor-client privilege and litigation privilege.

Question 1:  Scope of Solicitor-client privilege

  • Solicitor-client privilege covers all communications between a lawyer and client directly related to the seeking, formulating, or giving of legal advice, along with communications within the “continuum” in which the solicitor tenders the advice. This includes records of such communications. These communications must, however, be in furtherance of legal advice and must occur within the framework of the relationship between a client and a lawyer acting in his or her capacity as a lawyer.
  • Solicitor-client privilege does not necessarily extend to all records in relation to a matter. For example, owing to the nature of the work of in-house government counsel (i.e., having both legal and non-legal responsibilities), the government institution will need to review, and the IPC should verify, that solicitor-client privilege is properly asserted in relation to each requested record “depending on the nature of the relationship, the subject matter of the advice and the circumstances in which it was sought and rendered”. Furthermore, solicitor-client privilege does not necessarily extend to the entirety of an individual record where portions of the record do not constitute or relate to legal advice (e.g., header and footer information and confidentiality notices in email communications).
  • Litigation privilege attaches to documents created for the dominant purpose of pending or apprehended litigation. Conceptually distinct from solicitor-client privilege, litigation privilege differs in at least three respects: 1) it arises even in the absence of a solicitor-client relationship; 2) it applies only in the context of litigation; and 3) unlike solicitor-client privilege, it is time-limited and comes to an end upon termination of the litigation or any closely related proceedings.
  • A party asserting solicitor-client privilege bears an evidentiary burden of establishing a prima facie case for privilege. Courts have held that where a party has tendered evidence in support of a claim of privilege (e.g., an affidavit of documents and schedule), and in the absence of evidence to the contrary, the privilege claim should be sustained.

Question 2: Scope of the Information and Privacy Commissioner’s authority to verify claims of solicitor-client privilege under FOIP/LAFOIP?

  • While the courts have said that solicitor-client privilege must remain as close to absolute as possible, it is not absolute. It can be limited or abrogated by statute. A statute purporting to limit or abrogate the privilege must be interpreted “restrictively”.
  • Following the U of S case and pursuant to “the clear and unambiguous” language in FOIP and LA FOIP, the IPC possesses the express statutory authority to request full disclosure of disputed records to verify questionable claims, but only to the extent that it is “absolutely necessary.” This threshold is very high. The IPC can likely require full production of a record only in narrow circumstances where the IPC has a reasonable basis in fact to believe that the government institution’s or local authority’s claim of privilege is improperly or falsely asserted.
  • Short of requiring full production to verify claims of privilege, the “absolutely necessary” threshold requires the IPC to take a number of prior verification steps in incremental fashion before resorting to this last measure.
  • For example, the government institution or local authority could be required to support its privilege claim by:
    • Providing a sworn affidavit of documents along with a schedule of records containing requested information to the level of detail that accords with the usual or best practices expected of an affidavit of documents in the civil litigation context.
    • If the IPC is still unable to reasonably verify a claim of solicitor-client privilege after the provision of an affidavit of documents and schedule of records, containing the requested information, the IPC could then question the government institution on its affidavit or schedule.
    • If the IPC remains unsatisfied at this stage, the U of S case gives the IPC the power to compel production of the full record in order to verify the claim on the basis of the record itself.
  • Even under this incremental approach, the IPC must have a reasonable basis for questioning the asserted claim in the circumstances before moving to the next stage.

As a result, whenever a public body claims solicitor-client privilege or litigation privilege, step one will be to request that the public body provide a copy of the original records and a copy of the redacted records as provided to the applicant. Alternatively, the IPC will require an Affidavit of Records as set out in Form B of The Rules of Procedure, together with the redacted record provided to the applicant. That Affidavit contains a Schedule, and the public body is required to list the documents over which privilege is claimed and indicate whether it is claiming solicitor-client privilege or litigation privilege. The government institution or local authority is expected to complete the schedule with all details. Failure to do so may cause the IPC to move to the next step.

The Rules of Procedure have been updated to reflect the current practice in this area. Part 9 has been amended accordingly and the Affidavit of Records has been provided in Form B. A representation or submission is optional and at the choice of the public body. The Schedule has two columns, which require the public body to indicate whether it is claiming solicitor-client privilege or litigation privilege.

I hope this blog and The Rules of Procedure clarify this issue and make the process somewhat simpler. I must emphasize that it makes our work much easier if the public body provides my office with the original records over which it is claiming solicitor-client privilege or litigation privilege and the redacted record that was sent to the applicant. My office never releases these documents to the applicant or to anyone else, and they are usually destroyed six months after the file is closed.

 

Privacy Audits (updated)

Your organization has undertaken a privacy impact assessment (PIA) as part of its process of designing and implementing a new program. So, what’s next?

Once the new program has gone live, your organization should plan regular privacy audits to ensure that the program is operating in a manner that complies with applicable access and privacy legislation.

When undertaking the PIA process, your organization would have identified privacy impacts and identified methods (controls) to manage and/or mitigate the privacy impacts of the program to ensure compliance with the applicable access and privacy legislation.

During a privacy audit, you will determine if the controls identified through the PIA process are adequate in managing and/or mitigating the privacy impacts. This will include identifying what personal information/personal health information is actually being collected, used, and disclosed; reviewing the information systems used to store and manage the information; and reviewing the program’s policies, procedures, and actual practices to ensure your organization is managing personal information and/or personal health information in compliance with the applicable access and privacy legislation. While time-consuming, it is a worthwhile exercise to hopefully minimize the impacts of potential privacy breaches.

Through the audit process, your organization may identify areas of the program that may not be in compliance with applicable access and privacy legislation; or areas that may be inviting privacy vulnerabilities. Examples could be:

  1. Collecting, using and/or disclosing more personal information/personal health information than is necessary.
  2. Retaining personal information/personal health information longer than necessary instead of disposing of it in accordance with records retention and disposition schedules.
  3. Inadequate safeguards for personal information/personal health information, including failing to deactivate the accounts of employees on leave or of former employees.

Once inadequacies in controls are identified, your organization should identify methods to manage and mitigate the privacy impacts.
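The three findings above can be checked mechanically once the PIA's declared data elements, the retention schedule and the staff roster are in hand. The script below is an added example written for this page, not code from the IPC or from any Saskatchewan public body. The PIA field list, intake records, seven-year retention period, staff statuses and account table are all constructed sample data with hypothetical names; a real audit would pull them from the program's own forms, records schedule, HR system and identity directory.

```python
"""Privacy-audit checks for the three finding types above (added example).

All data below is constructed for illustration. Field names, statuses and
the retention period are hypothetical, not taken from any real program.
"""
from datetime import date

# Data elements the (hypothetical) PIA declared as necessary for the program.
PIA_DECLARED_FIELDS = {"name", "date_of_birth", "health_services_number", "phone"}

# Bookkeeping keys on each record that are not personal information.
RECORD_METADATA = {"id", "created"}

# Records the program actually holds (constructed). Record 2 carries an
# undeclared "sin" field: over-collection relative to the PIA.
INTAKE_RECORDS = [
    {"id": 1, "name": "A. Applicant", "date_of_birth": "1980-01-01",
     "health_services_number": "111111111", "phone": "306-555-0101",
     "created": date(2015, 3, 1)},
    {"id": 2, "name": "B. Applicant", "date_of_birth": "1990-05-05",
     "health_services_number": "222222222", "phone": "306-555-0102",
     "sin": "999999999", "created": date(2023, 6, 1)},
]

RETENTION_YEARS = 7  # hypothetical figure from the records retention schedule

# Staff roster (constructed). "active" is the only status that should keep an
# enabled account; "on_leave" and "left" should both be disabled.
STAFF = [
    {"user": "jdoe", "status": "active"},
    {"user": "rroe", "status": "left", "end_date": date(2022, 1, 31)},
    {"user": "mmoe", "status": "on_leave"},
]

# Identity directory export (constructed): username -> account enabled?
ACCOUNTS = {"jdoe": True, "rroe": True, "mmoe": False}


def over_collected_fields(records, declared, metadata=RECORD_METADATA):
    """Fields present in any record that the PIA did not declare (finding 1)."""
    extra = set()
    for record in records:
        extra |= set(record) - declared - metadata
    return extra


def add_years(day, years):
    """Same calendar date `years` later; 29 Feb falls back to 28 Feb."""
    try:
        return day.replace(year=day.year + years)
    except ValueError:
        return day.replace(year=day.year + years, day=28)


def overdue_for_disposition(records, retention_years, today):
    """IDs of records whose retention period has expired (finding 2)."""
    return [r["id"] for r in records
            if add_years(r["created"], retention_years) <= today]


def accounts_needing_deactivation(staff, accounts):
    """Users not in active status whose account is still enabled (finding 3)."""
    return sorted(s["user"] for s in staff
                  if s["status"] != "active" and accounts.get(s["user"], False))


def run_audit(today=date(2024, 1, 15)):
    """Run all three checks against the sample data; `today` is fixed so the
    result is reproducible."""
    return {
        "over_collection": sorted(
            over_collected_fields(INTAKE_RECORDS, PIA_DECLARED_FIELDS)),
        "overdue_disposition": overdue_for_disposition(
            INTAKE_RECORDS, RETENTION_YEARS, today),
        "stale_accounts": accounts_needing_deactivation(STAFF, ACCOUNTS),
    }


if __name__ == "__main__":
    for finding, items in run_audit().items():
        print(f"{finding}: {items or 'none'}")
```

Each check is deliberately a comparison of two sources the organization already has (what the PIA says versus what the database holds; the retention schedule versus record age; the HR roster versus the directory), because that is where audits find drift: the program was compliant on day one and quietly stopped being so. Note that the account check treats "on leave" the same as "left", matching the point in the list above that both should be deactivated.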

Programs will inevitably evolve as time goes on. It’s always a good idea to schedule regular privacy audits to ensure privacy impacts are being managed and/or mitigated to reduce the likelihood of a privacy breach.

While my office has not conducted any formal privacy audits, my office has the ability to conduct audits pursuant to subsection 33(d) of The Freedom of Information and Protection of Privacy Act, subsection 32(d) of The Local Authority Freedom of Information and Protection of Privacy Act, and subsection 52(d) of The Health Information Protection Act.

 

 

Demystifying the Right to Privacy

Privacy is a deeply personal concept, and it means something a bit different to everyone – so how does Saskatchewan’s privacy legislation protect your personal information and personal health information?

Saskatchewan’s public sector access and privacy laws, The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) govern how public bodies (government institutions and local authorities) interact with your personal information. Saskatchewan’s health sector privacy law, The Health Information Protection Act (HIPA), for the most part controls how certain health professionals (called trustees under HIPA) interact with your personal health information.

The protection of privacy under these Acts includes setting rules for the collection, use and disclosure of the personal information or personal health information in question, and whether the public body or trustee’s actions are allowable under their respective Act.

Collection is when an organization assembles or obtains information about an individual.

Use is when an organization uses the information internally – the information is still under the control of the organization.

Disclosure is when information is shared with a separate entity outside of the organization, so the information passes out of the possession and control of the organization.

In order to fulfill their roles, public bodies and trustees may need to collect, use and/or disclose information about you. The legislation protects your privacy by placing boundaries around when collection, use and disclosure is appropriate, and by establishing obligations for organizations.  Some of these obligations include:

  • Collecting only as much of your information as is necessary to fulfill an authorized purpose (data minimization principle).
  • Where possible, collecting information directly from you.
  • Ensuring that the information they collect about you is as accurate and complete as possible.
  • Taking reasonable steps to safeguard the information under their control – this means having technical, physical or administrative safeguards in place to protect the information from unauthorized access, use, modification, etc.

If you feel that your personal information or personal health information has been collected, used or disclosed inappropriately by a public body or trustee in Saskatchewan, you have the right to make a complaint. The first step will be to make a written complaint to the organization that you feel breached your privacy – for more on this, please see our webpage How do I resolve a Complaint? and our previous blog post, How to Complain (Effectively). If you don’t receive a response from the organization, or if you are not satisfied with the response, you can make a complaint to our office.

Alternatively, when a breach occurs, you may receive notification from the public body or trustee. For more on this, please see our previous blog post What to do if you Receive a Privacy Breach Notification.

If you have questions about how your privacy is protected in Saskatchewan, you can contact our office for more information.

 

Confidentiality Clauses in Contracts (updated)

A lot of our work centers around a citizen wanting a contract that a ministry, city, town or municipality has entered into. The public body does not want to release it, for among other reasons, the contract has a confidentiality clause.

The Cities Act and The Municipalities Act specifically provide that a citizen can inspect a contract entered into. See Review Report 049-2021 at paragraph [89]. The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) both provide that a citizen has access to records unless a particular section exempts the public body from having to release some of the clauses. Section 19 of FOIP and section 18 of LA FOIP provide certain exemptions, but there is no exemption based merely on the parties wanting to keep the information confidential. A confidentiality clause in a contract might bind the parties, but the clause cannot override the law of the land.

Third parties and businesses need to know when they deal with public bodies supported by tax dollars that their contract will probably be released. No confidentiality clause, however well drafted, can override the law. See Review Report 205-2019, 255-2019 at paragraph [95].

Now, I have mentioned there are some exemptions. Section 19 allows trade secrets and financial, commercial or labour relations information to be withheld.

If an exemption applies, like trade secrets information, that information can be withheld but that does not justify withholding the entire contract. The public body might be entitled to sever the exempted information but would be obliged to disclose the rest.

So I hope over time businesses dealing with public bodies come to accept that being transparent in a democracy is important and their contracts will be available to be examined by citizens.

 

 

3 Minutes for a Search (updated)

As public bodies now do the majority of their communicating by email, access requests for records of emails have increased. I expect such requests will continue. If the access request is for recent records (emails), an employee can perform a search in Outlook (or another email program) and very quickly locate the emails related to the access request. If the request is for older emails that have been archived in the Outlook archive system, the search can still be done (it might take a little longer). If the access request is for emails that are no longer in the Outlook system, the search might be more difficult depending on the technology used. Or, if the employee has left the organization and their emails have been stored outside the Outlook system, the effort to get those emails could be difficult and time consuming. This can be hard work, or expensive if IT resources are required.

The best solution is that emails be reviewed regularly by each employee. The emails that are part of the official record get stored in an organized electronic filing system, such as a shared drive that is accessible to authorized employees or an electronic document records management system (EDRMS). I know employees don’t always do this, but they should. An alternative solution is that an organization acquires an email management system that stores all emails, old and new, for current and former employees.

Those are two solutions. There may be other solutions and I encourage organizations to determine what solution works for them.

In the meantime, access requests for emails will be made. Organizations need to decide on a search strategy for finding those emails and then decide whether they will charge a fee. If an organization charges a fee for those emails, it is necessary to figure out what is a reasonable fee. My office has developed rules of thumb for searches, such as 5 minutes per file drawer or 1 minute to review 12 pages. We have developed another rule of thumb. We will accept that it takes 3 minutes for an employee to search their Outlook email account for each search parameter. Of course, a public body is free to perform its own test and determine the length of time it takes to perform a search of an employee’s email account and store the results.

Our hope is that this new guideline will make it easier for public bodies to estimate a fee and easier for applicants to understand the fee being charged.

We think our 3 minutes is reasonable, but try it, search your email account and time how long it took your computer to deliver the search result and then the time to move those results to a separate file or flash drive. As you are working on a fee estimate, you should review section 9 of FOIP, section 6 and 7 of the FOIP Regulations or section 9 of LA FOIP and sections 5 and 6 of the LA FOIP Regulations. For a report that analyzes a fee estimate, see Review Report 119-2026.

 

Collection/Disclosure; A Two-Step Analysis (updated)

When personal information or personal health information (information) is shared by one public body with another, the issue arises as to who has the authority to disclose and who has the authority to collect. Many collections of information happen when you or I visit a public body, apply for a service or benefit and fill out a form or answer questions orally.  By giving the information to the public body, we are consenting to their collection of it.  We have expectations that they will use it for the purpose collected, that they will protect it and not disclose it to others without consent unless legislative authority to disclose otherwise exists.

So, when it comes to the sharing of information by one public body with another, my office has to ask two questions: Does one body have the authority to collect?  Does another body have the authority to disclose?  For an authorized sharing to occur, the answer to both questions has to be yes.  If one of the answers is no, then the sharing is unauthorized.

If the sharing will only occur once, then the public bodies are wise to record their understanding in emails, but probably don’t need a formal data sharing agreement.

If the data sharing will occur often, it is then best practice that the public bodies enter into a written data sharing agreement. That agreement should set out the legislative provisions that allow collection and disclosure and it should set out the obligations of the receiving public body regarding the safeguarding of that information and the rights of the sending public body to review and audit the actions of the receiving body.

The existence of a data sharing agreement itself does not authorize the sharing; it is the provisions in statutes or regulations, authorizing collection and disclosure that make the sharing authorized.

As a final note, any authorized sharing should be looked at with the data minimization principle in mind. The public body collecting the information should collect the least amount possible and the disclosing public body should disclose the least amount possible. Of course, there may have to be discussions between the two bodies to ensure that the least amount of information gets shared.

Another situation where the two-step analysis must be applied is when a public body has the power to investigate. Implied in the power to investigate is the authority to collect information. When an investigator approaches someone in another public body and asks for information, the other public body needs to decide whether it has the authority to disclose under The Freedom of Information and Protection of Privacy Act, The Local Authority Freedom of Information and Protection of Privacy Act or The Health Information Protection Act (e.g., where the disclosure is permitted pursuant to another Act or Regulation). For general information or de-identified information, it can always disclose, as no privacy interests are engaged. For personal health information, it should attempt to determine whether the personal health information is reasonably necessary for the investigation. The data minimization principle always suggests that the least amount of information be disclosed. Collection and disclosure are like two sides of the same coin. You can’t have one without the other. It is always necessary to analyze the authority to collect and the authority to disclose before sharing the information in question.

 

Demystifying Access to Information Rights

What rights do members of the public have when it comes to access to information? The right to access information in government records is established at the federal and provincial level.

Federally, the Access to Information Act is overseen by the Information Commissioner of Canada. For more on this, please visit the Information Commissioner of Canada’s website.  The provinces/territories also have access to information legislation. For more on this, check out the Summary of privacy laws in Canada on the Privacy Commissioner of Canada’s website.  In Saskatchewan, we have three Acts that give you access to information rights:  The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and The Health Information Protection Act (HIPA).

In Saskatchewan, your access to information rights include:

A right of access to records

Under FOIP and LA FOIP, anyone has the right to request access to any record in the possession and control of a government institution or local authority. Information in the records of public bodies defaults to being accessible to the public. That said, the legislation also outlines some limited and specific exemptions to the right of access – these are situations when the head of a public body may or must withhold access to some or all of the information.

Under HIPA, an individual has the right to request access to their own personal health information under the custody or control of a trustee. HIPA does not provide a right of access to policy or process information in the holdings of trustees. Like FOIP and LA FOIP, the default is that you have a right to access your own personal health information – if the trustee withholds your personal health information, they must be able to justify their decision by pointing to specific sections of HIPA.

A right to request an amendment or correction to your own information

If, upon receiving access to your own information, you feel there is an error or omission in the records, all three acts give you the right to request correction or amendment. The right of correction only extends to factual information; generally, it does not apply to subjective opinions noted in the records.

A right to request a review from the IPC

If an individual is not satisfied with the public body or trustee’s response to their access request or request for correction within legislated timelines, they have a right to request that our office review the matter. The IPC will determine whether the public body/trustee responded to the request appropriately under the applicable legislation. If we find that they did not, we will, in most cases, issue a public report with recommendations based on our findings.

If you have questions about your access rights under the Saskatchewan legislation, contact our office – we would be happy to help!