Live Streaming a Public Meeting

The Legislative Assembly broadcasts its proceedings over the internet. Each word spoken by an MLA is recorded and published in Hansard, which is available to the public. Similarly, committees of the Legislative Assembly are public, sometimes broadcast and recorded in Hansard. Both video and text are available on the Legislative Assembly website at www.legassembly.sk.ca/. Committees can decide to go in-camera, but motions and decisions are made in the public portion of the meeting.

All cities, towns and municipalities are required to have public meetings. Regina, Moose Jaw, and Saskatoon live stream their council meetings and Regina and Moose Jaw broadcast through the local cable company. The cities post their agenda and minutes on their website and allow access to archived council meetings. Saskatoon live streams some of its committee meetings. Of course, council or a committee can have an in-camera session, but motions are required to be passed in a public meeting. Other cities and towns post their agendas and minutes to their website.

School boards are also required to hold their meetings in public. The minutes of these meetings are available for inspection. The Regina Public School Board live streams its meetings, and its agendas and minutes are available on its website. Other school boards do post their agendas and minutes on their website.

All of the above leads to greater transparency of our elected officials. For those public bodies whose meetings are required to be public, I would encourage them to look at live streaming their board or council meetings. Technology is now available that makes live streaming relatively easy and inexpensive. The geography of our province makes it beneficial to citizens when public bodies live stream their meetings. I would encourage those cities, towns, villages or school boards to develop policies and practices that would facilitate the live streaming of all of their public meetings.

The Legislation Act - Things to Know

I had formerly prepared a blog that discussed The Interpretation Act, 1995 and some things to look out for as it relates to FOIP and LA FOIP.  However, The Interpretation Act, 1995 was replaced in May 2019 by The Legislation Act (Legislation Act), so this blog has been updated to reflect those changes.

There are countless numbers of statutes in Saskatchewan governing everything from animal protection to workers compensation. But, the Legislation Act is a very unique statute that I would like to draw your attention to.   What makes the Legislation Act so special?  Well for one, it applies to every enactment in Saskatchewan (unless otherwise noted in the Legislation Act).  Secondly, the Legislation Act essentially guides us in how to interpret Saskatchewan statutes.

Let’s take a look at two areas where the Legislation Act guides us in interpreting Saskatchewan’s access and privacy laws – calculation of time and repealed statutes.

Calculation of Time

Subsections 7(2) of The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) provide, “The head shall give written notice to the applicant within 30 days after the application is made…” [emphasis added]. Based on the Legislation Act, the following can be applied for calculating 30 days under FOIP and LA FOIP:

  • The first day the access request is received is excluded in the calculation of time [subsection 2-28(3) of the Legislation Act]
  • If the due date falls on a holiday, the time is extended to the next day that is not a holiday [subsection 2-28(5) of the Legislation Act]
  • If the due date falls on a weekend, the time is extended to the next day the office is open [subsection 2-28(6) of the Legislation Act]
  • As FOIP expresses the time in a number of days, this is interpreted as calendar days, not business days.

It’s important to note that the Legislation Act does not allow for additional time when it is your personal holiday, scheduled day off or if you were away from the office due to illness.

For more information on the calculation of time in FOIP and LA FOIP, please see Chapter 3: Access to Records of the IPC Guide to FOIP and the IPC Guide to LA FOIP.

Repealed Statutes

There are countless numbers of statutes referenced in FOIP, LA FOIP and The Health Information Protection Act (HIPA).  So, what happens when one of those laws is repealed and replaced by a new statute, but FOIP, LA FOIP or HIPA (or any other Saskatchewan statute for that matter) has not been amended to reflect the new statute?

Here is an example to help. In LA FOIP, subsection 2(f) outlines bodies that are local authorities, and therefore subject to LA FOIP.  Subsection 2(f)(vi) of LA FOIP includes a local authority as being, “… the board of a public library within the meaning of The Public Libraries Act, 1984.”  There is one problem – The Public Libraries Act, 1984 was repealed and replaced with The Public Libraries Act, 1996.

So does that mean library boards are caught in a loophole and not subject to LA FOIP?  Not the case.  Again, we turn to the Legislation Act to help us out.  Subsection 2-8(10) of the Legislation Act provides:

2-8(10) After an enactment is repealed and a new enactment is substituted for it, a reference in an unrepealed enactment to the former enactment is, with respect to any subsequent transaction, matter or thing, deemed to be a reference to the provisions of the new enactment relating to the same subject-matter as the former enactment, but, if there are no provisions in the new enactment relating to the same subject-matter, the former enactment is to be interpreted as being unrepealed insofar as is necessary to maintain or give effect to the unrepealed enactment.

Confused yet? A helpful way to work through this is by actually inserting the names of the statutes:

2-8(10) After an enactment is repealed [The Public Libraries Act, 1984] and a new enactment is substituted for it [The Public Libraries Act, 1996], a reference in an unrepealed enactment [The Local Authority Freedom of Information and Protection of Privacy Act] to the former enactment [The Public Libraries Act, 1984] is, with respect to any subsequent transaction, matter or thing, deemed to be a reference to the provisions of the new enactment [The Public Libraries Act, 1996] relating to the same subject-matter as the former enactment [The Public Libraries Act, 1984], but, if there are no provisions in the new enactment [The Public Libraries Act, 1996] relating to the same subject-matter, the former enactment [The Public Libraries Act, 1984] is to be interpreted as being unrepealed insofar as is necessary to maintain or give effect to the unrepealed enactment [The Public Libraries Act, 1996].

For the purposes of LA FOIP, even though The Public Libraries Act, 1984 was repealed and replaced in 1996, the Legislation Act takes care of that gap and public libraries are still subject to the provisions of LA FOIP because of subsection 2-8(10) of the Legislation Act.

 

Flip These Resources

Our office has been busy transforming the way our resources look to provide a more creative and interactive experience than a typical pdf. We have been converting various pdf resources on our website with flipbooks. Once complete, they will be available under the resources tab. Don’t stress, you will still have the ability to access all our resources via pdf.

Flipbooks have a variety of benefits over and above their visual appeal. They can include video, GIFs and animation, and you can even make your own notes.

Ugh, I need to learn when to stop talking and explaining and just show you. However, before I begin, if you require an accessible pdf version of the flipbook instructions, they can be found here Flip These Resources.

Otherwise, to see how the flipbook works, click on the book below and open to full screen by selecting the icon on the far right of the bottom toolbar.  Now, let’s get started…….


How to Complain (Effectively)

Before our office can investigate a privacy complaint, the concern needs to be raised in writing to the public body or health trustee that you believe breached your privacy.  A thoughtfully crafted complaint makes it easier for the health trustee or public body to work with you to find a solution to your concerns. It also makes it easier for our staff to understand the situation if you need to engage our office as a last resort.  Here are a few things to keep in mind:

Send it to the Right Place and the Right Person 

Your complaint should be addressed to the health trustee or public body that you believe breached your privacy.  If possible, try to send it directly to their Privacy Officer.  This might mean doing an internet search or making a telephone call to get the right contact information.  For a list of access and privacy contacts in the Government of Saskatchewan, please click here.

If you can’t find contact information for a Privacy Officer, you can direct your letter to the “head” of the public body or health trustee, as they are responsible for compliance with privacy laws. 

Be Specific and Include Evidence

Tell the public body or health trustee exactly what personal information or personal health information of yours has been breached, by whom, and when. Explain why you think the collection, use, or disclosure of your information was inappropriate, and what you would like to see happen to rectify the situation. If you have any evidence of the privacy breach, you can provide copies to substantiate your claims.

Be Clear that this is a Formal Complaint and Give a Timeline

It is not your responsibility to support your complaint with references to specific sections of the legislation – you certainly can, but you don’t have to.  That said, including a statement that you are making a formal privacy complaint under The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), or The Health Information Protection Act (HIPA), and requesting a response within 30 days should make it clear to the public body or health trustee that your complaint requires a timely response that complies with the legislation.

Retain a Copy and Keep Track of the Date

If you ask our office to investigate a privacy concern because you are dissatisfied with the health trustee or public body’s response to your complaint, we will ask for a copy of the complaint you sent and proof of the date it was submitted.  If you submit your complaint as an email, request a read-receipt and hang onto a copy.  If you send it as a letter, we recommend using registered mail, and again, keep a copy for your records.

For more information about the complaint process, please visit our webpage How do I resolve a privacy complaint?

For more tips and a sample letter, the Office of the Privacy Commissioner of Canada has a helpful page – their office covers a different jurisdiction, but their process is similar.  Visit Tips for raising your privacy concern with a federal government institution.

What to do if you Receive a Privacy Breach Notification

Receiving notice that you are an affected individual in a privacy breach can be stressful, and you may be wondering what your options are. Here are some answers to common questions that our office receives when people find out that they may be impacted by a privacy breach.

Why am I receiving this notice?

Generally speaking, a privacy breach occurs when personal information or personal health information is collected, used, or disclosed inappropriately. This can be a result of many different situations, from intentional breaches like cyber-attacks or employee snooping, to more mundane things like poor policies, procedures, or training leading to mistakes in handling sensitive information. A person whose information was compromised by the breach is called an “affected individual.”

Whether or not The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and/or The Health Information Protection Act (HIPA) require that notice be provided to an affected individual in the event of a breach, our office encourages notification as a best practice.

Every breach is different, so if you’ve received a notification that you are an affected individual in a privacy breach, it’s important to read it carefully. The public body or trustee might be telling you that your information has been compromised, or it might be telling you that your information may have been compromised. To learn more about what should be included in a breach notification, check out our previous blog, Notifying Affected Individuals: What should I put in the letter?

What questions should I be asking the public body or trustee?

When I receive calls from affected individuals, a lot of people are at a loss to know what to do or even what questions they should be asking the public body or trustee. Again, every breach is different, but here are some basic things you may want to clarify:

  • What information about me has or may have been breached? Who has it? Did the public body or trustee get it back?
  • What was the nature of the breach? Was it malicious (e.g. the breach involved theft or employee snooping), or was it accidental (e.g. information was left unattended or a staff member made a mistake)?
  • Could this breach harm me? If so, what steps is the public body/trustee taking to mitigate the potential risk? What steps can I take to protect myself?

Who should I call if I have questions or concerns about this notice?

If you have questions about the breach itself or how the public body or trustee is dealing with it, you should call the individual from the organization listed in the notification; that person will have the most direct knowledge of the situation and what is being done to contain and address the breach. They often have the title of Privacy Officer.

When should I engage the IPC?

The first step is always to contact the public body or trustee to determine whether your concerns are already being addressed.

If you are not satisfied with how the public body or trustee is handling the breach, you can make a complaint to our office. If the breach has not been proactively reported to us, we will determine whether we have jurisdiction and grounds to investigate.

If the breach was proactively reported, we will likely already have an open investigation. You can request that our office add you formally as an affected individual/complainant. If you don’t want to submit a complaint, but you do want to know the results of the investigation, you can ask to receive a copy of the report, if one is created. To be included as a complainant or to receive a copy of the report of the investigation into the breach, we will ask you to submit a copy of the notification letter you received from the public body or trustee.

What does filing a complaint with the IPC do?

When you file a complaint with our office, it’s important to think about what you hope will come of an investigation – is it learning more about how your privacy was breached, assurances about what steps will be taken to prevent a future breach, or even getting an apology? Our staff will ask you about this early in the complaint process as a way of clarifying what your concerns and expectations are in the situation. It’s important to note that our office does not have order-making powers; the results of an investigation are usually a set of recommendations to the public body or trustee to prevent a similar breach from occurring again, not to take punitive actions or award damages.

If a breach has been proactively reported to our office, we open a file and will assess the organization’s response. Filing a complaint with our office likely won’t change the outcome of our investigation; however, we are more likely to release a public report if complainants decide to come forward.

If you decide to file a complaint, it is important to note that you will be named to the public body or trustee as the complainant; however, if a report is issued by our office, you will NOT be named publicly.

I hope this helps to give you a starting point and clarify what you can do or how our office may become involved if you receive a breach notification from a public body or trustee. If you have questions or concerns about a breach notification, you can contact us at intake@oipc.sk.ca or at 306-787-8350.

File Path Frustrations

Good records management assists in compliance with access and privacy obligations. It requires properly identifying and classifying records. For electronic records, files need a meaningful name and categorization. This all seems simple, but what if your system is working against this goal, and you cannot properly name your files?

We encountered this issue after switching to M365. We follow the Administrative Records Management System (ARMS) and the Operational Records System (ORS). Documents are managed using folders and subfolders in Windows file explorer unless they pertain to a case file, as those are stored in a separate system. Windows file explorer has a 255-character limit for file paths. I had never encountered the 255-character limit before. I was frustrated.

How can I manage our records if I cannot name them as I see fit? In some instances, the file path was too long and we could not open files. File explorer cut off file extensions, and neither I nor the system could tell what program opened the document. We tried to name something in a meaningful way and ran out of characters. We made our file names as short as possible as a band-aid solution, but this also made them harder to identify.

After several months of this struggle, we found a solution which reduces the risk of hitting the 255-character limit and I would like to share it. Hopefully a public body, local authority, or trustee will be saved from the 9-month headache I had.

Before we get going here is a typical file path you might see when following ARMS in Windows file explorer.

C:\Users\<username>\<organization/entity name> \<site name> – General\<Folder Name>\<Sub-Folder>\

This uses up about 97 characters, which will vary user to user.

So, what do you do? The answer is, the shorter the better at every step.

What your IT people can control:

  1. Make the username as short as possible – Existing users converting to M365 may end up with unwanted characters in their username. I was unable to find a way to get rid of these. On new installations the name can be exactly what you want it to be but ask your IT people to keep it short.
  2. Organization/Entity Name – If your organization has a shorthand name or acronym, ask your IT people to use that instead of the full name. OIPC vs “Office of the Saskatchewan Information and Privacy Commissioner” saves a bunch of characters.
  3. Site Naming – Do you need “Administration” or is “Admin” fine or HR instead of “Human Resources”?
  4. Folder syncing – You can configure M365 syncing to Windows file explorer to be manual or automatic. I learned that automatic syncing uses up precious characters. For instance, my file path when automatically syncing was:

C:\Users\<username>\<organization/entity name> \<site name> -Documents\General\<Folder Name>\

When I figured out the manual syncing quirk, it became:

C:\Users\<username>\<organization/entity name> \<site name> – General\<Folder Name>

which saves a handful of precious characters.

What you can (probably) control:

  5. Subfolders and Beyond Naming – Give your folders and subfolders the shortest usable name possible.
  6. Document Naming – If you followed steps 1 through 5, you will hopefully have more than enough characters to name your files.

Is it too late for me?

If this issue has been plaguing you and your system has already been configured, there is still hope. Steps 5 and 6 can be done at any time. Steps 1 through 4 may need to be done by your IT Department. You will likely need to re-sync your computer, which requires temporarily logging out of M365 and unlinking your OneDrive account from your computer.

Bonus tip 

Even after you have made your file path as short as possible, you might still forget where things should go. Windows file explorer, backed by M365, can quickly find file names and even document contents for things like .doc and .pdf files. As long as you know something about the document, whether it is the name, or some of the content, you should be able to easily search for and locate it. This may come in handy if you are a new FOIP coordinator responding to an access to information request but are not yet fully acquainted with the filing system.

As electronic records management becomes the norm, I hope this blog assists you in managing your records and meeting your access and privacy obligations by making it easier to search for, locate and access records.
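To see how much of the 255-character budget a given layout leaves, the following added example (not part of the original post and not OIPC tooling) builds the two sync-root layouts shown above and flags files whose full path would exceed the limit. The user, site and file names are constructed, and the exact folder layout is an assumption based on the paths in the post.

```python
from pathlib import PureWindowsPath

# Limit as stated in the post; pass a different value if your environment differs.
PATH_LIMIT = 255


def sync_root(username, org, site, automatic=False):
    r"""Build the local sync root, following the two layouts shown in the post.

    automatic: C:\Users\<username>\<org>\<site> - Documents\General
    manual:    C:\Users\<username>\<org>\<site> - General
    (Assumed layout; check what your own machine actually produces.)
    """
    base = PureWindowsPath("C:\\Users") / username / org
    if automatic:
        return base / f"{site} - Documents" / "General"
    return base / f"{site} - General"


def budget(root, limit=PATH_LIMIT):
    """Characters left for sub-folders and the file name under root."""
    return limit - len(str(root)) - 1  # 1 for the separator after root


def audit(root, relative_paths, limit=PATH_LIMIT):
    """Return (over_by, full_path) for every path longer than limit, worst first."""
    findings = []
    for rel in relative_paths:
        full = str(root / PureWindowsPath(rel))
        over_by = len(full) - limit
        if over_by > 0:
            findings.append((over_by, full))
    return sorted(findings, reverse=True)


if __name__ == "__main__":
    # Constructed sample data: names are illustrative only.
    long_org = "Office of the Saskatchewan Information and Privacy Commissioner"
    files = [
        r"Finance\Budget\Variance report.docx",
        r"Human Resources\Recruitment and Staffing\Competitions\2023-2024"
        r"\Interview notes and reference checks for the analyst position"
        r"\Consolidated panel scoring sheet - final signed version.xlsx",
    ]
    layouts = {
        "long names, automatic sync": sync_root(
            "jane.doe", long_org, "Administration", automatic=True),
        "short names, manual sync": sync_root("jdoe", "OIPC", "Admin"),
    }
    for label, root in layouts.items():
        print(f"{label}: root uses {len(str(root))} chars, "
              f"{budget(root)} left for folders and file name")
        for over_by, full in audit(root, files):
            print(f"  OVER by {over_by}: {full}")
```

The relative paths can come from a walk of the synced library (for example `os.walk`), which lets you find files at risk before they become impossible to open.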

Privacy and Transparency in the Digital Identity Ecosystem in Canada

The federal, provincial and territorial Information and Privacy Commissioners across Canada recognize the many potential benefits of a privacy-respecting and secure digital identity for use by Canadians. Its development is part of a broader global trend intended to enable individuals, businesses and devices to securely and efficiently connect with one another.

To be trusted, digital identities must meet high standards of privacy, security, transparency and accountability; and must not come at the cost of fine-grained tracking and surveillance, increased risk of discrimination, heightened incidence of identity theft, fraud and other harms, or diminished roles for individual users.

In our office’s 2021-2022 Annual Report, Saskatchewan Information and Privacy Commissioner, Ron Kruzeniski, K.C., states

“I would hope the Government of Saskatchewan continues to consult, educate and explain the benefits of a digital ID for citizens of our province. My hope is that Saskatchewan develops a digital ID that meets our province’s needs, maximizes the benefits and minimizes the risks.”

In order to address these potential risks, the federal, provincial and territorial Information and Privacy Commissioners are committed to working with one another, their respective governments and other relevant stakeholders to ensure the responsible design and implementation of a digital identity ecosystem in Canada.

In doing so, they commit to the following:

  • Continually monitor the development of digital identity initiatives.
  • Collaborate between our respective offices to strengthen our collective capacity and knowledge in this area.
  • Stand ready to engage with our respective governments to provide our views and advice on evolving digital ID programs and initiatives in a timely, constructive manner that is conducive to enhancing privacy protections and public trust in the adoption of digital identities.

Finally, the design and operation of privacy-respecting digital identities and a trustworthy digital identity ecosystem should meet various conditions and properties and should be integrated with a legislative framework applicable to the creation and management of digital identities. For more on the list of conditions, including ecosystem properties, role of individuals, governance and oversight, a link to the full resolution can be found here.

 

Media contact:

Julie Ursu, Manager of Communication

Telephone: 306-798-2260

Email: jursu@oipc.sk.ca

 

Knowledge can be a Gateway to Truth and Reconciliation

Today is Canada’s National Day for Truth and Reconciliation. Page 12 of Honouring the Truth, Reconciling for the Future:  Summary of the Final Report of the Truth and Reconciliation Commission of Canada states, “Without truth, justice, and healing, there can be no genuine reconciliation. Reconciliation is not about “closing a sad chapter of Canada’s past,” but about opening new healing pathways of reconciliation that are forged in truth and justice.”

I reflect on this powerful statement and how it holds meaning with a recent Report I issued. The report involved a Metis individual who was seeking information about their deceased parent from the Ministry of Social Services. I was moved by this individual’s story. They advised that their parent passed away in 2015 and they were looking for answers to questions about their parent’s past and what happened when their parent was a child.

Upon requesting that my office review this matter, the individual so eloquently stated, “…upon discovery of mass graves at residential school across Canada and the public conversation this prompted regarding the actions of child welfare agencies more broadly, I felt strengthened to renew my search for answers.” They further stated, “…There is no Truth & Reconciliation without the truth. I submitted my request for information on September 30, 2021, the first National Day for Truth and Reconciliation. This was by no means a coincidence. I just finally want to know the truth around this matter because it affected my [Parent], me and our family.  Therefore, I feel it is our truth and story to understand….”

I feel this story is representative of the story of so many Indigenous peoples. Some of their truth can be found in the records that government holds. Government needs to demonstrate its commitment to truth and reconciliation by removing barriers to access this information. This can help pave the path forward.

 

Canadian Information and Privacy Regulators Urge Governments, Health Sector Institutions and Health Providers to Strengthen Safeguards for Sharing Personal Health Information

In a joint resolution released today, Canada’s federal, provincial, and territorial information and privacy commissioners and ombudspersons are calling for a concerted effort across the healthcare sector to modernize and strengthen privacy protections for sharing personal health information.

Because of the pandemic, the shift to virtual care came quickly, maybe without enough time for a thorough examination of it; that shift in service model could adversely impact access and privacy rights. Despite advancements in the health sector, breaches continue to occur and the use of outdated and vulnerable technologies, such as faxes and unencrypted email not only impacts patient privacy but also the delivery of timely patient care.

This has spurred innovation and change in the delivery of services, including virtual health care visits and other forms of digital health communications.

Canada’s Information and Privacy Commissioners urge stakeholders to take the following action:

  • Develop a strategic plan to phase out the use of traditional fax and unencrypted email and ensure that all digital health information sharing infrastructure, including solutions that replace traditional fax and unencrypted email, are equitably available and accessible to all Canadians.
  • Promote the adoption of secure digital technologies and the implementation of responsible data governance frameworks. For health sector institutions and providers, this may include the adoption of standards developed by organizations such as ISO, NIST, or CIS that provide reasonable safeguards to protect personal health information.
  • Amend laws and regulations, as necessary, to further provide for meaningful penalties, including administrative penalties, for health institutions and providers that willfully refuse to take reasonable measures necessary to protect personal health information as well as for individuals who unlawfully collect, use, or disclose personal health information.
  • Seek guidance to understand how to evaluate new digital health solutions and assess their compatibility with other digital assets, compliance with health information privacy laws, and how they facilitate citizens’ rights to access their own records of personal health information.
  • Promote transparency by completing privacy impact assessments and proactively publishing a plain-language summary in a manner that is easily accessible to the public.
  • Use the procurement process to help ensure third-party compliance by establishing contractual requirements for vendors of health information software and services.

If you have any questions or would like to request an interview with the Commissioner, please email or call our office at the contact below.

To learn more, a copy of the joint resolution and these initiatives can be found here.

 

Media contact:

Julie Ursu, Manager of Communication

Telephone: 306-798-2260

Email: jursu@oipc.sk.ca

Absurd Results: Part II

In 2017, the Commissioner posted a blog entry about absurd results. He provided examples of absurd results that can be reached when interpreting and applying The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and The Health Information Protection Act (HIPA). He emphasized that public bodies take a liberal approach to these three statutes and provide as much of the record(s) to applicants as is possible.

Since 2017, my office has dealt with more reviews that involve absurd results. Therefore, in this blog, I’m revisiting this topic once again.

When an individual submits an access request to a public body, that individual would be denied access to the personal information of others. In Saskatchewan, government institutions would deny access to third parties’ personal information pursuant to section 29(1) of FOIP. Local authorities would deny access to third parties’ personal information pursuant to section 28(1) of LA FOIP. That is, the application of section 29(1) of FOIP and section 28(1) of LA FOIP to third party personal information is meant to prevent the unauthorized disclosure of personal information, which is one of the purposes of FOIP and LA FOIP.

However, what happens when Person A provides information about other individuals to a public body? An example is when an individual provides a witness statement to a police service about a matter they had witnessed involving other individuals. If Person A submitted an access to information request to the police service for the witness statement containing other individuals’ information, would Person A be denied access to the witness statement?

An “absurd result” occurs when a public body applies an exemption to withhold records in a way that contradicts the purpose of the legislation. Using the example described above, Person A originally supplied the third party personal information to the police service. It would be an “absurd result” to withhold the information from Person A pursuant to either section 29(1) of FOIP or section 28(1) of LA FOIP.

In my office’s Review Report 215-2020, the Commissioner discussed a matter where the local authority withheld portions of emails that the Applicant had originally supplied to the local authority. The Commissioner found it would be an absurd result to withhold portions of these emails from the Applicant even if the emails contained the personal information of third parties. The Commissioner recommended the release of the records in their entirety to the Applicant.

Also in Review Report 215-2020, the Commissioner cited a decision by the Office of the Ontario Information and Privacy Commissioner (ON IPC) that noted two other circumstances in which the ON IPC found the absurd result principle to have applied: 1) where the requester was present when the information was presented to the public body, and 2) where the information is clearly within the requester’s knowledge.

When determining if exemptions set out in Parts III and IV of FOIP and LA FOIP apply to a record, government institutions and local authorities should consider whether applying the exemption to a record would manifest in an absurd result. If so, then perhaps the government institution or local authority should consider releasing the record to the applicant.