Vaccine passports must meet highest level of privacy protection

Privacy should be front and centre as governments and businesses consider COVID-19 vaccine passports as a tool to help Canadians return to normal life, say Canada’s privacy guardians.

Vaccine passports would allow people to travel and gather again and could support economic recovery while protecting public health. They would, however, require individuals to disclose personal health information about their vaccine or immunity status in exchange, potentially, for access to goods and services, for example, restaurants, sporting events and airline travel.

“While this may offer substantial public benefit, it is an encroachment on civil liberties that should be taken only after careful consideration,” federal, provincial and territorial privacy commissioners and the ombuds of Manitoba and New Brunswick say in a joint statement issued today.

“Vaccine passports must be developed and implemented in compliance with applicable privacy laws.  They should also incorporate privacy best practices in order to achieve the highest level of privacy protection commensurate with the sensitivity of the personal health information that will be collected, used or disclosed,” the statement says.

The statement was endorsed during the annual meeting of federal, provincial and territorial access to information and privacy guardians. The Manitoba Ombudsman hosted the meeting, which took place virtually given the pandemic.

This statement outlines fundamental privacy principles that should be adhered to in the development of vaccine passports.

In particular, it notes that, in light of the significant privacy risks involved, the necessity, effectiveness and proportionality of vaccine passports must be established for each specific context in which they will be used.

In other words, vaccine passports need to be shown to be necessary to achieve the intended public health purpose; they need to be effective in meeting that purpose; and the privacy risks must be proportionate to the purpose, i.e. the minimum necessary to achieve it.

Further, vaccine passports, whether introduced by governments or public bodies for public services, or by private organizations, need to have clear legal authority. In addition, organizations considering vaccine passports should consult with the privacy commissioners in their jurisdiction as part of the development process.

The statement also notes that any personal health information collected through vaccine passports should be destroyed and vaccine passports decommissioned when the pandemic is declared over by public health officials or when vaccine passports are determined not to be a necessary, effective or proportionate response to address their public health purposes. Vaccine passports should not be used for any purpose other than COVID-19.

 

Related Documents
Joint statement – Privacy and COVID-19 Vaccine Passports

For more information:
Office of the Privacy Commissioner of Canada
Manitoba Ombudsman
Provincial and territorial privacy Ombudspersons and Commissioners

Media Contact
Kim Mignon-Stark  |  Executive Assistant
kmignon-stark@oipc.sk.ca
306-798-0173

 

UPDATED – Advisory from the IPC on questions regarding vaccines for organizations, employers and health trustees

Announcements regarding the approval of vaccines for COVID-19 have been greeted with excitement. The rollout of vaccines is occurring in our province and in other provinces in Canada. As citizens receive the vaccine, questions arise as to how organizations, health trustees and employers will handle this new reality. In my Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan on questions, screening or testing by employers regarding COVID-19, I attempted to answer many of the questions surrounding the issue of employers asking questions about screening or testing for COVID-19. This Advisory attempts to answer similar questions in regard to getting the vaccination for COVID-19.

Can organizations ask whether a customer or employee has received a vaccination for COVID-19?

Private sector businesses and other organizations engaged in commercial activities in Saskatchewan are not covered by The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), but are subject to orders made under The Public Health Act, 1994. Many organizations are covered by the Personal Information Protection and Electronic Documents Act (PIPEDA). I note that PIPEDA only protects personal information of employees of federally regulated businesses, works and undertakings (FWUBs). Those organizations, if they have questions, may have to contact the Federal Privacy Commissioner. It should be noted that the federal government has introduced Bill C-11, which introduces significant changes to PIPEDA. In some cases, PIPEDA provides rules and protection for employee personal information and in others, it does not. Whether an employer in Saskatchewan fits any of the following definitions, the advice below can be considered best practice and an employer can choose to follow it.

What organizations are covered by PIPEDA?

PIPEDA defines an “organization” in Part 1, section 2(1) as follows:

  1. “organization” includes an association, a partnership, a person and a trade union.

PIPEDA indicates that the “protection of personal information” applies as:

  1. (1) This Part applies to every organization in respect of personal information that

(a) the organization collects, uses or discloses in the course of commercial activities; or

PIPEDA defines “commercial activity” as follows:

  1. “commercial activity” means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

As one can see, an “organization” is broad and includes a business, community based organization and charity, if that organization carries on commercial activity. In the rest of this Advisory I will refer to them as “organizations” and they are covered by PIPEDA and not by FOIP or LA FOIP.

Let us now turn to discuss employers who are covered by FOIP, LA FOIP or The Health Information Protection Act (HIPA).

Can an employer ask an employee whether they have received the vaccination for COVID-19?

Some employers may be considering whether they will require their employees to receive the vaccine or provide a vaccination certificate for COVID-19. Employers have an obligation to make a workplace safe to work in within reasonable limits. The Saskatchewan Employment Act provides:

General duties of employer

3‑8 Every employer shall:

(a) ensure, insofar as is reasonably practicable, the health, safety and welfare at work of all of the employer’s workers;

(h) ensure, insofar as is reasonably practicable, that the activities of the employer’s workers at a place of employment do not negatively affect the health, safety or welfare at work of the employer, other workers or any self-employed person at the place of employment; and

Each employer will have to make a fundamental decision as to whether they need all employees to receive the vaccine or provide a vaccination certificate to make the workplace safer.

Prior to considering what privacy legislation might apply, employers need to seriously consider whether they want to require employees to receive the vaccine or provide a vaccination certificate. Because these vaccines are new, there will be questions about their use and effectiveness. There may be workplaces where social distancing, wearing masks and washing hands may be determined to be sufficient protection. These are considerations for the employer. Requiring employees to receive the vaccine is a fundamental issue and can be controversial. Requiring proof an employee has received the vaccine is less controversial, but does have privacy implications. It gets us into the issue of whether employers can or should require medical tests in the workplace. There has been considerable debate and court challenges over testing for drugs in the workplace. This particularly is a challenging issue for hospitals, medical clinics, long-term care and group homes. Employers need to know that requiring employees to receive the vaccine or provide a vaccination certificate, might result in a court challenge.

The OPC in “A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century” stated:

Following the enactment of the Canadian Charter of Rights and Freedoms in 1982, the Supreme Court of Canada formulated a methodological test to determine whether the violation of a Charter right is nonetheless justifiable in a free and democratic society. Stemming from the case R. v. Oakes, this became known widely as the Oakes test. It requires:

  • Necessity: there must be a clearly defined necessity for the use of the measure, in relation to a pressing societal concern (in other words, some substantial, imminent problem that the security measure seeks to treat),
  • Proportionality: that the measure (or specific execution of an invasive power) be carefully targeted and suitably tailored, so as to be viewed as reasonably proportionate to the privacy (or any other rights) of the individual being curtailed,
  • Effectiveness: that the measure be shown to be empirically effective at treating the issue, and so clearly connected to solving the problem, and finally,
  • Minimal intrusiveness: that the measure be the least invasive alternative available (in other words, ensure that all other less intrusive avenues of investigation have been exhausted).

The balance of this Advisory presumes an employer has made the decision to require vaccinations and understands the legal risks of a challenge, but intends to proceed.

What questions might an employer ask?

If an employer decides to require vaccinations, what questions might the employer be asking? Possible questions include:

  • Are you planning to get vaccinated?
  • When will you receive your first injection?
  • Have you received your first injection?
  • When will you receive your second injection?
  • Have you received your second injection?
  • Do you have a vaccination certificate?
  • Will you show me a vaccination certificate?
  • Will you provide me with a vaccination certificate?

The least intrusive approach would be that an employer requests, “Please show me your vaccination certificate”. The employer looks at the certificate and does nothing else. Slightly more intrusive would be where the employer checks off on an employee list that this employee has a vaccination certificate.

What questions might be asked in a pre-employment interview?

The above questions could be asked of existing employees. Another question is what employers might want to ask of people applying for a job. Employers will need to decide whether they ask any questions or no questions at all.

What privacy legislation might apply?

If an employer decides to require the employee to show or provide a vaccination certificate, the employer needs to know what privacy legislation applies. FOIP applies to government institutions which include Crown corporations, boards, agencies and other prescribed organizations. Part IV of FOIP deals with the collection, use, disclosure, storage and protection of personal information.

LA FOIP applies to local authorities which include cities, towns, villages, municipalities, universities and the Saskatchewan Health Authority. Part IV of LA FOIP deals with the collection, use, disclosure, storage and protection of personal information.

HIPA applies to health trustees which include government institutions, the Saskatchewan Health Authority, a licenced personal care home, a health professional licenced under an Act, a pharmacy, and licenced medical laboratories with custody or control of personal health information. Parts III and IV of HIPA deal with collection, use, disclosure, storage and protection of personal health information.

If an employer falls into one of the above categories, then that particular statute will apply to the collection, use, disclosure, storage and protection of personal information/personal health information. To be sure, an employer should check each of the Acts to see if it has any application to it. If in doubt, the employer should obtain legal advice.

Regulations under each of the Acts can also prescribe the organizations that are government institutions, local authorities or health trustees.

The Privacy Act may allow a lawsuit where a business, community based organization, employer or health trustee has breached someone’s privacy.

A further issue is that after the employee has received the vaccine, is the employee required to show or provide a proof of vaccination? Will the employer accept the employee’s word that the vaccination was taken? If the employee is required to provide proof, will the employer visually examine it or make a copy of it? If so, by whom and for what purpose? If a copy is made, the record may be accessible under HIPA, FOIP or LA FOIP.

If an employer is in doubt regarding requiring employees to get vaccinated or requiring a copy of the vaccination certificate, the employer should obtain legal advice.

What is the purpose of the employer asking whether an employee has gotten a vaccine or requiring a vaccination certificate?

Before embarking upon requiring vaccinations, the employer must determine the purpose for which it is requiring vaccinations and the purpose for an employee showing or providing a vaccination certificate. Is it to keep the workplace safe? More specifically, is it to prevent COVID-19 from being spread from employee to employee, customer or patient? It is important that the employer define the purpose before starting and not change the purpose after starting.

How should employers notify their employees of the purpose?

Employers should be open and transparent. They should advise staff that they will be asking the employee to show or provide the vaccination certificate and inform them of the purpose for so asking. Later, at the showing or providing of the vaccination certificate, tell employees the purpose of the collection, what will be collected, who it will be shared with and how long the information will be stored. Employees will particularly want to know if the employer is sharing the information with other third parties, why and under what legal authority.

The employer can provide other staff with statistical information, such as how many have been vaccinated. The employer should not give out names or identify the ones who were or were not vaccinated as this may be considered a privacy breach.

What information will the employer collect?

Asking an employee whether they have had the vaccination and requesting the showing or providing of a vaccination certificate is a collection of personal information/personal health information. Employers should collect the least amount of information necessary to achieve the purpose. If the employer is comfortable, they could choose to accept the employee’s verbal statement that they have had the vaccination. Alternatively, the employer could ask the employee to show a vaccination certificate, but choose not to make a copy of the vaccination certificate. This is referred to as the data minimization principle, that is, only collect what is needed to achieve the purpose.

What if an employee refuses to be vaccinated?

If an employee refuses to get the vaccination, refuses to confirm that they had the vaccination or refuses to show or provide a vaccination certificate, employers will need to decide if they will require the employee to wear a mask at work, stay home and self-isolate, send the employee home without pay or end the employment relationship.

Can the employer use the information for any other purpose?

The employer must determine its authority to collect for a defined purpose, and only collect personal information/personal health information for that purpose. This may include the employee providing the information for that purpose (indicating they had a vaccination and showing or providing a vaccination certificate). The employer should check the relevant legislation before using that information for any other purpose without getting the consent of the employee.

Who can the employer share the information with?

Since the employer has collected the information that the employee has received the vaccination or refused to get it, the employer needs to determine who in the organization needs to know. If the employee gets the vaccination, very few people need to know, but the employer can provide statistical information as to how many employees have received the vaccination. If the employee refuses to get the vaccination and is sent home, very few people need to know. Just like other sensitive health information, it is confidential; the employer should prohibit supervisors and HR employees from sharing the information with other staff. This does not prevent an individual employee from alerting others around them that they have been vaccinated (sticker, badge, lanyard, headband). An employer could promote this, but should not make it mandatory.

Where does an employer store this information?

The choices are storing on the employee’s HR personnel file, storing on the employee’s separate health information file or storing in a separate folder for all employees, containing all information regarding vaccination of employees or refusal to vaccinate. There is probably no need to store it anywhere else.

The information the employer has collected must be stored in a secure place. Once the employer collects personal information/personal health information about an employee, it is the employer’s obligation to ensure it is protected and only those with a need-to-know should be able to access it. Possibly the best practice is to set up a separate employee file to contain any personal health information collected. That would include COVID-19 vaccination and testing information.

Is an employer obliged to secure the information?

Under privacy legislation, there is an obligation for an employer to protect and secure the information collected and stored. If an employer is not subject to privacy legislation, best practice would suggest the information be protected. Other resources have made suggestions on securing information and a few tips are given by the British Columbia Information and Privacy Commissioner.

Your organization must make reasonable security arrangements to protect personal information in its custody or under its control. For example, if the collected information is in paper form, it should not be left in a publicly accessible area. Rather, it should be stored in a locked file cabinet. If you are storing the list on a computer, make sure the computer is password protected, encrypted, and on a secure network. Position computer monitors so that personal information displayed on them cannot be seen by visitors.

When should the employer destroy the information?

How long is an employer going to keep this information? Will it get destroyed in accordance with the employer’s destruction of documents policy? Should it have a special destruction period, shorter than the normal? Could it or should it be destroyed within six months? Employers need to decide whether they will develop a policy including destruction guidelines. Maybe the information collected can be destroyed earlier than an employer’s standard procedure.

Do employers need to develop a policy on COVID-19 vaccinations?

Once an employer has made a decision, the employer should consider developing a policy. In normal times, my office would recommend a privacy impact assessment (PIA). In these unique times, an employer might move very quickly and my office would still recommend either a shortened version of a PIA or a policy statement regarding COVID-19 vaccinations. Whatever the form of the document, it should contain:

  • authority for the collection;
  • a statement of the purpose;
  • a statement as to whether employees will be asked to show a vaccination certificate;
  • a statement on possible actions taken based on whether the employee has the vaccination or not;
  • a statement on where information will be stored;
  • a statement as to who it will be shared with (with public authorities or not); and
  • a statement on when the information will be destroyed.

Can a public body ask visitors whether they have had a vaccination for COVID-19?

Public bodies (government institutions and local authorities) have carried on their activities during the pandemic. As much as possible, communications have shifted to emails and telephone calls, but it is still possible that citizens or patients will attend at a public body’s front door or reception area. The question arises, can those public bodies ask questions about receipt of a vaccination for COVID-19? Secondly, can public bodies insist on seeing a vaccination certificate? If a public body decides to ask the citizen or patient whether they had a vaccination, then many of the questions raised above would apply. Of course, public bodies considering this issue should think about obtaining legal advice.

Can a health trustee ask whether patients or employees received a vaccination for COVID-19?

Health trustees are subject to HIPA. That Act contains principles similar to FOIP and LA FOIP when it comes to collection, use, protection or disclosure of information (in this case personal health information). Many of the questions posed and answered above will apply to health trustees.

Conclusion

The principles are simple: establish the purpose and authority, collect the least amount of information to meet the purpose, share it only with those who need to know, store it, keep it secure and destroy it when no longer needed. This is good advice whether a business, non-profit, employer or health trustee is subject to privacy legislation or not.

The Information Commissioner’s Office in Great Britain has issued a document regarding “work testing – guidance for employers”. Although British legislation is different from the legislation in Saskatchewan, the principles set out are good ones and may have some application to public bodies and health trustees in Saskatchewan.

Ronald J. Kruzeniski, Q.C.
Information and Privacy Commissioner

Media contact:
Julie Ursu
jursu@oipc.sk.ca

 

UPDATED: IPC Advisory on questions regarding vaccines for organizations, employers and health trustees

 

Additional Resources 

UK Information Commissioner Office:
Data protection and coronavirus – advice for organizations
Data protection and coronavirus – six data protection steps for organizations
Health, social care organisations and coronavirus – what you need to know

Alberta Office of the Information and Privacy Commissioner:
Pandemic FAQ:  Customer Lists

British Columbia Office of the Information and Privacy Commissioner:
Collecting Personal Information at Food and Drink establishments, gatherings, and events during COVID-19

Ontario Office of the Information and Privacy Commissioner:
COVID Alert and Your Privacy

 

Saskatchewan IPC finds ransomware attack results in one of the largest privacy breaches in this province involving citizens’ most sensitive data

An investigation by the Information and Privacy Commissioner of Saskatchewan has found that eHealth Saskatchewan (eHealth), the Saskatchewan Health Authority (SHA) and the Ministry of Health (Health) were the victims of a ransomware attack in late December 2019 and early January 2020, resulting in one of the largest privacy breaches in this province.

On December 20, 2019, an SHA employee opened an infected Microsoft Word document from their personal email account on their personal device while the personal device was being charged by a USB cord on their SHA workstation. The infected Microsoft Word document triggered the execution of ransomware on the workstation and a multi-phase exploit took place between December 20, 2019 and January 5, 2020. This ultimately led to a Ryuk ransomware attack on January 5, 2020, where the attackers made a ransomware demand. The attack affected fileshares with eHealth, the SHA and Health due to the shared infrastructure on which the fileshares reside.

On January 21, 2020, eHealth discovered that files were disclosed to malicious internet protocol (IP) addresses in Germany and the Netherlands. In total, approximately 40 gigabytes of encrypted data was extracted.

Through its investigation, eHealth advised my office that the affected servers contained approximately 50 million files across eHealth, the SHA and Health. eHealth conducted a metadata scan of those 50 million files and identified that approximately 5.5 million of those files may contain personal information and personal health information. eHealth developed a tool to scan the 5.5 million files and that tool identified a total of 547,145 files that potentially contain personal information and/or personal health information.

As there were a minimum of 547,145 files containing personal information and/or personal health information exposed to the ransomware (possibly more depending upon the accuracy of the tool developed by eHealth), the Commissioner concluded that personal information and personal health information of citizens of Saskatchewan was either exposed to the malware or maliciously stolen from eHealth, the SHA and Health.

Through the Commissioner’s investigation, it was discovered that there were three critical opportunities – two by eHealth and one by the SHA employee – where the ransomware may have been detected at an earlier stage. Had these opportunities not been missed, eHealth may have been able to detect the ransomware, shut down its systems and stop the extraction of data.

“eHealth is charged with collecting, storing and protecting the most sensitive health data in our province,” says Information and Privacy Commissioner Ron Kruzeniski. “Each of us has personal health information in eHealth’s systems. It is absolutely reasonable that each citizen demand the very highest level of security on our health information. To accept less is irresponsible.”

The Commissioner found that eHealth failed in fully investigating the two early threat occurrences which may have prevented the malicious extraction of data that followed. He also determined that eHealth did not sufficiently provide notification and that the SHA and Health failed in their notification efforts due to the excessive delay in providing notification. Furthermore, the Commissioner found that the SHA did not provide the employee at the heart of the incident with training on its Acceptable Use of IT [Information Technology] Assets policy.

“Because we are dealing with the most sensitive personal health information, every person who has access to this information needs to be trained, retrained and trained again as to the things they can do and especially the things they cannot do,” says Information and Privacy Commissioner Ron Kruzeniski. “This incident reveals the tremendous cost of one employee doing something and other employees failing to follow up rigorously on the warnings given.”

The Commissioner made a number of recommendations, including:

  • that eHealth undertake a comprehensive review of its security protocols to include an in-depth investigation when early signs of suspicious activity are detected;
  • that the SHA and Health take immediate steps to provide mass notification including media releases, newspaper notices, website notices and social media alerts;
  • that eHealth, the SHA and Health work together and provide identity theft protection, including credit monitoring, to affected individuals for a minimum of five years from the date an affected individual’s information is discovered on the dark web or to any concerned citizen who requests this protection;
  • that eHealth review whether it should have IT security staff in place 24 hours a day, seven days a week to actively monitor and investigate potential threats;
  • that all eHealth and eHealth partners be required to complete cyber security and privacy refresher training on an annual basis; and
  • that the Minister of Health immediately commence an independent governance, management and program review of eHealth based upon the concerns put forward by SaskTel, the Provincial Auditor and this Report.

The Commissioner recognizes that organizations are under continued threat of cyber security attacks. Therefore, the organizations that hold citizens’ most sensitive data must strive to have the best protected systems with the most thoroughly trained employees to mitigate the risks of these attacks happening.

The Commissioner acknowledges that, “eHealth, the SHA and Health have begun to take the necessary steps to ensure they are protecting the personal information and personal health information of the citizens of this province.”

Related Documents

Investigation Report 009-2020, 053-2020, 224-2020

Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on eHealth Saskatchewan Potential Privacy Breach – January 16, 2020

Media Contact

Kara Philip (Manager of Communication)
kphilip@oipc.sk.ca
306-798-2260

 

IPC News Release on Ransomware Investigation Report

I need to do WHAT? Processing your first access to information request

So you just started your new job and you get your first access to information request. You might be asking yourself, what do I do with this thing?, while you toss it to the side and ask questions later. I know the feeling, trust me. What you might not know, is that the clock is ticking on that piece of paper you just tossed among the pile of other priority work you need to complete.

I get it, it’s overwhelming and even more so if you don’t know exactly what your obligations are and where to start. Don’t worry, I’m going to save you some grey hair and from stress eating that box of stale doughnuts sitting on the kitchen counter.

Whether you are subject to The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) or The Health Information Protection Act (HIPA), you have an obligation pursuant to section 7 of FOIP/LA FOIP or section 36 of HIPA to consider processing the access to information request and a duty to assist under sections 5.1 of FOIP/LA FOIP or 35 of HIPA when issuing a response to the applicant. The following will hopefully assist in understanding your responsibilities regarding processing access to information requests from the public.

What it is

Check out our office’s resource Understanding the Duty to Assist, for a better understanding of a public body’s duty to assist regarding processing access to information requests.

Below, I’ve created a 5 step process you can follow that will hopefully guide you in understanding how to process an access to information request from start to finish.

Step 1: Access to Information request is received/seek clarification    

  • If the request for information has all the necessary elements required and any applicable fees have been paid, don’t delay, get started right away. Remember, a request does not need to be on the prescribed form, if you have enough information to understand what it is the applicant is wanting access to, you can get started right away and save yourself from breathing into a brown paper bag later when you start running out of time.
  • Seek clarification. If you are unsure what the applicant is wanting or you feel there may be an opportunity to narrow the request, don’t be afraid to call and ask. In my experience, if an applicant is made aware that narrowing their search could speed up the process, they are more than happy to do so. However, ensure that you are both aware that should they want anything and everything, they have the right to ask for it regardless of whether it will be released or not.
  • While you are on the phone with the applicant seeking clarification, explain the process. A quick phone call explaining the process can go a long way. Remember, some applicants aren’t as well versed in the legislation as you and may not know that they need to wait up to 30 days to receive the requested information. If you can advise them of this up front, the chances of them calling you back before the records are ready or making contact with our office will be minimal. 

Step 2: Searching for records 

  • You may find it helpful to ensure that your office has a strategy for searching for records. If a review is submitted to our office in regard to a public body’s or trustee’s search efforts, we will review whether a thorough search was completed based on the following elements found on pages 18-20 in Chapter 3 of our GUIDE TO FOIP found here and pages 19-21 in Chapter 3 of our GUIDE TO LA FOIP found here. Making thorough search efforts is very important in ensuring you have met your duty to assist.
  • Scroll through our resource directory on our website and check out our resource Responsive Records Search Checklist to make sure you’ve completed a thorough search for records.
  • If records pertain to an individual or third party other than the applicant, seek consent to release when appropriate.
  • If you were unable to find the records, make sure you send a letter out to the applicant right away advising that either no records exist or that they were unable to be located. If you believe that the records in question may be held by a different organization, there is no harm in referring the applicant elsewhere. You will want to consider whether another public body has a greater interest in the records and transfer the application according to section 11 of FOIP/LA FOIP where applicable. This will need to be done within the first 15 days and notification sent to the applicant. For transfer under HIPA, see subsections 36(1)(d) and 36(2).

Step 3: Process the records for release

  • Processing the records for release all at once won’t only save you time but will prevent the applicant from contacting you numerous times asking for additional information. Remember, you have 30 days to gather ALL the information they have requested and prepare it for release.
  • When determining what can or cannot be released, you will need to review all the records in your possession/custody or control that are responsive to the request, line by line and determine whether they will be released in full, part, or refused. Our office often gets questions about what information can be released. Unfortunately, we cannot guide you through this as it would affect our ability to remain impartial in the event of a review. The best advice we can give is to ensure that the release of information is in accordance with the legislation and that you have the authority to provide the information or withhold it. If you are unsure about whether you are applying the legislation correctly, you can use our guides to help. The guides will advise you of the tests our office uses if an applicant requests a review of exemptions and how decisions are made as to whether our office agrees with the information being withheld. The guides can be found below.
  • Prepare an index of records. This can be helpful in assisting the applicant in understanding what information was searched, what was located and what was provided, especially if they have requested a large number of records. This will also help you stay organized and ensure that you have located all pertinent information related to the access to information request. See 2-7 Index of Records in our Rules of Procedure for more information on our office’s procedure that requires an index of records to be submitted in the event of a review.

Step 4: Tick, Tock, Tick, Tock, You’re running out of time

  • If you are finding that you are running out of time while processing the request, you may have the ability to issue a notice of extension to the applicant. Extensions can be issued allowing a public body/trustee an additional 30 days to respond to a request. However, you will need to ensure you have the ability to do so under section 12 of FOIP or LA FOIP or section 37 of HIPA. Make sure to send an extension letter to the applicant right away to let them know that you require an additional 30 days to process their request.
  • Remember, extensions can only be granted in specific circumstances and you will need to make the applicant aware of this within the first 30 days. 

Step 5: Records are ready for Release, responding to the applicant

  • Once the records are ready for release, ensure you have issued a section 7 (FOIP or LA FOIP) or section 36 (HIPA) response to the applicant. The letter should reference the original access to information request and date received by your office, an explanation of the records included (if applicable) and whether they have been issued as full release, partial, or explaining that they are refused. Make sure you have referenced which piece of legislation was used in making your decision for partial release or refusal. In addition, if no records were found or they do not exist, you will need to respond appropriately to the applicant advising them of this outcome. Make sure to include that the applicant has the right to request a review of your decision from our office.
  • If you’ve prepared an index of records, it’s a good idea to send a copy of this in the response package to the applicant. This will provide them a thorough explanation of what information is included and, in the event that information was not provided, they will have an understanding of why, which may prevent a review with our office.
  • If you need help with preparing response letters to applicants in accordance with FOIP or LA FOIP, please check out some sample letter templates. You can scroll through, select the letter which best suits your situation and start writing. Please note that we did not create these templates, but they are nonetheless a good starting point. Wow, what a timesaver!
  • If an applicant has questions about the response that has been provided, do your best to explain the information that was provided and why information may have been withheld completely, or in part, under a certain section of the act; this too may save you from a review.

I hope these step by step instructions have been helpful in explaining how an access to information request works and your obligations under the applicable legislation, and that they assist you in developing some of your own strategies to help save time and unnecessary stress.

Providing the record to my office

I attended a virtual conference of a Commissioner roundtable. One of the Commissioners addressed an issue regarding providing his office with the record when reviewing an appeal of the denial of an access request. He went on to say that the record was necessary to do the job of a review and that his office never releases the record. I thought it was timely to write about this in Saskatchewan.

The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), in section 5 of each Act, establish the principle that citizens can ask for records in the possession or control of government institutions or local authorities (public bodies). The record is to be provided to citizens, if requested, subject to certain exemptions. When a public body decides not to provide a record or portions thereof, the citizen can ask for a review of the decision by my office.

One of the first things we ask for is the record that is at issue. It is impossible to do what we have to do without seeing that record. This means we need to see a redacted and unredacted version. Some public bodies are at times reluctant to give us that record. They might ask why we need it. The answer is it is absolutely essential to doing our job. Some will say the record is very sensitive. We understand a record might be sensitive, but that does not change the job the Legislative Assembly requires us to do. Some might feel a particular record is embarrassing or affects the public body’s reputation, but that does not change our need for the record. Some might suggest they do not want the record to become public. My office is not going to release that document to anyone, including the Applicant. My office does not release documents that are at issue.

What we do is review the record and the representations of the public body, do an analysis and then write a report recommending that the public body release the record or withhold the record. It is then up to the public body to decide whether it will release or continue to withhold the record. If there is no appeal to court, my office will destroy the record or delete it electronically, six months after the report is issued. If there is an appeal to the Court, my office will hold the record until the court’s decision is issued.

All of this to say, to do our job we need the record and we NEVER, NEVER RELEASE RECORDS. That is the decision of the public body.

Responding to access to information requests during an election

As Saskatchewan prepares for both a provincial and municipal election this fall, it is a good time to remind everyone about their obligations under The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and The Health Information Protection Act (HIPA). This includes the importance of responding to access to information requests during election periods.

Civil servants can be nervous about responding to access to information requests during the writ period, especially requests that may relate to “hot topic” issues. Our office also recognizes that there are specific communication directives during the writ period that civil servants must follow.

However, during the writ period, your obligations under FOIP, LA FOIP and HIPA do not change.

Public bodies and trustees must respond to formal access to information requests during a writ period as they would any other time during the year. This means you must respond to the request in writing within 30 days of receiving the request. You may extend the response time an additional 30 days only if a limited and specific circumstance exists as provided for in section 12 of FOIP, section 12 of LA FOIP and section 37 of HIPA. The reasons to extend a response time do not include a provision that covers elections or the writ period.

So, before the writ drops, our office would suggest having these internal conversations about FOIP, LA FOIP and HIPA obligations. That way, if you receive a “hot topic” request during the writ period, everyone is on the same page and you can carry on business as usual with your day to day FOIP, LA FOIP and HIPA obligations – before, during and after an election.

For further background, please see Review Report 064-2016 to 076-2016 where the Information and Privacy Commissioner, in part, looked at the issue of responding to access to information requests during an election.

UPDATED – Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan to Teachers, School Boards, Parents and Students

The pandemic initially resulted in classes being suspended and students staying at home. Now that September is here, schools are reopening, but schools are also offering students the option to learn remotely from home. School Divisions and teachers have been planning during August, selecting the online learning platforms and preparing to use those platforms for those students and parents who select online learning. There are many platforms from which a school division can choose and I expect each school division may select a different platform. Each platform comes with its privacy settings and each school division will have to make decisions as to which settings are selected. In analyzing each platform a school division needs to, among other things, apply a privacy lens and ensure they are protecting the privacy of a student.

Zoom, and other video conference platforms, have received a lot of publicity. I expect every platform has over the last six months examined its privacy settings. School divisions and teachers need to think through the privacy risks for students in using video conferencing or virtual meeting platforms.

There are many educational offerings through the web that teachers will be tempted to use to help instruct and fill the day. Again, school divisions and individual teachers need to know the privacy protections afforded their students by The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), which should cause school divisions to monitor closely what products are being used. This issue existed before the pandemic, but because of the current situation, the pressure to have online tools has increased. Teachers should only use the educational tools approved by their school divisions and should carefully review the privacy settings they can control, so as to reduce the risk of privacy breaches.

Before the pandemic, school divisions may have had a list of authorized or approved apps and educational products that the school division considered safe to use. I encourage school divisions to revisit the tools they have approved in the past to double check on privacy protections. Teachers should ensure that they are checking with the division with regard to any guidelines or restrictions on products they might want to use. Teachers need to consider which products are safe for use.

If school divisions have authorized virtual meeting/classroom platforms, they need to consider what information is collected and disclosed by use of the platform. For example, is the teacher seeing an image of the student and are all the students seeing images of the other students? As an individual’s image is personal information, displaying the images of students to other students is a disclosure of personal information. School divisions need to determine whether that disclosure is authorized.

To determine whether a disclosure is authorized, a school division needs to review LA FOIP. If the authority is not clear in LA FOIP, the best thing to do is obtain a consent from each student or parent. School divisions may have already obtained a written consent at the beginning of the school year and school divisions should review that consent to determine whether it is a consent that covers the streaming or broadcasting of a student’s image. Consent forms should be specific enough that parents or students know what they are consenting to.

I need to distinguish between the teachers seeing an image of each student in the class versus all students seeing the images of one another. The teacher seeing an image of a student is close to what the teacher would see if in a normal classroom. All students seeing the image of one another is a somewhat different issue because when this occurs, the images may be viewed by not only other students, but parents of the students, family members of the students, or caregivers of the students who are in the home. The streaming or broadcasting is potentially much broader than the teacher and other students in the class. Again, consent of a student or a parent can deal with this.

There are many questions for school divisions to consider in an online learning environment. What if a parent or student does not consent to the streaming or broadcasting of the student’s image to other students? Has the school division made provisions for students/parents to not consent to the streaming or broadcasting of the student’s image? Does the selected platform allow for students/parents opting out of streaming or broadcasting images? What if the student or parent turns off the camera on the home device? What if the student or parent puts masking tape over the lens of the camera? Should or does the school division encourage staff to advise students to turn off the camera and only turn on the microphone when a student is speaking?

The pandemic has given rise to many new privacy issues but, when one reflects, the principles that existed before the pandemic still apply. Does a school division have the authority to collect personal information? How will the school division/teacher use the personal information (student image)? Does the school division/teacher have authority to disclose (stream or broadcast) student personal information? Has the school division/teacher taken steps to safeguard the student’s personal information? These were all relevant questions before the pandemic and the questions remain relevant today.

For parents who have chosen distance education or online learning for the time being, the pressure is there to search for and use educational apps. My office has no jurisdiction over what parents do, but I would encourage parents to do some research on educational tools and the impact on their child’s privacy and ask questions if needed. You would not want your child’s profile, pictures, art work, and essays to show up in unexpected places.

Finally, students, you have some responsibility in this area too. As you work with various educational tools, you can check in to see how well your privacy is protected. Where you have concerns, you should let your parent, your teacher, or your school division know.

I would recommend that school divisions, teachers and students check the privacy policies, terms of use, and privacy settings of every educational app that they are considering using.

If any staff member has questions, I would suggest the staff member call the designated access and privacy officer for the school division.

For an advisory that looks at similar issues from a different point of view, you can check out my advisory on virtual meetings.

If a school division is evaluating a particular platform, it should consider a privacy impact assessment (PIA). If there is no time to do this, the questions they would be asked during such an assessment should be asked by the director, superintendents, or the access and privacy officer. For details regarding a PIA, see Privacy Impact Assessment: A Guidance Document.

For information on back to school plans see Saskatchewan School Board Association and for detailed information of access and privacy check out Privacy and Access in Saskatchewan Schools.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media Contact
Kara Philip, kphilip@oipc.sk.ca

Preparing and writing a submission

My office works with approximately 1,000 public bodies and trustees. Some are larger organizations and have many dealings with my office. These organizations have developed their procedures and precedents and make regular submissions to my office. Others may deal with my office once a year. It might be their first time having to respond to a complaint. I decided it was time to write about the best way to prepare for and write a submission to my office.

There is an old rule that when you write, you need to know your audience. In the case of submissions to my office, my office is the audience. I hope this Guide to Submissions will give the reader an idea of what my office is like and what is the best way of improving your chances of success.

As usual, this guide is a work in progress and any suggestions for clarifications or improvement are always appreciated.

 

Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan on police collecting personal information through bodycams

The Prime Minister on June 9, 2020, stated he supported the use of bodycams by police forces. He indicated bodycams were an idea “that’s time has come”. The Minister of Public Safety, Bill Blair stated:

I believe that the presence of video evidence as can be made available under the right circumstances, following the appropriate policies respectful of Canadians’ privacy interests that that video evidence can provide the best possible evidence to help inform exactly what transpired.

There are arguments in favor of police forces using bodycams and there are arguments against them having bodycams. The decision as to whether a police force uses bodycams is not one that an information and privacy commissioner should or can make. This decision is up to police chiefs and boards of the police commissioners. Once a decision is made to use bodycams, access and privacy issues become important. In fact, prior to the decision being taken, there are access and privacy issues that should be taken into consideration in designing the bodycams’ program. The balance of this advisory deals with the questions that should be considered prior to and after the decision is made to use bodycams. This advisory outlines best practices for police forces when considering bodycams.

Can a police force use bodycams?

Webcams, bodycams and dash cams are all tools that exist in our society today. All tools can be used for good purposes or bad purposes. Police forces have the ability to acquire and use many different tools; bodycams are one such tool. The use of bodycams has been debated across our country. In fact, police forces have undertaken pilot projects. Those opposed to the use of bodycams have made their position known. The cost to deploy bodycams is known and is considerable. Keeping all this in mind, police forces and boards of police commissioners can decide whether they use this tool or not. Again, the balance of this advisory deals with the access and privacy issues that should be considered before and after the decision is made to utilize the tool of bodycams.

What access and privacy legislation might apply?

If a police force decides to deploy bodycams, police forces need to know what privacy legislation applies to that police force. The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) applies to local authorities which include police forces in Saskatchewan. Part IV of LA FOIP deals with the collection, use, disclosure and protection of personal information.

What does The Police Act, 1990 say?

A board of police commissioners and a police chief are governed by The Police Act, 1990 of Saskatchewan which provides:

31(1) Where a municipality has established a police service pursuant to section 26, the board is responsible:

(a) for the delivery of policing services within the municipality; and

(b) for:

(i) providing general direction, policy and priorities; and

(ii) developing long-term plans;

for the police service.

(2) For the purposes of this Act and Part VI of The Saskatchewan Employment Act:

(a) a board is deemed to be the employer of the personnel of the police service; and

(b) the chief and any person holding the position of deputy chief of police are deemed to be agents of the employer.

(3) Subject to subsection (4), a board may make directives that are not inconsistent with this Act or the regulations, setting general policy for the governing and administration of the police service.

The police chief’s responsibilities are set out as follows:

35(2) Subject to the general direction of the board and to this Act and the regulations, the chief is responsible for:

(a) the management, administration and operation of the police service;

(b) the maintenance of law and order in the municipality; and

(c) the maintenance of discipline within the police service.

(3) To carry out the responsibilities imposed on a chief of police by this Act and the regulations, the chief may:

(a) appoint any personnel to positions designated by the board and assign their duties;

(b) delegate to any member or civilian member any authority vested in the chief that, in the opinion of the chief, is required to properly manage the police service; and

(c) make directives necessary to carry out the daily administration and operations of the police service.

What is the purpose of police using bodycams?

Before embarking on a bodycam program, a police force needs to focus on the purpose for the bodycam program. LA FOIP provides:

24 No local authority shall collect personal information unless the information is collected for a purpose that relates to an existing or proposed program or activity of the local authority.

It is important that the police force define the purpose at this early stage. The purpose should not be expanded after the fact as this would be viewed as function creep and may not be authorized. Is the purpose to accurately depict interactions between a police officer and a citizen? Is the purpose to protect the police officer? Is the purpose to gather evidence for court? Is the purpose to assist Crown Prosecutors? Is the purpose to assist defendants and defense counsel? Or is the purpose for our society to have a fairer justice system? It is not for me to define that purpose, but one can see that a police force would be well advised to define that purpose early so that all involved in the justice system know why this is being done.

One of the best ways of defining the purpose is to do a privacy impact assessment (PIA). This allows the police force to spend time discussing the purpose and determining the impact the program will have on the collection, use, protection and disclosure of personal information.

How should police forces notify citizens of the purpose of bodycams?

Police forces should be open and transparent. At the time of launching the program, tell police officers the purpose of the bodycam, when the bodycam is to be used, what the officer does with the video footage at the end of the shift, where it is to be downloaded to, who will have access to it, whether LA FOIP applies to the video footage and how long the video footage will be stored. Since this will affect police officers directly, they need to know the rules.

Similarly, citizens will want to know the same things because it will be their images which will be captured in the video footage. Further, those police officers will need to know whether, during a particular interaction, the bodycam is operating or not. Police forces will have to decide whether they have bodycams operating all the time or whether the police officer has the discretion to turn the bodycam on or off.

Citizens and police officers will particularly want to know if the police force is sharing the personal information with other third parties and why.

What personal information will the police force collect?

Capturing a person’s image and voice is a collection of personal information. LA FOIP provides:

25(1) A local authority shall, where reasonably practicable, collect personal information directly from the individual to whom it relates.

(2) A local authority that collects personal information that is required by subsection (1) to be collected directly from an individual shall, where reasonably practicable, inform the individual of the purpose for which the information is collected.

(3) Subsections (1) and (2) do not apply where compliance with them might result in the collection of inaccurate information or defeat the purpose or prejudice the use for which the information is collected.

Police forces should collect the least amount of personal information necessary to achieve the purpose. This is referred to as the data minimization principle, that is, only collect what is needed to achieve the purpose.

Purpose becomes extremely important. The data minimization principle puts pressure on a police officer (data collector) to record the least amount of video footage. This clearly implies that police officers will have to make the decisions to turn the bodycam on and off. Giving a police officer this discretion runs the risk of allegations that a police officer manipulated the footage collected. There will be pressure, to avoid this criticism, to have a bodycam running from prior to the beginning of the interaction to well after the conclusion of the interaction. It would appear, depending on purpose, that it is in the interest of police forces and citizens that the entire, beginning to end, interaction be recorded.

Police forces will have to determine whether all interactions with citizens will have to be recorded. Are there categories of interactions where bodycams should be turned on or should be turned off? It will be an important part of policy development to determine whether there are categories of interaction where bodycams should be turned on or should be turned off.

Can the police force use the personal information for any other purpose?

The police force has defined a purpose, authority to collect and has collected personal information for that purpose. LA FOIP provides:

27 No local authority shall use personal information under its control without the consent, given in the prescribed manner, of the individual to whom the information relates, except:

(a) for the purpose for which the information was obtained or compiled, or for a use that is consistent with that purpose; or

(b) for a purpose for which the information may be disclosed to the local authority pursuant to subsection 28(2).

Definition of purpose becomes extremely important. Bodycam footage can be used for the purpose for which it was collected. If video footage might be used for other purposes, then the consent of the individual or individuals in the image would have to be obtained. That can be problematic when there are multiple individuals in the video footage, some of whom are not identified.

Who can the police force share the personal information with?

Since the police force has collected the video footage (personal information), the police force needs to determine who in the organization needs to know, in other words, who will have access to the video footage. LA FOIP provides:

28(1) No local authority shall disclose personal information in its possession or under its control without the consent, given in the prescribed manner, of the individual to whom the information relates except in accordance with this section or section 29.

(2) Subject to any other Act or regulation, personal information in the possession or under the control of a local authority may be disclosed:

(a) for the purpose for which the information was obtained or compiled by the local authority or for a use that is consistent with that purpose;

(b) for the purpose of complying with:

(i) a subpoena or warrant issued or order made by a court, person or body that has the authority to compel the production of information; or

(ii) rules of court that relate to the production of information;

(c) to the Attorney General for Saskatchewan or to his or her legal counsel for use in providing legal services to the Government of Saskatchewan or a government institution;

(d) to legal counsel for a local authority for use in providing legal services to the local authority;

(e) for the purpose of enforcing any legal right that the local authority has against any individual;

(g) to a prescribed law enforcement agency or a prescribed investigative body:

(i) on the request of the law enforcement agency or investigative body;

(ii) for the purpose of enforcing a law of Canada or a province or territory or carrying out a lawful investigation; and

(iii) if any prescribed requirements are met;

(h) pursuant to an agreement or arrangement between the local authority and:

(i) the Government of Canada or its agencies, Crown corporations or other institutions;

(ii) the Government of Saskatchewan or a government institution;

(iii) the government of another province or territory of Canada, or its agencies, Crown corporations or other institutions;

(iv) the government of a foreign jurisdiction or its institutions;

(v) an international organization of states or its institutions; or

(vi) another local authority;

for the purpose of administering or enforcing any law or carrying out a lawful investigation;

(h.1) for any purpose related to the detection, investigation or prevention of an act or omission that might constitute a terrorist activity as defined in the Criminal Code, to:

(i) a government institution;

(ii) the Government of Canada or its agencies, Crown corporations or other institutions;

(iii) the government of another province or territory of Canada, or its agencies, Crown corporations or other institutions;

(iv) the government of a foreign jurisdiction or its institutions;

(v) an international organization of states or its institutions; or

(vi) another local authority;

(i) for the purpose of complying with:

(i) an Act or a regulation;

(ii) an Act of the Parliament of Canada or a regulation made pursuant to an Act of the Parliament of Canada; or

(iii) a treaty, agreement or arrangement made pursuant to an Act or an Act of the Parliament of Canada;

(j) where disclosure is by a law enforcement agency:

(i) to a law enforcement agency in Canada; or

(ii) to a law enforcement agency in a foreign country;

pursuant to an arrangement, a written agreement or treaty or to legislative authority;

(k) to any person or body for research or statistical purposes if the head:

(i) is satisfied that the purpose for which the information is to be disclosed is not contrary to the public interest and cannot reasonably be accomplished unless the information is provided in a form that would identify the individual to whom it relates; and

(ii) obtains from the person or body a written agreement not to make a subsequent disclosure of the information in a form that could reasonably be expected to identify the individual to whom it relates;

(l) where necessary to protect the mental or physical health or safety of any individual;

(m) in compassionate circumstances, to facilitate contact with the next of kin or a friend of an individual who is injured, ill or deceased;

(n) for any purpose where, in the opinion of the head:

(i) the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure; or

(ii) disclosure would clearly benefit the individual to whom the information relates;

(o) to the Government of Canada or the Government of Saskatchewan to facilitate the auditing of shared cost programs;

(p) if the information is publicly available, including information that is prescribed as publicly available;

(q) to the commissioner;

(r) for any purpose in accordance with any Act or regulation that authorizes disclosure; or

(s) as prescribed in the regulations.

The Local Authority Freedom of Information and Protection of Privacy Regulations (LA FOIP Regulations) provides:

Other disclosure of personal information

10 For the purposes of clause 28(2)(s) of the Act, personal information may be disclosed:

(b) to an individual or body providing consulting or other services to a local authority if the individual or body agrees not to make a subsequent disclosure of the information in a form that could reasonably be expected to identify the individual to whom it relates;

(c) where disclosure may reasonably be expected to assist in the provision of services for the benefit of the individual to whom the information relates;

(d) to a professional association or professional regulatory body for the purpose of carrying out the lawful activities of the association or body;

(f) for the purpose of commencing or conducting a proceeding or possible proceeding before a court or tribunal;

(h) with respect to health care information, in compassionate circumstances, unless the person to whom the information relates requests that the information not be disclosed;

(i) to another local authority or a third party in order to obtain information from that local authority or third party to respond to an inquiry from the individual to whom the information relates, to the extent necessary to respond to that inquiry;

(j) to another local authority or a government institution to enable that local authority or government institution to respond to an inquiry from the individual to whom the information relates, to the extent necessary to respond to that inquiry; or

(k) by forwarding to another local authority or government institution a correspondence received from an individual to enable that government institution or local authority to reply directly to the individual where a direct reply is considered more appropriate; or

(n) to the investigation observer appointed pursuant to section 91.1 of The Police Act, 1990.

When we talk about sharing, we are talking about sharing with other organizations. Section 28 lists many exceptions. It does allow police forces to share video footage containing personal information with other police forces under certain circumstances. When a police force receives a request from another police force, it needs to review section 28 to see if the request involves the circumstances where sharing is permitted. LA FOIP Regulations, section 9, lists those bodies that are law enforcement agencies including the RCMP, the Chief Coroners’ Office, the Special Investigations Unit of SGI, the Public Complaints Commission and the Saskatchewan Police Commission and board of commissioners under The Police Act, 1990.

Best practice would suggest that the bodycam policy developed by a police force indicate with whom, under normal circumstances, a police force might share video footage.

Best practice would suggest that a police force apply the data minimization rule. This rule says: provide the least amount of information (video footage) required to meet the request. Further, best practice would suggest that video images of persons other than those who are the subject matter of the request should be blurred or de-identified.

Is the police force obliged to protect the video footage?

The video footage with personal information the police force has collected must be protected. Once the police officer takes video footage with personal information, it is the police force’s obligation to ensure it is protected.  LA FOIP provides:

 23.1 Subject to the regulations, a local authority shall establish policies and procedures to maintain administrative, technical and physical safeguards that:

(a) protect the integrity, accuracy and confidentiality of the personal information in its possession or under its control;

(b) protect against any reasonably anticipated:

(i) threat or hazard to the security or integrity of the personal information in its possession or under its control;

(ii) loss of the personal information in its possession or under its control; or

(iii) unauthorized access to or use, disclosure or modification of the personal information in its possession or under its control; and

(c) otherwise ensure compliance with this Act by its employees.

Because we are talking about video and audio images, we are talking about electronic storage. This means storing the information on servers. A police force needs to make a decision as to whether servers are located in police force offices or at an IT service provider in the province or Canada. The latter is generally referred to as the Cloud. Best practice would dictate that a police service select the option that would give it the greatest amount of security and protection.

When should the police force destroy the video footage (personal information)?

How long is a police force going to keep bodycam footage which obviously contains personal information? Will it get destroyed in accordance with the destruction of records policy? Should it have a special destruction period, shorter or longer than the normal? Will the video footage be evidence in a Court case? Police forces will need to develop a policy which will specifically include destruction of video footage.

Do police forces need to be transparent about bodycams?

As with any tool used by an organization, bodycams can have good effects and bad effects. The risk of bad effects creates fears of misuse. Best practice would suggest that, to build trust and confidence, a police force should be transparent in its position on bodycams, their use and the security of the information. The best way to do this is to provide information on its website about its bodycam program. Transparency would start with developing a policy on bodycams as discussed below.

Do police forces need to create a policy regarding bodycams?

Once a police force has made a decision, the police force should consider some documentation of the plan. Prior to a police force making its decision on bodycams, best practice would suggest they do a privacy impact assessment. This exercise will surface the privacy issues that a police force will encounter in designing the program, implementing the program, developing policies and communicating with the public.

One of the essential steps would be to develop and make public a policy on its bodycam program. The policy should contain:

  • a statement of the authority;
  • a statement of the purpose;
  • a statement on possible actions taken with video footage, its collection, storage, protection and use;
  • a statement on how and where video footage will be stored;
  • a statement as to who within the police force will have access to the video footage;
  • a statement that the video footage containing personal information will be shared with only those within the police force who need to know and will not otherwise be available within the police force;
  • a statement on how the video footage containing personal information will be protected;
  • a statement as to how and when it will be shared with other police forces and law enforcement agencies; and
  • a statement as to when the video footage containing personal information will be destroyed.

The policy should be made available to staff and citizens and posted on the police force’s website.

Can I request videos taken of me?

 30(1) Subject to Part III and subsections (2) and (3), an individual whose personal information is contained in a record in the possession or under the control of a local authority has a right to, and:

(a) on an application made in accordance with Part II; and

(b) on giving sufficient proof of his or her identity;

shall be given access to the record.

A citizen does have the right to request access to video footage concerning that citizen. There are exceptions to this rule and those exceptions can be found in Part III (sections 13-22) of LA FOIP. A citizen does not have the right to view images of other citizens that may be in the video footage. A video can easily capture multiple individuals and a citizen does not have the right to the images of other individuals. When an access request is made, a police force would have to carefully review the video footage, blur out the images and delete the audio track of others.

Conclusion

The principles are simple: establish the purpose and authority, collect the least amount of personal information to meet the purpose, share it only with those who need to know, store it, keep it secure and destroy it when no longer needed. This is good advice for police forces or any other organization.

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca

Saskatchewan Information and Privacy Commissioner Tables 2019-2020 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, Q.C., has submitted his office’s 2019-2020 Annual Report: Issues in a Pandemic, to the Legislative Assembly. Kruzeniski stated:

In this pandemic, issues have arisen which have created considerable discussion and debate. Freedom of information and privacy legislation is not suspended during a pandemic and public bodies are still required to follow these statutes. At the same time, some public bodies are operating in extremely difficult and stressful times. The temptation can be to ignore access rules and privacy rules because we are fighting COVID-19. Ignoring the rules is not an option.

In terms of the issues of concern to navigate during and after a pandemic, the Commissioner highlighted and provided guidance on the following:

  • Processing access requests;
  • Transparency;
  • Sharing personal information and personal health information to prevent the spread of COVID-19;
  • How to balance the public interest and privacy;
  • Documenting decisions;
  • Health Care Consultation Apps, Contact Notification and Tracing Apps;
  • Virtual Meetings;
  • Tips for Working at Home;
  • Research: Post Pandemic;
  • Travel Restrictions and Checkpoints;
  • Questions, Screening or Testing by Employers Regarding COVID-19; and
  • Health Screening of Staff and Visitors in Care Homes.

As a final thought, the Commissioner noted:

In conclusion, maintaining a sense of balance during these difficult times can be done. It just takes a bit of thinking through the principles.