RCMP plan to equip every Sask. Detachment

G20 leaders make privacy, AI declaration

Ontario: $988K settlement reached in Peterborough hospital

Three simple rules for managing your privacy

Global definitions for artificial intelligence

New guidance on sending bulk communications

The Essential Guide To Data Privacy

Office of the Privacy Commissioner of Canada offered its 2023 annual report

Who Signs for a Child? (updated)

Who Signs for a Child? (updated)

When it comes to obtaining the personal information of a child under the age of 18 years, it is commonly accepted that a child cannot sign for themselves.  So, who can sign for that child?

The Children’s Law Act, 2020 sections 3 and 4 provides:

  • The parents of a child are joint legal decision-makers with equal rights unless changed in a court order or an agreement;
  • Where parents have not lived together after the birth of a child, the parent with whom the child resides is the sole legal decision-maker;
  • If a parent dies, the surviving parent is the legal decision-maker of that child unless changed by a court order or an agreement.

The Freedom of Information and Protection of Privacy Act (FOIP), section 59 and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), section 49 both provide:

59 Any right or power conferred on an individual by this Act may be exercised

(d) where the individual is less than 18 years of age, by the individual’s legal custodian in situations where, in the opinion of the head, the exercise of the right or power would not constitute an unreasonable invasion of the privacy of the individual; or

In effect, then the legal decision-makers can sign on behalf of the child.  This means two parents, sometimes one parent, or as directed in a court order, or agreed to in an agreement. For an analysis of this, see report Investigation Report 083-2022

The Health Information Protection Act (HIPA), has a similar provision, section 56 which provides as follows:

56 Any right or power conferred on an individual by this Act may be exercised:

(c) by an individual who is less than 18 years of age in situations where, in the opinion of the trustee, the individual understands the nature of the right or power and the consequences of exercising the right or power;

(d) where the individual is less than 18 years of age, by the individual’s legal custodian in situations where, in the opinion of the trustee, the exercise of the right or power would not constitute an unreasonable invasion of the privacy of the individual;

 

These provisions caused a number of questions to be asked.

Q. What if the parents are separated?

A. If parents are separated, they both are still joint legal custodians unless changed by a court order or an agreement.  In a court order, a judge can order that one parent is the sole legal custodian.  In an agreement, one parent can give up his or her rights to be the joint legal custodian.  In these instances, the head or a trustee should ask for a copy of the court order or agreement and identify the clause that deals with legal custodianship.

Q. What if one of the separated parents has a girlfriend, boyfriend or new spouse?

A. The girlfriend, boyfriend or new spouse has no rights unless it has been directed in a court order or dealt with in an agreement.

Q. What if the child wants to exercise his or her rights?

A. FOIP and LA FOIP do not have a specific section that answers this question. When children get to the age of what may be considered a mature minor, heads should use their discretion to provide the personal information if the child, “understands the nature of the right or power and the consequences of exercising the right or power.” Heads should also look to their governing legislation to see if the Legislative Assembly has provided direction on the rights of the child.

HIPA does contemplate an individual under 18 years of age exercising a right under the Act such as requesting his or her personal information or making a decision with respect to it. When such a request is made, it is up to the trustee to determine whether the individual understands the nature of the right or power and the consequences of exercising the right or power.  There is no specific age when one can say that is a mature minor.

The head has to in each circumstance determine whether the child understands the nature of the right or power and the consequences of exercising the right or power.  In circumstances of uncertainty, the head might decide to acquire the signature of the legal custodian and the child.

Q. Can the legal custodian obtain all personal information or personal health information?

A. All three statutes provide that legal custodians can have the information, unless in the opinion of the head or trustee, providing the information would be an unreasonable invasion of privacy of the individual. The data minimization principle would still apply.

Doctors, nurses, social workers, teachers and guidance counsellors can run into this problem.  Parents may want all the information, but that information could include information on pregnancy, drug addiction, sexually transmitted disease, contemplated suicide, contemplated leaving home, gender identity or commission of a crime.  In addition, the child may have expressly asked that the information not be shared with their parents. In these instances, the professional involved, their supervisor, the head or the trustee must consider very carefully the words “unreasonable invasion of privacy.

Q. What if the child verbally or in writing tells the professional that they have shared the information in confidence and does not want their parents to know?

A. This adds to the challenges faced by the professional. Such a request by the child is a clear indication that the child wishes privacy and does not want the information to be shared with others.  It is an important factor in determining whether there would be an “unreasonable invasion of privacy.”

Releasing personal information under the new policy of the Ministry of Education

The Ministry of Education has issued a policy related to students request to change names or the pronoun they wish to be used. The policy provides as follows:

…Given the sensitivity of gender identity disclosure, when a student requests that their preferred name, gender identity, and/or gender expression be used, parental/guardian consent will be required for students under the age of 16.

For students 16 and over, parental consent is not required. The preferred first name and pronoun(s) will be used consistently in ways that the student has requested.

In situations where it is reasonably expected that gaining parental consent could result in physical, mental, or emotional harm to the student, the student will be directed to the appropriate school professional(s) for support. They will work with the student to develop a plan to speak with their parents when they are ready to do so.

Educational organizations collect personal information both directly and indirectly about individuals while providing educational services. Educational organizations should take all reasonable steps to protect this personal information from unauthorized uses and disclosures, and to protect the privacy of the individual…

It is not my position to approve or disapprove of a policy. Thus, I provide no comment on the policy itself. I can however comment on any access and privacy implications that might exist. First, the policy is directed at school boards and school boards are local authorities under LA FOIP. Further, I note, subsections 28(1) and (2) of LA FOIP provide:

28(1) No local authority shall disclose personal information in its possession or under its control without the consent, given in the prescribed manner, of the individual to whom the information relates except in accordance with this section or section 29.

(2) Subject to any other Act or regulation, personal information in the possession or under the control of a local authority may be disclosed:

(r) for any purpose in accordance with any Act or regulation that authorizes disclosure; or

Subsection 28(1) of LA FOIP prohibits disclosure of an individual’s personal information without their consent. There are exceptions contained in subsection (2). Clause (r) is one of those exceptions, which allows disclosure if provided for in an act or regulations. I note the clause does not refer to policy. Thus, the local authority disclosing information to a legal custodian (parents) would need to find authority in The Education Act or Regulations.

Section 49 of LA FOIP provides:

Exercise of rights by other persons 

49 Any right or power conferred on an individual by this Act may be exercised:

(d) where the individual is less than 18 years of age, by the individual’s legal custodian in situations where, in the opinion of the head, the exercise of the right or power would not constitute an unreasonable invasion of the privacy of the individual; or

I note that a legal custodian (parents) has the right to request and receive personal information of their child, where in the opinion of the head (usually the Director of Education), providing the personal information would not be an unreasonable invasion of the privacy of the child. The Director of Education is required to form an opinion that it is not an unreasonable invasion of privacy before doing so.

In summary, a Director of Education can release personal information to the parents, if the child consents or in the Director’s opinion, it is not an unreasonable invasion of the child’s privacy.

Other helpful resources on this topic can be found at:

  1. Office of the Privacy Commissioner of Canada Form of Consent
  2. Best Practice for Gathering Informed Consent
  3. Alberta IPC Order F2012-21case on unreasonable invasion of privacy

 

Absurd Results (updated)

From time to time, when interpreting and applying legislation, one can end up with a result that will be absurd. This can happen from time to time with The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LAFOIP) or The Health Information Protection Act (HIPA). These statutes are to be liberally interpreted and through court decision have been given a quasi-constitutional status. Because they are to be liberally interpreted, absurd results should be at a minimum, but in the application of the legislation to particular access requests, sometimes absurd conclusions can be reached.

For example, an applicant (citizen) applies for records and the request is denied, or part of the record is severed, because it is personal information. Section 29 of FOIP, section 28 of LA FOIP and section 27 of HIPA provide that personal information is not to be released except with consent (there are exceptions). So, a public body could say they won’t release the applicant’s personal information because of subsection 29(1) of FOIP. That is an absurd result when the public body is refusing to give the applicant their own personal information (unless there is another exemption that applies).

Another example is where a public body refuses to provide a document that is already public. If the request is for a book, then it is understandable that the public body does not want to photocopy the entire book but is not a legitimate reason not to provide. I would suggest in the instances where the document is on a website, that the public body either copy the document or advise the applicant where they can find the document. Advising the citizen/applicant of the URL for the document is just a helpful thing to do and if a formal access to information request is made, referring the applicant to the publication is required pursuant to subsection 7(2)(b) of FOIP/LA FOIP.

Another example is where a public body believes part of a document is non-responsive to the access request, but other parts of the document are responsive (relevant) to the request. A public body might decide to sever the non-responsive portion. This is a bit of a waste of time. The applicant has the right under section 5 of FOIP, section 5 of LAFOIP or section 12 of HIPA to any record the public body has (subject to exemptions).  If the applicant becomes suspicious because of the severing, they could submit a second access request and be entitled to the portion considered non-responsive (subject to exemptions). Why make citizens jump through unnecessary hoops to get to what they are otherwise entitled to get?

A final example is where an applicant has submitted something like a letter to a public body. Usually, the letters include complaints about someone else which is technically the other person’s personal information, so a public body often withholds the letter as personal information of a third party. The problem is the applicant provided the information to the public body thus, the applicant is already aware of it. In this instance, the public body should release the letter to the applicant because the applicant has previously provided it. See my office’s Review Report 155-2022 and Review Report 254-2022 where the applicant provided information to the police and participated in interviews with the police.

So, I would ask public bodies to take a liberal approach to these three statutes and if specific exemptions do not apply, to provide as much of the records as is possible. Such an approach will reduce frustration of applicants and increase trust in the public body that is trying to do the right thing and help citizens.

Third parties under FOIP and LA FOIP (updated)

In other blogs I have talked about public bodies and third parties (businesses). If a public body is a city, town or municipality, legislation like section 91of The Cities Act or section 117 of The Municipalities Act requires the release of contracts, and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) requires the same unless part of the contract falls under one of the exemptions. Public bodies like government ministries, boards, agencies and Crown corporations are bound by The Freedom of Information and Protection of Privacy Act (FOIP) and contracts are released unless they come under subsection 19(1).

As we provide advice or begin a review, it always seems the third party expects the entire agreement to be withheld because the third party does not want any of the information released.

Many clauses in an agreement do not disclose sensitive information. Clauses like the singular includes the plural and successors to the parties are bound to not disclose sensitive information. So, in many of the cases, the entire contract will never be withheld.

Third parties sometimes want all correspondence and reports related to the project withheld. Again, they have to show that individual items fall under subsection 19(1) of FOIP and subsection 18(1) of LA FOIP. Some rely on a clause in the contract that all will be kept confidential. I remind both public bodies and third parties they cannot contract out of the law of the province. FOIP and LA FOIP apply in spite of a confidentiality clause in a contract.

Public bodies and third parties sometimes are concerned that the applicant will distribute the documents or publish them. As a citizen, the applicant has the right to documents unless subsection 19(1) of FOIP or subsection 18(1) of LA FOIP applies. The intention or anticipated actions of the applicant are irrelevant in a FOIP or LA FOIP context. Some third parties are more concerned when it is the media applying. The media has the same right to the information. What might the media do with the documents? The answer is, obviously, they will analyze and might write a story. That is part of the democratic process.

If after thinking about the above, a third party intends to object to the release of documents, they will have to move quickly. They have 20 days after they receive notice. The public body is bound to give the applicant a response to the access request within 30 days (or 60 days if an extension is decided upon). If the public body failed to respond to the applicant in 30 days (or 60 days) my office will consider that the public body has decided not to respond, and it is treated as a deemed refusal.

Third parties should, where they enter into contracts involving taxpayer funds, not expect total confidentiality and should read subsection 19(1) of FOIP and subsection 18(1) of LA FOIP.

MySaskHealthRecord (updated)

On October 8, 2019, the Saskatchewan government and eHealth launched MySaskHealthRecord. The news release stated, “New Website Allows Saskatchewan Residents to Access Their Personal Health Information Anywhere, Anytime”. This is an exciting first step in allowing citizens to access their own personal health information. You can check the ehealth website to see what information you can access. As of the date of this blog, you can access:

  • laboratory test results
  • medical imaging reports
  • immunization history
  • prescription history
  • clinical visit history (displayed as inpatient, outpatient or emergency visits to a health care facility)
  • clinical documents (This displays notes from your doctor such as hospital admission, discharge summaries and consults.

It has always been accepted that my personal health information is my information but accessing it could be challenging. One of the benefits of technology is that it allows us to get that information easily and quickly.

For every benefit of a technical advancement there is an added responsibility imposed on us. Your password is very important. You should not share it with anyone. MySaskHealthRecord is only available to users to access their own data at this time. Put another way, one should not leave this pin or password laying around or casually share it with others. With such sensitive information within the app, a strong password is a must. For advice on developing a strong password, check out this link.

I am hopeful eHealth will continue to enhance MySaskHealthRecord in the future. For example, can I see who in the health care system has accessed my health record? Since my personal health information is my information, I have the right, and at times, the need to know who else is looking and question if it is for a legitimate purpose. The only people that should be looking are those I have consulted regarding my personal health situation or have a legitimate need-to-know.

To register for a MySaskHealthRecord account, click here.

 

Solicitor-Client Privilege/Litigation Privilege (updated)

On May 16, 2018, the Saskatchewan Court of Appeal released its decision in University of Saskatchewan v Saskatchewan (Information and Privacy Commissioner), 2018 SKCA 34 . The appeal addressed the statutory authority of the Information and Privacy Commissioner (IPC) under The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) to require the production of records over which a local authority asserts solicitor-client privilege in order to verify the claim. As a result, the IPC has developed procedures where solicitor-client privilege or litigation privilege is claimed.

Below is a succinct summary of the law related to solicitor-client privilege and litigation privilege.

Question 1:  Scope of Solicitor-client privilege

  • Solicitor-client privilege covers all communications between a lawyer and client directly related to the seeking, formulating, or giving of legal advice, along with communications within the “continuum” in which the solicitor tenders the advice. This includes records of such communications. These communications must, however, be in furtherance of legal advice and must occur within the framework of the relationship between a client and a lawyer acting in his or her capacity as a lawyer.
  • Solicitor-client privilege does not necessarily extend to all records in relation to a matter. For example, owing to the nature of the work of in-house government counsel (e., having both legal and non-legal responsibilities), the government institution will need to review, and the IPC should verify, that solicitor-client privilege is properly asserted in relation to each requested record “depending on the nature of the relationship, the subject matter of the advice and the circumstances in which it was sought and rendered”. Furthermore, solicitor-client privilege does not necessarily extend to the entirety of an individual record where portions of the record do not constitute or relate to legal advice (e.g., header and footer information and confidentiality notices in email communications).
  • Litigation privilege attaches to documents created for the dominant purpose of pending or apprehended litigation. Conceptually distinct from solicitor-client privilege, litigation privilege differs in at least three respects: 1) it arises even in the absence of a solicitor-client relationship; 2) it applies only in the context of litigation; and 3) unlike solicitor-client privilege, it is time-limited and comes to an end upon termination of the litigation or any closely related proceedings.
  • A party asserting solicitor-client privilege bears an evidentiary burden of establishing a prima faciecase for privilege. Courts have held that where a party has tendered evidence in support of a claim of privilege (e.g., an affidavit of documents and schedule), and in the absence of evidence to the contrary, the privilege claim should be sustained.

Question 2: Scope of the Information and Privacy Commissioner’s authority to verify claims of solicitor-client privilege under FOIP/LAFOIP?

  • While the courts have said that solicitor-client privilege must remain as close to absolute as possible, it is not absolute. It can be limited or abrogated by statute.  A statute purporting to limit or abrogate the privilege must be interpreted “restrictively”.
  • Following the U of Scase and pursuant to “the clear and unambiguous” language in FOIP and LA FOIP, the IPC possesses the express statutory authority to request full disclosure of disputed records to verify questionable claims but only to the extent that it is “absolutely necessary.” This threshold is very high. The IPC can likely require full production of a record only in narrow circumstances where the IPC has a reasonable basis in fact to believe that the government institution’s or local authorities’ claim of privilege is improperly or falsely asserted.
  • Short of requiring full production to verify claims of privilege, the “absolutely necessary” threshold requires the IPC to take a number of prior verification steps in incremental fashion before resorting to this last measure.
  • For example, the government institution or local authority could be required to support its privilege claim by:
    • Providing a sworn affidavit of documents along with a schedule of records containing requested information to the level of detail that accords with the usual or best practices expected of an affidavit of documents in the civil litigation context.
    • If the IPC is still unable to reasonably verify a claim of solicitor-client privilege after the provision of an affidavit of documents and schedule of records, containing the requested information, the IPC could then question the government institution on its affidavit or schedule.
    • If the IPC remains unsatisfied at this stage, the U of Scase gives the IPC the power to compel production of the full record in order to verify the claim on the basis of the record itself.
  • Even under this incremental approach, the IPC must have a reasonable basis for questioning the asserted claim in the circumstances before moving to the next stage.

As a result, whenever a public body claims solicitor-client privilege or litigation privilege, step one will be to request the public body to provide a copy of the original records, a redacted copy of the records provided to the applicant. Alternatively, the IPC will require an Affidavit of Records as set out in Form B of The Rules of Procedure and the redacted record provided to the applicant.  That Affidavit contains a Schedule, and the public body is required to list the documents over which privilege is claimed and indicate whether they are claiming solicitor-client privilege or litigation privilege. The government institution or local authority is expected to complete the schedule with all details. Failure to do so may cause the IPC to move to the next step.

The Rules of Procedure have been updated to reflect the current practice in this area.  Part 9 has been amended accordingly and the Affidavit of Records has been provided in Form B.  A representation or submission is optional and at the choice of the public body.  The Schedule has two columns which requires the public body to indicate whether they are claiming solicitor-client privilege or litigation privilege.

I hope this Blog and The Rules of Procedure clarify this issue and make the process somewhat simpler. I must emphasize, it makes our work much easier if the client provides my office with the original records over which they are claiming solicitor-client privilege or litigation privilege and the redacted record which was sent to the applicant. My office never releases these documents to the applicant or to anyone else and they are usual destroyed six months after the file is closed.

 

Privacy on the Prairies

In our office’s most recent annual report the focus was on data and the amount of data we generate online. With the rapid advancement of technology and the increase in the amount of business being conducted online, we need to be conscientious about what information we are providing and whether it is being used only for the intended purpose.

“There is an obligation on organizations either legislated or expected by society that the data we provide is fully protected.”

When it comes to understanding privacy, how do the prairie provinces measure up? In a recent public opinion survey from the Office of the Privacy Commissioner of Canada, the truth is in the numbers.

So, how do citizens feel about how their personal information is being handled? Among the respondents in the prairies, 39% indicated that they are extremely concerned about the protection of their privacy and over half of those surveyed believe that all of what they do online or on their smartphones is being tracked by companies and/or organizations. They are also more apprehensive in providing information to organizations or agreeing to new technology such as face and voice recognition.

When asked the same question of government institutions, this number dropped to 21%. Respondents indicated that they have more trust in how banks, law enforcement and government of Canada services (eg., passports, pensions and employment insurance) handle our information as opposed to social media, big tech companies (eg., Microsoft, Apple and Google) and various retailers. This could be a result of legislation that protects personal information and personal health information. Provincially, our province has three statutes; The Freedom of Information and Protection of Privacy Act, The Local Authority Freedom of Information and Protection of Privacy Act and The Health Information Protection Act to address these concerns which  apply to government ministries, Crown corporations, school boards, universities, municipalities, cities, towns, villages and trustees among various others. However, we need to be cautious when providing information to organizations that operate outside our province or that have other legislation that governs them.

Luckily, when it comes to taking steps to control how our information is collected, used and disclosed, we have some options. First and foremost, don’t provide any information that is not necessary for the intended purpose. In many cases, you get to control the information you provide. Make sure you are reading through terms and conditions and ask questions if there is something you don’t understand. When it comes to things like social media accounts, make sure to review your privacy settings and set them as high as you can to protect yourself as much as possible. This is something that 76% of respondents to the survey have taken action on and even 53% have stopped using social media altogether.

The concern that was the most prevalent was that of identity theft. This was rated the highest with 65% saying that this is something they are very concerned with. Considering the percentage of individuals (57%) that acknowledge that they or someone they know has been impacted by a breach, they are right to be cautious, as a breach of this nature can have the potential to be damaging to many aspects of life and can take years to resolve fully.

With this level of concern, I question then why only 14% of respondents rated their knowledge of privacy rights as very good and whether this number is due to a lack of awareness and understanding. If so, what can we do to ensure that people are better informed? When 76% of respondents in the prairies state that they are not aware of any federal institutions that help Canadians deal with privacy and the protection of personal information, there is definitely room for improvement for both the parties offering these services and individuals educating themselves on the matter.

We need to ask how we can ensure that individuals who entrust us with their information are well informed on how that information will be collected, used and disclosed without over complicating things, and ensuring they clearly understand their rights. Would it surprise you to learn that when asked how often respondents read privacy policies, notices or pop ups when using mobile applications or conducting transactions online, 16% said always, 23% said never and 61% said sometimes. I have to admit, I am among the 61% and would give the same reasoning as 48% of respondents asked, they are just too long! One could also argue that they are seldom written in layman’s terms making them difficult to understand.

If you want more information on how to protect yourself, our office has various resources that can help educate you on safeguarding your information. If there is something you can’t find on our website or would like more information about, let us know by sending us a message on X, LinkedIn. You can also email us at webmaster@oipc.sk.ca (for website related inquiries) or intake@oipc.sk.ca (for general questions). For more information on the above survey results please see 2020-21 Survey of Canadians on Privacy-Related Issues – Office of the Privacy Commissioner of Canada

Privacy Audits (updated)

Your organization has undertaken a privacy impact assessment (PIA) as part of its process of designing and implementing a new program. So, what’s next?

Once the new program has gone live, your organization should plan regular privacy audits to ensure that the program is operating in a manner that complies with applicable access and privacy legislation.

When undertaking the PIA process, your organization would have identified privacy impacts and identified methods (controls) to manage and/or mitigate the privacy impacts of the program to ensure compliance with the applicable access and privacy legislation.

During a privacy audit, you will determine if the controls identified through the PIA process are adequate in managing and/or mitigating the privacy impacts. This will include identifying what personal information/personal health information is actually being collected, used, and disclosed; reviewing the information systems used to store and manage the information; and reviewing the program’s policies, procedures, and actual practices to ensure your organization is managing personal information and/or personal health information in compliance with the applicable access and privacy legislation. While time-consuming, it is a worthwhile exercise to hopefully minimize the impacts of potential privacy breaches.

Through the audit process, your organization may identify areas of the program that may not be in compliance with applicable access and privacy legislation; or areas that may be inviting privacy vulnerabilities. Examples could be:

  1. Collecting, using and/or disclosing more personal information/personal health information than is necessary.
  2. Storing more personal information/personal health information instead of disposing of information in accordance with records and disposition schedules.
  3. Inadequate safeguards in protecting personal information/personal health information, including de-activating the accounts of employees on leave or of former employees.

Once inadequacies in controls are identified, your organization should identify methods to manage and mitigate the privacy impacts.

Programs will inevitably evolve as time goes on. It’s always a good idea to schedule regular privacy audits to ensure privacy impacts are being managed and/or mitigated to reduce the likelihood of a privacy breach.

While my office has not conducted any formal privacy audits, my office has the ability to conduct audits pursuant to subsection 33(d) of The Freedom of Information and Protection of Privacy Act, subsection 32(d) of The Local Authority Freedom of Information and Protection of Privacy Act, and subsection 52(d) of The Health Information Protection Act.

 

 

Demystifying the Right to Privacy

Privacy is a deeply personal concept, and it means something a bit different to everyone – so how does Saskatchewan’s privacy legislation protect your personal information and personal health information?

Saskatchewan’s public sector access and privacy laws, The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) govern how public bodies (government institutions and local authorities) interact with your personal information. Saskatchewan’s health sector privacy law, The Health Information Protection Act (HIPA), for the most part controls how certain health professionals (called trustees under HIPA) interact with your personal health information.

The protection of privacy under these Acts includes setting rules for the collection, use and disclosure of the personal information or personal health information in question, and whether the public body or trustee’s actions are allowable under their respective Act.

Collection is when an organization assembles or obtains information about an individual.

Use is when an organization uses the information internally – the information is still under the control of the organization.

Disclosure is when information is shared with a separate entity outside of the organization, so the information passes out of the possession and control of the organization.

In order to fulfill their roles, public bodies and trustees may need to collect, use and/or disclose information about you. The legislation protects your privacy by placing boundaries around when collection, use and disclosure is appropriate, and by establishing obligations for organizations.  Some of these obligations include:

  • Collecting only as much of your information as is necessary to fulfill an authorized purpose (data minimization principle).
  • Where possible, collecting information directly from you.
  • Ensuring that the information they collect about you is as accurate and complete as possible.
  • Taking reasonable steps to safeguard the information under their control – this means having technical, physical or administrative safeguards in place to protect the information from unauthorized access, use, modification, etc.

If you feel that your personal information or personal health information has been collected, used or disclosed inappropriately by a public body or trustee in Saskatchewan, you have the right to make a complaint. The first step will be to make a written complaint to the organization that you feel breached your privacy – for more on this, please see our webpage How do I resolve a Complaint? and our previous blog post, How to Complain (Effectively). If you don’t receive a response from the organization, or if you are not satisfied with the response, you can make a complaint to our office.

Alternatively, when a breach occurs, you may receive notification from the public body or trustee. For more on this, please see our previous blog post What to do if you Receive a Privacy Breach Notification.

If you have questions about how your privacy is protected in Saskatchewan, you can contact our office for more information.

 

Confidentiality Clauses in Contracts (updated)

A lot of our work centers around a citizen wanting a contract that a ministry, city, town or municipality has entered into. The public body does not want to release it, for among other reasons, the contract has a confidentiality clause.

The Cities Act and The Municipalities Act specifically provides that a citizen can inspect a contract entered into. See Review Report 049-2021 at paragraph [89]. The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) both provide that a citizen has access to records unless a particular section exempts the public body having to release some of the clauses.  Section 19 of FOIP and section 18 of LA FOIP provide certain exemptions but there is no exemption just based on the parties wanting to keep the information confidential.  A confidentiality clause in a contract might bind the parties but the clause cannot override the law of the land.

Third parties and businesses need to know when they deal with public bodies supported by tax dollars that their contract will probably be released. No confidentiality clause, however well drafted, can override the law. See Review Report 205-2019, 255-2019 at paragraph [95].

Now I have mentioned there are some exemptions. Section19 allows for information regarding trade secrets; financial, commercial or labor relations information can be withheld.

If an exemption applies, like trade secrets information, that information can be withheld but that does not justify withholding the entire contract. The public body might be entitled to sever the exempted information but would be obliged to disclose the rest.

So I hope over time businesses dealing with public bodies come to accept that being transparent in a democracy is important and their contracts will be available to be examined by citizens.

 

 

3 Minutes for a Search (updated)

As public bodies have gone to doing the majority of their communicating by email, access requests for records of emails have increased. I expect such requests will continue. If the access request is for recent records (emails) an employee can perform a search in Outlook (or other email programs) and very quickly locate the emails related to the access request. If the requests are for older emails, which have been archived in the Outlook archive system, the search can still be done (it might take a little longer). If the access request is for emails that are no longer in the Outlook system, then the search might be more difficult depending on the technology used. Or, if the employee has left the organization, and their emails have been stored outside the Outlook system, the effort to get those emails could be difficult and time consuming. This can be hard work or expensive if IT resources are required.

The best solution is that emails be reviewed regularly by each employee. The emails that are part of the official record get stored in an organized electronic filing system, such as a shared drive that is accessible to authorized employees or an electronic document records management system (EDRMS). I know employees don’t always do this, but they should. An alternative solution is that an organization acquires an email management system that stores all emails, old and new, for current and former employees.

Those are two solutions. There may be other solutions and I encourage organizations to determine what solution works for them.

In the meantime, access requests for emails will be made. Organizations need to decide on a search strategy for finding those emails and then decide whether they will charge a fee. If an organization charges a fee for those emails, it is necessary to figure out what is a reasonable fee. My office has developed rules of thumb for searches such as 5 minutes per file drawer or 1 minute to review 12 pages. We have developed another rule of thumb. We will accept that it takes 3 minutes for an employee to search their email Outlook account for each search parameter. Of course, a public body is free to perform its own test and determine the length of time it takes to perform a search of an employee’s email account and store the results.

Our hope is that this new guideline will make it easier for public bodies to estimate a fee and easier for applicants to understand the fee being charged.

We think our 3 minutes is reasonable, but try it, search your email account and time how long it took your computer to deliver the search result and then the time to move those results to a separate file or flash drive. As you are working on a fee estimate, you should review section 9 of FOIP, section 6 and 7 of the FOIP Regulations or section 9 of LA FOIP and sections 5 and 6 of the LA FOIP Regulations. For a report that analyzes a fee estimate, see Review Report 119-2026.