Ontario IPC issues guidance on police use of facial recognition and mug shots

European Parliament passes landmark AI Act on March 13

UK AI regulation bill receives second reading

AI Notetakers – the risks and benefits

UN adopts AI resolution which focuses on safety

Ontario school boards sue makers of Facebook, Instagram, Snapchat and TikTok

Tennessee Elvis Act, replication of voices” by AI

Australian government proposes to implement AI changes

Podcast -Ontario IPC discusses facial recognition

Draft American Privacy Act introduced

Canadian privacy regulators pass resolutions on the privacy of young people and workplace privacy

Canadian privacy regulators pass resolutions on the privacy of young people and workplace privacy

QUÉBEC, QC, October 6, 2023 – Privacy authorities from across the country are calling on their respective governments to improve privacy legislation to protect young people and employees – groups that are significantly vulnerable, each in their own way to the growing influence of digital technologies.

Federal, provincial, and territorial information and privacy authorities met this week in Québec City for their annual meeting to discuss pressing concerns related to privacy and access to information. These discussions resulted in joint resolutions calling on governments to do more to protect the privacy rights of young people and workers.

For young people, the resolution focuses on the responsibility of organizations across all sectors to actively safeguard young people’s data through responsible measures, including minimized tracking, regulated data sharing, and stringent control over commercial advertising. It also calls on organizations to safeguard their rights to access, correction, and appeal regarding personal data.

The employee privacy resolution addresses the recent proliferation of employee monitoring software and how it has revealed that laws protecting workplace privacy are either out-of-date or absent altogether. In our increasingly digital work environments, there need to be robust and relevant privacy protections in place to safeguard workers from overly intrusive monitoring by employers.

Privacy of young people

Youth have a right to privacy and all sectors, including governments and businesses must put young people’s interests first by setting clear limits on when and how their personal information may be used or shared, the privacy authorities say. They called on their respective governments to review, amend or adopt legislation as necessary to ensure that it includes strong safeguards, transparency requirements and access to remedies for young people. They also called on government institutions to ensure that their practices prioritize a secure, ethical, and transparent digital environment for youth.

The resolution notes that while the digital environment presents many opportunities for young people, it has also brought well-documented harms, including the impact of social media on physical and mental health. Regulators say that special protections are essential for younger generations, because their information can live online for a long time, and may become a life-long reputational burden.

The resolution also calls on organizations to adopt practices that promote the best interests of young people, ensuring not only the safeguarding of young people’s data, but also empowering them with the knowledge and agency to navigate digital platforms and manage their data safely, and with autonomy. Initial steps include identifying and minimizing privacy risks at the design stage. Other recommendations include making the strongest privacy settings the default; turning off location tracking; and rejecting deceptive practices and incentives that influence young people to make poor privacy decisions or to engage in harmful behaviours.

Privacy in the workplace

With the shift towards increased remote work arrangements and use of monitoring technologies in this digital world, the privacy authorities called on governments to develop or strengthen laws to protect employee privacy. They also urged employers to be more transparent and accountable in their workplace monitoring policies and practices.

Employee monitoring has undergone substantial expansion in its use, technological capabilities and application in recent years. Many employers have accelerated the use of monitoring technologies as they seek new ways of tracking employee’s performance and activities on-premises or remotely, whether during work or off hours.

Although some level of information collection is reasonable and may even be necessary to manage the employer-employee relationship, the adoption of digital surveillance technologies can have disproportionate impacts on employees’ privacy and can significantly impact an employee’s career and overall well-being, including heightened stress levels and other adverse mental health effects, not to mention reduced autonomy and creativity.

The resolution calls for a collective effort from governments and employers to address statutory gaps, respect and protect employee rights to privacy and transparency, and ensure the fair and appropriate use of electronic monitoring tools and AI technologies in the modern workplace.

Related content:

Resolution: Putting best interests of young people at the forefront of privacy and access to personal information

Resolution: Protecting Employee Privacy in the Modern Workplace

For more information:

Julie Ursu, Manager of Communication
Telephone: 306-798-2260
Email: jursu@oipc.sk.ca

Canadian privacy regulators pass resolutions on the privacy of young people and workplace privacy

Federal, Provincial, and Territorial Information Regulators Unite in Resolution to Enhance Access to Government Information

FOR IMMEDIATE RELEASE

Federal, Provincial, and Territorial Information Regulators Unite in Resolution to Enhance Access to Government Information

(Quebec City, October 4, 2023) — Federal, provincial and territorial Information Commissioners and Ombudspersons, signed a joint resolution today aimed at reinforcing the public’s right to access government-held information.

Freedom of information regimes across Canada have faced persistent challenges in delivering timely responses to access to information requests, underscoring the need to implement alternative and efficient mechanisms for providing access to records, including through proactive disclosure.

It has never been more important for Canadians to have access to official government records, including historical records, if we are to maintain confidence in our democratic institutions. In our modern digital world, disinformation and misinformation spread very quickly. As recent news stories illustrate, timely access to accurate facts and reliable information is more critical than ever.

Recognizing the urgent need for change, the regulators are again calling upon their respective governments to modernize legislation, policies and information management practices to advance transparency and ensure the preservation and dissemination of Canada’s documentary heritage, so that all Canadians can better understand the nation’s past and present, and together chart a future path towards reconciliation.

Building on a joint resolution issued in 2019, the signing of this resolution by federal, provincial, and territorial Information Commissioners and Ombudspersons signals a renewed sense of urgency in a drastically changed context.

This resolution is a clarion call for federal, provincial and territorial governments to act swiftly and decisively in modernizing their respective laws, policies, and information management practices, to strengthen access to information regimes and support a culture of transparency across Canada.

Read the resolution.

-30-

 

For more information:
Commission d’accès à l’information du Québec
media@cai.gouv.qc.ca

Office of the Information Commissioner of Canada
communications@oic-ci.gc.ca

 

FPT Joint Access Resolution

Real Risk of Significant Harm (updated)

Amendments to The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act in 2018, require that once it is confirmed that a privacy breach occurred, the public body must consider if, as a result of the incident, there is a real risk of significant harm that may come to the affected individual. If so, then breach notification to the affected individual(s) is mandatory.

The wording of the provision in FOIP is as follows:

29.1 A government institution shall take all reasonable steps to notify an individual of an unauthorized use or disclosure of that individual’s personal information by the government institution if it is reasonable in the circumstances to believe that the incident creates a real risk of significant harm to the individual.

LA FOIP’s language is almost identical so it is not reproduced here.

What is a real risk of significant harm? It may, among other things, include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

The second consideration is whether or not there is a ‘real risk’ that the significant harm will occur.  Probability of harm and sensitivity of the personal information must be considered in making this determination.  When assessing whether there is a “real risk of significant harm,” the public body can consider the following factors:

  • Who obtained or could have obtained access to the information?
  • Is there a security measure in place to prevent unauthorized access, such as encryption?
  • Is the information highly sensitive?
  • How long was the information exposed?
  • Is there evidence of malicious intent or purpose associated with the breach, such as theft, hacking, or malware?
  • Could the information be used for criminal purposes, such as for identity theft or fraud?
  • Was the information recovered?
  • How many individuals are affected by the breach?
  • Are there vulnerable individuals involved, such as youth or seniors?

So, does this mean that public bodies only need to provide breach notification in these cases? Not at all.  A public body needs to make that call in the course of investigating any privacy breach.  And, in terms of whether or not to report to the IPC, this is always encouraged.  Generally, if proactively reported, this office will monitor the response to the incident by the public body and if issues are sufficiently addressed may resolve the matter informally.

In terms of providing notification to affected individuals, I draw your attention to a resource from this office titled Privacy Breach Guidelines for Government Institutions and Local Authorities, available on our website, www.oipc.sk.ca.

If you have any questions, feel free to contact our office.

 

 

“A” Trustee vs. “THE” Trustee (updated)

If you are reading this blog, I probably don’t need to tell you how complex the healthcare system is. When dealing with The Health Information Protection Act (HIPA), one of the most challenging brain teasers I have to deal with on files is who is the trustee in any given circumstance.

When we start to analyze a HIPA related case, we ask the following three questions to ensure that HIPA applies.

  • Is there personal health information?
  • Is there a trustee?
  • Is the personal health information in the custody or control of the trustee?

It is usually pretty straightforward to determine if data qualifies as personal health information.

It is also fairly simple to determine if an individual or organization can qualify as a trustee for the purposes of HIPA.  Subsection 2(1)(t) of HIPA defines a trustee – it is a succinct list of possibilities. Please note the list of trustees was expanded with amendments to the HIPA Regulations that came into force on August 1, 2023.

However, imagine the scenario where a physician works for the Saskatchewan Health Authority (SHA). Both can qualify as a trustee.  But who is ultimately the trustee responsible for the personal health information?

Determining who the trustee is hinges on who has custody or control of the personal health information in question.

Custody is the physical possession of the personal health information with a measure of control by a trustee.

Control connotes authority. A record containing personal health information is under the control of a trustee when the trustee has the authority to manage the record, including restricting, regulating and administering its use, disclosure or disposition. Custody is not a requirement.

By the way, for HIPA to apply, the personal health information in question does not have to be in recorded form.

Here are some scenarios for your consideration about the trustee:

  • If a medical resident or physician practices medicine only within the SHA, the SHA would be the trustee because the personal health information records would stay with the SHA if the physician left. In this case, the SHA has custody or control of those records.
  • If a physician had privileges with the SHA and performed surgery there, the personal health information created there would remain under the SHA’s custody or control. However, if the SHA provided the physician’s office with a copy of the personal health information for follow up purposes, the SHA would be the trustee of the original records and the physician would be the trustee of the copy.
  • If a physician joined other physicians to form a partnership, association, medical professional corporation or regular business corporation, it is imperative that those physicians determine, at the outset, how custody and control of personal health information will work. For example, the physicians may decide that the entity itself would be the trustee of the personal health information. In this case, if one of the physicians leaves the group, the personal health information that he/she has created would remain in the custody or control of the group. Perhaps the physicians are just sharing space and each physician is the trustee of the personal health information of the patients that he/she sees. Written agreements are key in these situations especially if a joint EMR is used.

The issue of who is the trustee is raised most commonly in two situations.  The first is when a trustee leaves a partnership, association or corporation and there is a dispute over the personal health information.  Secondly, the issue is raised when there is a privacy breach and it must be determined who had the ultimate responsibility for protection of the personal health information in question. Again, answering these questions would be easier if healthcare professionals working together and have written agreements in place. I encourage all trustees to consider this issue and ensure proper written agreements are in place.

Finally, it is important to note that the trustee is responsible to make sure its employees including contractors/information management service providers understand and are compliant with HIPA. If an employee or contractor causes a breach and was not adequately trained, the trustee is responsible.

 

Submission on Legislative Changes to The Saskatchewan Employment Act

The Government of Saskatchewan embarked upon a review of The Saskatchewan Employment Act (SEA) by issuing a discussion paper, on “Review of the Employment Standards Provisions of The Saskatchewan Employment Act and Associated Regulations.” The government has invited individuals and organizations to provide comments on changes to the Act and regulations.

I have been concerned that some employees who work for businesses or non-profit organizations in the province do not have any protection over the collection, use and disclosure of their information while other employees do have such protection. I believe it is important that all employees in the province have similar protection. Thus, I have provided the Ministry of Labour and Workplace Safety with proposals that would give employees similar protection to other employees covered by provincial or federal legislation. A submission has been submitted to those responsible for reviewing the legislation and recommending changes to the SEA.

 

Data Residency Outside Canada for Trustees

Trustees often ask our office about the use of an information management service provider (IMSP) to manage personal health information. Some want to know about using IMSPs linked to companies outside Canada.

Once personal health information leaves Canada, it becomes subject to the laws of the country where it resides. If an individual’s personal health information is stored on a server in the United States, for example, it becomes subject to whatever legislation exists in that country. Because of this, an unauthorized disclosure of someone’s personal health information can have greater ramifications for them than if that unauthorized disclosure occurred within Canada.

Section 16 of The Health Information Protection Act (HIPA) places a duty on trustees who have custody or control of personal health information to protect it. Under section 16, trustees must establish policies and procedures to maintain administrative, technical, and physical safeguards. Safeguards must protect the integrity, accuracy, and confidentiality of personal health information. Safeguards must also protect against any threat or hazard, loss, or any unauthorized access, use or disclosure of the personal health information.

If a trustee uses an IMSP to manage personal health information, section 18 of HIPA requires the trustee to enter into a written agreement with the IMSP. The agreement must outline how the IMSP will access, use, disclose, store, archive, modify, and destroy personal health information. The agreement must also outline how the IMSP will protect personal health information, and how the requirements of section 7 of The Health Information Protection Regulations, 2023 (regulations) will be met.

Before using an IMSP linked to a company outside Canada, a trustee should consider factors such as how sensitive the personal health information is, what volume exists, the possibility for an unauthorized use or disclosure and how the unauthorized use or disclosure will affect the individual. Trustees should also consider what foreign laws will come into play.

Because Canadian laws do not apply outside Canada, a trustee should undertake a Privacy Impact Assessment (PIA) if considering an IMSP linked to a company outside Canada. A PIA can help the trustee determine how closely the IMSP complies with HIPA and identify areas where there may be a privacy impact or risk. It can also help identify whether foreign laws can compel the disclosure of personal health information without the subject individual’s consent. In addition to conducting a PIA, trustees should consult with legal experts who specialize in data privacy.

Regardless of the safeguards put in place or outlined in an agreement, disclosure of personal health information outside Canada will always carry greater risks than disclosure of personal health information within Canada. Trustees must keep this in mind when considering the use of IMSPs linked to companies outside Canada, whether it stores data in Canada or not. The preference will always be to not use such companies.

The same considerations for using IMSPs apply to government institutions (under The Freedom of Information and Protection of Privacy Act) and to local authorities (under The Local Authority Freedom of Information and Protection of Privacy Act). Public bodies have a duty to protect personal information and to ensure proper safeguards are in place to manage and store it. They are under the same obligations as trustees to enter into written agreements with an IMSP and should also undertake a PIA to measure the risks of using one. And as with trustees, the preference will always be for public bodies to not use IMSPs linked to companies outside Canada.

For more information on conducting a PIA, see our office’s online resource, Privacy Impact Assessment Guidance and Supporting Documentation.

 

Who Signs for a Child? (updated)

When it comes to obtaining the personal information of a child under the age of 18 years, it is commonly accepted that a child cannot sign for themselves.  So, who can sign for that child?

The Children’s Law Act, 2020 sections 3 and 4 provides:

  • The parents of a child are joint legal decision-makers with equal rights unless changed in a court order or an agreement;
  • Where parents have not lived together after the birth of a child, the parent with whom the child resides is the sole legal decision-maker;
  • If a parent dies, the surviving parent is the legal decision-maker of that child unless changed by a court order or an agreement.

The Freedom of Information and Protection of Privacy Act (FOIP), section 59 and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), section 49 both provide:

59 Any right or power conferred on an individual by this Act may be exercised

(d) where the individual is less than 18 years of age, by the individual’s legal custodian in situations where, in the opinion of the head, the exercise of the right or power would not constitute an unreasonable invasion of the privacy of the individual; or

In effect, then the legal decision-makers can sign on behalf of the child.  This means two parents, sometimes one parent, or as directed in a court order, or agreed to in an agreement. For an analysis of this, see report Investigation Report 083-2022

The Health Information Protection Act (HIPA), has a similar provision, section 56 which provides as follows:

56 Any right or power conferred on an individual by this Act may be exercised:

(c) by an individual who is less than 18 years of age in situations where, in the opinion of the trustee, the individual understands the nature of the right or power and the consequences of exercising the right or power;

(d) where the individual is less than 18 years of age, by the individual’s legal custodian in situations where, in the opinion of the trustee, the exercise of the right or power would not constitute an unreasonable invasion of the privacy of the individual;

 

These provisions caused a number of questions to be asked.

Q. What if the parents are separated?

A. If parents are separated, they both are still joint legal custodians unless changed by a court order or an agreement.  In a court order, a judge can order that one parent is the sole legal custodian.  In an agreement, one parent can give up his or her rights to be the joint legal custodian.  In these instances, the head or a trustee should ask for a copy of the court order or agreement and identify the clause that deals with legal custodianship.

Q. What if one of the separated parents has a girlfriend, boyfriend or new spouse?

A. The girlfriend, boyfriend or new spouse has no rights unless it has been directed in a court order or dealt with in an agreement.

Q. What if the child wants to exercise his or her rights?

A. FOIP and LA FOIP do not have a specific section that answers this question. When children get to the age of what may be considered a mature minor, heads should use their discretion to provide the personal information if the child, “understands the nature of the right or power and the consequences of exercising the right or power.” Heads should also look to their governing legislation to see if the Legislative Assembly has provided direction on the rights of the child.

HIPA does contemplate an individual under 18 years of age exercising a right under the Act such as requesting his or her personal information or making a decision with respect to it. When such a request is made, it is up to the trustee to determine whether the individual understands the nature of the right or power and the consequences of exercising the right or power.  There is no specific age when one can say that is a mature minor.

The head has to in each circumstance determine whether the child understands the nature of the right or power and the consequences of exercising the right or power.  In circumstances of uncertainty, the head might decide to acquire the signature of the legal custodian and the child.

Q. Can the legal custodian obtain all personal information or personal health information?

A. All three statutes provide that legal custodians can have the information, unless in the opinion of the head or trustee, providing the information would be an unreasonable invasion of privacy of the individual. The data minimization principle would still apply.

Doctors, nurses, social workers, teachers and guidance counsellors can run into this problem.  Parents may want all the information, but that information could include information on pregnancy, drug addiction, sexually transmitted disease, contemplated suicide, contemplated leaving home, gender identity or commission of a crime.  In addition, the child may have expressly asked that the information not be shared with their parents. In these instances, the professional involved, their supervisor, the head or the trustee must consider very carefully the words “unreasonable invasion of privacy.

Q. What if the child verbally or in writing tells the professional that they have shared the information in confidence and does not want their parents to know?

A. This adds to the challenges faced by the professional. Such a request by the child is a clear indication that the child wishes privacy and does not want the information to be shared with others.  It is an important factor in determining whether there would be an “unreasonable invasion of privacy.”

Releasing personal information under the new policy of the Ministry of Education

The Ministry of Education has issued a policy related to students request to change names or the pronoun they wish to be used. The policy provides as follows:

…Given the sensitivity of gender identity disclosure, when a student requests that their preferred name, gender identity, and/or gender expression be used, parental/guardian consent will be required for students under the age of 16.

For students 16 and over, parental consent is not required. The preferred first name and pronoun(s) will be used consistently in ways that the student has requested.

In situations where it is reasonably expected that gaining parental consent could result in physical, mental, or emotional harm to the student, the student will be directed to the appropriate school professional(s) for support. They will work with the student to develop a plan to speak with their parents when they are ready to do so.

Educational organizations collect personal information both directly and indirectly about individuals while providing educational services. Educational organizations should take all reasonable steps to protect this personal information from unauthorized uses and disclosures, and to protect the privacy of the individual…

It is not my position to approve or disapprove of a policy. Thus, I provide no comment on the policy itself. I can however comment on any access and privacy implications that might exist. First, the policy is directed at school boards and school boards are local authorities under LA FOIP. Further, I note, subsections 28(1) and (2) of LA FOIP provide:

28(1) No local authority shall disclose personal information in its possession or under its control without the consent, given in the prescribed manner, of the individual to whom the information relates except in accordance with this section or section 29.

(2) Subject to any other Act or regulation, personal information in the possession or under the control of a local authority may be disclosed:

(r) for any purpose in accordance with any Act or regulation that authorizes disclosure; or

Subsection 28(1) of LA FOIP prohibits disclosure of an individual’s personal information without their consent. There are exceptions contained in subsection (2). Clause (r) is one of those exceptions, which allows disclosure if provided for in an act or regulations. I note the clause does not refer to policy. Thus, the local authority disclosing information to a legal custodian (parents) would need to find authority in The Education Act or Regulations.

Section 49 of LA FOIP provides:

Exercise of rights by other persons 

49 Any right or power conferred on an individual by this Act may be exercised:

(d) where the individual is less than 18 years of age, by the individual’s legal custodian in situations where, in the opinion of the head, the exercise of the right or power would not constitute an unreasonable invasion of the privacy of the individual; or

I note that a legal custodian (parents) has the right to request and receive personal information of their child, where in the opinion of the head (usually the Director of Education), providing the personal information would not be an unreasonable invasion of the privacy of the child. The Director of Education is required to form an opinion that it is not an unreasonable invasion of privacy before doing so.

In summary, a Director of Education can release personal information to the parents, if the child consents or in the Director’s opinion, it is not an unreasonable invasion of the child’s privacy.

Other helpful resources on this topic can be found at:

  1. Office of the Privacy Commissioner of Canada Form of Consent
  2. Best Practice for Gathering Informed Consent
  3. Alberta IPC Order F2012-21case on unreasonable invasion of privacy

 

Absurd Results (updated)

From time to time, when interpreting and applying legislation, one can end up with a result that will be absurd. This can happen from time to time with The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LAFOIP) or The Health Information Protection Act (HIPA). These statutes are to be liberally interpreted and through court decision have been given a quasi-constitutional status. Because they are to be liberally interpreted, absurd results should be at a minimum, but in the application of the legislation to particular access requests, sometimes absurd conclusions can be reached.

For example, an applicant (citizen) applies for records and the request is denied, or part of the record is severed, because it is personal information. Section 29 of FOIP, section 28 of LA FOIP and section 27 of HIPA provide that personal information is not to be released except with consent (there are exceptions). So, a public body could say they won’t release the applicant’s personal information because of subsection 29(1) of FOIP. That is an absurd result when the public body is refusing to give the applicant their own personal information (unless there is another exemption that applies).

Another example is where a public body refuses to provide a document that is already public. If the request is for a book, then it is understandable that the public body does not want to photocopy the entire book but is not a legitimate reason not to provide. I would suggest in the instances where the document is on a website, that the public body either copy the document or advise the applicant where they can find the document. Advising the citizen/applicant of the URL for the document is just a helpful thing to do and if a formal access to information request is made, referring the applicant to the publication is required pursuant to subsection 7(2)(b) of FOIP/LA FOIP.

Another example is where a public body believes part of a document is non-responsive to the access request, but other parts of the document are responsive (relevant) to the request. A public body might decide to sever the non-responsive portion. This is a bit of a waste of time. The applicant has the right under section 5 of FOIP, section 5 of LAFOIP or section 12 of HIPA to any record the public body has (subject to exemptions).  If the applicant becomes suspicious because of the severing, they could submit a second access request and be entitled to the portion considered non-responsive (subject to exemptions). Why make citizens jump through unnecessary hoops to get to what they are otherwise entitled to get?

A final example is where an applicant has submitted something like a letter to a public body. Usually, the letters include complaints about someone else which is technically the other person’s personal information, so a public body often withholds the letter as personal information of a third party. The problem is the applicant provided the information to the public body thus, the applicant is already aware of it. In this instance, the public body should release the letter to the applicant because the applicant has previously provided it. See my office’s Review Report 155-2022 and Review Report 254-2022 where the applicant provided information to the police and participated in interviews with the police.

So, I would ask public bodies to take a liberal approach to these three statutes and if specific exemptions do not apply, to provide as much of the records as is possible. Such an approach will reduce frustration of applicants and increase trust in the public body that is trying to do the right thing and help citizens.

Third parties under FOIP and LA FOIP (updated)

In other blogs I have talked about public bodies and third parties (businesses). If a public body is a city, town or municipality, legislation like section 91of The Cities Act or section 117 of The Municipalities Act requires the release of contracts, and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) requires the same unless part of the contract falls under one of the exemptions. Public bodies like government ministries, boards, agencies and Crown corporations are bound by The Freedom of Information and Protection of Privacy Act (FOIP) and contracts are released unless they come under subsection 19(1).

As we provide advice or begin a review, it always seems the third party expects the entire agreement to be withheld because the third party does not want any of the information released.

Many clauses in an agreement do not disclose sensitive information. Clauses like the singular includes the plural and successors to the parties are bound to not disclose sensitive information. So, in many of the cases, the entire contract will never be withheld.

Third parties sometimes want all correspondence and reports related to the project withheld. Again, they have to show that individual items fall under subsection 19(1) of FOIP and subsection 18(1) of LA FOIP. Some rely on a clause in the contract that all will be kept confidential. I remind both public bodies and third parties they cannot contract out of the law of the province. FOIP and LA FOIP apply in spite of a confidentiality clause in a contract.

Public bodies and third parties sometimes are concerned that the applicant will distribute the documents or publish them. As a citizen, the applicant has the right to documents unless subsection 19(1) of FOIP or subsection 18(1) of LA FOIP applies. The intention or anticipated actions of the applicant are irrelevant in a FOIP or LA FOIP context. Some third parties are more concerned when it is the media applying. The media has the same right to the information. What might the media do with the documents? The answer is, obviously, they will analyze and might write a story. That is part of the democratic process.

If after thinking about the above, a third party intends to object to the release of documents, they will have to move quickly. They have 20 days after they receive notice. The public body is bound to give the applicant a response to the access request within 30 days (or 60 days if an extension is decided upon). If the public body failed to respond to the applicant in 30 days (or 60 days) my office will consider that the public body has decided not to respond, and it is treated as a deemed refusal.

Third parties should, where they enter into contracts involving taxpayer funds, not expect total confidentiality and should read subsection 19(1) of FOIP and subsection 18(1) of LA FOIP.

MySaskHealthRecord (updated)

On October 8, 2019, the Saskatchewan government and eHealth launched MySaskHealthRecord. The news release stated, “New Website Allows Saskatchewan Residents to Access Their Personal Health Information Anywhere, Anytime”. This is an exciting first step in allowing citizens to access their own personal health information. You can check the ehealth website to see what information you can access. As of the date of this blog, you can access:

  • laboratory test results
  • medical imaging reports
  • immunization history
  • prescription history
  • clinical visit history (displayed as inpatient, outpatient or emergency visits to a health care facility)
  • clinical documents (This displays notes from your doctor such as hospital admission, discharge summaries and consults.

It has always been accepted that my personal health information is my information but accessing it could be challenging. One of the benefits of technology is that it allows us to get that information easily and quickly.

For every benefit of a technical advancement there is an added responsibility imposed on us. Your password is very important. You should not share it with anyone. MySaskHealthRecord is only available to users to access their own data at this time. Put another way, one should not leave this pin or password laying around or casually share it with others. With such sensitive information within the app, a strong password is a must. For advice on developing a strong password, check out this link.

I am hopeful eHealth will continue to enhance MySaskHealthRecord in the future. For example, can I see who in the health care system has accessed my health record? Since my personal health information is my information, I have the right, and at times, the need to know who else is looking and question if it is for a legitimate purpose. The only people that should be looking are those I have consulted regarding my personal health situation or have a legitimate need-to-know.

To register for a MySaskHealthRecord account, click here.