Seasons Greetings and a Happy New Year to all!

Save the Date –Top of Mind webinar -privacy commissioners from across Canada – January 31 noon Eastern

Ontario -updated guidelines re: automated license Plate Readers

Consultation – federal Directive on Automated Decision Making

Life Labs investigation report, Ontario and BC

Privacy cases summarized – Osler, Hoskin & Harcourt

Ontario’s IPC has podcast on indigenous data prospectives

Canada’s privacy Commissioner investigates CRA

Resources - Protection of Privacy

Protection of Privacy FAQ

I recently discovered a coworker has been viewing patient records without any need-to-know; who would I report this to?

If you suspect or have proof that a co-worker has been viewing patient records without a need-to-know, see what your internal policies and procedures say regarding reporting such incidents. If you are not sure, speak to your supervisor or Privacy Officer to learn the proper procedure. You may also wish to contact our office to request assistance on how to formally report an alleged breach of privacy and how our office can become involved. For more information on responding to privacy breaches, please refer to our Privacy Breach Guidelines for Trustees resource available on our website in the Resource Directory, under the Resource Tab.

I feel my privacy has been breached and I would like your office to look into it because I don't feel that the public body will thoroughly investigate the breach.

Our office is an office of last resort, meaning we would not normally become involved with a breach of privacy complaint until the public body and/or trustee under our jurisdiction (FOIP, LA FOIP, HIPA) first has the opportunity to investigate. If you feel your privacy has been breached (improperly collected, used or disclosed) you must first write to the public body and/or trustee you believe breached your privacy and request they complete an investigation into the matter. You need to be very specific with what you believe is a breach of your privacy so that they have enough information to conduct an adequate investigation (i.e. where the breach occurred, date, time, people involved, how the breach occurred). Our office suggests including as much detail as possible when making your complaint such as; whether personal information, personal health information or both have been compromised as well as whether you believe unlawful collection, use, or disclosure has occurred. Include evidence or proof you have that the breach occurred, keep a copy of the written complaint and forward your complaint to the applicable privacy officer.

Public bodies and/or trustees must comply with the access and privacy legislation to which they are subject. The public body and/or trustee will then have approximately 30 days to respond to you in writing. Once the internal investigation is complete, if you are not satisfied with the outcome of the investigation, or if you do not receive a response within 30 days, you may contact our office.

If you would like our office to look into a privacy matter, please include a copy of the written complaint you made to the public body and/or trustee, a copy of the response you received from the public body and/or trustee (if you received one) and our completed Alleged Breach of Privacy Reporting Form.

If the complaint is currently being investigated by a regulatory body (i.e. College of Physicians and Surgeons), our office may still proceed to open an investigation. If a complaint has not been filed with a regulatory body, you may wish to also contact them regarding your concerns.

I work in the public sector; why is my salary not considered my personal information?

When you work for a public body where your salary is paid with tax-payer dollars, there is a legal responsibility of the public body to make public expenditures more transparent. Under subsection 24(2)(a) of The Freedom of Information and Protection of Privacy Act (FOIP) and subsection 23(2)(a) of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) “salary” of employees is not considered personal information. For more information on this topic, please refer to our blog “When Salary is Open to Public Scrutiny”.

I work in the public sector and there has been an access request for information which is contained in my work emails. Is it a breach of my privacy to release information from my email?

This is one of those questions that begins with, “that depends”. It depends on the email itself – was it sent from your work email? Who is the email to? What is the content of the email? Review Report 096-2015 and 097-2015 provides very good examples of how emails in possession of a public body are not the property of that public body.

Just because you are emailing your spouse or family members from your work email does not mean that those emails would be considered releasable. If it is an email from one coworker to another, discussing only their weekend plans, that email may not be considered releasable. If the content of emails constitutes work product, no privacy interests are engaged.

To protect yourself, send personal emails form your personal email account and work related emails from your work account. For more information please review our resource Best Practices for Managing the Use of Personal Email Accounts, Text Messaging and Other Instant Messaging Tools | IPC (oipc.sk.ca)

I am concerned that my family doctor breached my privacy. How do I make a complaint?

If you feel that your personal health information has been breached (improperly collected, used, disclosed or disposed of) by your doctor, first make your complaint in writing to your family doctor as he/she is most likely a trustee of your personal health information under The Health Information Protection Act. Be sure to outline the reason you believe your privacy was breached and include evidence or proof you have that the breach occurred. Keep a copy of the written complaint. You should allow the doctor around 30 days to respond to you.

If you do not receive a response or are not satisfied by the response you receive, forward your concern to the appropriate regulatory body and make a formal complaint using their processes. In the case of a family doctor, that would be The College of Physicians and Surgeons of Saskatchewan. Include, as background information, the original complaint and the response you received from your doctor.

If you are not satisfied with the response you receive from the College, you can then bring your complaint to our office. We will require the complaint to be in writing. We will also ask for the background information you have on the complaint, such as the original complaint made to the doctor and College and any responses you received back.

If you feel the breach was extremely egregious or harmful, you may wish to contact our office first at 306-787-8350 or 1-877-748-2298 to discuss.

I work in a special care home. I am worried about families of my patients secretly taping me at work. Are they allowed to do that?

The laws that this office oversees only apply to organizations and their employees, not individuals. This office does not have the power to force an individual to stop recording or to investigate after the fact.

Nevertheless, if the special care home is a trustee for the purposes of The Health Information Protection Act, it does have a duty to protect the personal health information of those in its care. If family members are making recordings, it may compromise the privacy of its patients. First, discuss the issue with your supervisor who can determine whether the organization is a trustee and can do anything to safeguard personal health information. Also, see our blog Surveillance in Personal Care Homes: A Case Study.

We are wanting to install video surveillance at our organization. Are there any steps to take regarding the potential privacy implications of this?

Our office has a blog titled Privacy Concerns with Video Surveillance that contains helpful information to refer to when you are considering installing video surveillance.

Our organization has discovered a potential privacy breach. What should we do?

Our office has many resources that may contain helpful information for an organization regarding a potential privacy breach. We have a Privacy Breach Guidelines for Health Trustees resource and a Privacy Breach Guidelines for Government Institutions and Local Authorities resource that contain very helpful information around the steps to take when a breach has occurred. This includes containing the breach, notifying the affected individuals, investigating the breach and preventing future breaches. Another resource that our office has that may be helpful is our Guide to Creating an Internal Privacy Breach Investigation Report.

When a privacy breach occurs with a public body/trustee that our office has jurisdiction over, although it is not mandatory, our office encourages the public body/trustee to proactively report the privacy breach to us. Information on the advantages of proactively reporting a privacy breach, what the possible outcomes are and what to expect if our office becomes involved can be found on page 8 of our Privacy Breach Guidelines for Health Trustees resource and page 8 of our Privacy Breach Guidelines for Government Institutions and Local Authorities resource.

If it is determined that our office has jurisdiction over the organization and you decide to proactively report the potential privacy breach to us, you can fill out the Proactively Reported Breach of Privacy Reporting Form and submit it to our office via mail or send by email to intake@oipc.sk.ca.

Once our office receives the completed form we will be able to open an investigation file and will contact you for any additional information that we require.