Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023. 104

encryption software is being used in combination with other security measures is the best approach.

IPC Findings

In Investigation Report 226-2017, the Commissioner investigated a breach of privacy involving the theft of a laptop belonging to the Saskatchewan Legal Aid Commission (SLAC). The laptop contained a DVD with personal information/personal health information. The laptop was password protected, but the DVD inside the laptop was not encrypted and/or password protected. SLAC had received the DVD through disclosure from the Provincial Crown Prosecutor's office. The laptop, containing the DVD, was left on the front seat of a vehicle and was not locked in a briefcase. The vehicle was left unlocked with the laptop in it all weekend. Despite privacy policies being in place regarding the transport of personal information/personal health information outside the office, the lawyer did not follow the policy. The Commissioner recommended that SLAC ensure all mobile devices and storage devices that are transported outside of the office be properly encrypted and password protected. They should also always be kept with the employee in a locked briefcase.

In Investigation Report 009-2020, 053-2020, 224-2020, the Commissioner dealt with a very large data breach involving eHealth Saskatchewan, the Saskatchewan Health Authority and the Ministry of Health. All three organizations were the victims of a ransomware attack in December 2019 and January 2020. The attack resulted in 40 gigabytes of data being encrypted by Ryuk ransomware and access being blocked until a ransom was paid. The ransom demand indicated that a ransom needed to be paid in bitcoin to obtain decryption of the stolen data. No ransom was paid, as there was no guarantee that a copy of the data would not be kept. The data was ultimately stolen and could not be recovered.

Among several recommendations, the Commissioner recommended that eHealth, the SHA and Health require cyber security training for employees and partners, as the breach in this case was caused by an employee clicking on a phishing email about a job advertisement, which allowed the systems to become infected.

Physical

Physical safeguards are physical measures, policies, and procedures to protect personal information and related buildings and equipment from unauthorized intrusion and natural