Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023. 9 • Hacking ATMs and point-of-sale devices to steal your payment card information. • Installing malware on your personal computing devices. • Tricking you into visiting fraudulent websites via phishing messages. • Intercepting and eavesdropping on your Wi-Fi communications.25 Government institutions should take all reasonable measures to protect personal information to reduce the risk of identity theft. This Chapter will set out several ways that government institutions can achieve this by having administrative, technical, and physical safeguards in place that protect personal information in the government institution’s possession or control.26 See section 24.1 later in this Chapter. IPC Findings In Investigation Report 009-2020, 053-2020, 224-2020, the Commissioner investigated a ransomware attack on eHealth Saskatchewan (eHealth), the Saskatchewan Health Authority (SHA) and the Ministry of Health (Health). As a result of the ransomware attack in late December 2019 and early January 2020, approximately 40 gigabytes of encrypted data were stolen from eHealth by malicious actors. Personal information and personal health information of individuals was involved. The Commissioner made several recommendations to assist eHealth, the SHA and Health against future attacks. This included that eHealth utilize key network security logs and scans to effectively monitor the eHealth IT network and detect malicious activity, undertake a comprehensive review of eHealth’s security protocols to include in depth investigation when early signs of suspicious activity are detected, and eHealth require cyber security and privacy training be required for eHealth and its partners as part of new employee orientation and onboarding. In addition, the Commissioner recommended that eHealth, the SHA and Health review and amend IT acceptable use policies to include examples of current threats that employees should be aware of. In Investigation Report 089-2021, the Commissioner investigated a ransomware attack on Saskatoon Obstetric & Gynecologic Consultants (SOGC). The attack affected 20,000 patients. Due to a lack of retention of system logs, SOGC was unable to fully investigate the breach and recommended SOGC develop and implement a policy and procedure or ensure the agreements with its IT service providers contain language regarding the retention of firewall 25 ON IPC resource, Ensuring your privacy is protected. Available at https://www.ipc.on.ca/privacyindividuals/ensuring-your-privacy-is-protected/. Accessed on October 18, 2022. 26 Section 24.1 of FOIP requires government institutions to establish policies and procedures to maintain administrative, technical, and physical safeguards that protect personal information in its possession or control. See section 24.1 later in this Chapter for more detail.

RkJQdWJsaXNoZXIy MTgwMjYzOA==