Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023.

The privacy implications when employees use personal email accounts to conduct government business must also be considered. Personal email accounts pose information security risks for government records. For example, records could end up stored on email servers that are outside of Canada. In instances where webmail services are used, such as “Gmail” or “Hotmail”, email content is scanned and read to provide targeted advertising. Personal information in those records is not only stored outside Canada but it is also disclosed to the webmail provider.

Government institutions are required under FOIP to take reasonable security measures to protect personal information from unauthorized access, collection, use or disclosure. When government records are stored in a personal email account with data servers located outside of Canada, the government no longer has control of how that information will be protected, disclosed, or accessed.[859]

The risks are not just with “Gmail” or “Hotmail” accounts. Email accounts with SaskTel (“sasktel.net”) also have privacy considerations. SaskTel stores some data outside of Canada. It uses Google Apps for email and collaboration and stores some data in the Google Cloud. As some data is being stored outside of Canada, it may be subject to the laws of the countries where it resides.[860]

With the increased use of government-assigned mobile devices and Bring Your Own Device (BYOD) programs, public servants are shifting between using the device for personal and government business, increasing the risks of co-mingling information. Many public servants are unclear how to protect government records in such environments.

Email is not confidential by default, and personal information included in an email could be subject to a breach or unauthorized disclosure. It is important to note that in many instances, the technology used to send and receive email is not protected. Each delivery point between the recipient and the sender will store and forward the email and may do so in a plain, clear, and readable format. While it may only be technical people at each delivery point who would have the ability to read the email, there is a possibility that the delivery point could be breached, resulting in personal information being exposed.[861]

[859] SK OIPC Investigation Report 101-2017 at [26].
[860] SK OIPC Investigation Report 101-2017 at [27].
[861] The Canadian Health Informatics Association (COACH) Guidelines, Putting it into Practice: Privacy and Security for Healthcare Providers Implementing Electronic Medical Records – 2010 Guidelines for the Protection of Health Information Special Edition, Canada’s Health Informatics Association, 2020, p. 55. See also, SK OIPC Investigation Report 101-2017 at [29].
