Guide to LA FOIP, Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to LA FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023.

GUIDE TO LA FOIP
The Local Authority Freedom of Information and Protection of Privacy Act
Chapter 6: Protection of Privacy

TABLE OF CONTENTS

Overview, p. 8
The Right of Privacy, p. 9
  Privacy as a Charter Right, p. 11
  Privacy versus Confidentiality, p. 12
  The Threat of Identity Theft, p. 13
10 Fair Information Principles, p. 17
  Accountability, p. 19
  Identifying Purposes, p. 19
  Consent, p. 20
  Limiting Collection, p. 20
  Limiting Use, Disclosure and Retention, p. 20
  Accuracy, p. 21
  Safeguards, p. 21
  Openness, p. 22
  Individual Access, p. 22
  Challenging Compliance, p. 22
Need-to-Know Principle, p. 23
Data Minimization Principle, p. 24
De-identified Information, p. 25
Necessary, Effective & Proportional, p. 31
Consent Requirements, p. 32
  Best Practice Steps for Consent Forms, p. 36
Section 23: Definition of Personal Information, p. 37
  What is not Personal Information?, p. 42
  Subsection 23(1)(a), p. 45
  Subsection 23(1)(b), p. 49
  Subsection 23(1)(c), p. 52
  Subsection 23(1)(d), p. 55
  Subsection 23(1)(e), p. 57
  Subsection 23(1)(f), p. 60
  Subsection 23(1)(g), p. 63
  Subsection 23(1)(h), p. 66
  Subsection 23(1)(i), p. 68
  Subsection 23(1)(j), p. 71
  Subsection 23(1)(k), p. 73
    Subsection 23(1)(k)(i), p. 74
    Subsection 23(1)(k)(ii), p. 76
  Subsection 23(1.1), p. 77
  Subsection 23(2)(a), p. 80
  Subsection 23(2)(b), p. 83
  Subsection 23(2)(c), p. 85
  Subsection 23(2)(d), p. 87
  Subsection 23(2)(e), p. 90
  Subsection 23(2)(f), p. 93
  Subsection 23(3), p. 93
Section 23.1: Duty of Local Authority to Protect, p. 96
  Safeguards, p. 97
    Administrative, p. 98
    Technical, p. 103
    Physical, p. 111
  Subsection 23.1(a), p. 114
  Subsection 23.1(b), p. 116
    Subsection 23.1(b)(i), p. 116
    Subsection 23.1(b)(ii), p. 119
    Subsection 23.1(b)(iii), p. 120
  Subsection 23.1(c), p. 123
Section 23.2: Information Management Service Provider, p. 125
  Subsection 23.2(1), p. 126
  Subsection 23.2(2), p. 127
  Subsection 23.2(3), p. 130
  Subsection 23.2(4), p. 131
Section 24: Purpose of Information, p. 132
  Over Collection, p. 135
  Unsolicited Information, p. 137
Section 25: Manner of Collection, p. 139
  Subsection 25(1): Direct Collection, p. 139
  Subsection 25(2): Inform Individual, p. 140
  Subsection 25(3): Exception to Informing, p. 143
Section 26: Standard of Accuracy, p. 146
Section 27: Use of Personal Information, p. 150
  Subsection 27(a), p. 153
  Subsection 27(b), p. 157
  “Use” Involving Contracted Third Parties, p. 159
    Subcontracting by Outsourcers, p. 160
Section 28: Disclosure of Personal Information, p. 161
  Subsection 28(1), p. 164
  Subsection 28(2)(a), p. 166
  Subsection 28(2)(b), p. 168
    Subsection 28(2)(b)(i), p. 169
    Subsection 28(2)(b)(ii), p. 171
  Subsection 28(2)(c), p. 173
  Subsection 28(2)(d), p. 174
  Subsection 28(2)(e), p. 175
  Subsection 28(2)(f), p. 178
  Subsection 28(2)(g), p. 180
  Subsection 28(2)(h), p. 182
  Subsection 28(2)(h.1), p. 187
  Subsection 28(2)(i), p. 192
  Subsection 28(2)(j), p. 196
  Subsection 28(2)(k), p. 201
  Subsection 28(2)(l), p. 206
  Subsection 28(2)(m), p. 210
  Subsection 28(2)(n), p. 212
    Subsection 28(2)(n)(i), p. 212
    Subsection 28(2)(n)(ii), p. 220
  Subsection 28(2)(o), p. 221
  Subsection 28(2)(p), p. 223
  Subsection 28(2)(q), p. 225
  Subsection 28(2)(r), p. 226
  Subsection 28(2)(s), p. 229
Section 28.1: Notification, p. 231
Privacy Breaches, p. 234
  Best Practice Steps for Breaches, p. 236
    Contain the Breach, p. 236
    Notify, p. 237
    Investigate, p. 238
    Prevent, p. 243
  How IPC Investigations are Initiated, p. 243
  Process for Proactively Reported Breaches, p. 243
Section 29: Personal Information of Deceased Individual, p. 245
  Subsection 29(1), p. 245
  Subsection 29(2), p. 247
Section 30: Access to Personal Information, p. 250
  Subsection 30(1), p. 251
  Subsection 30(2), p. 252
  Subsection 30(3), p. 258
    Subsection 30(3)(a), p. 259
    Subsection 30(3)(b), p. 263
Section 31: Right of Correction, p. 266
  Subsection 31(1), p. 268
  Subsection 31(2), p. 270
  Subsection 31(2)(a), p. 272
  Subsection 31(2)(b), p. 276
  Subsection 31(2)(c), p. 278
  Subsection 31(3), p. 279
Section 38: Application for Review, p. 280
  Subsection 38(1)(a.4): Privacy Complaints, p. 280
  Subsection 38(1)(c): Correction Reviews, p. 283
  Subsection 38(2): 1 Year Deadline, p. 284
Section 39: Review or Refusal to Review, p. 284
  Subsection 39(2)(a.6): Insufficient Evidence, p. 285
    Validity Test, p. 285
Privacy Impact Assessments (PIAs), p. 286
Records & Information Management (RIM), p. 290
  Basic RIM Concepts, p. 290
  RIM Best Practices, p. 292
  Record Retention, p. 303
  Record Disposal, p. 306
    Best Practices for the Secure Destruction of Personal Information, p. 308
  Preserving Records, p. 319
Focus on Issues in Privacy, p. 321
  Big Data and Predictive Analytics, p. 321
  Biometrics and Facial Recognition, p. 324
  Body Worn Cameras, p. 325
  Data Brokers, p. 327
  Personal Email Use for Business, p. 329
  Snooping, p. 334
  Surveillance, p. 337

Overview

The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) provides a right of access to all records under the possession or control of local authorities, subject to limited and specific exemptions. Some of the records to which LA FOIP applies contain personal information, such as the employment history, family status or sexual orientation of an individual. Applicants often ask local authorities for access to records that contain the personal information of someone other than the applicant.

LA FOIP establishes several obligations on local authorities in terms of protecting personal information that the local authority collects, uses or discloses. This Chapter will assist with explaining those obligations and how to handle situations where an individual’s privacy may have been breached.

What follows is non-binding guidance. Every matter should be considered on a case-by-case basis. This guidance is not intended to be an exhaustive authority on the interpretation of these provisions. Local authorities may wish to seek legal advice.

Local authorities should keep section 51 of LA FOIP in mind. Section 51 places the burden of proof for establishing that access to a record may or must be refused on the local authority. For more on the burden of proof, see the Guide to LA FOIP, Chapter 2, “Administration of LA FOIP”.

This is a guide. The tests, criteria and interpretations established in this Chapter reflect the precedents set by the current and/or former Information and Privacy Commissioners in Saskatchewan through the issuing of Review Reports. Court decisions from Saskatchewan affecting The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) will be followed.

Where this office has not previously considered a section of LA FOIP, the Commissioner looked to other jurisdictions for guidance. This includes other Information and Privacy Commissioners’ Orders, Reports and/or other relevant resources. In addition, court decisions from across the country are relied upon where appropriate.

This Chapter will be updated regularly to reflect any changes in precedent. This office will update the footer to reflect the last update. Using the electronic version directly from our website will ensure you are always using the most current version.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to LA FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023. 9 The Right of Privacy LA FOIP has two fundamental components: the right to access information and the protection of personal privacy. Part II of LA FOIP deals with access to records. Part IV of LA FOIP deals with protection of personal privacy. Privacy is defined as the general right of the individual to be left alone, to be free from interference, from surveillance and from intrusions. It is the right of an individual to be able to control access to, as well as, the collection, use and disclosure of their personal information. Privacy captures both security and confidentiality of personal information.1 Privacy connotes concepts of intimacy, identity, dignity, and integrity of the individual.2 Protection of personal privacy means that individuals have a right to privacy of their personal information that is held by local authorities. To achieve this, LA FOIP establishes restrictions on the collection, use and/or disclosure of personal information. The provisions that address these restrictions are found at Part IV of LA FOIP. LA FOIP promotes transparency, openness and accountability. Holding local authorities to account is important for democracy. Decision-makers must balance this important objective with the competing objective of the right to privacy. Privacy rights and the role of protection of personal information also play a role in a free and democratic society.3 In R. v. Dyment, 1988 CanLII 10 (SCC), [1988] 2 SCR 417, Justice LaForest stated: 22. Finally, there is privacy in relation to information. This too is based on the notion of the dignity and integrity of the individual. As the Task Force put it (p. 13): "This notion of privacy derives from the assumption that all information about a person is in a fundamental way his own, for him to communicate or retain for himself as he sees fit." 
In modern society, especially, retention of information about oneself is extremely important. We may, for one reason or another, wish or be compelled to reveal such information, but situations abound where the reasonable expectations of the individual that the information shall remain confidential to the persons to whom, and restricted to the purposes for which it is divulged, must be protected. Governments at all levels have in recent years recognized this and have devised rules and regulations to restrict the uses of 1 Office of the Saskatchewan Information and Privacy Commissioner (SK OIPC) 2012-2013 Annual Report at Appendix 3, Definitions p. 100. See also SK OIPC Dictionary. 2 Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2006 FCA 157 (CanLII), [2007] 1 FCR 203 at [52]. 3 Hans v. STU, 2016 NBKB 49 (CanLII) at [20].

Office of the Saskatchewan Information and Privacy Commissioner. Guide to LA FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023. 10 information collected by them to those for which it was obtained; see, for example, the Privacy Act, S.C. 1980-81-82-83, c. 111. 23. One further general point must be made, and that is that if the privacy of the individual is to be protected, we cannot afford to wait to vindicate it only after it has been violated. This is inherent in the notion of being secure against unreasonable searches and seizures. Invasions of privacy must be prevented, and where privacy is outweighed by other societal claims, there must be clear rules setting forth the conditions in which it can be violated … Here again, Dickson J. made this clear in Hunter v. Southam Inc. After repeating that the purpose of s. 8 of the Charter was to protect individuals against unjustified state intrusion, he continued at p. 160: That purpose requires a means of preventing unjustified searches before they happen, not simply of determining, after the fact, whether they ought to have occurred in the first place. This, in my view, can only be accomplished by a system of prior authorization, not one of subsequent validation.4 Privacy is regarded as a fundamental right that is essential to safeguard the autonomy and dignity of an individual.5 Privacy is protected in LA FOIP by: • Giving individuals a right of access to their own personal information and the opportunity to request corrections to it (s. 30 and s. 31). • Requiring local authorities to collect personal information only where authorized by law (s. 24). • Requiring local authorities to collect personal information directly from the individual, unless where authorized to collect it indirectly (s. 25). • Requiring local authorities to inform individuals of the purpose for which the information is collected (when collected directly) (s. 25(2)). 
• Requiring that local authorities use personal information that is accurate and complete when making a decision about an individual (s. 26). • Requiring local authorities to establish policies and procedures to maintain administrative, technical and physical safeguards for personal information (s. 23.1). • Limiting a local authority’s use and disclosure of personal information to the purpose for which it was collected, a consistent purpose, another purpose with consent or a purpose set out in LA FOIP (s. 27). 4 R. v. Dyment, 1988 CanLII 10 (SCC), [1988] 2 SCR 417 at [22] and [23]. 5 SK OIPC Investigation Report F-2005-001 at [22].

• Enabling individuals to make complaints to the Commissioner and empowering the Commissioner to investigate complaints regarding possible collection, use or disclosure in contravention of Part IV of LA FOIP (s. 32 and s. 38(1)(a.4)).
• Requiring local authorities to notify individuals of an unauthorized use or disclosure of the individual’s personal information if there is a real risk of significant harm to the individual (s. 28.1).
• Providing for fines and/or imprisonment for any person who knowingly collects, uses or discloses personal information in contravention of LA FOIP (s. 56).6

Privacy as a Charter Right

The Supreme Court of Canada has considered the concept of privacy in several different contexts and determined that the Canadian Charter of Rights and Freedoms guarantees all Canadians a right of privacy.7 The right of privacy is founded on sections 7 and 8 of the Charter. Those sections provide as follows:

7. Everyone has the right to life, liberty and security of the person and the right not to be deprived thereof except in accordance with the principles of fundamental justice.

8. Everyone has the right to be secure against unreasonable search or seizure.8

Section 8 of the Charter is intended to protect individuals from unjustified state intrusions upon their privacy. The scope of section 8 is limited by the reasonableness of the individual’s expectation of privacy in a given set of circumstances.9

The Supreme Court of Canada has recognized several kinds of privacy, namely physical or bodily privacy, territorial privacy, privacy of communications and information privacy. For the purposes of LA FOIP, the focus is only on information privacy. The Supreme Court of Canada has quoted with approval the following statement:

6 Adapted from Service Alberta, FOIP Guidelines and Practices: 2009 Edition, Chapter 7, pp. 2 to 3.
7 SK OIPC Investigation Report F-2005-001 at [21].
8 The Constitution Act, 1982, Schedule B to the Canada Act 1982 (UK), 1982, c 11. Also quoted in SK OIPC Investigation Report F-2005-001 at [23].
9 Hunter et al. v. Southam Inc., 1984 CanLII 33 (SCC), [1984] 2 SCR 145 at p. 160.

This notion of privacy derives from the assumption that all information about a person is in a fundamental way his own, for him to communicate or retain for himself as he sees fit.10

For the privacy rights in Part IV of LA FOIP to be engaged, the information must constitute personal information under subsection 23(1) of LA FOIP. To help determine this, see Definition of Personal Information later in this Chapter.

IPC Findings

In Investigation Report F-2005-001, the Commissioner investigated the practice of the Automobile Injury Appeal Commission (AIAC) of publishing on its website the full text of its decisions. Those decisions included a good deal of personal information of the persons applying for compensation. The Commissioner found that there was no legislative requirement that the AIAC publish decisions on its website and that such publication falls short of privacy ‘best practices’. Part of the investigation involved the Commissioner considering whether “privacy” was a right under the Canadian Charter of Rights and Freedoms.

Privacy versus Confidentiality

The words “confidentiality” and “privacy” do not mean the same thing:

Confidentiality is the protection of personal information, once obtained, against improper or unauthorized use or disclosure. It is just one aspect of privacy and is not synonymous with “privacy”. It is the duty to protect personal information.11

Privacy is a broad concept that involves the right of the individual to exercise a measure of control over their personal information. It involves the decision of the individual as to what personal information will be disclosed to a local authority and for what purposes. Privacy captures both the security and confidentiality of personal information.12

Privacy is the general right of the individual to be left alone, to be free from interference, from surveillance and from intrusions.13 It is about the individual being able to control access to, as well as collection, use and disclosure of, their personal information.14 Privacy may be defined as an individual’s right to determine for themselves when, how and to what extent they will release personal information about themselves. Privacy thus connotes concepts of intimacy, identity, dignity and integrity of the individual.15

The Threat of Identity Theft

Identity theft refers to the collection or acquisition of someone else’s personal information to conduct criminal activities.16 Identity fraud is the actual use of another person’s information in connection with fraud. This includes impersonation and the misuse of debit or credit card information.17

Identity theft is one of the most serious crimes in Canada and one that has significantly increased in frequency and sophistication. Identity thieves will steal wallets, redirect mail, rummage through garbage, set up telemarketing schemes, break into computers to take money out of bank accounts, go on shopping sprees, apply for loans, credit cards and social benefits, rent apartments and even commit more serious crimes, all in the victim’s name.18

10 R. v. Dyment, 1988 CanLII 10 (SCC), [1988] 2 SCR 417 at [22]. Also quoted in SK OIPC Investigation Report F-2005-001 at [25].
11 SK OIPC Glossary of Common Terms: The Health Information Protection Act (HIPA). See also SK OIPC 2009-2010 Annual Report at Appendix 1 – Definitions, p. 53.
12 SK OIPC Investigation Report H-2013-001 at [193]. Originated from SK OIPC Glossary of Common Terms: The Health Information Protection Act (HIPA).
13 R. v. Edwards (1996), 103 C.C.C. (3d) 136 (S.C.C.) at paras. 49-50.
14 Privacy and Confidentiality of Health Information at CIHI: Principles and Policies for the Protection of Personal Health Information and Policies for Institution-Identifiable Information, 3rd Edition, Ottawa: Canadian Institute for Health Information, April 2002, at p. 52. Referenced in SK OIPC Investigation Report H-2005-002 at p. 23.
15 Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2006 FCA 157 (CanLII), [2007] 1 FCR 203 at summary on p. 2.
16 Office of the Ontario Information and Privacy Commissioner (ON IPC) resource, Ensuring your privacy is protected. Available at https://www.ipc.on.ca/privacy-individuals/ensuring-your-privacy-is-protected/. Accessed on October 18, 2022.
17 ON IPC resource, Ensuring your privacy is protected. Available at https://www.ipc.on.ca/privacy-individuals/ensuring-your-privacy-is-protected/. Accessed on October 18, 2022.
18 Originated from former Saskatchewan Justice Minister Frank Quennell’s news release, “Saskatchewan Supports Identity Theft Initiatives”, March 12, 2004. Cited in SK OIPC Investigation Report H-2007-001 at [41].

In addition to names, addresses and telephone numbers, identity thieves look for social insurance numbers, driver’s licence numbers, credit card and banking information, bank cards, calling cards, birth certificates and passports.19 This personal information enables an identity thief to commit various forms of fraud using the victim’s identity, such as to:

• Access bank accounts
• Apply for loans, credit cards and other goods and services
• Obtain new identity documents, such as passports
• Receive local authority benefits
• Hide criminal activities20

Once they have stolen the information they need, identity thieves can manipulate it and invade their victim’s personal and financial lives. Victims of identity theft may incur damaged credit, unauthorized charges on credit cards and unauthorized withdrawals from bank accounts. In many cases, victims must change their address, telephone number and even their social insurance number.21 It can take months or years to correct, and the consequences can be serious:

• Poor credit ratings
• Ruined reputations
• Lost jobs and other opportunities
• Services denied
• Loss of freedom to travel22

From the perspective of identity theft, one of the most important kinds of personal information is “cradle to grave” information. Birth and death certificates are frequently used as foundation documents to establish identity. According to the Royal Canadian Mounted Police (RCMP), two of the three “key pieces of information” sought by suspects to build a profile are name and date of birth.23

The RCMP has noted that identity thieves seek the following pieces of information:

• Full name
• Date of birth
• Social Insurance Number
• Full address
• Mother’s maiden name
• Username and password for online services
• Driver’s licence number
• Personal identification numbers (PINs)
• Credit card information (numbers, expiry dates and the last three digits printed on the signature panel)
• Bank account numbers
• Signature
• Passport number24

Identity thieves use a variety of methods to obtain personal information.

Low-tech methods include:

• Searching through the garbage.
• Stealing or re-directing postal mail.
• Pretending to be someone else and requesting it, for example, through telemarketing schemes.
• Opportunistic theft: accessing personal information sent to the wrong fax number, email address or voice mailbox.

High-tech methods include:

• Searching the internet; “friending” you on social media.

19 Originated from former Saskatchewan Justice Minister Frank Quennell’s news release, “Saskatchewan Supports Identity Theft Initiatives”, March 12, 2004. Cited in SK OIPC Investigation Report H-2007-001 at [41].
20 ON IPC resource, Ensuring your privacy is protected. Available at https://www.ipc.on.ca/privacy-individuals/ensuring-your-privacy-is-protected/. Accessed on October 18, 2022.
21 Originated from former Saskatchewan Justice Minister Frank Quennell’s news release, “Saskatchewan Supports Identity Theft Initiatives”, March 12, 2004. Cited in SK OIPC Investigation Report H-2007-001 at [41].
22 ON IPC resource, Ensuring your privacy is protected. Available at https://www.ipc.on.ca/privacy-individuals/ensuring-your-privacy-is-protected/. Accessed on October 18, 2022.
23 Originated from former Saskatchewan Justice Minister Frank Quennell’s news release, “Saskatchewan Supports Identity Theft Initiatives”, March 12, 2004. Cited in SK OIPC Investigation Report H-2007-001 at [41].
24 SK OIPC Investigation Report H-2013-002 at [18]. Originated from the Royal Canadian Mounted Police (RCMP), Identity Theft and Identity Fraud.

• Hacking ATMs and point-of-sale devices to steal your payment card information.
• Installing malware on your personal computing devices.
• Tricking you into visiting fraudulent websites via phishing messages.
• Intercepting and eavesdropping on your Wi-Fi communications.25

Local authorities should take all reasonable measures to protect personal information in order to reduce the risk of identity theft. This Chapter sets out several ways that local authorities can achieve this by having administrative, technical and physical safeguards in place that protect personal information in the local authority’s possession or control.26 See Section 23.1 later in this Chapter.

IPC Findings

In Investigation Report 009-2020, 053-2020, 224-2020, the Commissioner investigated a ransomware attack on eHealth Saskatchewan (eHealth), the Saskatchewan Health Authority (SHA) and the Ministry of Health (Health). As a result of the ransomware attack in late December 2019 and early January 2020, approximately 40 gigabytes of encrypted data were stolen from eHealth by malicious actors. Personal information and personal health information of individuals was involved. The Commissioner made several recommendations to assist eHealth, the SHA and Health against future attacks, including that eHealth use key network security logs and scans to effectively monitor the eHealth IT network and detect malicious activity, undertake a comprehensive review of its security protocols to include an in-depth investigation when early signs of suspicious activity are detected, and require cyber security and privacy training for eHealth and its partners as part of new employee orientation and onboarding. In addition, the Commissioner recommended that eHealth, the SHA and Health review and amend their IT acceptable use policies to include examples of current threats that employees should be aware of.

In Investigation Report 089-2021, the Commissioner investigated a ransomware attack on Saskatoon Obstetric & Gynecologic Consultants (SOGC). The attack affected 20,000 patients. Because system logs had not been retained, SOGC was unable to fully investigate the breach. The Commissioner recommended that SOGC develop and implement a policy and procedure, or ensure that its agreements with its IT service providers contain language, regarding the retention of firewall and network security logs, and that regular reviews of those logs be conducted to enable monitoring of SOGC’s system. Several other recommendations were also made, including ensuring that SOGC has a written agreement with its new IT service provider clearly outlining the services the IT service provider will provide.

10 Fair Information Principles

In 1980, the Organization for Economic Co-operation and Development (OECD) developed Guidelines for the Protection of Privacy and Trans-border Flows of Personal Data (OECD Guidelines). The OECD Guidelines represented an international effort to balance effective privacy protection with the free flow of personal data between different countries.27 The OECD Guidelines included eight principles: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability. In 1984, Canada committed itself to privacy protection by signing on to these internationally recognized guidelines.

In 1995, the European Union (EU) issued a directive on data protection called the European Union Data Protection Directive (also known as EC.95.46). EC.95.46 was adopted by the EU to protect the personal data collected for or about citizens of the EU.28 The Directive was based on the 1980 OECD Guidelines. The Directive effectively restricted the transfer of personal data from EU member states to any jurisdiction that did not have adequate privacy protection. This put pressure on the international community to have adequate privacy protections in place or risk losing trading opportunities with the EU.

These early guidelines (the OECD Guidelines and EC.95.46) and Canada’s commitment to them formed the basis for the development of the Canadian Standards Association Model Code for the Protection of Personal Information (Model Code) in 1995. The Model Code was intended to be a voluntary tool to assist private businesses and organizations with managing the personal information of Canadians. When it was issued, it contained 10 principles that were referred to as ‘Fair Information Principles’. It was thought that by implementing nationally recognized fair-handling practices for personal information, organizations could demonstrate their commitment to the protection of personal information in a material way.29

The Model Code came out of a collaborative effort by representatives of government, consumers and business groups. These groups met and discussed the development of a code as a way of enhancing the business environment. They recognized that protecting customers’ privacy rights and treating personal information with respect offered a competitive advantage.30

The Model Code was initially designed for use by Canadian private businesses. However, the federal government incorporated the Model Code into the Personal Information Protection and Electronic Documents Act (PIPEDA) as Schedule 1 in April 2000. Canada was the first country in the world to have private sector privacy legislation based on a collaboratively developed national standard.31 As well, the Model Code influenced the underlying concepts of all provincial access and privacy legislation in Canada, including Saskatchewan’s LA FOIP.

The Model Code addresses two broad issues:

1. the way organizations collect, use, disclose and protect personal information; and
2. the right of individuals to have access to personal information about themselves and, if necessary, to have the information corrected.32

25 ON IPC resource, Ensuring your privacy is protected. Available at https://www.ipc.on.ca/privacy-individuals/ensuring-your-privacy-is-protected/. Accessed on October 18, 2022.
26 Section 23.1 of LA FOIP requires local authorities to establish policies and procedures to maintain administrative, technical and physical safeguards that protect personal information in their possession or control. See section 23.1 later in this Chapter for more detail.
27 Organisation for Economic Co-operation and Development (OECD), OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Available at http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm. Accessed June 2, 2020.
28 EUR-Lex, Access to European Union Law, Summaries of EU Legislation, Protection of personal data. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=LEGISSUM:l14012. Accessed June 2, 2020.
29 Canadian Standards Association (CSA), Model Code for the Protection of Personal Information (Q830). Available at https://www.csagroup.org/store/search-results/?search=all~~Q830. Accessed June 2, 2020.
30 Office of the Privacy Commissioner of Canada, An Overview of the Personal Information Protection and Electronic Documents Act for Businesses and Organizations.
31 Office of the Privacy Commissioner of Canada, An Overview of the Personal Information Protection and Electronic Documents Act for Businesses and Organizations.
32 Canadian Standards Association (CSA), Model Code for the Protection of Personal Information (Q830). Available at https://www.csagroup.org/store/search-results/?search=all~~Q830. Accessed June 2, 2020.
