Guide to LA FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to LA FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023.

Personal email accounts pose information security risks for local authority records. For example, records could end up stored on email servers that are outside of Canada. In instances where webmail services are used, such as “Gmail” or “Hotmail”, email content is scanned and read to provide targeted advertising. Personal information in those records is not only stored outside Canada but it is also disclosed to the webmail provider. Local authorities are required under LA FOIP to take reasonable security measures to protect personal information from unauthorized access, collection, use or disclosure. When local authority records are stored in a personal email account with data servers located outside of Canada, the local authority no longer has control of how that information will be protected, disclosed, or accessed.774

The risks are not just with “Gmail” or “Hotmail” accounts. Email accounts with SaskTel (“sasktel.net”) also have privacy considerations. SaskTel stores some data outside of Canada. It uses Google Apps for email and collaboration and stores some data in the Google Cloud. As some data is being stored outside of Canada, it may be subject to the laws of the countries where it resides.775

With the increased use of local authority assigned mobile devices and Bring Your Own Device (BYOD) programs, public servants are shifting to using the same device for personal and local authority business, increasing the risks of co-mingling information. Many public servants are unclear how to protect local authority records in such environments.

Email is not confidential by default, and personal information included in an email could be subject to a breach or unauthorized disclosure. It is important to note that in many instances, the technology used to send and receive email is not protected. Each delivery point between the recipient and the sender will store and forward the email and may do so in a plain, clear, and readable format. While it may only be technical people at each delivery point who would have the ability to read the email, there is a possibility that the delivery point could be breached, resulting in personal information being exposed.776 Personal email providers might not have adequate protections for personal information. If the information is sensitive, encryption can ensure the email is not readable along its journey.

774 SK OIPC Investigation Report 101-2017 at [26].

775 SK OIPC Investigation Report 101-2017 at [27].

776 The Canadian Health Informatics Association (COACH) Guidelines, Putting it into Practice: Privacy and Security for Healthcare Providers Implementing Electronic Medical Records – 2010 Guidelines for the Protection of Health Information Special Edition, Canada’s Health Informatics Association, 2020, p. 55. See also, SK OIPC Investigation Report 101-2017 at [29].
