Ontario IPC issues guidance on police use of facial recognition and mug shots

European Parliament passes landmark AI Act on March 13

UK AI regulation bill receives second reading

AI Notetakers – the risks and benefits

UN adopts AI resolution which focuses on safety

Ontario school boards sue makers of Facebook, Instagram, Snapchat and TikTok

Tennessee Elvis Act, replication of voices” by AI

Australian government proposes to implement AI changes

Podcast -Ontario IPC discusses facial recognition

Draft American Privacy Act introduced

News Releases

Updated Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on COVID-19

April 20, 2020 - Ron Kruzeniski, Information and Privacy Commissioner

Privacy in the Context of COVID-19

Privacy laws are not a barrier to appropriate information sharing in an epidemic.

It is important that public bodies, health trustees and private sector organizations know how personal information or personal health information may be shared during an epidemic.

How Information May be Shared under Saskatchewan’s Privacy Laws

Saskatchewan has three privacy laws:

  • The Freedom of Information and Protection of Privacy Act (FOIP) applies to government institutions;
  • The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) applies to local authorities such as municipalities, universities and school boards; and
  • The Health Information Protection Act (HIPA) applies to health trustees.

These Acts and accompanying Regulations govern the collection, use and disclosure of personal information or personal health information in most situations.

Each Act contains provisions to allow for the sharing of personal information or personal health information in the event of an emergency by public bodies and trustees.

All three Acts require that any collection, use or disclosure of personal information or personal health information be limited to that which is needed to achieve the purpose of the collection, use or disclosure. This is referred to as the “data minimization principle.”

FOIP

FOIP applies to government institutions or “public bodies”, which include provincial government ministries, Crown corporations, boards, agencies and commissions.

FOIP permits public bodies to collect personal information if the collection is expressly authorized by another statute or if the collection relates directly to and is necessary for an operating program or activity of the public body.

FOIP generally requires public bodies to collect personal information directly from the individual the information is about. Public bodies may collect information about an individual from other sources with the individual’s consent, or without consent in specific circumstances, such as when the collection is authorized by law or the individual is not able to provide the information directly in a health or safety emergency.

Public bodies may disclose personal information in emergency situations with the consent of the individual, or without consent in certain circumstances, including:

  • where necessary to protect the mental or physical health or safety of any individual; or
  • the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure; or
  • disclosure would clearly benefit the individual to whom the information relates; or
  • if the disclosure is authorized by a statute of Saskatchewan or Canada.

LA FOIP

LA FOIP applies to local authorities, including municipalities, universities and school boards. Basically, the same rules apply as outlined above for FOIP.

HIPA

HIPA applies to personal health information in the custody or control of health trustees. Trustees include the Saskatchewan Health Authority, nursing homes, ambulance operators, physicians, pharmacists and certain other health professionals with custody or control of personal health information. HIPA authorizes trustees to collect and use personal health information for the purposes of providing health services among others.

HIPA also allows trustees to disclose personal health information with the consent of the individual, or without consent in specific circumstances, including:

  • where the trustee believes, on reasonable grounds, that the disclosure will avoid or minimize a danger to the health or safety of any person; or
  • to family members or other individuals in a close relationship with the individual so they may be notified that the individual is ill, injured or deceased, providing the disclosure is not contrary to the expressed wishes of the individual; or
  • to another health trustee for the provision of health services; or
  • to a person responsible for continuing treatment and care for the individual; or
  • if the disclosure is authorized or required by a statute of Saskatchewan.

The Private Sector

Except for trustees under HIPA, Saskatchewan does not have legislation that applies to the private sector. Private sector organizations might be covered by federal legislation and should check the federal privacy commissioner’s website: https://www.priv.gc.ca/en/. If the private sector however is contracting with a public body or trustee (e.g. information management service provider), contractual agreements should be checked for language that might actually put personal information or personal health information that the private sector has in its physical possession instead in the control of the public body or trustee.

General Principles

The Canadian Privacy Commissioner, Daniel Therrien, has issued A Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19. In that framework, he establishes key principles which can be applied by public bodies when making decisions on collection in Saskatchewan. He summarizes those principles in his News Release April 17, 2020. These principles should be applied in Saskatchewan. With some editing, these principles are:

  • legal authority: the proposed measures must have a clear legal basis;
  • the measures must be necessary and proportionate, and, therefore, be science-based and necessary to achieve a specific identified purpose;
  • purpose limitation: personal information and personal health information must be used to protect public health and for no other purpose;
  • use de-identified or aggregate data whenever possible;
  • exceptional measures should be time-limited and data collected during this period should be destroyed when the crisis ends; and
  • transparency and accountability: public bodies should be clear about the basis and the terms applicable to exceptional measures, and be accountable for them.

The Public Health Act, 1994

The Minister of Health or the Chief Medical Officer have powers under The Public Health Act, 1994 (P.37.1) which can be viewed here: https://publications.saskatchewan.ca/#/products/786. In particular, section 45 sets out the powers of the minister and the medical officer. Further, this Act contains mandatory reporting provisions of certain health care professionals in certain circumstances (e.g. sections 32, 34 and 36).

The Information and Privacy Commissioner

The Office will continue to work on matters during this time, but will be closed to the public. People seeking information can call 306-787-8350 or the toll free number 1-877-748-2298 or email us at webmaster@oipc.sk.ca.

There may be delays getting back to those who contact us, but we will get back to you.

My office usually requests that public bodies respond with information within certain timelines. We know other offices may be experiencing difficulties in getting back to us. Thus, we will be flexible regarding tight timelines. We do ask that you call us so that we can set a different timeline if one is required.

Ronald J. Kruzeniski, Q.C.
Saskatchewan Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
Kmignon-stark@oipc.sk.ca

Download PDF

Categories: News Releases

Back to News Releases