Privacy and Transparency in a Modern Government

Our goal is to advance Ontarians’ privacy and access rights by working with public institutions to develop bedrock principles and comprehensive governance frameworks for the responsible and accountable deployment of digital technologies.

Our work to further this goal includes:

It’s Cybersecurity Awareness Month: Read Twice, Click Once Privacy and Transparency in a Modern Government

News of cyberattacks continues to dominate headlines across the country. From individual instances of identity theft to large-scale ransomware attacks involving millions of people, these malicious assaults on our personal data systems show no sign of abating. As their tactics become more sophisticated, cybercriminals are finding increasingly insidious ways to lure victims. Now, during a time in which a worldwide pandemic has forced us to conduct most of our lives online, the need to be vigilant has never been more important.

October is Cyber Security Awareness Month. This month-long, international campaign is intended to inform the public about the importance of cyber security, and provide education on the steps to take to become more secure online. This year, Cyber Security Awareness Month will focus on how we can better protect our personal devices.

The IPC has developed a number of resources designed to help public sector organizations, health professionals, and the public safeguard personal information online and better protect themselves from falling prey to cyberattacks.

Safeguarding personal information online is crucial in preventing identity theft. Minimizing the amount of personally identifiable information on social media and using strong passwords are just some of the online protections we explore in Identity Theft: a Crime of Opportunity.

Phishing can happen in an instant - you open an email with an infected attachment, click on an innocent-looking link that downloads malware, and within moments, you’ve exposed your most sensitive personal or confidential information to attackers. Our fact sheet, Protect against Phishing, contains guidance for institutions and the public on how to recognize phishing messages, protect against phishing attacks, and limit the damage in the event of an attack.

Ransomware attacks often involve bad actors infiltrating large-scale information systems to kidnap (quite literally) huge volumes of client data and hold it for ransom. Victim organizations must choose between paying the large sums of money being demanded or seeing all the data released online, resulting in devastating privacy breaches and loss of public trust. To help public organizations and healthcare facilities protect themselves from ransomware, our office published Protecting against Ransomware, which outlines various strategies for protecting information and responding to attacks.

Privacy Rights of Children and Teens, a lesson plan produced by MediaSmarts for Canada’s federal, provincial and territorial data protection authorities, examines the potential privacy risks of online engagement and how young people can protect their personal information through better knowledge of their personal privacy rights.

By being aware of the risks, we can better protect ourselves from falling into the traps of bad actors who try to use our personal devices against us — particularly at a time when we have become so highly dependent on technology to work, go to school, shop, attend appointments and socialize online.

I hope you will take some time this month to review these IPC resources on cyber security and check out the Cyber Security Awareness Month website on a weekly basis to learn some new tips on how to better secure your devices.

Adopting that old carpenter’s adage, we should always remember to “read twice, click once.”

Stay safe everyone!
Patricia

Right to Know Week: Putting access rights in the spotlight Privacy and Transparency in a Modern Government

This is my first Right to Know Week as Ontario’s Information and Privacy Commissioner. I am excited to join my fellow commissioners from across the country in raising awareness about access rights and freedom of information from September 28 to October 4.

Freedom of information is essential to democracy and good governance, helping citizens gain a better understanding of government decision-making and the policies and issues that matter to them.

As we navigate the enormous challenges associated with COVID-19, the need for openness, transparency, and accountability has never been more important. People are looking for insight into the decisions and actions being taken by governments and institutions to keep their families and communities safe. They are also looking for telling numbers, trends and statistics to try and understand where the hot spots are and why. During these challenging times, institutions must continue to do all they can not only to respond to access requests, but to be proactive in disclosing non-identifiable information that’s important for the public to know in times like these.

I am especially proud of the work the IPC does every day to help Ontarians exercise their access rights. The IPC kicked off 2020 with an expanded mandate under the Child, Youth and Family Services Act. We now support children – as well as adults – looking to access records of their personal information held by children’s aid societies and other family service providers. Outreach materials like our It’s About You brochure are just one of the ways we help to de-mystify the process for young people.

In addition to our work with the public, we publish a number of guides and fact sheets to help public sector institutions understand their obligations under Ontario’s access laws. For example, our recent guide, the Labour Relations and Employment Exclusion, explains how public sector organizations should interpret and apply the exclusion for information about labour relations and employment matters under Ontario’s access laws.

On September 30 from 2 to 3 pm (EST) I will participate in a virtual panel to discuss the issues and challenges associated with being a newly appointed commissioner during this pandemic.

During Right to Know Week, Canadians can tune into a variety of virtual events to learn more about freedom of information and their right to access government information. You can find out about what’s going on across the country by visiting righttoknow.ca.

Another way to join the conversation about access rights is by following the #RTK2020 hashtag on Twitter.

I’m looking forward to the engaging discussions that will take place during Right to Know Week. I hope you will find the time to tune in and be a part of the conversation.
Patricia

A whole new kind of “homework”: Ensuring access and privacy rights from the hearth Privacy and Transparency in a Modern Government

The new work-from-home reality hit many of us like a ton of bricks - bricks and mortar, that is. From a usual Friday afternoon at our office desks, surrounded by familiar people and things... to a Monday morning email instructing us to stay home for the sake of our own health and safety.

With no playbook to follow, many organizations had to turn on a dime to get staff the informational assets they needed to continue to be productive and maintain operations from home. Admittedly, access to information and privacy were not top of mind.

However, what may not have been obvious then, should be abundantly clear now: Ontario’s access and privacy laws continue to apply even when working from home.

To help organizations and their staff navigate the “new normal,” the IPC has released a new access and privacy fact sheet specifically adapted for the work-from-home context. It includes best practices and strategies for adopting new virtual communication channels while continuing to protect personal information and responsibly manage data.

As we settle in for the long ride, it’s essential that corporate policies and practices related to access, privacy, and security, be adapted, as needed, to ensure continued compliance when working from home. Staff must be reminded of their responsibilities, which include:

  •  diligently following all work-from-home information security protocols,
  •  remaining particularly vigilant of new phishing attacks,
  •  immediately reporting any data breaches, and
  •  properly preserving and cataloguing records so they can be found when responding to access requests.

As the province begins to reopen and remote working conditions continue to evolve, let’s keep the conversation going, so organizations and their staff know how to mitigate risks to access, privacy and security even from home.

If you have questions about reducing the risks of remote work or other access and privacy topics, please feel free to contact us. Our offices may be physically closed right now, but we’re always available to help - virtually, that is.


Patricia

IPC's letter to Minister Lisa M. Thompson regarding the Government of Ontario’s Better, Smarter Government Discussion Paper Privacy and Transparency in a Modern Government Advice and Submissions
IPC letter to Minister Lisa M. Thompson regarding the Government of Ontario’s Creating Economic Benefits Discussion Paper Privacy and Transparency in a Modern Government Advice and Submissions
Open Letter from Commissioner re: Sidewalk Labs' Proposal Privacy and Transparency in a Modern Government Letters

Open Letter from Commissioner Brian Beamish re: Sidewalk Labs' Proposal

IPC letter to Minister Lisa M. Thompson regarding Government of Ontario’s "Promoting Trust and Confidence in Ontario’s Data Economy" discussion paper Privacy and Transparency in a Modern Government Advice and Submissions
Managing privacy breaches in the public sector Privacy and Transparency in a Modern Government

News stories and alerts about data breaches are popping up on our news feeds and social media channels with increased regularity. To help Ontario’s public sector organizations manage and prevent privacy breaches, the IPC has updated its guidance.

A privacy breach occurs when personal information is collected, retained, used, disclosed, or disposed of in ways that do not comply with Ontario’s privacy laws.

The most common privacy breaches occur when unauthorized persons gain access to personal information. For example, personal information may be seized in a cyberattack, stolen from a portable device, or accessed by an employee for improper purposes.

The updated guidance provides the steps that public sector organizations should follow immediately upon learning of a privacy breach. It also outlines the IPC investigation process and practical measures organizations can implement to reduce the risk of future privacy breaches.

For organizations subject to Ontario’s health privacy law, refer to our guidance, Responding to a Health Privacy Breach: Guidelines for the Health Sector.

ORDER PO-3973 Privacy and Transparency in a Modern Government
Why I ordered the Government of Ontario to share its mandate letters Access, Privacy, Open Government, Access Request Process, Privacy and Transparency in a Modern Government

Ontario’s freedom of information law is based on the principle that every individual has a right to access government information. This right exists to ensure the public has the information it needs to participate meaningfully in the democratic process, and that politicians and bureaucrats remain accountable to the public.

There are, understandably, some necessary exceptions to the law. Those exceptions, written into the Freedom of Information and Protection of Privacy Act as “exemptions,” are designed to strike a balance between Ontarians’ fundamental right to know and the privacy and safety of individuals. They are also meant to be limited and specific. Labour relations, solicitor-client, and certain law enforcement records are examples of information that may be exempt from disclosure. The law also allows (rightly so) for the Premier and his cabinet to engage in free discussion of sensitive issues, in private. As such, cabinet documents cannot be disclosed if they reveal the substance of deliberations of the Executive Council or its committees.

Order PO-3973, which I issued on July 15, dealt with a request for the mandate letters sent by Premier Ford to all Ontario government ministers. Cabinet Office denied access to the letters based on the premise that, as cabinet documents, they are automatically exempt from disclosure. Mandate letters have become common across Canada as a means to provide direction to ministers of incoming governments. They are frequently made public.

After reviewing the mandate letters, I determined that they do not reveal government deliberations, the substance of any meetings, discussions, or any other options considered by the Premier’s Office. That is why I found that the exemption did not apply, and in Order PO-3973, I directed Cabinet Office to disclose the letters by August 16.

The purpose of our freedom of information law is to support the public’s ‘right to know.’ Unless government records are exempt, they should be disclosed to the public. In this case, the mandate letters do not qualify for exemption as cabinet documents. I ordered their release because Ontarians have a right to know what the government’s policy priorities are.

On August 14, my office received notice that the government intends to challenge my decision in court and prevent the release of the letters. Because it is now subject to a judicial review, I will not comment further on Order PO-3973, except to say that I stand by my decision, and hope to see a swift resolution.

Brian Beamish
