Our goal is to advance Ontarians’ privacy and access rights by working with public institutions to develop bedrock principles and comprehensive governance frameworks for the responsible and accountable deployment of digital technologies.
The new work-from-home reality hit many of us like a ton of bricks - bricks and mortar, that is. From a usual Friday afternoon at our office desks, surrounded by familiar people and things... to a Monday morning email instructing us to stay home for the sake of our own health and safety.
With no playbook to follow, many organizations had to turn on a dime to get staff the informational assets they needed to continue to be productive and maintain operations from home. Admittedly, access to information and privacy were not top of mind.
However, what may not have been obvious then, should be abundantly clear now: Ontario’s access and privacy laws continue to apply even when working from home.
To help organizations and their staff navigate the “new normal,” the IPC has released a new access and privacy fact sheet specifically adapted for the work-from-home context. It includes best practices and strategies for adopting new virtual communication channels while continuing to protect personal information and responsibly manage data.
As we settle in for the long ride, it’s essential that corporate policies and practices related to access, privacy, and security, be adapted, as needed, to ensure continued compliance when working from home. Staff must be reminded of their responsibilities, which include:
diligently following all work-from-home information security protocols,
remaining particularly vigilant of new phishing attacks
immediately reporting any data breaches, and
properly preserving and cataloguing records so they can be found when responding to access requests.
As the province begins to reopen and remote working conditions continue to evolve, let’s keep the conversation going, so organizations and their staff know how to mitigate risks to access, privacy and security even from home.
If you have questions about reducing the risks of remote work or other access and privacy topics, please feel free to contact us. Our offices may be physically closed right now, but we’re always available to help - virtually, that is.
News stories and alerts about data breaches are popping up on our news feeds and social media channels with increased regularity. To help Ontario’s public sector organizations manage and prevent privacy breaches, the IPC has updated its guidance.
A privacy breach occurs when personal information is collected, retained, used, disclosed, or disposed of in ways that do not comply with Ontario’s privacy laws.
The most common privacy breaches occur when unauthorized persons gain access to personal information. For example, personal information may be seized in a cyberattack, stolen from a portable device, or accessed by an employee for improper purposes.
The updated guidance provides the steps that public sector organizations should follow immediately upon learning of a privacy breach. It also outlines the IPC investigation process and practical measures organizations can implement to reduce the risk of future privacy breaches.
Ontario’s freedom of information law is based on the principle that every individual has a right to access government information. This right exists to ensure the public has the information it needs to participate meaningfully in the democratic process, and that politicians and bureaucrats remain accountable to the public.
There are, understandably, some necessary exceptions to the law. Those exceptions, written into the Freedom of Information and Protection of Privacy Act as “exemptions,” are designed to strike a balance between Ontarians’ fundamental right to know and the privacy and safety of individuals. They are also meant to be limited and specific. Labour relations, solicitor-client, and certain law enforcement records are examples of information that may be exempt from disclosure. The law also allows (rightly so) for the Premier and his cabinet to engage in free discussion of sensitive issues, in private. As such, cabinet documents cannot be disclosed if they reveal the substance of deliberations of the Executive Council or its committees.
Order PO-3973, which I issued on July 15, dealt with a request for the mandate letters sent by Premier Ford to all Ontario government ministers. Cabinet Office denied access to the letters based on the premise that, as cabinet documents, they are automatically exempt from disclosure. Mandate letters have become common across Canada as a means to provide direction to ministers of incoming governments. They are frequently made public.
After reviewing the mandate letters, I determined that they do not reveal government deliberations, the substance of any meetings, discussions, or any other options considered by the Premier’s Office. That is why I found that the exemption did not apply, and in Order PO-3973, I directed Cabinet Office to disclose the letters by August 16.
The purpose of our freedom of information law is to support the public’s ‘right to know.’ Unless government records are exempt, they should be disclosed to the public. In this case, the mandate letters do not qualify for exemption as cabinet documents. I ordered their release because Ontarians have a right to know what the government’s policy priorities are.
On August 14, my office received notice that the government intends to challenge my decision in court and prevent the release of the letters. Because it is now subject to a judicial review, I will not comment further on Order PO-3973, except to say that I stand by my decision, and hope to see a swift resolution.
There’s a new sensor on the block. Or at least there could be, if you’re living in the urban jungle of a smart city.
For those not familiar with it, smart city is a term to describe a community that uses connected technologies to collect and analyze data to improve services for citizens. An example could be energy conservation sensors that dim the streetlights when no pedestrians or cars are around. Or a real-time parking app that maps out where the nearest available public parking spot can be found.
The possibilities of smart city projects may seem endless, but the need for strong privacy protections must be a constant. This was the message our office and privacy protection authorities from across the country recently delivered to the minister in charge of the Government of Canada’s Smart Cities Challenge. The challenge invites communities from across Canada to submit proposals for projects and compete for funding to make their smart city dreams a reality.
It’s very exciting stuff, but it’s important that we don’t get too carried away. While evidence-based decision-making has the potential to move us forward, personal privacy rights cannot be an afterthought. Smart city technologies can collect, use and generate large amounts of data. Without strong safeguards in place, this could include sensitive personal information. This information could be used to track people as they go about their daily activities or fall into unscrupulous hands as the result of a cyberattack.
The aim of the letter is to engage in conversation with the minister’s office about the privacy risks associated with smart city initiatives and to raise awareness about what can be done to mitigate those risks. We also want to ensure that if financial support is provided for smart city proposals, it is limited to those that will be carried out in a privacy-protective way. To help achieve this, Canada’s access and privacy offices have also collectively offered to support the development of selection criteria and the evaluation of project scoring in this area.
Some municipalities are already implementing smart city technologies, highlighting the need for leadership in ensuring the protection of privacy rights. Our office will continue to engage on this very important issue in the months ahead.
