Our goal is to advance Ontarians’ privacy and access rights by working with public institutions to develop bedrock principles and comprehensive governance frameworks for the responsible and accountable deployment of digital technologies.
This document highlights the key issues to consider when de-identifying personal information in the form of structured data and it provides a step-by-step process that institutions can follow when removing personal information from data sets.
The IPC has prepared this new guidance document, Thinking About Clouds? Privacy, security and compliance considerations for Ontario public sector institutions, to help institutions evaluate whether cloud computing services are suitable for their information management needs. In particular, it seeks to raise awareness of the risks associated with using cloud computing services and outlines some strategies to mitigate those risks.
Recommended mitigation strategies include appropriate project planning, co-ordination, and documentation, undertaking risk analyses, applying data minimization measures, due diligence investigation of the cloud provider, negotiating effective contracts, and having an incident management plan in place.
It is the responsibility of all public institutions in Ontario to maintain effective control of, and be fully accountability for, the personal information entrusted to them by the public they serve.
Many institutions turn to video surveillance to help them fulfil their obligations to protect the safety of individuals and the security of their equipment and property. Video footage captured by cameras is regularly used to assist in the investigation of wrongdoing. However, the use of these surveillance technologies can put individuals’ privacy at risk. Therefore, it is important to carefully consider both whether it is appropriate to install video surveillance and how it is used.
This publication brings together our previous guidance on video surveillance and responds to new issues and factors, including appropriate retention periods, notices of collection and disclosures to law enforcement agencies. By following these guidelines, institutions can use video surveillance technologies, while protecting individuals’ privacy in accordance with their obligations under Ontario’s privacy legislation.
Proactive disclosure of procurement records strengthens clarity and accountability around government spending. It can also provide tangible benefits to institutions by reducing the number of procurement-related freedom of information requests, appeals and associated costs.
This resource details the benefits of proactive disclosure and offers tips on designing and implementing a transparent procurement process, while still protecting confidentiality where appropriate.
Municipalities are turning to the Internet as a means of making information public in an effort to improve accessibility, transparency and accountability. This may include publishing records directly to their website or including records in searchable databases that can be accessed online. Publishing materials online is an effective means of ensuring that the public has access to a municipality’s information. However, when publicly available records include personal information, there are privacy implications that should be considered before that information is made available on the Internet.
Municipalities should balance the need to protect the privacy of their community members, in compliance with the provincial privacy legislation and the need to meet their other legislated obligations. This new IPC guide describes a number of policy, procedural and technical options available to municipalities to mitigate the privacy risks associated with publishing personal information on the Internet.
Information is becoming far more valuable as businesses seek to learn more about their customers and those of their competitors, and as advertisers seek to gain a competitive advantage by finding new and innovative ways to use information to target advertisements that are most relevant to their consumers.
Information is also increasingly being sought for secondary uses that are seen to be in the public interest. For example, the health sector is seeking to use information to support evidence-based decision-making, to improve the quality of care provided, and to identify and achieve cost efficiencies.
However, if organizations do not strongly protect the privacy of individuals in the information being sought out, there may be far-reaching implications for both the individuals and the organizations involved. For example, when individuals lose trust and confidence in the ability of an organization to protect their privacy, the reputation of that organization may be irreparably damaged in the process.
One of the most effective ways to protect the privacy of individuals is through strong de-identification. Despite suggestions to the contrary, de-identification, using proper de-identification techniques and re-identification risk management procedures, remains one of the strongest and most important tools in protecting privacy.
