Protecting privacy, safeguarding information, and providing access to information can be challenging, especially in a quickly evolving digital world.
As one of our stakeholders, you might be seeking feedback or guidance on new programs, projects, technologies, or processes that you are considering. To the extent our resources permit and subject to our discretion, we would be pleased to offer comment on the privacy and transparency implications of proposed legislative schemes and government programs or the information practices of custodians and children service providers.[1] Through consultation, the IPC can provide meaningful comments and general guidance to help you manage privacy and information security risks. We can also direct you to resources to help you safeguard information and better understand your obligations under the applicable access and privacy laws.
Our office oversees compliance with several provincial laws, which protect the access and privacy rights of Ontarians. These laws include the:
Freedom of Information and Protection of Privacy Act (FIPPA)
Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
Personal Health Information Protection Act (PHIPA)
Part X of the Child, Youth, and Family Services Act (CYFSA)
Anti-Racism Act (ARA)
If you are a stakeholder subject to one or more of these laws, a consultation with the IPC may assist you. Some examples of our stakeholders include:
public institutions, such as provincial or municipal government or agencies of government
health care providers, including hospitals, long-term care facilities, mental health and addiction treatment facilities, dental clinics, or other health care practitioners and providers
police services (provincial and municipal)
school boards and universities
children’s aid societies, Indigenous child well-being societies, and other child and family service providers
Consultations can benefit us all.
You receive general guidance and best practices from IPC subject-matter experts during the critical development stage of a program, project or initiative and before its implementation.
We increase our awareness and understanding of new initiatives that may affect privacy or access and the kinds of practical challenges you face on the ground.
Ontarians benefit from enhanced compliance with access and privacy laws.
We welcome the chance to engage with you. While we cannot provide legal advice and do not endorse or approve any specific technology, device, or proposal, we can provide valuable general guidance and best practices to help you manage privacy risks, enable public access to information, and comply with applicable laws.
Read our FAQs to learn how to prepare for, and what to expect from, a consultation with us.
To learn more about the consultation process or to request a consultation, please contact us at [email protected]. For general inquiries about the IPC, please email [email protected].
Consultation at the early stages of developing a new program, project, policy, device, technology, or other proposal can often identify and address privacy, security, and access issues upfront and help avoid problems later. We can provide general guidance and best practices about privacy, security, and access issues and recommend improvements to current practices. We may also direct you to additional resources for further guidance.
As a result, you can learn how to lower the risks of privacy and security breaches and get answers to questions about statutory privacy protection and access to information requirements as well as general best practices. Consultations allow you to access our experience and expertise and clarify your responsibilities under Ontario’s access and privacy laws.
2. What types of projects or proposals can I consult on? What kinds of questions can I ask?
You may wish to consult with us on a wide range of data-related projects or proposals that involve personal information, personal health information, or even de-identified information and synthetic data, or on potential projects that may involve some form of digital identification or artificial intelligence, or affect or facilitate access to information. This is particularly the case where the proposal relates to a high-risk or precedent setting initiative. You may have questions about a new project, program, service, policy, device, technology, system, or other proposal. You may even want us to review and provide feedback on a privacy impact assessment (PIA) that you have conducted for a proposal.
We encourage you to ask about potential risks to privacy and security related to your proposal and ask about best practices to protect information and appropriately safeguard it to prevent breaches. We can help you understand your responsibilities under applicable privacy and access laws and suggest best practices for protecting privacy or enhancing access to information. For general questions about Ontario’s access and privacy laws, you can visit IPC’s website at www.ipc.on.ca or email the IPC’s information service at [email protected].
Our stakeholders typically include organizations subject to one or more of Ontario’s access and privacy laws, such as public institutions, health care providers, police services, and children’s aid societies.
Private sector organizations that provide services to the above organizations and handle personal information or personal health information can also ask us questions, to the extent they too may be subject to laws under our jurisdiction. We may also consult with:
technology and electronic service providers
health app developers
developers of software or novel technologies
innovators applying emerging technologies, such as artificial intelligence, to benefit existing health care, law enforcement, system planning, research, or other systems.
Private sector organizations may be subject to the federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Questions about compliance with federal legislation should generally be directed to the Office of the Privacy Commissioner of Canada.
4. Will the IPC certify that my proposal, or the vendor I am considering, is compliant with the applicable access and privacy law(s)?
A consultation with the IPC cannot validate or certify that you are acting in compliance with Ontario’s access and privacy laws. However, it can help identify issues and address questions that strengthen your awareness of specific risks about a proposal and your responsibilities to lower those risks, resulting in enhanced compliance with the applicable laws.
While we welcome the opportunity to consult with you, we do not provide legal advice. We do not endorse, approve, or certify any proposal, program, service, device, or technology. However, we can provide general guidance and best practices about privacy, security, and access issues or recommend improvements to current practices. For example, we can address specific questions about privacy risks associated with a proposal, or review a privacy impact assessment or draft policy and provide feedback. We may also direct you to additional resources for further guidance.
The feedback and guidance provided during a consultation with our policy staff does not bind the IPC’s tribunal. Our tribunal staff who work in a separate division may be called upon to independently investigate and decide upon an individual complaint or appeal related to these programs, technologies, services, and information practices, based on their specific application and the particular circumstances of a given case.
5. How do I prepare for a consultation? What is involved in the consultation process?
IPC consultations are a flexible and relatively informal process. They generally involve either a one-time meeting or a series of meetings, as requested or necessary. Many organizations choose to make a presentation to the IPC staff, followed by a discussion.
Preparation is often the key to a successful and productive consultation with our office. You might want to take the following steps before the consultation:
Identify data flows and associated considerations. In some cases, setting out the intended data flows for an initiative — even informally — may help you prepare to answer common consultation questions, including:
What information will be collected? By whom? From whom?
How will the information be used and for which purposes?
To whom will the information be disclosed (or shared) and for what purposes?
How will the information flow through the proposed program, project, technology, or process you are considering?
How is the information being protected at each step?
Are you or another organization performing each step within the data flow, and under what authority?
How are individuals being notified about the process? How can they exercise their rights, such as to access their information?
We do not expect you to have a perfect data flow map at the time of consultation, particularly where an initiative is still under development. However, it is often very helpful if you have carried out this preliminary exercise.
Provide materials in advance. We generally avoid providing immediate feedback the first time we hear of an initiative. We consider it more responsible to take time for reflection. As such, if you provide us with key materials, including privacy impact assessments (PIAs) or draft PIAs, at least three business days in advance of a scheduled consultation (or more, depending on the complexity), we can come to the meeting better prepared for an active discussion and dialogue.
Consider your goals for the consultation. Are there specific questions you need answers to? Are you looking for overall impressions and a discussion about general risks and obligations or detailed comments on specific aspects of a proposal? If you can define the scope of your consultation, you will likely receive feedback that is more targeted to your needs. To enhance the consultation process, we suggest you prepare the questions or concerns you want to discuss and send them to us in advance.
Consultation meetings can be held virtually, at the organization’s premises, if practical and necessary to view an on-site demonstration, for example, or at the IPC’s office located in Toronto.[2]
7. When should I consult with the IPC? What should I think about before approaching the IPC for a consultation?
While timing is flexible, it is often most productive to engage us after your proposed project is past the initial idea stage but prior to implementation. Ideally, you will have already conducted a PIA or have a draft PIA well underway. Consultations with the IPC should not be approached as a ‘check box’ exercise — you should come both expecting and looking for meaningful feedback on a proposal.
To make the process meaningful, it is important that you build time for a consultation with the IPC into your project plan. This helps to avoid last-minute requests and ensures you have adequate time to consult with us and incorporate any necessary changes based on the feedback or recommendations we have provided.
Before requesting a consultation with the IPC, you may want to think about the following:
Can you clearly describe relevant aspects of the proposal, such as what personal information or personal health information will be collected and used, by whom, and for which purposes? Will it be disclosed (shared) with others? If so, to whom and for what purposes?
What legal authority will your organization be relying on to collect, use, or disclose personal information or personal health information? (You should consult with your organization’s advisors, such as privacy officers or legal counsel. Provincial government institutions may wish to first consult with the Information, Privacy and Archives division of the Ministry of Government and Consumer Services.)
How do you plan to safeguard the information?
Are you clear on what you would like to get out of the consultation, and are you looking for answers to specific questions?
If you can answer the above questions, you are likely in a good position to start the consultation process. You may also want to refer to Planning for Success: Privacy Impact Assessment Guide for additional guiding questions.
If you are unsure if your proposal is at the right stage for a consultation, you can reach out to us for an initial conversation. We would rather hear from you too early than too late (or not at all), even if we can only provide some initial resources and recommend you come back for further discussion once the project is more advanced.
8. What happens to the information I provide the IPC during a consultation?
During a consultation, you might provide — either proactively or at our request — information for our review, such as background materials, project plans, privacy impact assessments, or draft policies. We will not disclose this information, unless it is necessary to exercise our statutory functions or you agree to the disclosure.
If we are asked whether we were consulted on a matter that is publicly known, in most cases we will be transparent about the fact that a consultation did or did not occur, and will inform you as a matter of courtesy. We may also describe considerations and recommendations relevant to the topic in general. If details are sought about the specific substance of your consultation, we would refer the requester back to your organization.
As well, each year we publish in our annual report a list of significant consultations and engagements that were undertaken in the past year. Each entry on this list includes the name of the organization and the general topic of the consultation, but not any details. As an example, please see our annual report, under the heading “Advice and Consultations.”
9. How should I characterize my consultation with the IPC in my public-facing documents or communications?
Like many of our stakeholders, you may want to refer to your consultation with us in public-facing statements or documents (such as media statements or board reports). We do not object to this as long as you characterize the scope and nature of the engagement accurately. For instance, you may stipulate as follows: “While developing this program, we received and took into account comments from the Office of the Information and Privacy Commissioner of Ontario.”
We ask that you provide us with advance notice if you intend to reference the consultation you had with the IPC when speaking in a public forum, such as at media briefings or industry conferences.
Since we do not endorse, approve, or certify any proposal, program, service, system, device, or technology as part of our consultations, you must not state or imply that any of these have occurred. Our staff can assist you in characterizing your consultations with us appropriately.
10. How do I contact the IPC to request a consultation?
Many of our stakeholders already have regular or occasional contact with our office. If this includes you, please feel free to request a consultation through your regular correspondence with our office or through your established contact person.
For stakeholders who are new to the consultation process or who simply want to ask questions about the consultation process, please send a message to [email protected].
To help us direct your request, please consider including some high-level information about your proposal, including:
your sector (health, law enforcement, education, children’s services, government, or private sector with clients in one of these areas)
a brief description of your proposed initiative
the scope of your request (e.g., an overall review of a new project, a question on a specific point of compliance, etc.)
We look forward to hearing from you and will respond as soon as possible.
At the request of an organization or other stakeholder, the IPC may offer general guidance and best practices on the access to information and privacy issues related to specific programs, technologies, services and information practices. The IPC does not endorse or approve programs, technologies, services, and information practices in providing general guidance and best practices to organizations and other stakeholders.
Consultations with the IPC and the general guidance and best practices provided are for informational purposes only. They should not be relied upon as a substitute for the legislation itself or as legal advice. Consultations are intended to help enhance understanding of rights and obligations under Ontario’s access and privacy laws. Consultations with the IPC and the general guidance and best practices provided do not bind the IPC’s tribunal that may be called upon to independently investigate and decide upon an individual complaint or appeal based on the specific facts and unique circumstances of a given case.
[1] The IPC’s statutory power to provide comment is found in s.59(a) of FIPPA, s.46(a) of MFIPPA, s.66(d) of PHIPA, and s.326(d) of the CYFSA.
[2] Please refer to the IPC website for updates on any physical office closures due to the pandemic.
