Guest blog by Teresa Scassa
From September 2022 until the end of June 2023, I had the privilege of being the first Scholar-in-Residence at the Office of the Information and Privacy Commissioner of Ontario (IPC). My goal was to learn more about privacy and access issues from a regulator’s perspective while being exposed to the many complex and challenging issues faced by the IPC. I was not disappointed. Through this unique in-house experience, the commissioner and her teams brought me into key internal and external meetings to seek my views and perspectives. They involved me in strategic planning sessions, asked me to critique and peer-review draft papers on leading-edge privacy and transparency topics, and to mentor junior staff as they developed legal and policy research skills, and more.
I end my term having learned a great deal that will enrich my thinking on many issues about which I research and write. The IPC’s mandate is broad and diverse, covering privacy and access to information issues in Ontario’s provincial, municipal, health, and child and family services sectors. I have had the opportunity to witness some of the strategic thinking and planning that goes into realizing a complex mandate with limited resources in a dramatically evolving technological landscape. I’ve also had the pleasure of building strong working relationships with members of the talented and committed team at the IPC, and I hope this will lead to ongoing cooperation and collaboration.
The idea to have a scholar in residence was part of Commissioner Kosseim’s ambitious vision for a “modern and effective regulator” articulated in the IPC’s just-published 2022 annual report. A regulator’s resources are always limited and must be deployed wisely to achieve maximum positive benefit. Although investigations, tribunal decisions and orders are usually the most highly publicized aspects of the work of any information and privacy commissioner, they are not the exclusive focus of attention. Similarly, while addressing privacy breaches is essential, it is far preferable if breaches never occur. To this end, a modern and effective regulator should direct significant efforts toward ensuring that regulated parties adopt careful and compliant practices. There are many ways to do this, including through timely guidance, engagement, and the creation of incentives that go beyond box-checking and substantively improve practices. On the access side, while addressing complaints over denials of access to information remains a vital part of the regulator’s role, the regulator can also encourage and support efforts to be transparent on a more proactive and systematic basis. One interesting initiative from the IPC this year was the Transparency Challenge that encouraged entities subject to Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA), and its municipal counterpart, MFIPPA, to submit their best efforts at proactive transparency, which the IPC curated as part of a virtual showcase.
A modern and effective regulator is open to advice and input. The IPC has a 25-member Strategic Advisory Council, and a new Youth Advisory Council offering input and advice on issues of particular interest to youth in Ontario. A modern and effective regulator can also develop tools and guidance to help organizations make better choices about the technologies they adopt. They can also educate and empower citizens to understand and exercise their rights. This year, the IPC developed and published new lesson plans for Ontario schools to teach children about privacy. Commissioner Kosseim also reaches out to the public with regular blog posts on important privacy and access issues, and a great podcast series, Info Matters, featuring engaging interviews with experts on important privacy and access issues.
The rapid pace of technological change — and the dramatic nature of some of these changes — has become a major challenge for both legislators and regulators. For the IPC, these changes may require developing new knowledge or skills through training and hiring; planning and strategically forecasting to anticipate changes and their impacts; conducting research to develop policy and guidance for emerging technologies; working with government to provide input on evolving law and policy; and liaising with other regulators — not just in the access/privacy area but also in related fields. The recent joint statement by the IPC and the Ontario Human Rights Commission on the need to develop appropriate AI governance for Ontario is an example of the IPC’s ongoing work to collaborate with other regulators on issues of mutual concern. Another example is the joint resolution on Digital ID issued by the federal, provincial and territorial access and privacy commissioners, which called on governments to ensure “that privacy and transparency rights are respected throughout the design, operation, and evolution of digital identity ecosystems in Canada.” The IPC is also involved in developing recommendations and guidance that can shape how public bodies address privacy and transparency when they adopt new technologies or approaches.
This brief account can only capture a small amount of the day-to-day work of the IPC to meet its multi-faceted mandate in a responsive and accountable way during a time of significant technological change. I step away from my term as scholar-in-residence with new knowledge and insights, with some ideas for new collaborative research ideas for the future — and with a great deal of respect for an outstanding team with a genuine commitment to privacy and access in the public interest.
Dr. Teresa Scassa is the Canada Research Chair in Information Law and Policy at the University of Ottawa, Faculty of Law. She served as IPC’s first Scholar-in-Residence from September 1, 2022 until June 30, 2023.
This post is also available in: French