Our goal is to advance Ontarians’ privacy and access rights by working with public institutions to develop bedrock principles and comprehensive governance frameworks for the responsible and accountable deployment of digital technologies.
Our work to further this goal includes the resources below.
May 19, 2021 – Privacy should be front and centre as governments and businesses consider COVID-19 vaccine passports as a tool to help Canadians return to normal life, say Canada’s privacy guardians.
Vaccine passports would allow people to travel and gather again and could support economic recovery while protecting public health. They would, however, require individuals to disclose personal health information about their vaccine or immunity status in exchange, potentially, for access to goods and services, for example, restaurants, sporting events and airline travel.
“While this may offer substantial public benefit, it is an encroachment on civil liberties that should be taken only after careful consideration,” federal, provincial and territorial privacy commissioners and the ombuds of Manitoba and New Brunswick say in a joint statement issued today.
“Vaccine passports must be developed and implemented in compliance with applicable privacy laws. They should also incorporate privacy best practices in order to achieve the highest level of privacy protection commensurate with the sensitivity of the personal health information that will be collected, used or disclosed,” the statement says.
The statement was endorsed during the annual meeting of federal, provincial and territorial access to information and privacy guardians. The Manitoba Ombudsman hosted the meeting, which took place virtually given the pandemic.
This statement outlines fundamental privacy principles that should be adhered to in the development of vaccine passports.
In particular, it notes that, in light of the significant privacy risks involved, the necessity, effectiveness and proportionality of vaccine passports must be established for each specific context in which they will be used.
In other words, vaccine passports need to be shown to be necessary to achieve the intended public health purpose; they need to be effective in meeting that purpose; and the privacy risks must be proportionate to the purpose, i.e. the minimum necessary to achieve it.
Further, vaccine passports, whether introduced by governments or public bodies for public services, or by private organizations, need to have clear legal authority. In addition, organizations considering vaccine passports should consult with the privacy commissioners in their jurisdiction as part of the development process.
The statement also notes that any personal health information collected through vaccine passports should be destroyed and vaccine passports decommissioned when the pandemic is declared over by public health officials or when vaccine passports are determined not to be a necessary, effective or proportionate response to address their public health purposes. Vaccine passports should not be used for any purpose other than COVID-19.
News of cyberattacks continues to dominate headlines across the country. From individual instances of identity theft to large-scale ransomware attacks involving millions of people, these malicious assaults on our personal data systems show no sign of abating. As their tactics become more sophisticated, cybercriminals are finding increasingly insidious ways to lure victims. Now, during a time in which a worldwide pandemic has forced us to conduct most of our lives online, the need to be vigilant has never been more important.
October is Cyber Security Awareness Month. This month-long, international campaign is intended to inform the public about the importance of cyber security, and provide education on the steps to take to become more secure online. This year, Cyber Security Awareness Month will focus on how we can better protect our personal devices.
The IPC has developed a number of resources designed to help public sector organizations, health professionals, and the public safeguard personal information online and better protect themselves from falling prey to cyberattacks.
Safeguarding personal information online is crucial in preventing identity theft. Minimizing the amount of personally identifiable information on social media and using strong passwords are just some of the online protections we explore in Identity Theft: a Crime of Opportunity.
Phishing can happen in an instant - you open an email with an infected attachment, click on an innocent-looking link that downloads malware, and within moments, you’ve exposed your most sensitive personal or confidential information to attackers. Our fact sheet, Protect against Phishing, contains guidance for institutions and the public on how to recognize phishing messages, protect against phishing attacks, and limit the damage in the event of an attack.
Ransomware attacks often involve bad actors infiltrating large-scale information systems to kidnap (quite literally) huge volumes of client data and hold it for ransom. Victim organizations must choose between paying the large sums of money being demanded or seeing all the data released online, resulting in devastating privacy breaches and loss of public trust. To help public organizations and healthcare facilities protect themselves from ransomware, our office published Protecting against Ransomware, which outlines various strategies for protecting information and responding to attacks.
Privacy Rights of Children and Teens, a lesson plan produced by MediaSmarts for Canada’s federal, provincial and territorial data protection authorities, examines the potential privacy risks of online engagement and how young people can protect their personal information through better knowledge of their personal privacy rights.
By being aware of the risks, we can better protect ourselves from falling into the traps of bad actors who try to use our personal devices against us — particularly at a time when we have become so highly dependent on technology to work, go to school, shop, attend appointments and socialize online.
I hope you will take some time this month to review these IPC resources on cyber security and check out the Cyber Security Awareness Month website on a weekly basis to learn some new tips on how to better secure your devices.
Adopting that old carpenter’s adage, we should always remember to “read twice, click once.”
This is my first Right to Know Week as Ontario’s Information and Privacy Commissioner. I am excited to join my fellow commissioners from across the country in raising awareness about access rights and freedom of information from September 28 to October 4.
Freedom of information is essential to democracy and good governance, helping citizens gain a better understanding of government decision-making and the policies and issues that matter to them.
As we navigate the enormous challenges associated with COVID-19, the need for openness, transparency, and accountability has never been more important. People are looking for insight into the decisions and actions being taken by governments and institutions to keep their families and communities safe. They are also looking for telling numbers, trends and statistics to try and understand where the hot spots are and why. During these challenging times, institutions must continue to do all they can not only to respond to access requests, but to be proactive in disclosing non-identifiable information that’s important for the public to know in times like these.
I am especially proud of the work the IPC does every day to help Ontarians exercise their access rights. The IPC kicked off 2020 with an expanded mandate under the Child, Youth and Family Services Act. We now support children – as well as adults – looking to access records of their personal information held by children’s aid societies and other family service providers. Outreach materials like our It’s About You brochure are just one of the ways we help to de-mystify the process for young people.
In addition to our work with the public, we publish a number of guides and fact sheets to help public sector institutions understand their obligations under Ontario’s access laws. For example, our recent guide, the Labour Relations and Employment Exclusion, explains how public sector organizations should interpret and apply the exclusion for information about labour relations and employment matters under Ontario’s access laws.
On September 30 from 2 to 3 pm (EST) I will participate in a virtual panel to discuss the issues and challenges associated with being a newly appointed commissioner during this pandemic.
During Right to Know Week, Canadians can tune into a variety of virtual events to learn more about freedom of information and their right to access government information. You can find out about what’s going on across the country by visiting righttoknow.ca.
Another way to join the conversation about access rights is by following the #RTK2020 hashtag on Twitter.
I’m looking forward to the engaging discussions that will take place during Right to Know Week. I hope you will find the time to tune in and be a part of the conversation.
Patricia
The new work-from-home reality hit many of us like a ton of bricks - bricks and mortar, that is. From a usual Friday afternoon at our office desks, surrounded by familiar people and things... to a Monday morning email instructing us to stay home for the sake of our own health and safety.
With no playbook to follow, many organizations had to turn on a dime to get staff the informational assets they needed to continue to be productive and maintain operations from home. Admittedly, access to information and privacy were not top of mind.
However, what may not have been obvious then, should be abundantly clear now: Ontario’s access and privacy laws continue to apply even when working from home.
To help organizations and their staff navigate the “new normal,” the IPC has released a new access and privacy fact sheet specifically adapted for the work-from-home context. It includes best practices and strategies for adopting new virtual communication channels while continuing to protect personal information and responsibly manage data.
As we settle in for the long ride, it’s essential that corporate policies and practices related to access, privacy, and security be adapted, as needed, to ensure continued compliance when working from home. Staff must be reminded of their responsibilities, which include:
diligently following all work-from-home information security protocols,
remaining particularly vigilant of new phishing attacks,
immediately reporting any data breaches, and
properly preserving and cataloguing records so they can be found when responding to access requests.
As the province begins to reopen and remote working conditions continue to evolve, let’s keep the conversation going, so organizations and their staff know how to mitigate risks to access, privacy and security even from home.
If you have questions about reducing the risks of remote work or other access and privacy topics, please feel free to contact us. Our offices may be physically closed right now, but we’re always available to help - virtually, that is.
News stories and alerts about data breaches are popping up on our news feeds and social media channels with increased regularity. To help Ontario’s public sector organizations manage and prevent privacy breaches, the IPC has updated its guidance.
A privacy breach occurs when personal information is collected, retained, used, disclosed, or disposed of in ways that do not comply with Ontario’s privacy laws.
The most common privacy breaches occur when unauthorized persons gain access to personal information. For example, personal information may be seized in a cyberattack, stolen from a portable device, or accessed by an employee for improper purposes.
The updated guidance provides the steps that public sector organizations should follow immediately upon learning of a privacy breach. It also outlines the IPC investigation process and practical measures organizations can implement to reduce the risk of future privacy breaches.