Policy consultations

Consultation at the early stages of developing a new program, project, policy, device, technology, or other proposal can often identify and address privacy, security, and access issues upfront and help avoid problems later. We can provide general guidance and best practices about privacy, security, and access issues and recommend improvements to current practices. We may also direct you to additional resources for further guidance.

As a result, you can learn how to lower the risks of privacy and security breaches and get answers to questions about statutory privacy protection and access to information requirements as well as general best practices. Consultations allow you to access our experience and expertise and clarify your responsibilities under Ontario’s access and privacy laws.

You may wish to consult with us on a wide range of data-related projects or proposals that involve personal information, personal health information, or even de-identified information and synthetic data, or on potential projects that may involve some form of digital identification or artificial intelligence, or affect or facilitate access to information. This is particularly the case where the proposal relates to a high-risk or precedent setting initiative. You may have questions about a new project, program, service, policy, device, technology, system, or other proposal. You may even want us to review and provide feedback on a privacy impact assessment (PIA) that you have conducted for a proposal.

We encourage you to ask about potential risks to privacy and security related to your proposal and ask about best practices to protect information and appropriately safeguard it to prevent breaches. We can help you understand your responsibilities under applicable privacy and access laws and suggest best practices for protecting privacy or enhancing access to information. For general questions about Ontario’s access and privacy laws, you can visit IPC’s website at www.ipc.on.ca or email the IPC’s information service at @email.

Our stakeholders typically include organizations subject to one or more of Ontario’s access and privacy laws, such as public institutions, health care providers, police services, and children’s aid societies.

Private sector organizations that provide services to the above organizations and handle personal information or personal health information can also ask us questions, to the extent they too may be subject to laws under our jurisdiction. We may also consult with:

• technology and electronic service providers
• health app developers
• developers of software or novel technologies
• innovators applying emerging technologies, such as artificial intelligence, to benefit existing health care, law enforcement, system planning, research, or other systems.

Private sector organizations may be subject to the federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Questions about compliance with federal legislation should generally be directed to the Office of the Privacy Commissioner of Canada.

A consultation with the IPC cannot validate or certify that you are acting in compliance with Ontario’s access and privacy laws. However, it can help identify issues and address questions that strengthen your awareness of specific risks about a proposal and your responsibilities to lower those risks, resulting in enhanced compliance with the applicable laws.

While we welcome the opportunity to consult with you, we do not provide legal advice. We do not endorse, approve, or certify any proposal, program, service, device, or technology. However, we can provide general guidance and best practices about privacy, security, and access issues or recommend improvements to current practices. For example, we can address specific questions about privacy risks associated with a proposal, or review a privacy impact assessment or draft policy and provide feedback. We may also direct you to additional resources for further guidance.

The feedback and guidance provided during a consultation with our policy staff does not bind the IPC’s tribunal. Our tribunal staff who work in a separate division may be called upon to independently investigate and decide upon an individual complaint or appeal related to these programs, technologies, services, and information practices, based on their specific application and the particular circumstances of a given case.

IPC consultations are a flexible and relatively informal process. They generally involve either a one-time meeting or a series of meetings, as requested or necessary. Many organizations choose to make a presentation to the IPC staff, followed by a discussion.

Preparation is often the key to a successful and productive consultation with our office. You might want to take the following steps before the consultation:

Identify data flows and associated considerations. In some cases, setting out the intended data flows for an initiative — even informally — may help you prepare to answer common consultation questions, including:

• What information will be collected? By whom? From whom?
• How will the information be used and for which purposes?
• To whom will the information be disclosed (or shared) and for what purposes?
• How will the information flow through the proposed program, project, technology, or process you are considering?
• How is the information being protected at each step?
• Are you or another organization performing each step within the data flow, and under what authority?
• How are individuals being notified about the process? How can they exercise their rights, such as to access their information?

We do not expect you to have a perfect data flow map at the time of consultation, particularly where an initiative is still under development. However, it is often very helpful if you have carried out this preliminary exercise.

Provide materials in advance. We generally avoid providing immediate feedback the first time we hear of an initiative. We consider it more responsible to take time for reflection. As such, if you provide us with key materials, including privacy impact assessments (PIAs) or draft PIAs, at least three business days in advance of a scheduled consultation (or more, depending on the complexity), we can come to the meeting better prepared for an active discussion and dialogue.

Consider your goals for the consultation. Are there specific questions you need answers to? Are you looking for overall impressions and a discussion about general risks and obligations or detailed comments on specific aspects of a proposal? If you can define the scope of your consultation, you will likely receive feedback that is more targeted to your needs. To enhance the consultation process, we suggest you prepare the questions or concerns you want to discuss and send them to us in advance.

Consultation meetings can be held virtually, at the organization’s premises, if practical and necessary to view an on-site demonstration, for example, or at the IPC’s office located in Toronto.^[2]

While timing is flexible, it is often most productive to engage us after your proposed project is past the initial idea stage but prior to implementation. Ideally, you will have already conducted a PIA or have a draft PIA well underway. Consultations with the IPC should not be approached as a ‘check box’ exercise — you should come both expecting and looking for meaningful feedback on a proposal.

To make the process meaningful, it is important that you build time for a consultation with the IPC into your project plan. This helps to avoid last-minute requests and ensures you have adequate time to consult with us and incorporate any necessary changes based on the feedback or recommendations we have provided.

Before requesting a consultation with the IPC, you may want to think about the following:

• Can you clearly describe relevant aspects of the proposal, such as what personal information or personal health information will be collected and used, by whom, and for which purposes? Will it be disclosed (shared) with others? If so, to whom and for what purposes?
• What legal authority will your organization be relying on to collect, use, or disclose personal information or personal health information? (You should consult with your organization’s advisors, such as privacy officers or legal counsel. Provincial government institutions may wish to first consult with the Information, Privacy and Archives division of the Ministry of Government and Consumer Services.)
• How do you plan to safeguard the information?
• Are you clear on what you would like to get out of the consultation, and are you looking for answers to specific questions?

If you can answer the above questions, you are likely in a good position to start the consultation process. You may also want to refer to Planning for Success: Privacy Impact Assessment Guide for additional guiding questions.

If you are unsure if your proposal is at the right stage for a consultation, you can reach out to us for an initial conversation. We would rather hear from you too early than too late (or not at all), even if we can only provide some initial resources and recommend you come back for further discussion once the project is more advanced.

During a consultation, you might provide — either proactively or at our request — information for our review, such as background materials, project plans, privacy impact assessments, or draft policies. We will not disclose this information, unless it is necessary to exercise our statutory functions or you agree to the disclosure.

If we are asked whether we were consulted on a matter that is publicly known, in most cases we will be transparent about the fact that a consultation did or did not occur, and will inform you as a matter of courtesy. We may also describe considerations and recommendations relevant to the topic in general. If details are sought about the specific substance of your consultation, we would refer the requester back to your organization.

As well, each year we publish in our annual report a list of significant consultations and engagements that were undertaken in the past year. Each entry on this list includes the name of the organization and the general topic of the consultation, but not any details. As an example, please see our annual report, under the heading “Advice and Consultations.”

Like many of our stakeholders, you may want to refer to your consultation with us in public-facing statements or documents (such as media statements or board reports). We do not object to this as long as you characterize the scope and nature of the engagement accurately. For instance, you may stipulate as follows: “While developing this program, we received and took into account comments from the Office of the Information and Privacy Commissioner of Ontario.”

We ask that you provide us with advance notice if you intend to reference the consultation you had with the IPC when speaking in a public forum, such as at media briefings or industry conferences.

Since we do not endorse, approve, or certify any proposal, program, service, system, device, or technology as part of our consultations, you must not state or imply that any of these have occurred. Our staff can assist you in characterizing your consultations with us appropriately.

Many of our stakeholders already have regular or occasional contact with our office. If this includes you, please feel free to request a consultation through your regular correspondence with our office or through your established contact person.

For stakeholders who are new to the consultation process or who simply want to ask questions about the consultation process, please send a message to @email.

To help us direct your request, please consider including some high-level information about your proposal, including:

• your sector (health, law enforcement, education, children’s services, government, or private sector with clients in one of these areas)
• a brief description of your proposed initiative
• the scope of your request (e.g., an overall review of a new project, a question on a specific point of compliance, etc.)

We look forward to hearing from you and will respond as soon as possible.