Ontario public sector institutions must meet high standards of care and trust whenever collecting, using and disclosing personal and other sensitive information. Any public institution considering new information technologies, systems, and program services that may affect privacy are strongly
The Toronto Zoo experienced a ransomware attack that compromised the personal information of a significant number of employees, volunteers, donors, members, and guests. This unauthorized access led to data being encrypted, stolen, and then posted on the dark web. The breach revealed gaps in the Zoo
Neurotechnologies can be used for medical and therapeutic interventions, as diagnostic and preventative tools, to enhance cognitive functions, and advance research on the brain. The IPC commissioned Verónica Arroyo, a privacy lawyer and policy advisor on emerging technology, to develop this
Workplace surveillance can take many forms, from monitoring employee productivity, tracking online activity or even as part of the hiring process. The IPC commissioned Dr. Adam Molnar, Assistant Professor, Sociology and Legal Studies at the University of Waterloo, to produce an overview of workplace
Case of Note: File MR23-00112 Background In November 2023, the Toronto Public Library (TPL) reported a cybersecurity breach to the Office of the Information and Privacy Commissioner of Ontario (IPC). The breach, which related to a ransomware attack, was first detected in October 2023 when TPL
A cybersecurity attack on Innomar Strategies’ systems resulted in the exfiltration of a significant number of individuals’ personal health information. The threat actor(s) gained access to an affiliate through a system vulnerability and moved laterally to gain access to Innomar’s systems. Read the
On January 28, 2025, the IPC had the pleasure of hosting Ontarians at a public event in celebration of Data Privacy Day. The theme was the Power of PETs: Privacy Enhancing Technologies. A recording of the event is available on our YouTube channel and my opening remarks, for those of you interested
A social engineering attack at a TDSB high school led to the unauthorized access of personal information belonging to current and former students, parents and staff across several schools. The threat actor gained unauthorized access to the affected schools’ systems by obtaining the login credentials
A cyberattack on the Toronto Public Library exposed vulnerabilities in its systems that contained a significant number of individuals’ personal information. Read the closing letter to learn about how the case was settled at the Early Resolution Stage.
This publication outlines the key obligations of police under privacy legislation in their use of ALPR systems. This is an update of the guidance document originally published in 2017, and provides recommendations, including best practices, on using these systems in a privacy-protective manner
