IPC - Office of the Information and Privacy Commissioner/Ontario | What's New http://www.ipc.on.ca en-us

Recommendations for the Strategy for a Safer Ontario
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=439
Today our office submitted a set of <A href="https://www.ipc.on.ca/english/Resources/Reports-and-Submissions/Reports-and-Submissions-Summary/?id=1661">eight recommendations</A> to the Ministry of Community Safety and Correctional Services on its <A href="https://www.ontario.ca/page/strategy-safer-ontario-public-discussion-paper">Strategy for a Safer Ontario</A> consultation, which includes a review of the Police Services Act (PSA). We are pleased the Ministry is openly engaging with the public and other stakeholders on this important initiative. <BR> <BR> The Ministry’s consultation paper considers the use of surveillance technologies and practices to strengthen public safety. These measures involve the collection, use and disclosure of personal information, for which police services are accountable under Ontario’s access and privacy legislation. While the goal of enhancing public safety is laudable, the Ministry must ensure that access and privacy rights are protected. <BR> <BR> In this submission, we call for: <BR> <UL> <LI>strong governance frameworks that meet transparency and privacy best practices for programs that involve&nbsp;sharing of personal information among multiple agencies <LI>province-wide standards for police use of surveillance technologies <LI>amendments to the PSA to ensure transparency and accountability in outcomes of police misconduct complaints&nbsp;and Special Investigation Unit matters <LI>engagement with our office and other key stakeholders on new programs or initiatives, or legislative reform, that&nbsp;may impact privacy or access rights </LI> </UL>
Fri, 29 Apr 2016 00:00:00 GMT

When Are Councillors’ Records Subject to Access?
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=438
Freedom of information legislation provides Ontarians with rights of access to records held by government institutions. Government transparency and access to information are vital for a free and functioning democracy because they allow for meaningful participation in the democratic process and accountability of public officials. <BR> <BR> Our office is sometimes required to decide access to information appeals relating to requests for records held by municipal councillors. Unfortunately, the <A href="https://www.ontario.ca/laws/statute/90m56"><EM>Municipal Freedom of Information and Protection of Privacy Act </EM></A>(<EM>MFIPPA</EM>) does not expressly refer to records of municipal councillors. Our office has been calling for amendments to <EM>MFIPPA</EM> to bring clarity to when it applies to councillors’ records. In August 2015 we <A href="https://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=392">wrote to the Minister of Municipal Affairs and Housing</A> advocating for amendments. <BR> <BR> In the absence of the changes to the law, we have issued a new <A href="https://www.ipc.on.ca/english/Resources/Best-Practices-and-Professional-Guidelines/Best-Practices-and-Professional-Guidelines-Summary/?id=1657">fact sheet</A> which explains when and how councillors’ records are subject to <EM>MFIPPA</EM>. <BR> <BR> The determination of whether councillors’ records are subject to <EM>MFIPPA</EM> depends largely on the context. It involves a consideration of a number of factors and circumstances. The fact sheet outlines the relevant factors and our findings in a number of cases. We hope it will assist municipalities in educating councillors about their responsibilities and in developing comprehensive policies and procedures regarding the appropriate management of records.
<BR> <BR> This Freedom of Information Fact Sheet is the first in a new series to inform institutions, individuals and organizations about access to information laws. Each fact sheet in the series will help parties navigate the access to information process and understand how the IPC views the exemptions and exclusions in the acts, and highlight key decisions, findings and updates. <BR>
Fri, 22 Apr 2016 00:00:00 GMT

The IPC takes part in the 2016 GPEN “Privacy Sweep”
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=437
Our office is pleased to announce that we will be participating in the Global Privacy Enforcement Network’s (GPEN) annual “Privacy Sweep” (Sweep) initiative, where privacy enforcement authorities work together to protect the privacy rights of individuals around the world. <BR> <BR> This year’s theme is the Internet of Things and Accountability, with a focus on health-related devices. As the oversight agency for Ontario's health privacy legislation, we will be taking part by surveying a number of medical devices available for sale and use in our province. As part of the sweep, the IPC will consult with nearly two dozen device manufacturers on how their devices operate, what information is collected, how it is used and disclosed when in use, how it may be protected, and what options are available to users to exercise control over their personal health information. <BR> <BR> The Sweep initiative will help us to better understand the information flows of devices that are intended for remote use by individuals. Survey results will be used to generate a GPEN Sweep report on privacy practices of “Internet of Things” devices and services, and will be made public this fall. <BR> <BR> GPEN promotes cross-border collaboration among privacy enforcement authorities that oversee privacy laws. <BR> <BR> To learn more about GPEN, please visit: <A href="https://www.privacyenforcement.net/">https://www.privacyenforcement.net/</A>.
Fri, 15 Apr 2016 00:00:00 GMT

Job Posting: Legal Counsel
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=436
Job posting: Legal Counsel
Wed, 13 Apr 2016 00:00:00 GMT

Reaching Out to Ontario: Kingston
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=435
<P>As part of our Reaching Out to Ontario outreach program, the Information and Privacy Commissioner is pleased to announce a special event we will be hosting at <A href="http://www.queensu.ca/">Queen’s University</A> on May 4. Commissioner Brian Beamish and other IPC leaders will use this occasion to update Ontarians on the emerging access and privacy issues facing the province’s health and public sectors.<BR> <BR> The topics that will be discussed include:</P> <UL type=disc> <LI>the burgeoning challenges of conducting business on personal devices; <LI>protecting patient privacy; <LI>recent developments in access to information; and <LI>whether cloud computing services are suitable for institutions’ information management needs.
</LI> </UL> <P>For more details and to <A href="https://www.ipc.on.ca/english/Resources/Events/Events-Summary/?id=217">RSVP</A></P> <P><STRONG>Event Details</STRONG>:<BR> <STRONG>Date</STRONG>: Wednesday, May 4, 2016<BR> <STRONG>Time</STRONG>: 9:00 to 11:00 a.m.<BR> <STRONG>Location: <BR> </STRONG><A href="http://www.queensu.ca/" target=_blank>Queen’s University</A><BR> School of Kinesiology and Health Studies (<A href="http://www.queensu.ca/skhs/contact/location" target=_blank>Map</A>) <BR> 28 Division Street <BR> Kingston, ON </P>
Thu, 24 Mar 2016 00:00:00 GMT

Submission to the Standing Committee on Bill 119 – Health Information Protection Act, 2015
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=434
Ontario’s Information and Privacy Commissioner, Brian Beamish, submitted his comments this afternoon to the Standing Committee on Justice Policy on the&nbsp;<EM><A href="http://www.ontla.on.ca/web/bills/bills_detail.do?locale=en&amp;BillID=3438">Health Information Protection Act, 2015</A></EM>. The Commissioner’s <A href="/site_documents/2016-03-03 Bill-119.pdf">submission </A>is divided into two distinct sections. The first relates to proposed amendments to the <EM><A href="https://www.ontario.ca/laws/statute/04p03">Personal Health Information Protection Act </A></EM>(<EM>PHIPA</EM>) and the second addresses the proposal to repeal and replace the <A href="https://www.ontario.ca/laws/statute/04q03"><EM>Quality of Care Information Protection Act</EM> </A>(<EM>QCIPA</EM>). <BR> <BR> Given that the proposed amendments to <EM>PHIPA</EM> were developed in close consultation with our office, the Commissioner is supportive of the proposed amendments to <EM>PHIPA</EM>, which will create a governance framework for the shared provincial Electronic Health Record. <BR> <BR> While our office has no direct oversight of <EM>QCIPA</EM>, we adjudicate disputes where access may be refused on the ground that records are shielded by <EM>QCIPA</EM>.
The Commissioner believes that the new version of <EM>QCIPA</EM> should be amended to enhance accountability and transparency. More specifically, our office should have the express authority to review records claimed to be shielded by <EM>QCIPA</EM>. Further, individuals should continue to have a right of access to facts in respect of all incidents that may be subject to review under the new version of <EM>QCIPA</EM>. <BR> <BR> We look forward to working with the Ministry of Health and Long-Term Care on the implementation of these important amendments, and the regulations giving effect to these amendments, that will strengthen privacy and accountability for all Ontarians. <BR>
Thu, 03 Mar 2016 00:00:00 GMT

Memorandum of Understanding: OPC
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=432
The IPC signed the Memorandum of Understanding below with the <A href="https://www.priv.gc.ca/index_e.asp">Office of the Privacy Commissioner of Canada</A> (OPC) related to the administration and enforcement of the <EM>Personal Health Information Protection Act </EM>(<EM>PHIPA</EM>) and the <EM>Personal Information Protection and Electronic Documents Act</EM> (<EM>PIPEDA</EM>). <BR> <BR> <STRONG>MEMORANDUM OF UNDERSTANDING BETWEEN THE OFFICE OF THE PRIVACY COMMISSIONER OF CANADA AND THE OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER OF ONTARIO ON MUTUAL ASSISTANCE IN THE ADMINISTRATION AND ENFORCEMENT OF LAWS PROTECTING <BR> PERSONAL INFORMATION </STRONG><BR> <BR> <BR> The Office of the Privacy Commissioner of Canada (“OPC”) and the Office of the Information and Privacy Commissioner of Ontario (“OIPC”) (“the Participants”): <BR> <BR> RECOGNIZING that the OPC and OIPC have oversight responsibilities with respect to the protection of personal information in their respective jurisdictions; <BR> <BR> RECOGNIZING that the OPC, pursuant to the <EM>Personal Information Protection and Electronic Documents Act</EM>, S.C. 2000, c.
5 (“PIPEDA”), is responsible for protecting personal information in the private sector in Canada; <BR> <BR> RECOGNIZING that the OIPC, pursuant to the <EM>Personal Health Information Protection Act</EM>, 2004, S.O. 2004, c. 3, Sch A (“PHIPA”), is responsible for protecting personal health information in Ontario; <BR> <BR> RECOGNIZING that <EM>PHIPA</EM> has been found to be substantially similar to <EM>PIPEDA</EM>; <BR> <BR> RECOGNIZING that there are circumstances where the Participants may have a mutual interest in a matter pursuant to their respective mandates; <BR> <BR> RECOGNIZING that s. 23 of <EM>PIPEDA </EM>authorizes the OPC to consult, coordinate its activities and share information with a person who, under provincial laws, has similar functions and duties with respect to the protection of personal information; <BR> <BR> RECOGNIZING that s. 66(e) of <EM>PHIPA </EM>authorizes the OIPC to assist in investigations and similar procedures conducted by a person who performs similar functions to the OIPC under the laws of Canada, except that in providing assistance, the OIPC shall not use or disclose information collected by or for the OIPC under <EM>PHIPA</EM>; <BR> <BR> RECOGNIZING that s. 68(3) of <EM>PHIPA</EM> permits the OIPC to disclose information in the course of exercising the OIPC’s functions under <EM>PHIPA</EM>, where the disclosure is required for the purpose of exercising those functions; <BR> <BR> RECOGNIZING that the Participants have similar functions and duties with respect to the protection of personal information; and <BR> <BR> RECOGNIZING the benefits of consultation, co-ordination and information sharing (where not prohibited) with respect to their mandates under <EM>PIPEDA </EM>and <EM>PHIPA</EM>;<BR> &nbsp;<BR> HAVE REACHED THE FOLLOWING UNDERSTANDING: <BR> I. 
Objective <BR> <BR> The objective of this Memorandum is to establish a framework to allow the Participants to consult, co-operate and share relevant information with respect to matters arising under <EM>PIPEDA</EM> and <EM>PHIPA</EM> in which the Participants are mutually interested. <BR> <BR> II. Procedures Relating to Mutual Assistance <BR> <BR> A. Each Participant will designate a primary contact for the purposes of requests for assistance and other communications under this Memorandum. <BR> <BR> B. Participants may communicate and co-operate with each other, as appropriate, about matters arising under <EM>PIPEDA </EM>and <EM>PHIPA</EM>, in which they are mutually interested. <BR> <BR> C. Subject to Section III, the Participants may share information that could be relevant to an ongoing or potential investigation of a complaint or audit under <EM>PIPEDA </EM>or <EM>PHIPA</EM>, or that could assist the Participants in the exercise of their functions or duties with respect to the protection of personal information. <BR> <BR> D. The Participants will notify each other, without delay, if they become aware that information shared under this Memorandum is not accurate, complete, and up-to-date. <BR> <BR> E. Subject to Section III, Participants may, as appropriate and subject to relevant legal restrictions, refer complaints to each other, or provide each other notice of possible contraventions. <BR> <BR> F. Participants will use their best efforts to resolve any disagreements related to co-operation that may arise under this Memorandum through the contacts designated under Section II A, and, failing resolution in a reasonably timely manner, by discussion between the heads of the Participants. <BR> <BR> III. Limitations on Assistance and Use <BR> <BR> A. 
For greater certainty, nothing in this Memorandum requires Participants to provide assistance where it is outside the scope of this Memorandum or, more generally, where it would be inconsistent with applicable laws, or important interests or priorities. <BR> <BR> B. Participants will only share personal information pursuant to this Memorandum to the extent that it is necessary for fulfilling the purposes of this Memorandum and will use best efforts to obtain the consent of the individual(s) concerned before doing so. <BR> <BR> C. The Participants acknowledge that nothing in this memorandum is to be construed as authorizing the OIPC to share information collected by or for the OIPC under <EM>PHIPA</EM> unless the disclosure is required for the purpose of exercising the OIPC’s own functions under <EM>PHIPA</EM>; <BR> <BR> D. Participants will not use any information obtained pursuant to this Memorandum for purposes other than those for which the information was originally shared. <BR> <BR> IV. Confidentiality <BR> <BR> A. Information shared under this Memorandum is to be treated as confidential and will not be further disclosed without the consent of the Participant who provided it. <BR> <BR> B. Each Participant will use best efforts to safeguard the security of any information received under this Memorandum and respect any safeguards agreed to by the Participants. In the event of any unauthorized access or disclosure of the information, the affected Participant will take all reasonable steps to prevent a recurrence of the event and will promptly notify the other Participant of the occurrence. <BR> <BR> C. The Participants will oppose, to the fullest extent possible consistent with applicable laws, any application by a third party for disclosure of confidential information or materials received under this Memorandum, unless the Participant who provided the information or materials consents to its release. 
The Participant who receives such an application will notify forthwith the Participant that provided it with the information or materials. <BR> <BR> V. Retention of Information <BR> <BR> Information received under this Memorandum will not be retained for longer than is required to fulfill the purpose for which it was shared or than is required by applicable laws. The Participants will use best efforts to return any information that is no longer required if the Participant who provided the information makes a written request that such information be returned at the time it is shared. If no request for return of the information is made, the Participants will dispose of the information using methods prescribed by the Participant who provided the information, or if no such methods have been prescribed, by other secure methods as soon as practicable after the information is no longer required. <BR> <BR> VI. Duration of Cooperation <BR> <BR> A. This Memorandum takes effect on the date it is signed. <BR> <BR> B. Assistance in accordance with this Memorandum will be available concerning matters occurring before as well as after this Memorandum is signed. <BR> <BR> C. This Memorandum may be terminated at any time on written notice by either Participant. However, prior to providing such notice, each Participant will use best efforts to consult with the other Participant. <BR> <BR> D. On termination of this Memorandum, the Participants will, in accordance with Section IV, maintain the confidentiality of any information communicated to them by the other Participant in accordance with this Memorandum, and return or destroy, in accordance with the provisions of Section V, information obtained from the other Participant in accordance with this Memorandum. <BR> <BR> VII. Legal Effect <BR> <BR> Nothing in this Memorandum is intended to: <BR> <BR> A. Create binding legal obligations. <BR> <BR> B. 
Create obligations or expectations of co-operation that would exceed a Participant’s jurisdiction. <BR> <BR> Signed in duplicate in the English and French languages, each version being equally authentic. <BR> <BR> Brian Beamish <BR> Information and Privacy Commissioner&nbsp;of Ontario&nbsp;<BR> At: Toronto, ON <BR> Date: September 23, 2014 <BR> <BR> Daniel Therrien&nbsp;<BR> Privacy Commissioner of Canada <BR> At: Gatineau, QC&nbsp;<BR> Date: August 15, 2014
Mon, 22 Feb 2016 00:00:00 GMT

New Privacy Protective E-Petition System Recommended
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=431
This week, the Standing Committee on the Legislative Assembly presented its <A href="http://www.ontla.on.ca/committee-proceedings/committee-reports/files_html/SCLA E-petitions Report - Final (English).htm">report</A> recommending an e-petition system be added to the Assembly’s existing petition procedures. The report highlights many of the recommendations presented by Commissioner Beamish in his <A href="https://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=409">October 21, 2015 submission</A>. In this submission, he expressed support for an e-petition process since it has the potential to increase government transparency, accountability and public engagement. He also outlined the necessary controls which should be in place to manage personal information and protect the privacy of individuals. The Standing Committee’s report highlights these suggestions and recommends that Assembly staff work closely with our office to ensure best practices are observed. We look forward to working with the Assembly staff on the development and implementation of the new process in a manner that protects the privacy and security of personal information.
Fri, 19 Feb 2016 00:00:00 GMT

Thinking About Clouds?
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=430
Cloud computing is a method of providing information and communication technology resources to individuals and organizations as an online service. It allows organizations with broad network access to tap into a shared pool of virtually unlimited computing resources hosted elsewhere, whether maintained by them or by a third party, paying only for what software and other services are actually needed or used. Cloud computing is an attractive option for many public sector institutions because it can reduce operating costs and improve operational capabilities and efficiencies. <BR> <BR> However, moving personal information and processing operations into the cloud also raises concerns about information security, individual privacy and legal compliance. Information security risks may include new insider threats, and challenges to effective breach detection, remediation and reporting. Privacy risks include the potential for covert surveillance, and unauthorized access and disclosure of personal information. Compliance risks include the possibility that the laws of another jurisdiction may apply to the contract with the cloud provider. These and other risks must be addressed. <BR> <BR> The IPC has prepared a new guidance document, <A href="https://www.ipc.on.ca/english/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=1655">Thinking About Clouds? Privacy, security and compliance considerations for Ontario public sector institutions</A>, to help institutions evaluate whether cloud computing services are suitable for their information management needs. In particular, it seeks to raise awareness of the risks associated with using cloud computing services and outlines some strategies to mitigate those risks.
<BR> <BR> Recommended mitigation strategies include appropriate project planning, co-ordination, and documentation, undertaking risk analyses, applying data minimization measures, due diligence investigation of the cloud provider, negotiating effective contracts, and having an incident management plan in place. <BR> <BR> It is the responsibility of all public institutions in Ontario to maintain effective control of, and be fully accountable for, the personal information entrusted to them by the public they serve. <BR>
Tue, 16 Feb 2016 00:00:00 GMT

Toronto Star – Commissioner orders City of Oshawa to issue access decision about an email sent on personal account
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=429
In a decision that will be of interest to public institutions across Ontario, the IPC has ordered the city of Oshawa to issue an access decision about&nbsp;an email that Councillor Nancy Diamond sent using her personal email account. The email asked an investigator for feedback on the terms of his eventual hiring by the city. The city argued that since the Councillor did not use the city’s server to send the email, the email was not covered by Ontario’s access-to-information laws. In an interview with the <A href="http://www.thestar.com/news/city_hall/2016/02/03/email-from-oshawa-councillors-private-account-ordered-released.html">Toronto Star</A>, Commissioner Beamish said, "It's not a matter of what email was used or what device was used. If the matter relates to city business, it's subject to the act. I think this will help clarify for everybody that you're not avoiding access-to-information legislation simply because you use your own device or your own private email account." <BR> <BR> The Commissioner further added that there is a need for greater education so that elected officials, government staff and public employees understand their obligation to make relevant information available to the public.
"If it's public business, the basic principle is it should be accessible or potentially accessible to the public through the freedom-of-information process." <BR> <BR> For further information, please see IPC municipal order <A href="https://www.ipc.on.ca/english/Decisions-and-Resolutions/Decisions-and-Resolutions-Summary/?id=10005">MO-3281</A>.
Thu, 04 Feb 2016 00:00:00 GMT