IPC - Office of the Information and Privacy Commissioner/Ontario | What's New
http://www.ipc.on.ca

Commissioner Interviewed by TV Ontario
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=447

Commissioner Beamish was interviewed by TV Ontario’s John Michael McGrath about the direction he wants to take as Commissioner, where there is still work to be done with regard to transparency and privacy in Ontario and how public attitudes and expectations have changed when it comes to accessing government-held information.

Read the full interview <A href="http://tvo.org/article/current-affairs/the-next-ontario/brian-beamish-cynicism-towards-government-comes-from-a-feeling-of-being-alienated">here</A>.
Fri, 22 Jul 2016 00:00:00 GMT

Protecting Against Ransomware
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=446

Ransomware is a type of malicious software, or “malware,” that encrypts files on your device or computer and then demands payment in exchange for the key needed to decrypt the files. It essentially locks you out of your data and holds the means of regaining access for ransom.

In recent months, large Canadian institutions such as universities and hospitals have reported having their computer networks or systems attacked by some form of ransomware. Clearly, this software has become an increasingly common and serious threat to the security of electronic records. To help public organizations and healthcare facilities protect themselves, we have published a new technology <A href="https://www.ipc.on.ca/english/Resources/Best-Practices-and-Professional-Guidelines/Best-Practices-and-Professional-Guidelines-Summary/?id=1677">fact sheet</A> outlining various strategies for protecting information and how to respond to an attack.

We recommend a number of administrative and technological approaches organizations may take to help meet their legislative requirements as outlined in Ontario’s freedom of information and privacy laws. These approaches include employee training, limiting user privileges, software protections and more.

This fact sheet is the first in a new series to provide institutions and organizations with information about how new and emerging technologies may affect the privacy and access rights of individuals. Each fact sheet will introduce the basic concepts and techniques of a particular technology and outline key issues to consider.
Fri, 15 Jul 2016 00:00:00 GMT

Focus Ontario: A Year of Outreach, Engagement and Collaboration
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=445

Today we released our <A href="https://www.ipc.on.ca/english/Resources/Annual-Reports/Annual-Reports-Summary/?id=1674">2015 Annual Report – Focus Ontario: A Year of Outreach, Engagement and Collaboration</A>. The report contains a comprehensive review of the year in access and privacy issues, and detailed statistics about freedom of information requests, compliance rates, appeals and privacy complaints.

In the report, Commissioner Brian Beamish has made four significant recommendations to modernize access and privacy legislation. He is asking the government to conduct a comprehensive review of the province’s access and privacy laws to ensure Ontarians’ rights are better protected. A public review and update of the acts will ensure greater transparency and accountability of government institutions, meet the growing expectations of the public and ensure that Ontarians benefit from the same access and privacy rights as other Canadians.

It has been almost thirty years since the <I>Freedom of Information and Protection of Privacy Act</I> (<I>FIPPA</I>) and the <I>Municipal Freedom of Information and Protection of Privacy Act</I> (<I>MFIPPA</I>) became law. Since that time, public expectations, technologies and the ways in which government does business have changed. In other provinces, access and privacy laws have been strengthened to meet the challenges of modern society.

To keep pace with these changes, the Commissioner’s recommendations are:

<B>Expand Coverage</B>: Decisions about which organizations are covered by the two acts have been made sporadically and case-by-case, resulting in inconsistent levels of accountability and transparency. Unless there are unique and compelling reasons not to, an organization should be subject to these laws if:

• it receives a significant amount of its operating funds from the government,
• it delivers a program designed to support government objectives, or
• the government plays a significant role in its policy development and operational direction.

<B>Enact Privacy Complaint Order-Making Power</B>: The IPC has order-making power in relation to access requests, but this power is not extended to privacy complaints. Amending the law would enable the IPC to better protect the privacy rights of Ontarians by issuing binding orders to institutions that violate them.

<B>Mandatory Proactive Disclosure of Identified Categories of Records</B>: The legislation should be amended so that specific categories of information are identified for proactive disclosure, including, for example, procurement records. The public has a right to be informed about government procurement processes, including how contracts are awarded, what has been contracted for, how the successful bidders were chosen, what the costs of the contract are and who is responsible for decision-making. Disclosure of these records will bring increased transparency to public spending.

<B>Address Changing Technologies</B>: A comprehensive review is needed to address:

• the need for collaborative service delivery models and data sharing to support research and analysis,
• public expectations about access to information and services online, and
• the need to ensure that new technologies are used in a transparent and accountable manner, and do not negatively impact access and privacy rights.

Ontario was one of the first provinces in Canada to create access and privacy legislation. Now, <I>FIPPA</I> and <I>MFIPPA</I> lag behind the standards established in other Canadian jurisdictions. It is time to ensure that the access and privacy rights of Ontarians align with the rights of other Canadians.
Tue, 28 Jun 2016 00:00:00 GMT

De-Identification: Basic Concepts and Techniques
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=444

As the demand for government-held data increases, institutions require effective processes and techniques for removing personal information. An important tool in this regard is de-identification. “De-identification” is the general term for the process of removing personal information from a record or data set.

De-identification protects the privacy of individuals because once de-identified, a data set is considered to no longer contain personal information. If a data set does not contain personal information, its use or disclosure cannot violate the privacy of individuals. Accordingly, the privacy protection provisions of the <EM>Freedom of Information and Protection of Privacy Act</EM> (<EM>FIPPA</EM>) and the <EM>Municipal Freedom of Information and Protection of Privacy Act</EM> (<EM>MFIPPA</EM>) would not apply to de-identified information.

Today, we have published guidelines, <A href="https://www.ipc.on.ca/english/Resources/Best-Practices-and-Professional-Guidelines/Best-Practices-and-Professional-Guidelines-Summary/?id=1669">De-identification Guidelines for Structured Data</A>, which introduce the basic concepts and techniques of de-identification. The document outlines the key issues to consider when de-identifying personal information in the form of structured data and it provides a step-by-step process that institutions can follow when removing personal information from data sets.
Wed, 08 Jun 2016 00:00:00 GMT

Personal Email Accounts and Instant Messaging
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=443

Some of Ontario’s public servants, elected officials and political staff use instant messaging services and personal or political party email accounts, in addition to their institution-issued email accounts, while doing business.

It is important to note that records relating to an institution’s business are subject to the access and privacy provisions of the <EM>Freedom of Information and Protection of Privacy Act</EM> (<EM>FIPPA</EM>) and the <EM>Municipal Freedom of Information and Protection of Privacy Act</EM> (<EM>MFIPPA</EM>), even if they are created, sent or received through instant messaging tools or personal email accounts.

The use of instant messaging and personal email accounts can create a number of challenges for institutions in meeting their administrative and legal obligations under Ontario’s access and privacy laws. The guidance document, <A href="https://www.ipc.on.ca/english/Resources/Best-Practices-and-Professional-Guidelines/Best-Practices-and-Professional-Guidelines-Summary/?id=1666">Instant Messaging and Personal Email Accounts: How to Meet Your Access and Privacy Obligations</A>, was developed to help Ontario’s public institutions meet those obligations.

The IPC recommends that leaders of public institutions strictly control the use of instant messaging and personal email accounts for conducting business. If it is necessary to use these tools, institutions must plan for compliance by implementing appropriate policy and technical measures to ensure that records are saved.

It is the responsibility of all institutions subject to <EM>FIPPA</EM> and <EM>MFIPPA</EM> to ensure that they are in compliance with those Acts, and to remember that access to information requests cannot be evaded by using instant messaging or personal email accounts.
Tue, 07 Jun 2016 00:00:00 GMT

Commissioner Brian Beamish recipient of Award for Excellence in Privacy Law
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=442

Information and Privacy Commissioner Brian Beamish has been named as the 2016 recipient of the Ontario Bar Association’s (OBA) prestigious <A href="https://www.oba.org/Sections/Privacy-Law/Awards/OBA-Karen-Spector-Memorial-Award">Karen Spector Memorial Award for Excellence in Privacy Law</A>. This award is in recognition of exceptional achievements by a member of the OBA who is working in the field of privacy. The award is named in honour of the late Karen Spector for her innovative work in the practice of privacy law.

During his time at the IPC, Commissioner Beamish has consistently worked to uphold and advance the protection of personal privacy in Ontario. As Assistant Commissioner he led many precedent-setting investigations that resulted in improving privacy protections, such as the <A href="https://www.ipc.on.ca/images/Findings/po-2826.pdf">inquiry</A> into the province’s jury selection process, the <A href="https://www.ipc.on.ca/english/Resources/News-Releases/News-Releases-Summary/?id=1468">review</A> of systemic breaches of health privacy at the Rouge Valley Health System and the <A href="https://www.ipc.on.ca/images/resources/indiscriminate_disclosure.pdf">investigation</A> into sharing of mental health information between police and border officials. Since becoming Commissioner in 2014, Commissioner Beamish has pushed for strong measures to help ensure that police surveillance and <A href="https://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=333">police record checks</A> are conducted in a manner that respects privacy rights. Additionally, he has also overseen ongoing efforts with the Ontario government on developing <A href="https://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=380">amendments to PHIPA</A> that address privacy issues in the emerging eHealth environment.
Mon, 06 Jun 2016 00:00:00 GMT

IPC orders release of doctors’ names in OHIP billing appeal
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=441

On June 1st, 2016, IPC Adjudicator John Higgins released his decision (<A href="https://www.ipc.on.ca/english/Decisions-and-Resolutions/Decisions-and-Resolutions-Summary/?id=10092">PO-3617</A>) in a case involving OHIP billings.

This case arose from an access to information request to the Ministry of Health and Long-Term Care for the names, specialties and payments made to OHIP’s top 100 billers in each of the past five years. The ministry disclosed all payment amounts and the specialties of some physicians from these lists. However, the ministry withheld the names of the physicians and some of the identified specialties based on the personal privacy exemption in Ontario’s <EM>Freedom of Information and Protection of Privacy Act</EM>.

The requester, a journalist with the Toronto Star, appealed that decision to the IPC. After receiving submissions from the Ontario Medical Association and two doctors’ associations, in addition to 79 doctors – some on their own behalf and others through counsel – the adjudicator overruled the ministry’s decision and ordered full disclosure of the requested information, including the names of the physicians.

The adjudicator found that the payment amounts related to the physicians in their professional or business capacity and did not reveal anything that is “inherently personal in nature.” He therefore concluded that the withheld information was not “personal information” and did not qualify for the personal privacy exemption. The adjudicator also found that a further exemption designed to protect third party business information did not apply because the withheld information would not reveal informational assets that the physicians had supplied to the ministry.

The adjudicator also considered whether, even if the information had been found to be exempt, there was a compelling public interest in disclosure of the information which clearly outweighed the personal privacy and third party informational interests in the information. The adjudicator found that there is a compelling public interest in the disclosure of the names of OHIP’s top 100 billers that would clearly outweigh the purposes of these exemptions. He stated:

"I am aware that these payments do not reflect the physicians’ personal income, as they represent gross revenue that does not take overhead expenses or payments to other physicians or staff members into account. Nevertheless, it is an inescapable fact that these payments consume a substantial amount of the Ontario government’s budget, and regardless of the fact that the physicians are not public servants, these amounts reflect payments for public services provided to the public and paid for by taxpayers."

Adjudicator Higgins went on in his order to conclude:

"In my view, the concept of transparency, and in particular, the closely related goal of accountability, requires the identification of parties who receive substantial payments from the public purse, whether they are providing services to public bodies under contract or, as in this case, providing services to the public through their own business activities under an umbrella of public funding."

The ministry has until July 8, 2016, to disclose a full copy of the record.
Fri, 03 Jun 2016 00:00:00 GMT

Recommendations for the Strategy for a Safer Ontario
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=439

Today our office submitted a set of <A href="https://www.ipc.on.ca/english/Resources/Reports-and-Submissions/Reports-and-Submissions-Summary/?id=1661">eight recommendations</A> to the Ministry of Community Safety and Correctional Services on its <A href="https://www.ontario.ca/page/strategy-safer-ontario-public-discussion-paper">Strategy for a Safer Ontario</A> consultation, which includes a review of the Police Services Act (PSA). We are pleased the Ministry is openly engaging with the public and other stakeholders on this important initiative.

The Ministry’s consultation paper considers the use of surveillance technologies and practices to strengthen public safety. These measures involve the collection, use and disclosure of personal information, for which police services are accountable under Ontario’s access and privacy legislation. While the goal of enhancing public safety is laudable, the Ministry must ensure that access and privacy rights are protected.

In this submission, we call for:

• strong governance frameworks that meet transparency and privacy best practices for programs that involve sharing of personal information among multiple agencies
• province-wide standards for police use of surveillance technologies
• amendments to the PSA to ensure transparency and accountability in outcomes of police misconduct complaints and Special Investigation Unit matters
• engagement with our office and other key stakeholders on new programs or initiatives, or legislative reform, that may impact privacy or access rights
Fri, 29 Apr 2016 00:00:00 GMT

When Are Councillors’ Records Subject to Access?
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=438

Freedom of information legislation provides Ontarians with rights of access to records held by government institutions. Government transparency and access to information are vital for a free and functioning democracy because they allow for meaningful participation in the democratic process and accountability of public officials.

Our office is sometimes required to decide access to information appeals relating to requests for records held by municipal councillors. Unfortunately, the <A href="https://www.ontario.ca/laws/statute/90m56"><EM>Municipal Freedom of Information and Protection of Privacy Act</EM></A> (<EM>MFIPPA</EM>) does not expressly refer to records of municipal councillors. Our office has been calling for amendments to <EM>MFIPPA</EM> to bring clarity to when it applies to councillors’ records. In August 2015 we <A href="https://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=392">wrote to the Minister of Municipal Affairs and Housing</A> advocating for amendments.

In the absence of the changes to the law, we have issued a new <A href="https://www.ipc.on.ca/english/Resources/Best-Practices-and-Professional-Guidelines/Best-Practices-and-Professional-Guidelines-Summary/?id=1657">fact sheet</A> which explains when and how councillors’ records are subject to <EM>MFIPPA</EM>.

The determination of whether councillors’ records are subject to <EM>MFIPPA</EM> depends largely on the context. It involves a consideration of a number of factors and circumstances. The fact sheet outlines the relevant factors and our findings in a number of cases. We hope it will assist municipalities in educating councillors about their responsibilities and in developing comprehensive policies and procedures regarding the appropriate management of records.

This Freedom of Information Fact Sheet is the first in a new series to inform institutions, individuals and organizations about access to information laws. Each fact sheet in the series will help parties navigate the access to information process and understand how the IPC views the exemptions and exclusions in the acts, and highlight key decisions, findings and updates.
Fri, 22 Apr 2016 00:00:00 GMT

The IPC takes part in the 2016 GPEN “Privacy Sweep”
http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=437

Our office is pleased to announce that we will be participating in the Global Privacy Enforcement Network’s (GPEN) annual “Privacy Sweep” (Sweep) initiative, where privacy enforcement authorities work together to protect the privacy rights of individuals around the world.

This year’s theme is the Internet of Things and Accountability, with a focus on health-related devices. As the oversight agency for Ontario's health privacy legislation, we will be taking part by surveying a number of medical devices available for sale and use in our province. As part of the sweep, the IPC will consult with nearly two dozen device manufacturers on how their devices operate, what information is collected, how it is used and disclosed when in use, how it may be protected, and what options are available to users to exercise control over their personal health information.

The Sweep initiative will help us to better understand the information flows of devices that are intended for remote use by individuals. Survey results will be used to generate a GPEN Sweep report on privacy practices of “Internet of Things” devices and services, and will be made public this fall.

GPEN promotes cross-border collaboration among privacy enforcement authorities that oversee privacy laws.

To learn more about GPEN, please visit: <A href="https://www.privacyenforcement.net/">https://www.privacyenforcement.net/</A>.
Fri, 15 Apr 2016 00:00:00 GMT