Guidance

This publication replaces the guidance document, What to do When Faced With a Privacy Breach: Guidelines for the Health Sector.

This fact sheet provides guidance on how Ontario public institutions and health information custodians can securely destroy personal information when disposing of electronic media.

Comments from the Information and Privacy Commissioner on the proposed regulation under Part X of the Child, Youth and Family Services Act.

This guidance document outlines the key obligations of police under privacy legislation in their use of ALPR systems and provides guidance, including best practices, on using these systems in a privacy-protective manner.  It addresses the use of ALPR systems for public safety purposes, in particular for the purpose of alerting an officer in an ALPR-equipped vehicle to the...

This fact sheet answers some frequently asked questions about reasonable searches for records.

Commissioner Brian Beamish presented his submission on Bill 89, Supporting Children, Youth and Families Act, 2017 to the Standing Committee on Justice Policy on Thursday, March 30, 2017.

Commissioner Brian Beamish presented this submission to the Standing Committee on Finance and Economic Affairs on March 23, 2017.

The IPC strongly supports Open Government initiatives and encourages Ontario institutions to be more open and transparent, and to enhance their engagement with the public. This document offers guidance for institutions on how to move towards increased government transparency without negatively affecting individuals’ privacy.

PHIPA Code of Procedure

Commissioner Brian Beamish submitted comments to the Standing Committee on Social Policy on Bill 59, Schedule 2 of Bill 59, Putting Consumers First Act, 2016.

The emergence of big data as a tool to manage and analyze large and complex data sets offers great promise and opportunity, but also raises serious privacy challenges and considerations, especially to personal privacy. Public and health sector institutions increasingly use big data tools to improve programs and public services and ensure they are supported by better...

 

This submission addresses the privacy implications of the proposed Bill. The goal of our recommendations is to enhance the protection of personal health information of Ontarians.

This fact sheet highlights the important factors an institution must consider before implementing a video surveillance system.

This guidance is designed to help institutions implement better record and information management practices and enhance the public’s ability to access information.

This fact sheet explains the meaning of the term “personal information,” and answers frequently asked questions.

This fact sheet outlines what to expect when an institution contacts you about an access request, your options for appeal, and other frequently asked questions. This document is part of a series designed to keep the public and professionals up to date with the IPC’s interpretations of access and privacy laws.

Full report on the Commissioner’s investigation into the records management practices of the Toronto Organizing Committee for the 2015 Pan American and Parapan American Games (TO2015).

This fact sheet seeks to answer some of the common questions you may have about the freedom of information process. This document is part of a series designed to keep the public and professionals up to date with the IPC’s interpretations of access and privacy laws.

This fact sheet describes the risks of using email and custodians’ obligations under the Personal Health Information Protection Act. It outlines some of the technical, physical and administrative safeguards needed to protect personal health information when communicating by email and the policies, procedures and training custodians should have in place.

This guidance document provides institutions with an overview of important factors to consider when implementing Open Government including the need for institutional leadership, commitment, governance and resources to support culture change and sustain the program over time, learning from others, engaging both internal and external users, and meeting legal requirements.

This guidance paper is intended as a starting point for institutions considering Open Government and highlights two critical goals: enhancing access to government-held information and public participation.  It includes a discussion about making government-held information open by default and at little or no cost, and ways to enable a true two-way dialogue with the public.

This Fact Sheet from the IPC discusses how ransomware has become an increasingly dangerous threat to the security of electronic records and provides guidance on how public institutions and healthcare organizations can protect themselves against it.

This document highlights the key issues to consider when de-identifying personal information in the form of structured data and it provides a step-by-step process that institutions can follow when removing personal information from data sets.

This document was developed to help Ontario’s public institutions manage the use of instant messaging and personal email accounts when doing business. All public servants should be aware records relating to an institution’s business that are created, sent or received through instant messaging or personal email accounts are subject to Ontario’s access and privacy laws. The...

Submission to the Ministry of Community Safety and Correctional Services on its Strategy for a Safer Ontario

Our office is sometimes required to decide access to information appeals relating to requests for records held by municipal councillors. Unfortunately, the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) does not expressly refer to records of municipal councillors.

Submission of the Information and Privacy Commissioner of Ontario to the Standing Committee on Justice Policy on Bill 119: The Health Information Protection Act, 2015.

The IPC has prepared this new guidance document, Thinking About Clouds? Privacy, security and compliance considerations for Ontario public sector institutions, to help institutions evaluate whether cloud computing services are suitable for their information management needs. In particular, it seeks to raise awareness of the risks associated with using cloud computing services...

Common misunderstandings about privacy are frequently cited as reasons for not sharing information with a children’s aid society (CAS) about a child who may be at risk. In fact, Ontario law permits professionals working with children to share this information. To help professionals understand that privacy is not a barrier to disclosing this important information, the IPC...

Bill 8, the Public Sector and MPP Accountability and Transparency Act, 2014, will come into effect on January 1, 2016.

Letter and submission from the IPC to the the Honourable Yasir Naqvi, Minister of Community Safety and Correctional Services, the Commissioner offers recommendations on the draft regulation proposed on October 28, 2015, which seeks to regulate the practice of police street checks across the province.

Submission from the IPC to the the Honourable Yasir Naqvi, Minister of Community Safety and Correctional Services, the Commissioner offers recommendations on the draft regulation proposed on October 28, 2015, which seeks to regulate the practice of police street checks across the province.

Use this Workbook and Guide as a “how to” tool to complete the statistical report for the Information and Privacy Commissioner/Ontario about requests made under the Personal Health Information Protection Act, 2004 (PHIPA).

This workbook and guide is designed to provide step-by-step instructions for the completion of the Information and Privacy Commissioner’s (IPC) Year-End Statistical Report as required by the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA).

This workbook and guide is designed to provide step-by-step instructions for the completion of the Information and Privacy Commissioner’s (IPC) Year-End Statistical Report as required by the Freedom of Information and Protection of Privacy Act (FIPPA).

This revised FAQ has a new look and feel and has been rewritten with cleaner, easy to understand, gender-neutral language. Also included are a few additions to the original publication:

Our frequently asked questions on health cards and health numbers clarify who may collect, use or disclose health numbers for health care purposes, as well as the use of health cards as a proof of identity. The guidance covers: Who may require individuals to produce their health cards? Who may collect, use or disclose health numbers and under what circumstances? ...

Many institutions turn to video surveillance to help them fulfil their obligations to protect the safety of individuals and the security of their equipment and property. Video footage captured by cameras is regularly used to assist in the investigation of wrongdoing. However, the use of these surveillance technologies can put individuals’ privacy at risk. Therefore, it is...

Proactive disclosure of procurement records strengthens clarity and accountability around government spending. It can also provide tangible benefits to institutions by reducing the number of procurement-related freedom of information requests, appeals and associated costs.

This document was thoroughly reviewed and updated in August, 2015, introducing clear and easy to understand gender-neutral language. Updated: August 2015

Municipalities are turning to the Internet as a means of making information public in an effort to improve accessibility, transparency and accountability. This may include publishing records directly to their website or including records in searchable databases that can be accessed online. Publishing materials online is an effective means of ensuring that the public has access...

Ontario public sector institutions must meet high standards of care and trust whenever collecting, using and disclosing personal and other sensitive information. Any public institution considering new information technologies, systems, and program services that may affect privacy are strongly encouraged to complete a privacy impact assessment (PIA).

 

This guidance document aims to identify some of the privacy considerations law enforcement authorities should take into account when deciding whether to outfit law enforcement officers with body-worn cameras. Published by the federal Privacy Commissioner and privacy and personal information protection Ombudspersons and Commissioners in all provinces and territories, the...

Unauthorized access continues to be a growing problem in the health sector in Ontario. The province’s Personal Health Information Protection Act, (PHIPA), permits health information custodians (HIC) to collect, use and disclose personal health information for the purposes of providing or assisting in the provision of health care based on implied or assumed implied consent but...

In this paper, we apply a Privacy by Design approach to exploring new ideas and solutions that can lead to deployment of privacy-protective and secure biometric one-to-many systems. We showed that new advances in Biometric Encryption (BE) can be complemented with other innovative solutions, such as Cryptographically Secure Biometric Architectures and Biometric Setbase/Weak...

Properly applied de-identification is an effective tool to protect privacy, but recent criticisms have suggested the opposite. The perpetuation of this myth has the potential to adversely impact health research, innovation and Big Data insights. In order to address the misconceptions surrounding de-identification, the paper examines a select group of articles that are often...

This IPC paper is aimed at government organizations but the guidelines can be used by all organizations, providing guidance on how to identify and contain a privacy breach, who to notify, and what proactive steps to take to avoid one.

More than 27 million Canadians use mobile computing devices such as laptops, smartphones and tablets and that number continues to grow. Consequently, Canadian employers are confronted with the workplace challenge of Bring Your Own Device (BYOD). This phenomenon poses new challenges to data security, effective corporate oversight, and employee privacy. To provide guidance on...

This paper provides an update on recent de-identification developments and looks ahead to new, up-and-coming, issues related to the topic of de-identification. Our objective is to encourage innovative de-identification techniques and to promote knowledge sharing and de-identification best practices. The numerous recently published de-identification papers and guidance documents...

As portable storage devices become increasingly prevalent in the health care sector, concerns also arise regarding the privacy and security of personal health information (PHI). Medical professionals in high-availability data environments, from family doctors to large hospitals, need to ensure data security and protect information through encryption as the default, as the...

There are many myths surrounding how information may be collected, used and disclosed under the Personal Health Information Protection Act. Working with our partners in the health care community, we have created this one-page document to dispel some of the more common myths.

In Order HO-011, the Information and Privacy Commissioner of Ontario (IPC) ordered Cancer Care Ontario to discontinue its practice of transferring records of personal health information relating to its colon cancer screening program in paper format, after several courier packages containing the personal health information of over 7,000 individuals were lost. Cancer Care Ontario...

Practical information about identity theft, how to avoid it, and what to do if you find you are a victim.

Personal health information comprises some of the most sensitive and intimate details of one’s life, such as those relating to one’s physical or mental health and the health history of one’s family. As such, it requires strong protections to ensure the privacy of the individual to whom it relates. Personal health information must also be accurate, complete, and accessible...

A Report on the State of PbD to the 33rd International Conference of Data Protection and Privacy Commissioners.

Privacy by Design Lesson

Other Resources: Grade 11/12 Fact Sheet

Recently, the value of de-identification of personal information as a tool to protect privacy has come into question. Repeated claims have been made regarding the ease of re-identification. We consider this to be most unfortunate because it leaves the mistaken impression that there is no point in attempting to de-identify personal information, especially in cases where...

Tracking individuals online for marketing and other purposes has become a contentious public policy issue for consumers, regulators and advertisers. The stakes are high, and the technologies complex, but by applying Privacy by Design principles early and systematically, privacy, consumer trust, personalization, innovation and economic benefits may all be achieved. This is...

The purpose of this Fact Sheet is to provide organizations that are defined as both health information custodians under the Personal Health Information Protection Act (PHIPA) and institutions under public sector privacy and access to information legislation, namely the provincial Freedom of Information and Protection of Privacy Act (FIPPA) or its municipal counterpart the...

A submission in response to the Department of Commerce Internet Policy Task Force’s proposed framework for Commercial Data Privacy and Innovation in the Internet Economy.

Submission in response to the Federal Trade Commission’s December 2010 preliminary staff report Framework for Protecting Consumer Privacy in an Era of Rapid Change.

Other Resources: Grade 10 Fact Sheet

A Research Report on the use of Biometric Encryption to Limit “Self-Excluded” Problem Gambler Access to Gaming Venue.

Calls for greater openness and transparency are exerting increasing pressure on governments to transform their traditional, reactive information dissemination methods into a mode that facilitates proactive disclosure. Furthermore, governments around the world are recognizing the value of sharing information with the public in accessible, open formats. They understand that...

The Office of the Information and Privacy Commissioner, in Order HO-004 and Order HO-007, required that health information be safeguarded at all times, specifically by ensuring that any personal health information stored on any mobile devices (e.g., laptops, memory sticks, PDAs) be strongly encrypted.This Fact Sheet paper provides a working definition of strong encryption and...

Access by Design: The 7 Fundamental Principles

The idea that privacy – an individual’s right to control the collection, use and disclosure of information about him or herself – may present risk, seems to be a new one to many. That it should be a novel concept to those responsible for managing risk, however, needs to be addressed. Personal information is an asset, the value of which is protected and enhanced by a suite...

The purpose of the Manual For The Review and Approval of Prescribed Persons and Prescribed Entities is to outline the new process that will be followed by the Information and Privacy Commissioner of Ontario, commencing on January 31, 2010, in reviewing the practices and procedures implemented by prescribed persons and prescribed entities to protect the privacy of individuals...

Health information custodians frequently rely on de-identification when using or disclosing health information – a measure that can protect individual privacy, but often at the expense of data quality (zero-sum paradigm). Dr. Khaled El Emam, a senior investigator at the Children’s Hospital of Eastern Ontario Research Institute (CHEO), has resolved this dilemma through the...

The following is a chapter on Biometric Encryption excerpted from the Springer Encyclopedia of Biometrics.

This is joint publication between Commissioner, Dr. Ann Cavoukian and Robert Johnson, Executive Director of the National Association for Information Destruction (NAID). This publication was borne out of a particular Health Order (HO-006) which Commissioner Cavoukian issued this past summer regarding records containing personal health information being found scattered on...

This useful sheet outlines The 7 Foundational Principles of Privacy by Design – a concept that Commissioner Cavoukian developed back in the 90’s, to address the ever-growing and systemic effects of Information and Communication Technologies, and of large-scale networked data systems. Privacy by Design asserts that the future of privacy cannot be assured solely by...

Commissioner Cavoukian and Max Snijder, CEO, European Biometrics Forum co-authored this vision paper that discusses the need for secure storage and privacy protection for biometric reference data. Their discussion is meant to touch on the distinguishing features of the algorithmic process defined by BE, the terminology that best describes this process, and to provide a...

The toolkit was prepared by the IPC and Dr. Peter Rossos (UHN) to help physicians minimize  the risk of privacy and security breaches, before, during and after making the transition to electronic records of personal health information.

Profound technological and social forces are reshaping the public sector, its governance structures, and constituent relationships. Government adoption of Web 2.0 “social” technologies will empower citizens on an unprecedented mass scale. What does this mean to privacy and personal data protection? This paper explores what could happen to government and its institutions;...

This paper is a chronicle describing the IPC’s work to enhance awareness about the privacy challenges youth face on the Internet.

(Speaking Notes)

Submission made to the Standing Committee on Social Policy.

Abstract – How to Preserve Freedom and Liberty: Design Intelligent Agents to be Smart and Respectful of Privacy

Your Rights under Ontario’s Freedom of Information Laws

The Commissioner was asked to provide feedback on the U.S. Federal Trade Commission’s proposed self-regulatory principles for online behavioural advertising.

RFID and Privacy: Guidance for Health-Care Providers. RFID technology can help save lives – and preserve privacy.

Social networking websites such as Facebook are now so popular that they are being used by employers to screen prospects. Information you post on your profile for the amusement of you and your friends may, therefore, be viewed in a different light. This short paper cautions users of these sites about this growing trend in use of these sites and offers tips on how to reduce the...

A brochure outlining suggested best practices for securing mobile devices (PDAs, laptops, etc.) and protecting the information carried out of the workplace on them. Steps are organized into sections: Before you Walk out of the Workplace, While you are Out and When You have Completed Your Work. Includes a checklist and list of IPC resources. Revised: May 2014

Fact Sheet about the use of wireless CCTV cameras.

This is a checklist of tasks for dealing with records of personal health information in compliance with the requirements under the Personal Health Information Protection Act (PHIPA) and adherence to privacy and access best practices, when there is a change in practice, such as death, bankruptcy, retirement and relocation. The companion guidelines are Guidelines on the...

This is an outline of procedures for dealing with records of personal health information in compliance with the requirements under the Personal Health Information Protection Act, 2004 (PHIPA) and adherence to privacy and access best practices, when there is a change in practice, such as death, bankruptcy, retirement and relocation. The companion document is Checklist for Health...

The Office of the Information and Privacy Commissioner provided its perspective on privacy protections in the handling of personal information in the context of election law reform, including information contained in voters’ dates of birth and government identification.

The Information and Privacy Commissioner of Ontario, Ann Cavoukian, Ph.D., and Biometrics Scientist, Alex Stoianov, Ph.D., jointly released a white paper entitled Biometric Encryption: A Positive Sum Technology that Achieves Strong Authentication, Security AND Privacy. The authors wish to appeal to a broader audience in considering the merits of Biometric Encryption (BE)...

Submissions regarding the proposed Identity Screening Regulations (“the Regulations”) and the interrelated Passenger Protect Program (“the Program”).

This document assists organizations in making key decisions about notifying individuals after a privacy breach occurs by presenting checklists covering factors affecting whether to notify, when and how to notify, what to include in a notification and other organizations that should be contacted. The document was produced jointly by the Office of the Information and Privacy...

This document is intended to serve as privacy “best practices” guidance for organizations when designing and operating Radio-Frequency Identification (RFID) information technologies and systems

Practice Direction #1 – Providing records to the IPC during an appeal

Practice Direction #10 – Appeal fees

Revised February 2012

Information on how to file an access to information request under FIPPA or MFIPPA.

A generic request form for filing a request to correct your personal health information held by a health information custodian. This request form should be submitted directly to the health information custodian.

This guide focuses on introducing students to the importance of the public values of access to government-held information and personal privacy.

A review and commentary on the necessity of open meetings law in Ontario. Looking specifically at why a comprehensive open meetings law is needed in Ontario; and How Bill 123 satisfies key requirements of an effective open meetings law.

A form to be signed by an appellant who is represented by someone other than a lawyer in an appeal relating to a request for general information or for the appellant’s personal information/correction of personal information.

A form to be signed by a complainant who is represented by someone other than a lawyer.

Short Notices to the Public under the Personal Health Information Protection Act

Short Notices to the Public under the Personal Health Information Protection Act

Short Notices to the Public under the Personal Health Information Protection Act

Short Notices to the Public under the Personal Health Information Protection Act

Short Notices to the Public under the Personal Health Information Protection Act

Short Notices to the Public under the Personal Health Information Protection Act

Revised October 2012

Revised Sept. 2014.

A generic request form for filing a request for access to your personal health information held by a health information custodian. This request form should be submitted directly to the health information custodian.

This brochure provides information on complaints about access or correction of personal health information under PHIPA.

This review was launched in response to a complaint about the program.

This brochure provides information about collection, use, disclosure and other complaints under PHIPA.

This guide is a tool to help health information custodians understand their rights and obligations under the Personal Health Information Protection Act, (PHIPA).

[Revised July 2014]

The brochure explains the IPC’s outreach program to schools in Ontario, specifically for grades 11/12

Program focuses on introducing students to the importance of the public values of access to government-held information and personal privacy. Expanded program for Grade 11/12.

A form for filing an appeal of a decision by a government organization relating to a request made under the provincial or municipal Freedom of Information and Protection of Privacy Act.

A Joint Project of the Office of the Information and Privacy Commissioner of Ontario and the Ministry of the Attorney General.

A form for filing a privacy complaint under the provincial or municipal Freedom of Information and Protection of Privacy Act, if you feel your personal information has been improperly collected, used or disclosed by a government organization

For requests under the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act: Guidelines for Government Institutions. This paper provides a reference tool to assist government institutions in determining the what, when and how of claiming and calculating fees.

Tip sheet for government organizations on handling information

Tip sheet for government organizations on handling information.

A form that should be used by institutions when responding to a request under the provincial or municipal Act or providing information to the IPC during the course of an appeal. It is a listing of all of the enclosed records being released by the institution.

Tip sheet for government organizations on handling information

Tip sheet for government insitutions on handling information.

A generic request form for filing a request for information held by a government organization or to request a correction of your personal information held by a government organization.

A joint project of the Office of the Information and Privacy Commissioner/Ontario and the Ministry of Health and Long-Term Care, Freedom of Information and Protection of Privacy Office.

A joint project of the Information and Privacy Commissioner of Ontario, the Upper Grand District School Board and the Peterborough, Victoria, Northumberland and Clarington Catholic District School Board. These best practices focus on issues frequently dealt with by schools and school boards and offer guidance when posting information to their websites.

A form to be signed by a complainant who is represented by someone other than a lawyer in a privacy complaint.

Concerns regarding the CCRA’s traveller-surveillence database’s possible expansion to include the collection of personal information from individuals arriving to Canada by trains, ships & buses. As well as permitting the RCMP to use passenger information.

April 22, 2002.

Each provincial and municipal government organization has a Co-ordinator. This backgrounder looks at ways Co-ordinators can help staff integrate an awareness and understanding of access and privacy into their daily work.

The PDT is an instrument that uses a series of questions to give businesses a ‘read’ on how well they manage their customers’ personal information. The PDT uses internationally recognized fair information practices as its basis.

Provides best practices and tips to assist government organizations in developing policies that address the privacy obligations of employees who are working in locations outside the traditional office setting.

An educative tool designed to help companies identify and implement appropriate practices for protecting the privacy of their online customers.

A review and commentary on the privacy implications of proposed legislation, Bill 159, the Personal Health Information Privacy Act, 2000

January 24, 2001

Symposium on the Protection of Information in Local Governments. The Administration and Use of Personally Identifiable Information in a Global Society. Tokyo, October 2000.

Consumer information regarding appeals of a decision made to an access request under FIPPA or MFIPPA. [Revised August 2014]

Consumer information regarding procedure to file access requests to police departments.

A quick overview of the key points of the provincial Act. [Revised July 2014]

Examines the privacy implications of using biometric technologies and includes a call to action to the data protection community to ensure that these technologies are used in a way that conforms to the expectations of a privacy-minded society.

Each provincial and municipal government organization has a Co-ordinator. This Backgrounder looks at the critically important role that Co-ordinators play.

Comments to the Standing Committee on Industry on Bill C-54, the Personal Information Protection and Electronic Documents Act, that identifies a number of privacy-related issues the IPC has, as well as outlining the IPC’s suggested action or wording.

The brochure explains the IPC’s outreach program to schools in Ontario, specifically for grade 5

Tip sheet for government organizations on handling information.

Tip sheet for government organizations on handling personal information with regards to social insurance numbers.

Tip sheet for government institutions on information management.

Tip sheet for government organizations on information management.

Tip sheet for government institutions on handling personal information. Revised July, 2009.

A quick overview of the key points of the municipal Act. [Revised July 2014]

Discusses the importance of using encrpytion to protect personal information on open communication networks such as the Internet. Specifically looking at encryption for the purposes of striking a balance between the interests of law enforcement, civil lib

Provides a template designed for insertion into contracts drawn up when a government function is transferred over to the private sector. The model contract will provide assurances to the public that their personal information will be kept secure and their right to privacy preserved when government functions are transferred over to the private sector.

Consists of eleven access success stories solicited from institutions covered by the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act. The stories provide concrete, everyday examples of how government organizations are bringing routine disclosure and active dessemination (RD/AD) to life.

Foreword

Municipal Guidelines on Applications to the Office of the Information and Privacy Commissioner/Ontario for Authorization of Indirect Collection by Institutions Covered Under the Municipal Freedom of Information and Protection of Privacy Act.

Provincial Guidelines on Applications to the Office of the Information and Privacy Commissioner/Ontario for Authorization of Indirect Collection by Institutions Covered Under the Freedom of Information and Protection of Privacy Act.

TECHNICAL

Provides background information and definition of terms, a discussion of the flow of HIV/AIDS-related information in the Ontario public health sector, the consequences of disclosing HIV/AIDS- related personal information, and a discussion of privacy in th

Contains background information about HIV and AIDS, a discussion of the issues around the collection, use and disclosure of HIV/AIDS-related personal information, and outlines a set of privacy protection principles that should be addressed in workplace po