Guidance

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

Our frequently asked questions on health cards and health numbers clarify who may collect, use or disclose health numbers for health care purposes, as well as the use of health cards as a proof of identity. Originally published November 2004.

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

Backgrounder: Information and Privacy Commissioner of Ontario’s comments on key areas for reform in a made-in-Ontario private sector privacy law

This post is also available in: French

This post is also available in: French

This post is also available in: French

Letter to The Honourable Peter Bethlenfalvy

This post is also available in: French

Use this Workbook and Guide as a “how to” tool to complete the statistical report for the Information and Privacy Commissioner/Ontario about requests made under the Personal Health Information Protection Act, 2004 (PHIPA).

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

Print double-sided (flip on short edge) on legal size paper, fold on dotted lines

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

A form for filing a privacy complaint under the provincial or municipal Freedom of Information and Protection of Privacy Act, if you feel your personal information has been improperly collected, used or disclosed by a government organization

This post is also available in: French

This post is also available in: French

This post is also available in: French

Privacy Complaint MC17-32

This post is also available in: French

Guidelines for service providers under Part X of the Child, Youth and Family Services Act

Guidelines for service providers under Part X of the Child, Youth and Family Services Act

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This publication replaces the guidance document, What to do When Faced With a Privacy Breach: Guidelines for the Health Sector.

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This fact sheet provides guidance on how Ontario public institutions and health information custodians can securely destroy personal information when disposing of electronic media.

This post is also available in: French

Comments from the Information and Privacy Commissioner on the proposed regulation under Part X of the Child, Youth and Family Services Act.

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This guidance document outlines the key obligations of police under privacy legislation in their use of ALPR systems and provides guidance, including best practices, on using these systems in a privacy-protective manner.  It addresses the use of ALPR systems for public safety purposes, in particular for the purpose of alerting an officer in an ALPR-equipped vehicle to the...

This post is also available in: French

This post is also available in: French

This fact sheet answers some frequently asked questions about reasonable searches for records.

Commissioner Brian Beamish presented his submission on Bill 89, Supporting Children, Youth and Families Act, 2017 to the Standing Committee on Justice Policy on Thursday, March 30, 2017.

Commissioner Brian Beamish presented this submission to the Standing Committee on Finance and Economic Affairs on March 23, 2017.

The IPC strongly supports Open Government initiatives and encourages Ontario institutions to be more open and transparent, and to enhance their engagement with the public. This document offers guidance for institutions on how to move towards increased government transparency without negatively affecting individuals’ privacy.

This post is also available in: French

PHIPA Code of Procedure

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

Commissioner Brian Beamish submitted comments to the Standing Committee on Social Policy on Bill 59, Schedule 2 of Bill 59, Putting Consumers First Act, 2016.

The emergence of big data as a tool to manage and analyze large and complex data sets offers great promise and opportunity, but also raises serious privacy challenges and considerations, especially to personal privacy. Public and health sector institutions increasingly use big data tools to improve programs and public services and ensure they are supported by better...

This post is also available in: French

This submission addresses the privacy implications of the proposed Bill. The goal of our recommendations is to enhance the protection of personal health information of Ontarians.

This fact sheet highlights the important factors an institution must consider before implementing a video surveillance system.

This guidance is designed to help institutions implement better record and information management practices and enhance the public’s ability to access information.

This fact sheet explains the meaning of the term “personal information,” and answers frequently asked questions.

This fact sheet outlines what to expect when an institution contacts you about an access request, your options for appeal, and other frequently asked questions. This document is part of a series designed to keep the public and professionals up to date with the IPC’s interpretations of access and privacy laws.

Full report on the Commissioner’s investigation into the records management practices of the Toronto Organizing Committee for the 2015 Pan American and Parapan American Games (TO2015).

This fact sheet seeks to answer some of the common questions you may have about the freedom of information process. This document is part of a series designed to keep the public and professionals up to date with the IPC’s interpretations of access and privacy laws.

This fact sheet describes the risks of using email and custodians’ obligations under the Personal Health Information Protection Act. It outlines some of the technical, physical and administrative safeguards needed to protect personal health information when communicating by email and the policies, procedures and training custodians should have in place.

This guidance document provides institutions with an overview of important factors to consider when implementing Open Government including the need for institutional leadership, commitment, governance and resources to support culture change and sustain the program over time, learning from others, engaging both internal and external users, and meeting legal...

This guidance paper is intended as a starting point for institutions considering Open Government and highlights two critical goals: enhancing access to government-held information and public participation.  It includes a discussion about making government-held information open by default and at little or no cost, and ways to enable a true two-way dialogue with the...

This post is also available in: French

This Fact Sheet from the IPC discusses how ransomware has become an increasingly dangerous threat to the security of electronic records and provides guidance on how public institutions and healthcare organizations can protect themselves against it.

This document highlights the key issues to consider when de-identifying personal information in the form of structured data and it provides a step-by-step process that institutions can follow when removing personal information from data sets.

This document was developed to help Ontario’s public institutions manage the use of instant messaging and personal email accounts when doing business. All public servants should be aware records relating to an institution’s business that are created, sent or received through instant messaging or personal email accounts are subject to Ontario’s access and privacy laws....

Submission to the Ministry of Community Safety and Correctional Services on its Strategy for a Safer Ontario

Our office is sometimes required to decide access to information appeals relating to requests for records held by municipal councillors. Unfortunately, the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) does not expressly refer to records of municipal councillors.

Submission of the Information and Privacy Commissioner of Ontario to the Standing Committee on Justice Policy on Bill 119: The Health Information Protection Act, 2015.

The IPC has prepared this new guidance document, Thinking About Clouds? Privacy, security and compliance considerations for Ontario public sector institutions, to help institutions evaluate whether cloud computing services are suitable for their information management needs. In particular, it seeks to raise awareness of the risks associated with using cloud computing...

Common misunderstandings about privacy are frequently cited as reasons for not sharing information with a children’s aid society (CAS) about a child who may be at risk. In fact, Ontario law permits professionals working with children to share this information. To help professionals understand that privacy is not a barrier to disclosing this important information, the IPC...

Bill 8, the Public Sector and MPP Accountability and Transparency Act, 2014, will come into effect on January 1, 2016.

Letter and submission from the IPC to the the Honourable Yasir Naqvi, Minister of Community Safety and Correctional Services, the Commissioner offers recommendations on the draft regulation proposed on October 28, 2015, which seeks to regulate the practice of police street checks across the province.

Submission from the IPC to the the Honourable Yasir Naqvi, Minister of Community Safety and Correctional Services, the Commissioner offers recommendations on the draft regulation proposed on October 28, 2015, which seeks to regulate the practice of police street checks across the province.

This workbook and guide is designed to provide step-by-step instructions for the completion of the Information and Privacy Commissioner’s (IPC) Year-End Statistical Report as required by the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA).

This workbook and guide is designed to provide step-by-step instructions for the completion of the Information and Privacy Commissioner’s (IPC) Year-End Statistical Report as required by the Freedom of Information and Protection of Privacy Act (FIPPA).

This post is also available in: French

This revised FAQ has a new look and feel and has been rewritten with cleaner, easy to understand, gender-neutral language. Also included are a few additions to the original publication:

This post is also available in: French

This document was thoroughly reviewed and updated in August, 2015, introducing clear and easy to understand gender-neutral language.

Municipalities are turning to the Internet as a means of making information public in an effort to improve accessibility, transparency and accountability. This may include publishing records directly to their website or including records in searchable databases that can be accessed online. Publishing materials online is an effective means of ensuring that the public has...

This post is also available in: French

Ontario public sector institutions must meet high standards of care and trust whenever collecting, using and disclosing personal and other sensitive information. Any public institution considering new information technologies, systems, and program services that may affect privacy are strongly encouraged to complete a privacy impact assessment...

This guidance document aims to identify some of the privacy considerations law enforcement authorities should take into account when deciding whether to outfit law enforcement officers with body-worn cameras. Published by the federal Privacy Commissioner and privacy and personal information protection Ombudspersons and Commissioners in all provinces and territories, the...

Unauthorized access continues to be a growing problem in the health sector in Ontario. The province’s Personal Health Information Protection Act, (PHIPA), permits health information custodians (HIC) to collect, use and disclose personal health information for the purposes of providing or assisting in the provision of health care based on implied or assumed implied consent...

Information is becoming far more valuable as businesses seek to learn more about their customers and those of their competitors, and as advertisers seek to gain a competitive advantage by finding new and innovative ways to use information to target advertisements that are most relevant to their consumers.

Privacy and cybersecurity professionals, creators of digital property, and countless policy-makers have spent decades fighting to civilize the digital world, but they have lacked the most fundamental tool they need to succeed, namely — information systems engineering that enables true control of digital data.

It is now possible to change the paradigm of the...

As a small business becomes more networked and data-intensive, personal information and customer trust are critical assets that must be protected. This paper was written to help small business avoid data breaches that are harmful to both brand reputation and costly. Privacy policies and procedures alone, without a concrete strategy for implementation, will not protect an...

Since the recent revelations of the NSA’s sweeping surveillance of the public’s metadata, the term “metadata” has been regularly used in the media, frequently without any explanation of its meaning. Metadata’s reach can be extensive – including information that reveals the time and duration of a communication, the particular devices used, email addresses, or...

There are many myths surrounding how information may be collected, used and disclosed under the Personal Health Information Protection Act. Working with our partners in the health care community, we have created this one-page document to dispel some of the more common myths.

Privacy policies and procedures alone, without a concrete strategy for implementation, will not protect an organization from privacy risks. The policies and procedures must be actively communicated, and staff must be educated about measures that need to be in place, so that policies will be reflected in actions. This paper sets out a series of seven steps that organizations...

Unmanned Aerial Vehicles (UAV) present unique challenges due to their ability to use a variety of sensors to gather information from unique vantage points – often for long periods and on a continuous basis. The prospect of having our every move monitored, and possibly recorded, raises profound civil liberty and privacy concerns. At the same time, there are many desirable...

In Order HO-011, the Information and Privacy Commissioner of Ontario (IPC) ordered Cancer Care Ontario to discontinue its practice of transferring records of personal health information relating to its colon cancer screening program in paper format, after several courier packages containing the personal health information of over 7,000 individuals were lost. Cancer Care...

Practical information about identity theft, how to avoid it, and what to do if you find you are a victim.

This paper examines Near Field Communications (NFC) technologies and their growing deployment in mobile devices. Four consumer use cases illustrate NFC functionalities and benefits. Privacy and security risks are identified, and solutions are offered for NFC mobile device and application developers that are informed by the Privacy by Design Foundational Principles. ...

Other Resources: Grade 11/12 Fact Sheet

This post is also available in: French

The purpose of this Fact Sheet is to provide organizations that are defined as both health information custodians under the Personal Health Information Protection Act (PHIPA) and institutions under public sector privacy and access to information legislation, namely the provincial Freedom of Information and Protection of Privacy Act (FIPPA)...

Other Resources: Grade 10 Fact Sheet

The Office of the Information and Privacy Commissioner, in Order HO-004 and Order HO-007, required that health information be safeguarded at all times, specifically by ensuring that any personal health information stored on any mobile devices (e.g., laptops, memory sticks, PDAs) be strongly encrypted.This Fact Sheet paper provides a working definition of strong encryption...

The purpose of the Manual For The Review and Approval of Prescribed Persons and Prescribed Entities is to outline the new process that will be followed by the Information and Privacy Commissioner of Ontario, commencing on January 31, 2010, in reviewing the practices and procedures implemented by prescribed persons and prescribed entities to protect the privacy of individuals...

Health information custodians frequently rely on de-identification when using or disclosing health information – a measure that can protect individual privacy, but often at the expense of data quality (zero-sum paradigm). Dr. Khaled El Emam, a senior investigator at the Children’s Hospital of Eastern Ontario Research Institute (CHEO), has resolved this dilemma through...

Prepared for The Eighth Workshop on the Economics of Information Security University College, London, England June 24, 2009

This is joint publication between Commissioner, Dr. Ann Cavoukian and Robert Johnson, Executive Director of the National Association for Information Destruction (NAID). This publication was borne out of a particular Health Order (HO-006) which Commissioner Cavoukian issued this past summer regarding records containing personal health information being found scattered on...

This paper is a chronicle describing the IPC’s work to enhance awareness about the privacy challenges youth face on the Internet.

This discussion paper describes the IPC’s work in toward the implementation of an on/off device allowing holders of an Enhanced Drivers Licence (EDL) to prevent the Radio Frequency Identification (RFID) from being read by unauthorized third parties and disengage the RFID when not required for border-crossing purposes

In emergency situations, privacy laws in Ontario and British Columbia1 do not prohibit universities, colleges or other educational institutions from responsibly disclosing a student’s

Your Rights under Ontario’s Freedom of Information Laws

RFID and Privacy: Guidance for Health-Care Providers. RFID technology can help save lives – and preserve privacy.

This post is also available in: French

Social networking websites such as Facebook are now so popular that they are being used by employers to screen prospects. Information you post on your profile for the amusement of you and your friends may, therefore, be viewed in a different light. This short paper cautions users of these sites about this growing trend in use of these sites and offers tips on how to reduce...

Commissioner Ann Cavoukian prepared these Guidelines to provide Ontario municipalities with a framework to meet the privacy requirements under MFIPPA.

A brochure outlining suggested best practices for securing mobile devices (PDAs, laptops, etc.) and protecting the information carried out of the workplace on them. Steps are organized into sections: Before you Walk out of the Workplace, While you are Out and When You have Completed Your Work. Includes a checklist and list of IPC resources.

A brochure outlining suggested best practices for securing mobile devices (PDAs, laptops, etc.) and protecting the information carried out of the workplace on them. Steps are organized into sections: Before you Walk out of the Workplace, While you are Out and When You have Completed Your Work. Includes a checklist and list of IPC resources. Revised: May 2014 ...

Fact Sheet about the use of wireless CCTV cameras.

This post is also available in: French

This post is also available in: French

This post is also available in: French

This document assists organizations in making key decisions about notifying individuals after a privacy breach occurs by presenting checklists covering factors affecting whether to notify, when and how to notify, what to include in a notification and other organizations that should be contacted. The document was produced jointly by the Office of the Information and Privacy...

Practice Direction #1 – Providing records to the IPC during an appeal

Practice Direction #10 – Appeal fees

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

This post is also available in: French

Revised February 2012

Revised March 2014

Information on how to file an access to information request under FIPPA or MFIPPA.

This post is also available in: French

This post is also available in: French

This post is also available in: French

Tip sheet for government organizations on handling information

This post is also available in: French

A generic request form for filing a request to correct your personal health information held by a health information custodian. This request form should be submitted directly to the health information custodian.

This post is also available in: French

This guide focuses on introducing students to the importance of the public values of access to government-held information and personal privacy.

A form to be signed by an appellant who is represented by someone other than a lawyer in an appeal relating to a request for general information or for the appellant’s personal information/correction of personal information.

A form to be signed by a complainant who is represented by someone other than a lawyer.

This post is also available in: French

This post is also available in: French

Updated: December 2006.

Revised October 2012

Revised Sept. 2014.

This post is also available in: French

This post is also available in: French

A generic request form for filing a request for access to your personal health information held by a health information custodian. This request form should be submitted directly to the health information custodian.

This brochure provides information on complaints about access or correction of personal health information under PHIPA.

This brochure provides information about collection, use, disclosure and other complaints under PHIPA.

This guide is a tool to help health information custodians understand their rights and obligations under the Personal Health Information Protection Act, (PHIPA).

This post is also available in: French

This post is also available in: French

[Revised February 2019]

The brochure explains the IPC’s outreach program to schools in Ontario, specifically for grades 11/12

Program focuses on introducing students to the importance of the public values of access to government-held information and personal privacy. Expanded program for Grade 11/12.

A form for filing an appeal of a decision by a government organization relating to a request made under the provincial or municipal Freedom of Information and Protection of Privacy Act.

An IPC paper prepared for the Symposium on E-Governance for the 21st Century, sponsored by the Saskatchewan Institute of Public Policy. It has been included as a chapter in E-Government Reconsidered: Transformation of Governance for the Knowledge Age, a book published in April, 2004.

Produced by the Ministry of Natural Resources and the Office of the Information and Privacy Commissioner of Ontario.

A Joint Project of the Office of the Information and Privacy Commissioner of Ontario and the Ministry of the Attorney General.

Tip sheet for government organizations on handling information

Tip sheet for government organizations on handling information.

A form that should be used by institutions when responding to a request under the provincial or municipal Act or providing information to the IPC during the course of an appeal. It is a listing of all of the enclosed records being released by the institution.

Tip sheet for government organizations on handling information

Tip sheet for government institutions on information management.

Tip sheet for government organizations on handling information

Tip sheet for government insitutions on handling information.

A generic request form for filing a request for information held by a government organization or to request a correction of your personal information held by a government organization.

This joint paper produced by IPC Ontario and Deloitte & Touche provides hands-on advice for developing strategies for information security and privacy protection.

This paper examines the role that electronic records and document management systems (ERDMSs) can play in enhancing the public’s right to access information from government institutions in Ontario.

A joint project of the Town of Newmarket and the IPC

This post is also available in: French

This updated paper sets out guidelines for government institutions to consider when developing systems and procedures to maintain the confidentiality and integrity of information transmitted by fax.

A form to be signed by a complainant who is represented by someone other than a lawyer in a privacy complaint.

Examines the potential impact of PKI on the protection of personal privacy and makes recommendations for officials establishing such systems.

A form to be used where a researcher has requested access to records that contain personal information and are in the custody or under the control of an institution subject to the municipal Act.

A form to be used where a researcher has requested access to records that contain personal information and are in the custody or under the control of an institution subject to the provincial Act. (PDF format)

A joint project of the Office of the Information and Privacy Commissioner/Ontario and the Information and Privacy Unit, Ministry of Natural Resources, this publication provides a selection of strategies when dealing with voluminous requests. September 2002.

Provides institutions with an outline of what constitutes a valid exercise of discretion in the application of section 38(b), and some practical tips on how to properly exercise discretion when dealing with a specific category of records.

This post is also available in: French

The PDT is an instrument that uses a series of questions to give businesses a ‘read’ on how well they manage their customers’ personal information. The PDT uses internationally recognized fair information practices as its basis.

Provides best practices and tips to assist government organizations in developing policies that address the privacy obligations of employees who are working in locations outside the traditional office setting.

An educative tool designed to help companies identify and implement appropriate practices for protecting the privacy of their online customers.

This post is also available in: French

Consumer information regarding appeals of a decision made to an access request under FIPPA or MFIPPA.

A quick overview of the key points of the provincial Act.

Each provincial and municipal government organization has a Co-ordinator. This Backgrounder looks at the critically important role that Co-ordinators play.

The brochure explains the IPC’s outreach program to schools in Ontario, specifically for grade 5

This post is also available in: French

Tip sheet for government organizations on handling information.

Tip sheet for government organizations on handling personal information with regards to social insurance numbers.

Tip sheet for government institutions on information management.

Tip sheet for government organizations on information management.

Tip sheet for government institutions on handling personal information. Revised July, 2009.

A quick overview of the key points of the municipal Act.

Provides a template designed for insertion into contracts drawn up when a government function is transferred over to the private sector. The model contract will provide assurances to the public that their personal information will be kept secure and their right to privacy preserved when government functions are transferred over to the private sector.

Examines privacy issues surrounding the use of voice mail in the workplace and outlines a number of general principles for organizations to consider in their development of corporate privacy protection policies regarding the use of voice mail. The related Highlight is Privacy Protection Principles for Voice Mail Systems. October 1995.

This post is also available in: French

This post is also available in: French

Municipal Guidelines on Applications to the Office of the Information and Privacy Commissioner/Ontario for Authorization of Indirect Collection by Institutions Covered Under the Municipal Freedom of Information and Protection of Privacy Act.

Provincial Guidelines on Applications to the Office of the Information and Privacy Commissioner/Ontario for Authorization of Indirect Collection by Institutions Covered Under the Freedom of Information and Protection of Privacy Act.