Guest blog by Teresa Scassa
It is no secret that Ontario faces many challenges when it comes to privacy and data governance today. Some of these relate to ongoing efforts to ensure that our personal data and personal health information are properly stewarded in the public and healthcare sectors, even as technologies advance and new cybersecurity threats emerge. Others may require changes to how we deal with personal data – possibly even new forms of governance. We will need to think about how to securely share personal data, including health information, to support research and innovation in the public interest. We will have to ensure that automated decision-making systems in the public sector are appropriate, transparent, fair, and free of bias. Ontarians will expect to be able to access and receive more government services online, and these systems will need to be secure and privacy-protective. The Ontario government has put forward a number of initiatives that seek to harvest the power of data while protecting privacy and ensuring trust. The Data Authority, the Ontario Health Data Platform, an AI governance framework, and Digital ID have all been identified by the government as areas of importance, as has the potential for a private sector data protection law for Ontario. In this new post-election phase, it will be interesting to see which projects move forward and how they take shape.
Technology and innovation have a way of disrupting government and institutional policy agendas. The use by some police services of Clearview AI’s massive facial recognition database prompted urgent discussions about when and how these powerful technologies, prone to bias, should be used by police and what governance measures should be in place. The surge in remote schooling during the pandemic cast a spotlight on educational technologies and their implications for children’s privacy. The growth in the adoption and use of AI for monitoring and surveillance in the workplace where we spend so much of our daily lives, has raised concerns that Ontario does not have the statutory protections to guard against excessive intrusion on privacy — and potentially biased decision-making. The challenges of managing public health in a pandemic also put a spotlight on the use of data, whether it is de-identified personal health data that can support medical research or anonymized private sector data that may inform government policy choices. These are just a few examples. There are so many ways in which emerging and evolving technologies challenge how we think about privacy, how our data are collected and used, and how we can maintain some form of agency and autonomy.
Information and privacy regulators like Ontario’s Information and Privacy Commissioner (IPC) have a statutory mandate, an array of powers, and a budget to enable them to confront and address existing and emerging challenges. Yet, staff and budget are limited, and rapidly evolving technologies require constant vigilance and adaptations of practice. The challenge is to set and prioritize goals and identify and find ways to meet them. In 2021, the IPC developed, through a consultative process, a set of strategic priorities to shape its activities over the next five years. The priority areas are: Privacy and Transparency in a Modern Government; Children and Youth in a Digital World; Next-Generation Law Enforcement; and Trust in Digital Health. These priorities shape an agenda that will require not just addressing particular issues, but also reflecting on how best to do so within the constraints of resources and mandate.
There has been a great deal of emphasis lately in public discourse on punishing those who breach privacy norms with sanctions commensurate with the gravity of the breach. This is not surprising, given the number and serious nature of many recent privacy breaches. In addition, regulation should also be effective in helping to avoid breaches by offering guidance, encouraging compliance, and correcting issues before they can become critical. In a rapidly evolving technological environment, it is important to consider new tools and techniques to protect privacy, dignity, and autonomy while allowing innovators to use data to support the public good.
This is a challenging context for regulators, and it is one of the reasons why I am delighted to have an opportunity to better understand the regulator’s perspective through an innovative new program launched by the IPC. I am privileged to be the IPC’s first Scholar-in-Residence, starting this month. This role will enable me to regularly engage with Commissioner Patricia Kosseim and her excellent team throughout my sabbatical year. Although I know I will benefit enormously from an insider’s practical perspective on privacy regulation, the program is meant to be a two-way street. I hope to provide strategic policy input and advice that can help the IPC move from its strategic priorities to strategic outcomes. This experience will build upon what I have learned from participating as a member of the IPC’s new Strategic Advisory Council. It will also allow me to engage more deeply on some of the regulatory issues that have long intrigued me as an academic working in this area.
I look forward to this exciting year ahead with the IPC. I hope this new Scholar-in-Residence program charts a path that other scholars studying in this field might wish to consider as a sabbatical opportunity in future years to bring different perspectives to bear on Ontario’s most complex privacy and access challenges.
Dr. Teresa Scassa is the Canada Research Chair in Information Law and Policy at the University of Ottawa, Faculty of Law. She will be serving as IPC’s first Scholar-in-Residence from September 1, 2022 until June 30, 2023.
This post is also available in: French