Date: Nov 18 2020
Speakers:
Patricia Kosseim | Commissioner
Summary:

Patricia Kosseim, Information and Privacy Commissioner of Ontario
Infonex – Legal Issues in Privacy and Cybersecurity

Check against delivery

 

Thank you, Imran, for your kind introduction, and to the organizers for inviting me to speak at your Privacy and Cybersecurity conference today.

As I find myself repeating quite often, I would have wished for us to be meeting in person, but as with everything else in our lives, this is the new virtual reality we have to roll with nowadays.

I started my mandate July 1st, in the middle of the pandemic which was anything but a normal transition.

I came to this position with enormous, long-standing passion for privacy and access issues.

I have had the privilege of working for the federal privacy regulator for many years, but have also worked in the health and health research sectors, for the public sector, the not-for-profit sector, and the private sector, representing clients with many different interests.

I have had the great honour of interacting with very astute practitioners who have a real, practical sense of the concrete challenges at play; very smart academics who have devoted their careers to this important field; and very dedicated consumer and civil society groups who play such a vital role in advancing access and privacy rights for the benefit of us all.

If anything, this broad-based experience has taught me to appreciate the many diverse perspectives that come to bear on the complex issues we deal with.

It has instilled in me a great sense of humility with which I approach my work and a natural predisposition to listen to others.

My first 100 days on the job were very much focused on learning, meeting, and planning.

Learning about Ontario’s access and privacy laws in greater detail, recent amendments, IPC processes, people, and culture.

For all of this I owe a tremendous gratitude to my great team who welcomed me so warmly.

Meeting with many stakeholders across various sectors, my federal / provincial / territorial counterparts, other officers of the legislature, and other regulators.

And planning. Planning some early directions of my mandate and setting in motion a process that will help me identify our office’s strategic priorities for the next five years – the duration of my tenure.

From the outset, I established a few early directions for my mandate, including to:

  • focus on issues that matter most to Ontarians, informed by the broader global policy context, which in a world of trans-border data flows, inevitably has tremendous impact on us, and offers many lessons and examples to learn from
  • For example, Ontario IPC co-sponsored an international resolution on Accountability in AI at the most recent annual meeting of the Global Privacy Assembly
  • Collaborate with Canadian and international counterparts on cross-jurisdictional matters and other matters of common interest, such as education and guidance…
  • For example, we collaborated with the Federal OPC on the launch of the COVID-Alert App in Ontario; we continue to collaborate with our BC colleagues on the follow up to the LifeLabs breach investigation; and we are working with our F/P/T colleagues on developing guidelines for the use of facial recognition technologies in the law enforcement context.
  • Take a fair, practical and balanced approach to interpreting and applying new statutory provisions under PHIPA, FIPPA, and Part X of the CYFS
  • Continue to build on IPC’s strong legacy of public outreach and education.
  • For example, through my blog, virtual conferences like these, and other outreach means we are working on as we adapt to the new reality.
  • Connect with as many Ontarians as possible, y compris les Franco-Ontariennes et les Franco-Ontariens.
  • Je tiens à m’assurer que nous traduisons nos ressources en français autant que possible, et j’aimerai trouver et /ou créer des occasions spéciales à rejoindre la communauté francophone dans les mois qui suivent.

While these are some of my early directions, my office also recently launched a process by which we hope to identify what will be our strategic priorities for the next five years.

The purpose of this exercise is to focus our resources and energies on advancing access and privacy issues:

  • that matter most to Ontarians
  • that fall squarely within our mandate
  • that the IPC is best-suited to lead given our strengths, our capacity, and our ability to partner with others, and
  • on which we can realistically and feasibly have positive impact

That does not mean that we will stop doing what we are statutorily required to do, like receiving and processing access appeals and privacy complaints.

But it does mean that we will be guided by our strategic priorities when we make discretionary choices like what research projects to undertake, what guidelines or educational materials to develop, what issues to advocate for, and what topics to write or speak about at events and conferences.

For this purpose, we are working on a draft consultation paper which sets out a number of potential strategic priorities – a potential shortlist, so to speak.

The draft paper so far is based on our own research and environmental scanning of access and privacy issues.

It’s informed by the valuable intelligence gathered by experienced IPC staff who deal with complainants, stakeholders, and the general public on a daily basis and have their finger on the pulse of Ontarians’ concerns.

And it’s been guided by an ad hoc, independent group of experts from various sectors, disciplines, and perspectives who are serving as an external sounding board for us.

The composition and the terms of reference of our ad hoc advisory committee have been posted on our website for those of you interested to learn more.

The second meeting of the advisory committee is scheduled for this Friday, after which we hope to complete the draft consultation paper, and post it on our website in the coming weeks for comment.

I invite all of you to provide your input into the process and very much welcome your comments.

We will compile the feedback received, consider it carefully, and integrate what we heard into a final paper, which we intend to release, along with our final slate of strategic priorities, in the early part of 2021.

Let me now pivot, and give you a few concrete examples of some significant issues I have been dealing with since I started my mandate four months ago.

The very first issue I had to address, and which was, quite literally, urgently awaiting me on my first day was the COVID-Alert app.

As many of you know, this is a voluntary exposure notification app.

Unlike a contact tracing app, it does not involve the collection of personal information or geolocation information.

Although the app is supported by a federally-developed infrastructure, some aspects are particular to the province or territory in which it is used.

Because Ontario was the first province to launch the app, our office, along with our Federal OPC counterpart, was heavily involved in reviewing its privacy and security features.

While the OPC worked with the federal government to review the technical infrastructure and platform, the IPC worked with our provincial government to review the Ontario-specific features, like how the app interacts with our public health information systems, which are subject to oversight by my office.

We also both worked at our respective ends to influence the negotiations of the Federal-Ontario Memorandum of Understanding to ensure it included strong and robust undertakings on the part of both governments to protect and secure the information gathered from the app.

This was especially important knowing that the MOU would likely be used as a template model agreement for other provinces that would eventually come on board.

Our review was based on the F/P/T joint privacy principles for contact tracing and similar apps that had been developed in the early months of the pandemic.

The Ontario government agreed to all of our recommendations – very much to their credit, including undertakings to ensure:

  • that the app remains voluntary
  • that measures are in place to assess its ongoing effectiveness
  • that the app be decommissioned if it is no longer achieving its purpose
  • and that we be notified of any changes to the app that may affect its privacy and security safeguards.

In the end, as you well know, the IPC and OPC supported the use of the exposure notification app, conditional on its continued voluntariness and ongoing evaluation of its effectiveness, and we issued a joint press release to that effect.

I drew a few lessons from this early experience:

First, how incredibly effective it was to collaborate with another regulator and coordinate our reviews, particularly as we were each working with our respective governments to strengthen the complementary components of the app and influence their MOU negotiations literally in real time.

Second, how helpful it was to be able to base our review on principles that had been already been proactively developed by the f/p/t community a few months earlier and served as the guardrails against which to assess the initiative.

Third, how important and influential our voices are as regulators.

It was not lost on me how vital it was (and is) for the app to be widely adopted in order to maximize its effectiveness.

Anything we stated publicly would likely affect that level of confidence.

So, while we could never provide full-proof, 100% guarantees that nothing will ever go wrong, as a regulator, you need to work hard to satisfy yourself that all reasonable and necessary measures have been taken to reduce all anticipated risks and sufficiently protect Ontarians’ information.

And at some point, you have to have the courage to publicly stand by that assessment.

Let me give you a second example of an issue I have had to grapple with since the beginning of my mandate, and that is, the issue of body-worn cameras by police.

While this is an issue I have worked on in the past when I was involved in the development of the OPC’s 2015 guidelines on BWCs, what was interesting was to see how my views have changed since.

Whereas, I once approached this issue from a very privacy centric perspective, I find myself now, as a result of my new mandate to champion both privacy protection and access to information, recalibrating the weight ascribed to these important values, and am much more attuned to the access side of the equation.

Moreover, there is no question that the onset of the Black Lives Matter movement and the recent spotlight on tragic deaths and injuries to Indigenous peoples in the course of police-civilian encounters has mounted public demand for police accountability and transparency.

I have further come to realize that even taking into account both privacy and access still doesn’t provide a full picture.

There are other fundamental issues underlying the state of policing today, including civil rights, potential discrimination against individuals and marginalized groups, and a much broader conversation about appropriate funding levels for police, and how their role in the community should evolve to better integrate and become more effective in ensuring public safety.

Despite these considerable challenges, my view is that, with the necessary governance framework in place, BWC systems can be implemented in a manner that achieves the appropriate balance between respect for privacy rights of individuals and the need for access, accountability, and transparency.

We are currently working with the Toronto Police Service and its oversight board to develop a governance framework for implementation of its BWC program.

This includes a policy and accompanying procedures to ensure that the use of body-worn cameras by police to enhance community safety, police accountability, and public confidence, is carried out in a manner that respects Ontarians’ rights to privacy and access to information.

This involves clear, accountable, and transparent rules on when the cameras will be used to record images and when they should be turned off, depending on the sensitivity (e.g. people in a state of undress) and the context (e.g. in hospital settings that are inherently more sensitive).

It also encompasses clear guidelines on notices to be given to the public regarding the use of BWCs and when they’re turned on, access to the recordings, appropriate retention periods, restrictions on secondary use, and security safeguards required to be built into the cameras by the third party manufacturer.

We obtained an undertaking on the part of the TPS and the Board not to fully deploy their full BWC program until all the pieces of the governance framework are completed and officers have been properly trained on the rules.

We also got their agreement to adhere to a moratorium on the use of any facial recognition features of their BWC program until after the federal, provincial, and territorial privacy authorities have issued their guidelines on the issue, and the IPC is properly consulted.

We are hoping that all of this hard work with the TPS will serve as useful model for other police services in Ontario.

I draw several lessons from this experience.

First, societal values are not static. They evolve with time, circumstance, context, and perspective.

Second, issues are sometimes much broader than the piece that falls within the four corners of our mandate and it behooves us to work with others, like human rights commissions and civil society groups, to make sure our advice is supplemented by other necessary voices and perspectives.

And thirdly, given limited resources, we may not have the luxury of investing this much time and effort with all police services across Ontario. But if we can work with the service furthest along in its development of a BWC program, then our hope is to recoup that investment by providing a template model for others to follow.

Let me give you with a third example of a significant issue I (and many others) have been dealing with since joining the IPC.

That is, the accelerated digitization driven by the pandemic.

If anything, COVID-19 has sped up the digitization plans that many organizations were already thinking about before the pandemic, and are now certain to become part of our permanent reality for the foreseeable future.

A study by McKinsey Digital shows that the rate of business digital adoption already accelerated five years forward in just eight weeks following the onset of the pandemic.[1]

Also, as a result of COVID-19, remote working has shot up, particularly in certain sectors more than others, and recent studies suggest that remote working is here to stay, with only one in five employees wanting to return to the office full time.[2]

The Ontario government’s commitment to a “digital first” approach to service delivery has, by necessity, been bolstered by the current pandemic.

The government’s budget plan, released earlier this month, has set ambitious targets to increase the percentage of services that will be digitally accessible to Ontarians in the next two years — services like enhanced virtual health care, business permit approvals, and drivers’ license renewals….

Last week, the government announced it would invest $500 million over four years into the Ontario Onwards Acceleration Fund, as an important step towards its goal of making Ontario the leading digital jurisdiction in the world.

The COVID-19 pandemic has further led to a significant increase in remote health care.

The Canadian Medical Association found that as of May 2020 almost half of Canadians had accessed a physician using virtual care options.[3]

From March to April 2020 the Centre for Addiction and Mental Health (CAMH) saw a 750% increase in virtual care visits[4]  and that figure has very likely increased since.

Similarly, online learning is on the rise in Ontario. Since the onset of the COVID-19 pandemic, 92% of postsecondary students surveyed reported that some or all of their courses were moved online.[5]

When secondary schools reopened in September 2020, approximately 70% of students in Ontario began the year with a combination of in-school and remote learning days,[6] with students from 24 school boards spending as much as 50% of their time in virtual class settings.[7]

Again, that figure is highly likely to have risen further with school closures resulting from the second wave of the pandemic.

Unfortunately, cyberattacks and data breaches are also on the rise following the pandemic.

A recent survey of 251 Canadian security professionals found that cyberattack frequency has reached unprecedented levels.[8]

Of those surveyed, 99% said the volume of attacks they encountered has increased[9] and 86% found that attacks have increased in sophistication.[10]

New threats are taking advantage of the public’s heightened interest in COVID-19, by using information related to the virus to lure individuals into clicking on malicious links and attachments, such as fake statistics on infection rates and spread, public health updates, so-called cures and treatment information.

In April, the Canadian Centre for Cyber Security (CCCS) reported over a thousand of these COVID-19 type lures involving malicious imitations of the Government of Canada website[11] and anticipates that the use of such traps will only rise as the pandemic continues.[12]

As a result, our office has issued privacy and security guidance for public sector employees working from home.

We have reissued our phishing guidance from 2019 given its heightened relevance and importance.

We are consulting with various health stakeholders on virtual health guidelines, and we expect to be working closely with the Ontario Government on its digital identity and other digital first related initiatives.

Furthermore, we are taking our own, internal measures to support all of our employees working from home, facilitate online access to our tribunal services, and strengthen our information security posture in this new virtual environment.

Finally, let me address legislative reform, which has been particularly active on several fronts.

As many of you know, FIPPA was amended in 2019 to add a new data integration scheme (Part III.1).

The new provisions enable data integration units (DIUs) to indirectly collect personal information and link it with other information — within or across different ministries, and even with designated entities outside government — for the purpose of planning and evaluating government programs and services.

These new provisions also define requirements related to notice of collection, data minimization, limits on use and disclosure, de-identification, and security, among others.

The Minister of Government and Consumer Services is responsible for preparing data standards to establish additional rules for data integration, including:

  • how to link and de-identifying personal information
  • publicly reporting on the use of personal information
  • securely retaining and disposing of personal information

Data integration units cannot begin collecting personal information until the data standards have been approved by the IPC.

Currently, we are actively engaged with the Ministry of Government and Consumer Services and the working group of DIUs, providing detailed comments and recommendations on the draft data standards.

The IPC has also been given the power under this new scheme to review DIUs’ practices and procedures, order them to start, stop or change a practice or procedure, as well as to destroy personal information.

PHIPA has also undergone very significant amendments as of late.

Under Bill 119, Part V.1 was added to PHIPA to introduce a new governance regime for the provincial electronic health record. Although the Bill was passed in May 2016 (in the Health Information Protection Act, 2016), it only came into force last month.

As of October 1, 2020, Part V.1 designates Ontario Health as the prescribed organization responsible for the EHR.

As the prescribed organization, Ontario Health’s practices and procedures must be reviewed and approved by the IPC within one year (October 2021) and every three years afterwards.

Part V.1 set outs the following requirements for the EHR, including:

  • new rules setting out the shared obligations and accountabilities of multiple custodians collecting and using PHI from the EHR
  • logging instances where PHI is viewed, handled, or otherwise dealt with by the various health information custodians involved
  • consent directives for individuals to be able to withhold or withdraw consent to the collection, use or disclosure of their PHI in the EHR
  • conditions under which custodians may be permitted to override consent directives in certain circumstances, and subject to notice
  • new provisions setting out notification requirements in the event of breach in the context of the EHR, and
  • directions by the Minister of Health to disclose PHI to prescribed registries, prescribed entities, certain public health authorities or for research purposes.

Also, other PHIPA regulations have recently been adopted and will come into force on January 1, 2021.

These set out a framework for establishing, monitoring, and enforcing compliance with interoperability specifications that apply to a custodian’s digital health assets – essentially any electronic means chosen by a custodian to process PHI.

Pursuant to these new regulations, Ontario Health must establish these interoperability standards, at the direction of the minister.

If those standards pertain to privacy, security or right of access or correction, Ontario Health must consult with the IPC and take into consideration our recommendations before providing them to the minister for approval.

Ontario Health must publish interoperability specifications, develop a certification process to green light digital health assets that meet the required specifications, and monitor custodians’ compliance with the standards.

Ontario Health may refer cases of non-compliance to the IPC in the form of complaints, which we would then investigate.

Other extremely important PHIPA changes brought about by Bill 188 last spring, but are not yet operable pending the adoption of regulations which we anxiously await, are:

  • the administrative penalties scheme which would allow my office to issue fines against non-compliant organizations in accordance with the amounts prescribed in the regulations
  • deidentification definition that would prescribe the rules for information to be considered properly de-identified
  • electronic audit logs that custodians must maintain, audit, and monitor to keep track of every instance in which records are viewed, handled, modified or otherwise dealt with
  • and new rules that will apply to consumer electronic service providers that provide digital health apps, portals and/or platforms for consumers to be able to access, view and manage their own PHI

Finally, of course, there is the government’s ongoing consultation on a made-in-Ontario private sector privacy law.

My office filed a submission generally supporting an Ontario private sector privacy law and addressing the eight key areas the government invited comment on.

Our submission is available on our website.

The government is certainly awaiting to see what will happen with PIPEDA reform, and is, just like everyone else no doubt, combing through the 100+ pages of the new Federal Digital Charter Implementation Act, 2020 tabled just yesterday, to determine its implications for Ontarians.

This is a significant reform which, if adopted, will certainly strengthen some aspects of consumer privacy protection for the benefit of all Canadians.

However, as I stated in my submission, I still hope the Ontario government will pursue its own reflections on whether Ontarians might be better off with a substantially similar private sector privacy law that:

  • broadens the scope of the law’s application to include the nearly 5 million employees of provincially regulated private sector organizations which continue to operate in a legislative vacuum due to the constitutional limits of PIPEDA
  • levels the playing field with greater certainty and more predictable rules that work interoperably with those of other jurisdictions, by incentivizing responsible use and respectful treatment of data, while prohibiting unfair and inappropriate data management practices
  • designs a more comprehensive and coherent regime, with a better integrated, streamlined, and agile oversight mechanism to address complex data challenges that lie at the intersection of public, private and health sectors
  • creates a forward-looking, world-class private sector privacy law capable of rising to the emerging challenges of a digital age in a manner which accords with local values and culture, and ultimately, works best for the people and organizations of Ontario, including its significant proportion of small and medium enterprises

I can’t overemphasize how critically important it is for Canada to get this right.

I wish parliamentarians well in their careful deliberations of the Federal Bill C-11, and I look forward to participating in thoughtful, parallel discussions with our government here, about what will ultimately be best for Ontarians.

Thank you.

-30-

 

[1]  McKinsey Digital, “The COVID-19 recovery will be digital: A plan for the first 90 days” (14 May 2020), retrieved on October 29, 2020.

[2] PwC Canada, “Canadian Workforce of the Future Survey” (15 September 2020), retrieved on October 29, 2020.

[3] Canadian Medical Association “Virtual Care is Real Care: National Poll Shows Canadians are Overwhelmingly Satisfied with Virtual Health Care” (8 June 2020), retrieved on October 31, 2020.

[4] Centre for Addiction and Mental Health, “CAMH Enhances Virtual Capacity to Respond to Demand for Mental Health Services” (4 May 2020), retrieved on October 31, 2020.

[5] Statistics Canada, “How are Postsecondary Students in Canada Impacted by the COVID-19 Pandemic?” (12 May 2020), retrieved on October 31, 2020.

[6] Ontario Government, “COVID19: Reopening Schools” (8 October 2020), retrieved on October 31, 2020.

[7] Ontario Government, “Guide to Reopening Ontario’s Schools” (28 August 2020), retrieved on October 31, 2020.

[8] VMware Carbon Black, “Canada Threat Report: Extended Enterprise under Threat” (June 2020), retrieved on November 1, 2020.

[9] VMware Carbon Black, “Canada Threat Report: Extended Enterprise under Threat” (June 2020), retrieved on November 1, 2020.

[10] VMware Carbon Black, “Canada Threat Report: Extended Enterprise under Threat” (June 2020), retrieved on November 1, 2020.

[11] Canadian Centre for Cyber Security, “Cyber Threat Bulletin: Impact of COVID-19 on Cyber Threat Activity” (10 June 2020), retrieved on November 1, 2020.

[12] Canadian Centre for Cyber Security, “Cyber Threat Bulletin: Impact of COVID-19 on Cyber Threat Activity” (10 June 2020), retrieved on November 1, 2020.

This post is also available in: French

This post is also available in: French