
New Report from the Ontario Privacy Commissioner: Key Takeaways for Ontario Businesses

July 16, 2019

Written by Ruth Promislow and Katherine Rusk

The Office of the Information and Privacy Commissioner of Ontario (OIPC) released its 2018 Annual Report: Privacy and Accountability for a Digital Ontario on Wednesday, July 10, 2019. This report signals a move toward increased regulatory oversight and expectations from the provincial commissioner. Ontario organizations can likely expect increased scrutiny of how they collect, use, transfer, and disclose personal information.

Some of the key takeaways for Ontario businesses from the report include:

Cyberattacks

The OIPC reports a rise in the frequency of ransomware incidents, with Ontario municipalities and health care institutions being particular targets of such attacks.

The OIPC underscores the need for organizations to regularly update "measures in place to secure their systems and enable early detection" as well as a protocol to deal with the attack once it happens. Outsourcing data processing to third parties does not relieve the original organization of its accountability for protecting the personal information.

Surveillance

The OIPC flags the increased use of video surveillance by both the public and the private sector as a risk to Ontario's privacy. The OIPC guides organizations to limit surveillance and the amount of personal information collected and retained in order to balance individual privacy with security.

Smart Cities

Referring to the development of “smart cities” and in particular the federal government’s Smart Cities Challenge, the OIPC states that data and technology should "not come at the expense of privacy". Privacy should not be treated as an afterthought—it must be built into the plan from the beginning.

For businesses involved with smart cities, the OIPC recommends the following considerations: avoid "tech for tech's sake"; remember that accountability rests with the original institution when outsourcing; de-identify personal data when possible; engage the community; and be transparent.

Artificial Intelligence

The report remarks favourably on a pilot project where "artificial intelligence was used to detect and interpret network activity in ways that would not be possible through manual auditing and other preventative mechanisms". In particular, the OIPC is optimistic about the use of artificial intelligence to improve detection rates, improve accuracy, and address unauthorized access—all of which could result in fewer data breaches.

Fax Machines

6,000 of the reported 11,000 health information privacy breaches in 2018 were the result of misdirected faxes. The OIPC recommends Ontario's health care organizations "reduce or eliminate dependence on fax machines". Ontario private businesses may also wish to consider following this guidance.

Conclusion

This recent guidance from the OIPC reflects the growing trend in Canada (and worldwide) toward increased regulatory oversight of privacy matters, and the heightened expectations placed on public and private organizations. A high-level overview of these expectations includes the following:

  • ingrain privacy into your operations;
  • regularly assess your risks and vulnerabilities so that you understand the potential sources of an attack (hostile outsider; disgruntled employee; negligent employee; etc.), and how those risks could materialize;
  • ask the pertinent questions such as:
    • Do you regularly train employees about privacy and cybersecurity?
    • Do you have a password policy? Is your password policy up-to-date?
    • Do you encrypt sensitive data?
    • Do you require multi-factor authentication for remote access?
    • Are hard copy files containing personal information secured?
    • Can you exclude outsiders from your physical premises and detect them if they enter?
    • Do you limit the collection of personal information as much as possible?
    • Do you limit access to personal information to those who need to know?
    • Do you have valid and meaningful consent from individuals regarding the collection, use, transfer and disclosure of their personal information?
    • Do you destroy all personal information once you no longer require it?
    • Do you know what safeguards are employed by all third parties with whom you contract to process or store personal information you have collected?
    • Do you know whom to call in the event of a data breach or security incident?
  • take reasonable steps to address your risks and vulnerabilities;
  • recognize that a failure by a third party retained to process personal information remains your responsibility, and address that risk through contractual terms;
  • implement measures for early detection of an attack; and
  • have an incident response plan in place so you have a well-thought-out and rehearsed plan for how to deal with a breach.

Address these critical business risks with the assistance of legal and forensic experts in advance of an attack. It will save your organization the expense of being caught off guard. Being proactive not only reduces the potential for being subject to an attack; it also reduces the potential exposure from an attack.

If you would like further information or advice in respect of privacy and cybersecurity matters, the Data Protection and Privacy team at Bennett Jones is available to assist.

Author

  • Ruth E. Promislow, Partner
