The Office of the Information and Privacy Commissioner of Ontario (OIPC) released its 2018 Annual Report: Privacy and Accountability for a Digital Ontario on Wednesday, July 10, 2019. This report signals a move toward increased regulatory oversight and expectations from the provincial commissioner. Ontario organizations can likely expect increased scrutiny of how they collect, use, transfer, and disclose personal information.
Some of the key takeaways for Ontario businesses from the report include:
The OIPC reports a rise in the frequency of ransomware incidents, with Ontario municipalities and health care institutions being particular targets of such attacks.
The OIPC underscores the need for organizations to regularly update "measures in place to secure their systems and enable early detection" as well as a protocol for dealing with an attack once it happens. Outsourcing data processing to third parties does not relieve the original organization of its accountability for protecting the personal information.
The OIPC flags the increased use of video surveillance by both the public and the private sector as a risk to Ontario's privacy. The OIPC guides organizations to limit surveillance and the amount of personal information collected and retained in order to balance individual privacy with security.
Referring to the development of “smart cities” and in particular the federal government’s Smart Cities Challenge, the OIPC states that data and technology should "not come at the expense of privacy". Privacy should not be treated as an afterthought—it must be built into the plan from the beginning.
For businesses involved with smart cities, the OIPC recommends the following considerations: avoid "tech for tech's sake"; remember that accountability rests with the original institution when outsourcing; de-identify personal data when possible; engage the community; and be transparent.
The report remarks favourably on a pilot project where "artificial intelligence was used to detect and interpret network activity in ways that would not be possible through manual auditing and other preventative mechanisms". In particular, the OIPC is optimistic about the use of artificial intelligence to improve detection rates, improve accuracy, and address unauthorized access—all of which could result in fewer data breaches.
6,000 of the reported 11,000 health information privacy breaches in 2018 were the result of misdirected faxes. The OIPC recommends Ontario's health care organizations "reduce or eliminate dependence on fax machines". Ontario private businesses may also wish to consider following this guidance.
This recent guidance from the OIPC reflects the growing trend in Canada (and worldwide) toward increased regulatory oversight of privacy matters, and the heightened expectations placed on public and private organizations. A high-level overview of these expectations includes the following:
Address these critical business risks with the assistance of legal and forensic experts in advance of an attack. It will save your organization the expense of being caught off-guard. Being proactive not only reduces the potential for being subject to an attack; it also reduces the potential exposure from an attack.
If you would like further information or advice in respect of privacy and cybersecurity matters, the Data Protection and Privacy team at Bennett Jones is available to assist.