The Office of the Information and Privacy Commissioner of Ontario (OIPC) released its 2018 Annual Report: Privacy and Accountability for a Digital Ontario on Wednesday, July 10, 2019. This report signals a move toward increased regulatory oversight and expectations from the provincial commissioner. Ontario organizations can likely expect increased scrutiny of how they collect, use, transfer, and disclose personal information.

Some of the key takeaways for Ontario businesses from the report include:

The OIPC reports a rise in the frequency of ransomware incidents, with Ontario municipalities and health care institutions being particular targets of such attacks.

The OIPC underscores the need for organizations to regularly update "measures in place to secure their systems and enable early detection" as well as a protocol to deal with the attack once it happens. Outsourcing data processing to third parties does not relieve the original organization of its accountability for protecting the personal information.

The OIPC flags the increased use of video surveillance by both the public and the private sector as a risk to Ontario's privacy. The OIPC guides organizations to limit surveillance and the amount of personal information collected and retained in order to balance individual privacy with security.

Referring to the development of “smart cities” and in particular the federal government’s Smart Cities Challenge, the OIPC states that data and technology should "not come at the expense of privacy". Privacy should not be treated as an afterthought—it must be built into the plan from the beginning.

For businesses involved with smart cities, the OIPC recommends the following considerations: avoid "tech for tech's sake"; remember that accountability rests with the original institution when outsourcing; de-identify personal data when possible; engage the community; and be transparent.

The report remarks favourably on a pilot project where "artificial intelligence was used to detect and interpret network activity in ways that would not be possible through manual auditing and other preventative mechanisms". In particular, the OIPC is optimistic about the use of artificial intelligence to improve detection rates, improve accuracy, and address unauthorized access—all of which could result in fewer data breaches.

6,000 of the reported 11,000 health information privacy breaches in 2018 were the result of misdirected faxes. The OIPC recommends Ontario's health care organizations "reduce or eliminate dependence on fax machines". Ontario private businesses may also wish to consider following this guidance.

Conclusion

This recent guidance from the OIPC reflects the growing trend in Canada (and worldwide) toward increased regulatory oversight of privacy matters, and the heightened expectations of public and private organizations. A high-level overview of these expectations includes the following:

  • ingrain privacy into your operations;
  • regularly assess your risks and vulnerabilities so that you understand the potential sources of an attack (hostile outsider; disgruntled employee; negligent employee; etc.), and how those risks could materialize;
  • ask the pertinent questions such as:
    • Do you regularly train employees about privacy and cybersecurity?
    • Do you have a password policy? Is your password policy up-to-date?
    • Do you encrypt sensitive data?
    • Do you require multi-factor authentication for remote access?
    • Are hard copy files containing personal information secured?
    • Can you exclude outsiders from your physical premises and detect them if they enter?
    • Do you limit the collection of personal information as much as possible?
    • Do you limit access to personal information to those who need to know?
    • Do you have valid and meaningful consent from individuals regarding the collection, use, transfer and disclosure of their personal information?
    • Do you destroy all personal information once you no longer require it?
    • Do you know what safeguards are employed by all third parties with whom you contract to process or store personal information you have collected?
    • Do you know whom to call in the event of a data breach or security incident?
  • take reasonable steps to address your risks and vulnerabilities;
  • recognize that a failure by a third party retained to process personal information remains your responsibility, and address that risk through contractual terms;
  • implement measures for early detection of an attack; and
  • have an incident response plan in place so you have a well-thought-out and rehearsed plan for how to deal with a breach.

Address these critical business risks with the assistance of legal and forensic experts in advance of an attack. It will save your organization the expense of being caught off-guard. Being proactive not only reduces the potential for being subject to an attack; it also reduces the potential exposure from an attack.