Information and Privacy Commissioner Re-Affirms Call for Ontario Private Sector Privacy Law

TORONTO, June 14, 2022 /CNW/ – In the IPC’s 2021 annual report, released today, Ontario’s Information and Privacy Commissioner, Patricia Kosseim, renewed her call for a provincial private sector privacy law and updates to the province’s existing privacy and access regime.

“Ontario’s access and privacy laws were enacted long before any of the current technological solutions were even imaginable,” wrote Commissioner Kosseim. “As we hurtle toward a progressively digital world, Ontario’s access and privacy laws must catch up to these technological advances and ensure they reflect the society they are meant to regulate.”

Access and privacy rights for all Ontarians play a vital role in ensuring that the very cornerstones of an equitable digital Ontario are of solid construction, built to support the weight of the ever-expanding digital infrastructure of our online existence.

“Privacy laws that do not incentivize proactive risk mitigation, require notification in the event of data breaches, or regulate the increasing role of private sector actors are no longer fit for today’s realities,” added Commissioner Kosseim. “An access to information regime that takes years to process requests and obtain data that may have entirely lost its relevance is not a sustainable basis on which to build Ontario’s promising digital future.”

Some of the IPC’s major recommendations in its 2021 annual report include:

A made-in-Ontario private sector privacy law

In today’s increasingly digital landscape, Ontario needs its own modern, efficient, and effective private sector privacy law with enhanced privacy protections tailored to meet the needs of the people and businesses of Ontario. The government’s consultations on a made-in-Ontario private sector privacy law last year were promising but remain incomplete. It’s now up to the new government to pick up the mantle and actively pursue these efforts by leveraging the momentum toward stronger and more integrated privacy protection for all Ontarians.

Story continues

Support digital literacy skills in schools

While digital technologies offer undeniable opportunities for young people to connect, learn, and collaborate in ways that never existed before, the benefits also come with real world safety and privacy risks. It is essential to equip children and youth with the skills they need to navigate the digital environment safely and ethically. This includes a solid understanding of their privacy rights, taught as part of the Ontario primary and secondary school curricula.

Move forward with administrative penalties under the Personal Health Information Protection Act (PHIPA)

Significant amendments to PHIPA were introduced in 2020, but have yet to take effect, pending the adoption of regulations. One of those amendments sets out the IPC’s power to impose administrative monetary penalties for serious breaches of Ontario’s health privacy law. We urge the government to set forth the details of the administrative penalty scheme in regulations without further delay. Ontarians urgently need the assurance of knowing there will be real consequences imposed on the few bad actors who undermine the confidence of our province’s health care system.

The commissioner’s full recommendations, the year in review, and comprehensive statistics, including freedom of information requests, compliance rates, appeals and privacy complaints, are available at www.ipc.on.ca/about-us/annual-reports.

Additional resources:

IPC 2021 Annual Report
Key Statistics and Trends

Requests under the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act

• There were 55,578 freedom of information (FOI) requests filed across Ontario in 2021, a 26 per cent increase from 2020 when 44,167 were filed. This represents a near return to 2019 pre-pandemic levels when 60,394 FOI requests were filed.

• Overall, the provincial sector completed just under 64 per cent of FOI requests within 30 days, representing a 3 per cent decrease from last year.

• In 2021, the three provincial institutions with the most FOI requests were the Ministry of Environment, Conservation and Parks (8,820), the Ministry of the Solicitor General (6,329), and the Ministry of Children, Community, and Social Services (3,251).

• In the municipal sector, institutions completed 80 per cent of FOI requests within 30 days, representing a 2 per cent increase from the previous year.

• In 2021, the three municipal institutions with the most FOI requests were the Toronto Police Service (3,626), the City of Toronto (2,870), and Durham Regional Police Service (1,521).

Requests under the Personal Health Information Protection Act

• There were 137,481 requests for access to personal health information in 2021, a 2.5 per cent decrease from 2020 when 140,950 requests were received.

• Health institutions completed 137,234 requests for access to personal health information in 2021, representing a 30-day compliance rate of 92 per cent. This represents a decrease of 5 per cent from 2020.
  

• Health institutions provided full access to personal health information for 96 per cent of requests in 2021.

Health privacy breaches

• According to annual statistics reported by health information custodians, there were 11,263 breaches of personal health information in 2021.

• Unauthorized disclosure continued to be a leading cause of health privacy breaches, with 4,848 resulting from misdirected faxes. While this represents a decrease from 2020, misdirected faxes still account for the majority of unauthorized disclosure breaches in the health sector.

Requests under Part X of the Child, Youth and Family Services Act

• Child and family services providers subject to Part X received 9,980 requests for personal information in 2021, a 42 per cent increase from 2020, when 7,037 were received.

• Overall, the child and family services sector completed 6,929 requests within 30 days, a 72 per cent compliance rate.
  

• Full access to records was provided for 4,381 requests for personal information in 2021.

Privacy breaches in the child, youth, and family services sector

• The child and family services sector reported 508 breaches of personal information under Part X in 2021, compared to 588 in 2020.

• Unauthorized disclosure was the cause of 469 breaches. Of these, misdirected emails accounted for 275, 50 were due to misdirected faxes, and 144 were through other means.

IPC tribunal statistics

Overall, the IPC opened 2,923 files in 2021 and closed 2,976 files.

Access appeals opened, closed

• In 2021, the IPC opened 1,406 access appeals. Appeals relating to requests under the municipal access law represented 56 per cent of appeals, and 44 per cent were provincial.
  

• In total, appeals for access to general records made up the majority of all appeals, at 73 per cent.

• The IPC closed 1,356 appeals in 2021, compared to 1,136 the year before.

• In 2021, 20 per cent of appeals were resolved at early resolution and 56 per cent through mediation. Less than a quarter of appeals proceeded to adjudication.

Outcome of appeals

• Of the 233 appeals closed by an order by an IPC adjudicator in 2021, 54 per cent upheld the institution’s decision, 28 per cent partially upheld the institution’s decision, 17 per cent did not uphold the institution’s decision, and 1 per cent were dismissed after representations.
  

FIPPA/MFIPPA privacy complaints and self-reported breaches

• The IPC opened 359 files related to privacy complaints and breaches reported by institutions in 2021. Of those, 238 related to the municipal sector, and 121 related to the provincial sector. Overall, the IPC resolved 373 privacy files in 2021.

PHIPA health files

• The IPC opened more than 980 files related to health privacy files in 2021. Of those, 535 related to privacy breaches, including 177 related to misdirected or lost personal information, 170 related to unauthorized collection, use or disclosure, and 112 related to snooping. Cyberattacks were the cause of 32 breaches reported to the IPC by the health sector, representing a 45 per cent increase over the previous year.
  

• Of the remaining health privacy files, 205 related to access or correction complaints and 199 related to collection, use or disclosure complaints. The IPC initiated 41 files related to collection, use, and disclosure. The IPC closed 1,079 health privacy files in 2021.

Part X of CYFSA files

• In 2021, the IPC opened 165 privacy-related files under the CYFSA. Of those, 77 files related to privacy breaches reported by the child and family services sector, including misdirected or lost personal information (47 per cent), general unauthorized disclosure (35 per cent), and snooping (9 per cent).

• Of the remaining CYFSA privacy files opened in 2021, 64 were access or correction complaints, and 24 were collection, use or disclosure complaints.

• In 2021, we issued two decisions under Part X of CYFSA. These represent our first decisions under this legislation which set important precedents by helping to determine what constitutes the provision of service covered by Part X and defining the scope of adoption records excluded from the law.

Additional resources:

SOURCE Office of the Information and Privacy Commissioner/Ontario

View original content to download multimedia: http://www.newswire.ca/en/releases/archive/June2022/14/c1122.html