Ontario privacy commissioner asks province to fill legislative gaps for better data protection

Patricia Kosseim seeks safeguards and independent oversight for public sector’s AI use

Patricia Kosseim, Ontario’s information and privacy commissioner (IPC), has called on the provincial government to fill legislative and regulatory gaps relating to cybersecurity attacks threatening Ontarians’ personal information and ensure clear rules and oversight over artificial intelligence (AI) technologies. 

The IPC included this call to action in its 2024 annual report, “From Vision to Impact: Five Years of Privacy and Transparency in a Digital Ontario,” released this month. 

“In a world where trust is increasingly hard to come by, Ontarians deserve clear rules, strong safeguards, and full transparency from their institutions,” Kosseim said in the IPC’s news release. 

“Whether it’s how decisions are made, how personal data is used, or how emerging technologies are governed, our office will continue pushing for real accountability, because public trust is the foundation of a healthy democracy,” Kosseim added. 

The IPC urged the Ontario government to introduce meaningful and enforceable regulations tackling the gaps resulting from Bill 194, which enacted the Enhancing Digital Security and Trust Act (EDSTA) and amended the Freedom of Information and Protection of Privacy Act (FIPPA). 

Specifically, the IPC asked the province to: 

  • independently oversee the public sector’s AI utilization 
  • impose safeguards on such use 
  • introduce robust cybersecurity measures protecting Ontarians’ sensitive data 
  • strongly protect children’s digital information 
  • amend the Municipal Freedom of Information and Protection of Privacy Act to align with the FIPPA changes 

The IPC noted that failing to align the two enactments could lead to confusion for organizations and frustration for Ontarians, who expect consistent privacy rights across the province’s public sector. 

In health arena

Regarding the digital health system, the IPC encouraged the provincial government to: 

  • incorporate stronger accountability measures within the Personal Health Information Protection Act (PHIPA) 
  • ensure that any accompanying regulations in the future promote meaningful access and protections for Ontarians’ health information 
  • maintain individuals’ full access rights to their health records 
  • include privacy-enhancing principles in designing digital health IDs 
  • ensure strong governance and oversight, especially when third-party vendors deliver digital health services 

In the government’s news release, the IPC acknowledged the potential benefits of enhancing access to the electronic health record system via digital health IDs. However, the IPC noted the risk that the system would lack the needed clarity, transparency, and other safeguards. 

On government decisions

Regarding government decision-making, the IPC urged Ontario to: 

  • improve its record-keeping policies and practices 
  • ban the use of personal devices and accounts for government-related business 
  • regularly monitor compliance 
  • legislate a duty to document communications, decisions, and actions 
  • explicitly codify an institutional requirement to define and implement the proper retention measures 

The IPC found systemic issues in the government’s practices. These include using personal devices and email accounts for government-related business, using code words that led to challenging freedom of information (FOI) searches, poor information retention practices, and insufficient documentation of significant government decisions. 

In the government’s news release, the IPC noted that these practices could threaten transparency and the public trust in government institutions.