Ontario privacy commissioner orders health ministry data integration unit to meet standards

Unit ordered not to resume operations until it abides by information protection provisions

The Information and Privacy Commissioner of Ontario (IPC) has expressed concern regarding the slow progress of the Ministry of Health’s inter-ministerial data integration unit (MOH IMDIU) toward complying with applicable data standards over the three years since the initial review. 

The findings in IPC’s first three-year review of the MOH IMDIU’s practices and procedures from 2022–25 focused on whether the unit complied with applicable privacy and security obligations and responded appropriately to IPC’s orders and recommendations from the initial review in 2022. 

The IPC ordered the MOH IMDIU to refrain from recommencing its operations until the IPC was satisfied that it complied with certain requirements regarding its practices and procedures under Part III.1 of the Freedom of Information and Protection of Privacy Act, 1990 (FIPPA) and the Ontario Public Service data integration standards. 

Among other requirements, the IPC ordered the MOH IMDIU to: 

  • Conduct a privacy impact assessment (PIA) to identify, analyze, and mitigate potential privacy risks where required 
  • Conduct threat and risk assessments and keep and review audit logs as reasonable in the circumstances 
  • Implement retention requirements for personal information and coded information 
  • Implement security measures reasonable in the circumstances to protect personal information and coded information retained and/or transferred in electronic format from theft, loss, and unauthorized use and disclosure 
  • Execute a data sharing agreement or obtain a written acknowledgement when collecting or disclosing personal information, coded information, and/or de-identified information, where required 
  • Ensure that personal information and coded information are backed up in a manner that allows their full recovery, and that the data integration unit (DIU) has an effective business continuity and disaster recovery plan 
  • Verify the secure disposal or destruction of personal information, coded information, and the storage media containing the information 
  • Publish a report on the use of personal information and an annual report 

Background

According to the report on the review, Part III.1 of the FIPPA is intended to strike a balance between safeguarding Ontarians’ sensitive personal information and enabling governmental data analysis in order to: 

  • manage or allocate resources 
  • plan the delivery of programs and services 
  • evaluate such programs and services 

To attain these objectives, Part III.1 establishes DIUs, which under strict conditions can collect, link, de-identify, and analyze sensitive personal information that the government would otherwise be required by law to keep separate. 

Part III.1 requires DIUs to implement robust privacy and security protections and to meet strong checks and balances, including the IPC’s periodic assessment of whether DIUs are meeting the privacy and security rules under the law. 

The MOH IMDIU is one of three types of DIUs, with the other two being the ministry data integration unit (MDIU) and the inter-ministerial data integration unit (IMDIU). 

The IPC reviews an IMDIU’s practices and procedures before it can start collecting personal information, and then reviews it again at least once every three years thereafter. 

Editor's Note: This article was corrected to clarify that the unit was not directed to stop operations but was instead ordered not to resume operations.