Latest news and opinions from the Bamboo Team
The Importance of Privacy Training and Policies in Healthcare Organizations
Effective, mandatory, and tracked privacy training and the consistent requirement and tracking of confidentiality agreements for all staff (including physicians) are essential operational necessities to ensure compliance with PHIPA, prevent unauthorized access and breaches caused by a lack of understanding, and demonstrate to the regulator that your organization has taken reasonable steps to protect personal health information. Taking these steps not only meets legal obligations but can also significantly mitigate the regulatory consequences if a breach were to occur.
Legal Privilege: Is It the Shield You Expect It To Be?
Legal privilege can be a powerful tool during a data breach, but it’s not a catch-all shield. The LifeLabs v IPC (2024) case shows that facts must still be disclosed under privacy laws, and simply involving legal counsel doesn’t guarantee protection. To navigate these limits, organizations need a strong Incident Response Plan that guides communication, supports privilege claims, and ensures compliance from the outset.
Data Subject Requests: The Hidden Risk in Plain Sight
Do you have a plan when it comes to Data Subject Requests (DSRs)? The frequency with which I hear “what is a DSR” or “what is a data subject” is astounding, particularly from companies that are business-to-consumer (B2C). This leads me to think that leaders in these organizations are not prepared for a very large and very public compliance gap in their businesses.
Quick Guide for IT Personnel: Understanding Employee Privacy on Company-Owned Devices
In today's digital work environment, companies have more tools than ever to boost productivity and efficiency. However, this shift also brings important questions about employee privacy, especially regarding information on company-owned devices.
Many employers and IT personnel believe that if they provide employees with a company-owned device (COD), employees should not have an expectation of privacy on that device. In other words, any activity taken on the COD or any information stored on the COD is fair game for the company to view and own. Operating under this mistaken assumption is a risk for the business and for IT personnel who are not familiar with what a “reasonable expectation of privacy” is, and it can expose the company to a privacy breach.
Understanding the legal aspects and potential risks is essential as businesses develop monitoring practices. This article will help employers and IT staff navigate the complexities of employee privacy in Canada, with practical examples and steps to protect your business while respecting employee rights.
5 Must Do’s for Clinic Managers (who are also NEW Privacy Officers)
Clinic Managers who have been delegated the task of Privacy Officer often feel overwhelmed with understanding privacy laws, operationalizing privacy best practices across the organization, and building a privacy culture. Here are 5 must do’s for clinic managers who are grappling with their new privacy role.
Vendor Vulnerabilities: The Privacy Risks Lurking in Your Supply Chain
If 61% of breaches are a result of third-party vendors, what can companies do to mitigate this risk? Developing a vendor due diligence process can help sift through the risky vendors. Reviewing your vendor’s privacy and security practices is not just a good business practice, but a legal requirement.
The ABCs of Bill 194: Pt. 3 Cybersecurity & AI
In Part 3 of the ABCs of Bill 194, we outline what organizations need to know to be compliant with the cybersecurity and artificial intelligence requirements.
The ABCs of Bill 194: Pt. 2 Balancing Children’s Privacy
In Part 2 of the ABCs of Bill 194, we delve into the intricate balance of safeguarding children’s privacy and how institutions like Children’s Aid Societies and School Boards can prepare for the regulations that will follow.
The ABCs of Bill 194: Pt. 1 Amendments to FIPPA
On November 25, 2024, Ontario's Bill 194, also known as the Strengthening Cyber Security and Building Trust in the Public Sector Act, reached royal assent. The passing of this Bill marks a significant milestone in Ontario's efforts to enhance digital security and trust within the public sector.
What to Expect for the U.S. Riding a New Wave of State Privacy Laws in 2025
The wave of new and updated U.S. state privacy laws is propelling the country towards stronger data protection standards as of January 2025. Evolving state laws are beginning to align with more seasoned privacy regulations of California and other jurisdictions worldwide, creating a unified and robust framework for data privacy.
Deceptive Design Patterns – Turning the Lights Out on Privacy
The Office of the Privacy Commissioner (OPC) and the Global Privacy Enforcement Network (GPEN) recently embarked on a sweep focusing on “Deceptive Design Patterns” (DDPs, also known as “Dark Patterns”) in websites and mobile apps, hunting for manipulative and deceptive designs that undermine users’ privacy.
Taming the AI Beast: A Risk-Based Guide to Smarter AI Governance
This article examines the EU AI Act, which introduces a risk-based regulatory framework for artificial intelligence (AI) by categorizing applications into four risk levels: unacceptable, high, limited, and minimal risk. It highlights the need to balance innovation and safety, particularly for high-risk systems that require stringent compliance measures. Additionally, the article discusses tiered regulations for general-purpose AI models based on their risks. Ultimately, the EU AI Act aims to create a secure environment for AI innovation while providing clear guidelines to protect users and adapt to evolving technologies.
Pack Your Digital Bag, Because Law 25’s Data Portability is Finally Here
Quebec's Law 25 now comes with the right to data portability. This article explains what this right is and how to implement it in compliance with the legislation, and walks through 10 practical action items to get you started on your data portability journey.
Third-Party Cookies are Here to Stay (and Play) Inside Google’s Privacy Sandbox
Google’s plans to follow suit with other big browsers like Safari and Firefox and remove third-party cookies (TPCs) from Chrome have come to a crashing stop. The decision to keep TPCs in their web browser is the culmination of many years of back-and-forth discussion on Google’s end (since the year 2020). They have ultimately decided to simply enhance their privacy settings without losing an advertising penny from their large pockets. Their solution – the Privacy Sandbox.
Use of AI in the Workplace
With the increased use of AI, particularly in the workplace, and with legislation on the way (irrespective of whether any legislation governs the use of AI right now), there is a risk to your business if you do not regulate how your employees use it.
Think Again: Breach Notification is Required
Breach notification plays out differently within various sectors in Ontario. From health legislation to municipal regulations, incident obligations can vary and sometimes operate in a gray area or piggyback off “best practice” approaches.
Hashing Isn’t a Magic Cloak: Why Data Remains Unmasked
Hashing is a popular tool in data analysis for businesses, known for its ability to convert personal data into an anonymous format. However, hashed data is not truly anonymized and can be vulnerable to attacks that may re-identify the original data. To ensure data privacy, it's important to use hashing alongside other methods like encryption and tokenization, and to understand privacy regulations and best practices. This approach provides a more robust way to safeguard sensitive information. Explore advanced techniques to protect your data assets while maintaining privacy and security.
Unlocking Retail Potential: The Power of Data Clean Rooms
Data clean rooms have emerged as a pivotal solution for retailers seeking to harness the power of data collaboration without compromising privacy. For retailers, the advantages are numerous: from gaining deeper insights into customer behaviour to enhancing targeted marketing strategies, data clean rooms offer a treasure trove of opportunities. However, the journey has its challenges. Retailers must navigate issues such as data integration complexities, compliance with privacy regulations, and the need for robust security measures. Choosing the right data clean room is crucial and involves evaluating factors such as scalability, ease of use, and the ability to integrate with existing systems. This article delves into the intricacies of data clean rooms, exploring their benefits, challenges, and key considerations for retailers aiming to leverage this innovative technology.
Non-profits and Privacy Laws - Yes, No, Maybe?
As a non-profit, you will likely collect and have access to highly sensitive data, be it from members, supported individuals, minors, volunteers or donors – you are privy to quite a lot. You may be exempt from several onerous pieces of legislation; however, non-profit organizations are not automatically exempt from PIPEDA. The Office of the Privacy Commissioner of Canada (OPC) has said that “Whether an organization is a non-profit business for purposes of taxation is not determinative of whether its collection, use or disclosure of personal information is carried out in the course of commercial activity”. So is it a “maybe”? Over the years there have been several cases in Ontario trying to determine this question.