Privacy watchdog gets more teeth in PC’s mini-budget bill

By Sabrina Nanji April 2, 2020

Ontario’s privacy watchdog is lauding changes in last week’s mini-budget bill that bolster data governance in the province. 

Bill 188, the spring fiscal plan that passed last week, doled out headline-grabbing financial aid related to the COVID-19 crisis, but also quietly overhauled freedom of information and health privacy laws. 

“The provisions here are good, I think for the most part they’re really positive, but I’m hard pressed to say that they’re connected to the pandemic response,” information and privacy commissioner Brian Beamish told Queen’s Park Today by phone Tuesday. 

The changes empower the commissioner to levy fines for privacy violations and establish rules for third-party organizations that can collect and use data. 

Beamish noted his office will be “carefully” scrutinizing the regulatory details to ensure Ontarians’ privacy is protected and to quash the potential for “commercialization of health data.” 

“This is where the details of the regulation are going to be crucial,” Beamish said. “It all depends on risk, who is going to use [the data], and what they’re going to use it for.” 

The government is drafting a new standard for “de-identification” — the process of stripping personal identifiers from data sets — that will guide the collection and use of information. 

“If you’re talking about a company that wants to take data and sell it to a pharmaceutical company, there the risk is high,” Beamish said, adding that regulations must be “rigorous” so that “re-identification” is not easy. 

Bill 188 allows the government to designate any entity as an “extra-ministerial data integration unit.” 

Organizations outside the public sector, including non-profits, private firms and even Sidewalk Labs, could be authorized to both collect personal data from Ontarians with their permission and obtain data from the province, but rules and penalties surrounding this will be managed by Beamish’s office. 

“As long as the government is careful about who they designate, I think this is quite workable,” he said. 

Consumer electronic service providers, such as medical apps, will also fall under the watchdog’s purview. 

“The principle is good, that people should be able to access their health data through apps, but the safeguards around that — what the companies can do with that information, what they can collect — will be left to regulation … We’re really going to have to scrutinize carefully,” he said. 

The public can take “comfort that there will be really good rules in place to make sure that’s not abused,” he added. 

Beamish can now slap fines to prevent “a person from deriving, directly or indirectly, any economic benefit as a result of a contravention.” 

Ontario is the first province in Canada to enshrine administrative penalties for breaching privacy law, something the other federal and provincial commissioners have been pushing for. (Specific administrative fines will be determined via regulation; the fines for convictions under the health privacy act have been doubled.)

The bill also enables Beamish’s office to better track who is accessing medical records, in order to catch health-care workers who may be snooping. 

A senior government official, speaking on background, said the changes will enable information sharing, such as lab results, between public health units and hospitals, which is critical during an outbreak.

This article was updated to include a response from the government.