Ontario - Data Protection Overview

February 2024

1. Governing Texts

The Office of the Information and Privacy Commissioner of Ontario's ('OIPC') role is to ensure that Ontario public institutions and health information custodians abide by privacy laws and principles. The OIPC assists with resolving privacy complaints and has broader powers to investigate and research privacy and data protection issues. The OIPC also publishes guidance documents to promote compliance with Ontario's privacy laws.

In Ontario, public organizations are governed by the following access and privacy laws:

These acts help to protect personal information and data held by Ontario public institutions. More information on these acts is found below.

1.1. Key acts, regulations, directives, bills

There are five main statutes that the OIPC oversees:

  • FIPPA and associated regulations protect the privacy of individuals with respect to personal information about themselves that is held by provincial institutions and provide individuals with a right of access to that information;
  • the MFIPPA and associated regulations protect the privacy of individuals with respect to personal information about themselves that is held by municipal institutions and provide individuals with a right of access to that information;
  • PHIPA and the associated regulation establish rules for the collection, use, and disclosure of personal health information, provide individuals with a right to access their personal health information, and provide for independent review and resolution of complaints with respect to personal health information;
  • Part X of the CYFSA and associated regulations establish rules to protect the privacy and confidentiality of personal information in the custody or control of service providers and to enable access to personal information; and
  • the Anti-Racism Act authorizes or requires select public sector organizations to collect and use personal information for the purposes of eliminating systemic racism and sets out privacy obligations to protect that personal information.

The Office of the Privacy Commissioner of Canada ('OPC') administers the two federal privacy statutes which are applicable in Ontario:

The Privacy Act and associated regulations apply to the Government of Ontario's ('the Government') collection, use, and disclosure of personal information while providing services such as old age security pensions, employment insurance, and tax collection and refunds. PIPEDA and associated regulations establish the rules for how private-sector organizations collect, use, and disclose personal information during for-profit, commercial activities across Canada.

On June 17, 2021, the Government released the Modernizing Privacy in Ontario white paper outlining its proposals for modernizing Ontario's privacy regimes and enhancing the public's confidence in Ontario's digital economy. The white paper suggests that the proposed new legislation would be supplementary to PHIPA. On June 14, 2022, the OIPC's current commissioner, Patricia Kosseim, reiterated the need for an Ontario private sector privacy law and for updates to Ontario's existing privacy and access regime.

On June 16, 2022, the Government introduced Bill C-27, the Digital Charter Implementation Act, 2022. If passed, Bill C-27 would:

  • enact the Consumer Privacy Protection Act ('CPPA'), which would replace parts of PIPEDA that regulate the processing of personal information;
  • enact the Personal Information and Data Protection Tribunal Act, which establishes an administrative tribunal to hear appeals of certain decisions made under the CPPA and impose penalties for contravention of its provisions; and
  • enact the Artificial Intelligence and Data Act, which introduces rules to regulate high-impact artificial intelligence systems.

This bill has just passed its second reading and is currently being considered by the Standing Committee on Industry and Technology in the House of Commons.

The focus of this summary will be on FIPPA, the MFIPPA, and PIPEDA, with more limited information on PHIPA, the CYFSA, and the Privacy Act.

Healthcare

The Ontario Personal Health Information Protection Act, 2004 ('PHIPA') and Ontario Regulation 329/04 under PHIPA ('the Regulation') apply to the healthcare sector and to organizations that receive or process personal health information.

1.2. Guidelines

Both the OIPC and the OPC regularly publish guidance materials on their websites to inform organizations and the public about their rights and responsibilities under Ontario's and Canada's privacy laws.

1.3. Case law

The OIPC and OPC will, from time to time, publish reports related to their enforcement actions on their website. Such enforcement reports are complemented by case law in order to provide direction to organizations and individuals with respect to privacy compliance requirements.

A notable case under Canadian common law is Jones v. Tsige, 2012 ONCA 32. In this case, the Ontario Court of Appeal ('the Court of Appeal') recognized a right of action for intrusion upon seclusion, which is essentially a common law tort of invasion of privacy. Both parties worked at different branches of the Bank of Montreal ('BMO'). Tsige, the defendant, became involved with Jones' former husband, and Tsige used her workplace computer to access Jones' personal BMO accounts over 100 times in the span of four years. Jones became suspicious and reported Tsige to BMO. Tsige has since apologized for her actions. Jones brought an action against Tsige for the tort of invasion of privacy.

The motion judge dismissed Jones' motion, and Jones appealed to the Court of Appeal. The Court of Appeal reviewed Canadian and American common law and legislation and held that recognizing a right of action for intrusion upon seclusion was appropriate. The main elements of such an action are that:

  • the defendant's conduct was intentional;
  • the defendant invaded the plaintiff's private affairs or concerns without lawful justification; and
  • a reasonable person would regard the invasion as highly offensive, causing distress, humiliation, or anguish.

The Court of Appeal also fixed the range of damages for intrusion upon seclusion at up to CAD 20,000 (approx. $14,810).

The Court of Appeal found that Tsige committed the tort of intrusion upon seclusion as her actions satisfied the three elements of the action. In determining damages, the Court of Appeal considered the deliberateness of Tsige's actions balanced by the fact that Jones suffered no public embarrassment or financial harm and Tsige's apology for her conduct. The Court of Appeal fixed the damages award at CAD 10,000 (approx. $7,400).

The common law tort of intrusion upon seclusion established in Jones v. Tsige has been limited by the Court of Appeal to cases where the defendant itself has deliberately invaded the plaintiff's privacy.

On November 25, 2022, the Court of Appeal released a trio of decisions which held that the tort of intrusion upon seclusion is not an available cause of action against a defendant who failed to prevent a privacy breach by a third-party threat actor. Owsianik v. Equifax Canada Co., 2022 ONCA 813, Obodo v. Trans Union of Canada, Inc., 2022 ONCA 814, and Winder v. Marriott International, Inc., 2022 ONCA 815 were proposed class actions arising from cyberattacks on commercial defendants who collected and stored personal information.

In all three decisions, the plaintiffs pleaded the tort of intrusion upon seclusion in the context of third-party threat actors accessing or using the plaintiffs' personal information, which the commercial defendants had collected in the course of business. The plaintiffs alleged that under the tort of intrusion upon seclusion, the defendants were liable for failing to take adequate steps to protect the personal information from the threat actors.

The Court of Appeal relied on the test for certification as a class proceeding under Section 5(1)(a) of the Ontario Class Proceedings Act, 1992, whereby a plaintiff must establish that the pleading discloses a cause of action.

After applying the Section 5(1)(a) test, the Court of Appeal found that it was plain and obvious that the claim for intrusion upon seclusion could not succeed on the facts of the case since the 'intrusion' flowed from the threat actor's conduct in illegally accessing the stored information, rather than the defendant's alleged failure to protect the information. The Court of Appeal further stated that extending the tort of intrusion upon seclusion to circumstances involving a third-party threat actor would be a 'giant step in a very different direction' since defendants would be liable for the intentional torts of third parties.

The Court of Appeal reiterated that victims of a data breach have other remedies in their toolkit, including suing the threat actors for breach of privacy or pursuing a claim in contract, negligence, or statute against the defendant company that was subject to the data breach. In all three decisions, applications for leave to appeal to the Supreme Court were rejected.

On January 31, 2024, the Ontario Court of Appeal confirmed its earlier analysis in the trilogy. In Del Giudice v. Thompson, 2024 ONCA 70, the Court again dismissed a class action in which the plaintiffs sued Capital One and Amazon Web Services for having been hacked and, as a result, exposing the public's personal and confidential information. While the appellants sought to distinguish their case from the trilogy on the grounds that their complaint was not based on negligent custodianship but concerned the improper retention and use of data, the Court of Appeal held that the faults alleged against Capital One and Amazon could not satisfy one of the key elements of invasion of privacy: the information at issue was not offensive and could not be considered humiliating by a reasonable person.

While recent Court of Appeal decisions denied the extension of the tort of intrusion upon seclusion to data breaches by third-party threat actors, victims of data breaches may soon be able to rely on a statutory cause of action for damages against companies that are subject to the proposed CPPA under Bill C-27.

2. Scope of Application

2.1. Personal scope

FIPPA applies to institutions. These are defined in Section 2(1) of the FIPPA as the Legislative Assembly, a ministry of the Government, a service provider organization under Section 17.1 of the Ministry of Government Services Act 1990, a hospital, and any other body designated as an institution in the regulations (including universities and colleges).

The MFIPPA applies to institutions, namely a municipality, a municipal board (including but not limited to a city board, school board, transit commission, or police services board), and any other body designated as an institution in the regulations (Section 2(1) of the MFIPPA).

PHIPA applies to the collection of personal health information by a health information custodian ('HIC') and the use or disclosure of personal health information by an HIC or a person to whom an HIC disclosed the information. The HIC is defined to include a health care practitioner, a person who operates a hospital, long-term care home, retirement home, pharmacy, or home for special care, the Minister of Health and Long-Term Care, and any other person that has custody or control of personal health information (Section 3 of the PHIPA).

Part X of the CYFSA applies to service providers. A service provider is defined as the Minister of Children and Youth Services, a licensee under the CYFSA, a person or entity that provides a service funded under the Act, a prescribed person or entity, or a lead agency designated by the Minister (Sections 2(1) and 281 of the CYFSA). Institutions subject to FIPPA or the MFIPPA (Section 285(2) of the CYFSA) and health information custodians subject to PHIPA are exempt from Part X of the CYFSA.

The Privacy Act applies to the Federal Government of Canada ('the Federal Government') institutions listed in Schedule 3.

PIPEDA applies to organizations, including associations, partnerships, not-for-profit organizations, persons, and trade unions. Organizations captured under PIPEDA include those that collect, use, or disclose personal information during commercial activities. PIPEDA also applies to organizations that collect, use, or disclose personal information about an employee or an applicant for employment with the organization in connection with the operation of a federal work, undertaking, or business (Sections 2 and 4 of the PIPEDA). Essentially, PIPEDA applies to federally regulated organizations and private sector organizations operating in Ontario.

However, as Ontario has enacted PHIPA (which is substantially similar to PIPEDA), organizations subject to PHIPA are generally exempt from PIPEDA with respect to the collection, use, or disclosure of personal health information.

Generally, FIPPA and the MFIPPA prevail over any other Ontario legislation (with a few exceptions). Another law must expressly state that it prevails over FIPPA or the MFIPPA in order to do so.

2.2. Territorial scope

The territorial scope of the laws mentioned in this note is Ontario, with PIPEDA also being applicable, given that it is federal legislation.

2.3. Material scope

Personal information means recorded information about an identifiable individual, including ethnicity, age, sex, marital status, education, employment history, identifying numbers, address, personal opinions, or criminal history (Section 2(1) of the FIPPA and Section 2(1) of the MFIPPA). Under the CYFSA, personal information has the same meaning as it does in FIPPA (Section 2(1) of the CYFSA).

Personal health information means identifying information about an individual in oral or recorded form where such information is a plan of service or health number, identifies a health care provider or substitute decision-maker, is derived from the testing of bodily substances, or relates to the individual's physical or mental condition, the provision of health care, eligibility for health care, or donation of body parts (Section 4 of the PHIPA).

Under PIPEDA, personal information means information about an identifiable individual, whether factual or subjective, recorded or not, which includes age, name, identification numbers, ethnicity, social status, employee files, loan records, medical records, or evaluations (Section 2 of the PIPEDA).

Under the Privacy Act, personal information means information about an identifiable individual that is recorded in any form. Examples include race, religion, age, marital status, medical history, criminal history, address, fingerprints, or opinions (Section 3 of the Privacy Act).

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The OIPC was established in 1987 under FIPPA to provide independent oversight of Ontario's access and privacy laws. The OIPC is an officer of the Legislature and is appointed by and reports to the Legislative Assembly of Ontario. The appointed OIPC is independent of the Government of the day.

The OPC was established in 1983 following the passing of the Privacy Act. The mission of the OPC is to protect and promote privacy rights, and the mandate of the OPC is to oversee compliance with the Privacy Act and PIPEDA. The OPC is independent of the Government and reports directly to the Parliament of Canada ('the Federal Parliament').

3.2. Main powers, duties and responsibilities

Apart from overseeing Ontario's access and privacy laws, the OIPC also investigates privacy complaints related to personal information, ensures compliance with legislation, reviews privacy policies and information management practices, and comments on proposed Government legislation.

The OPC carries out its mission to protect and promote the privacy rights of individuals by investigating complaints, conducting audits, pursuing court action under the federal privacy laws, publicly reporting on the personal information handling practices of public and private sector organizations, researching privacy issues, and promoting public awareness of privacy issues. The Economic and Fiscal Update Act of 2020 ('the Fiscal Act') was enacted on March 25, 2020, and amends PHIPA to add additional regulation-making power to the OPC, including a new power to inspect records of personal health information without consent by the OPC where the records may have been abandoned (Section 60 of the PHIPA).

Under PIPEDA, individuals can make complaints to the organization, which must investigate all complaints. Individuals are encouraged to resolve their complaints with the organization directly first, but they can file a formal complaint with the OPC if the issue cannot be resolved. The complaint will be reviewed by the Investigations and Inquiries Branch of the OPC, which will recommend an outcome to the OIPC, who will make the ultimate decision.

4. Key Definitions

Data controller: 'Data controller' and 'data user' are not explicitly defined in Ontario and federal statutes. Instead, FIPPA and the MFIPPA refer to 'institutions,' PHIPA refers to 'health care custodians', and the CYFSA refers to 'service providers'. PIPEDA refers to 'organizations,' and the Privacy Act refers to 'government institutions'.

See the section on personal scope above for descriptions of these terms.

Data processor: 'Data processor' is not explicitly defined in Ontario and federal statutes. Instead, FIPPA and the MFIPPA refer to 'institutions,' PHIPA refers to 'health care custodians', and the CYFSA refers to 'service providers'. PIPEDA refers to 'organizations,' and the Privacy Act refers to 'government institutions'.

See the section on personal scope above for descriptions of these terms.

Personal data: 'Personal information' is defined slightly differently under Ontario and federal Canadian privacy laws but generally means information about an identifiable individual (specified as recorded information in some statutes). Examples include race, ethnicity, age, sex, family status, criminal or employment history, address, telephone numbers, and opinions of the individual.

See the section on material scope above for additional details on each statute.

Sensitive data: There is no definition of sensitive data in Ontario laws and regulations.

Health data: There is no definition of health data in Ontario laws and regulations.

Biometric data: There is no definition of biometric data in Ontario laws and regulations.

Pseudonymisation: 'Pseudonymisation' is not defined in Ontario and federal statutes. However, FIPPA contains provisions on data integration to allow the sharing of information between the Government and agencies and introduces the concept of de-identification, which is the process of removing information that identifies an individual and information that could be used, alone or with other information, to identify an individual based on what is reasonably foreseeable.

Health Number: 'Health number' means the number, the version code, or both assigned to an insured person within the meaning of the Health Insurance Act, RSO 1990, c. H.6 by the General Manager within the meaning of that Act (from PHIPA).

5. Legal Bases

5.1. Consent

Organizations under PIPEDA must obtain the knowledge and meaningful consent of the individual for the collection, use, or disclosure of personal information, except where inappropriate to do the same. Some situations where consent might be inappropriate include legal, medical, or security reasons that make it impractical to seek consent, obtaining personal information for fraud or law enforcement purposes, or where the individual lacks mental capacity. Individuals under PIPEDA also have the right to access personal information held by an organization, challenge its accuracy, and have it amended as appropriate.

5.2. Contract with the data subject

To comply with identifying purposes requirements under PIPEDA, organizations are to identify and document why personal information is needed and notify individuals of the purposes for collection. Under the consent principle, organizations are to obtain the knowledge and consent of the individual for the collection, use, or disclosure of personal information, except where inappropriate to do the same. Under the limiting collection principle, organizations are not to collect personal information indiscriminately or deceive individuals about the reasons for collection.

5.3. Legal obligations

Ontario's privacy legislation does not explicitly provide for the concept of a 'data controller.' Instead, the legislation governs how institutions and regulated entities can collect, use, and disclose personal information. Under FIPPA and the MFIPPA, no person can collect personal information on behalf of an institution unless the collection is expressly authorized by statute, used for law enforcement purposes, or necessary to the proper administration of a lawfully authorized activity.

Personal information must be collected directly from the individual, except in limited circumstances. Notice must be provided to individuals when personal information is collected on behalf of the institution, informing the individual of the legal authority for the collection, the principal use of the information, and the contact information of a public official who can answer the individual's questions about the collection.

Personal information that is collected under FIPPA and the MFIPPA can only be used or disclosed for the purposes for which it was collected, subject to certain circumstances, for example, with the individual's consent, for the purpose of complying with other laws, and for compassionate circumstances. Institutions must ensure that personal information records are accurate and retain personal information for at least one year after its use, subject to certain exceptions. Institutions must also ensure the security and confidentiality of personal information records, and the transfer and destruction of personal information must also meet security requirements.

Under PHIPA, HICs are generally required to obtain an individual's consent to collect, use, or disclose personal health information unless PHIPA allows otherwise. An HIC must ensure that personal health information is accurate and protected against theft, loss, and unauthorized use and disclosure. In addition, HICs must ensure that records of personal health information are transferred and disposed of in a secure manner. Notably, the Fiscal Act creates a new obligation for HICs that use electronic means to collect, use, disclose, modify, retain, or dispose of personal health information to maintain, audit, and monitor an electronic audit log (Section 10.1 of the PHIPA).

An amendment to Subsection 52(1.1) of the PHIPA now provides individuals with the right to access a record of personal health information in an electronic format that meets the prescribed requirements or a format that is specified in accordance with the regulations.

In addition, Section 34 of the PHIPA has been amended to allow prescribed persons and health information custodians that are providing health care to a person to collect or use the person's health number, with the person's consent, for certain verification and linking purposes. Section 39 has been amended to permit the disclosure of personal health information for purposes related to the Immunization of School Pupils Act 2017.

Part X of the CYFSA requires service providers to have an individual's consent to collect, use, or disclose personal information unless otherwise authorized. Service providers must ensure that the personal information is accurate and take reasonable steps to protect personal information in their custody or control against theft, loss, or unauthorized collection, use, or disclosure.

5.4. Interests of the data subject

Under PIPEDA, consent is not required if the collection and use of information is clearly in the interests of the individual and consent cannot be obtained in a timely way. This exemption, however, has limited application in practice as there is a paucity of guidance regarding the meaning of what is in the interests of the individual (except in situations involving threats to health or safety).

5.5. Public interest

Under PIPEDA, consent is not required where it is reasonable to expect that the collection with the consent of the individual would compromise the availability of the information, and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of Canada's federal or provincial laws.

Further, consent is not required if the collection of the information is for the purpose of disclosing the information as required by law or made to a Government or Government institution that has identified its lawful authority and has indicated that it suspects the information relates to national security, the defense of Canada, or the conduct of international affairs.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Publicly available information

Regulations under PIPEDA provide that consent is not required for the collection, use, and disclosure of certain publicly available information, e.g., published information and court decisions, although some restrictions apply. In general terms, for the exemption to apply, the collection, use, or disclosure must be related to the purpose for which the information is publicly available.

Employment

Canadian privacy statutes governing the private sector generally allow for the collection, use, and disclosure of employee personal information without consent if solely for the purposes reasonably required to establish, manage, or terminate an employment relationship between the organization and that individual.

While the statutes allow for the collection of personal information without consent within the bounds of reasonableness, they nonetheless require the employer to be transparent. Accordingly, organizations must generally notify employees that such data collection is occurring and explain the purpose(s) for the collection (such as employee safety).

In addition to the data protection statutes that can apply to employee personal information, workplace privacy issues have long been addressed in the labour and employment context by arbitrators and the courts. A significant body of law has been built up in that context in respect of privacy-based limitations on management rights, for example, drug and alcohol testing, workplace surveillance, and investigations.

6. Principles

Schedule 1 of PIPEDA sets out a code that organizations must follow for the protection of personal information.

The code consists of ten principles for the protection of personal information, which are as follows:

  • accountability;
  • identifying purposes;
  • consent;
  • limiting collection;
  • limiting use, disclosure, and retention;
  • accuracy;
  • safeguards;
  • openness;
  • individual access; and
  • challenging compliance.

7. Controller and Processor Obligations

7.1. Data processing notification

Institutions under FIPPA, PHIPA, the MFIPPA, and the CYFSA are generally not required to notify the OIPC about their data collection, use, or disclosure activities. However, these acts also provide that those institutions, HICs, and service providers can seek permission from the OIPC to collect data indirectly from individuals (generally, data must be collected directly).

Under PIPEDA, organizations also do not generally have a requirement to notify the OPC about the collection or use of personal information. However, organizations who wish to use personal information for statistical, scholarly study, or research purposes where it is impractical to obtain the consent of individuals must inform the OPC before the information is used (Section 7(2) of the PIPEDA).

7.2. Data transfers

When an organization transfers personal information to a third-party service provider who acts on behalf of the transferring organization, the transferring organization remains accountable for the protection of that personal information and ensuring compliance with the applicable legislation. In particular, the transferring organization is responsible for ensuring that the third-party service provider appropriately safeguards the data and would also be required under the notice and openness/transparency provisions to reference the use of third-party service providers in and outside of Canada in their privacy policies and procedures.

There are different approaches to protecting personal information that is being transferred for processing. The European Union ('EU') Member States have passed laws prohibiting the transfer of personal information to another jurisdiction unless the European Commission has determined that the other jurisdiction offers 'adequate' protection for personal information.

In contrast to this state-to-state approach, Canada has, through PIPEDA, chosen an organization-to-organization approach that is not based on the concept of adequacy. PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing.

However, under PIPEDA, organizations are held accountable for the protection of personal information transferred under each individual outsourcing arrangement. The OPC can investigate complaints and audit the personal information handling practices of organizations.

7.3. Data processing records

Not applicable.

7.4. Data protection impact assessment

Privacy Impact Assessments ('PIAs') have long been part of Canadian public sector privacy law. However, they have not been required under Canada's private sector privacy statutes and, as a result, may be unfamiliar to many Canadian businesses and other private organizations. Notably, there is a mandatory requirement to undertake a PIA if an organization is classified as a health information network provider (Section 6(3) of the Regulation).

All health information network providers must conduct a PIA. A health information network provider is defined as a person (which includes organizations) who provides service to two or more health information custodians where the services are provided primarily to health information custodians to enable the health information custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians (Section 6(2) of the Regulation).

The Planning for Success: PIA Guide ('PIA Guide') and the PIA Guidelines for the PHIPA ('the PIA Guidelines') provide template questionnaires that can be used when conducting a PIA and outline the information that should be included in a PIA. In addition, the OIPC has issued worksheets to aid organizations in conducting PIAs.

7.5. Data protection officer appointment

The concept of a 'data protection officer' does not exist in Ontario legislation or Canadian federal legislation.

To comply with accountability requirements under PIPEDA, organizations are required to appoint an individual responsible for the organization's compliance with PIPEDA and develop personal information policies and practices. Further, under the accountability principle, an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. However, a data controller is not explicitly defined in PIPEDA.

FIPPA and the MFIPPA, on the other hand, use the term 'head,' which refers to the official at an institution who is accountable and responsible for overseeing the administration of the privacy laws, ensuring compliance with them, and making decisions under them. Under FIPPA, the head is the Minister presiding over the ministry for Ontario ministries, the chair of the board for public hospitals, the superintendent for private hospitals, and the person designated in the regulations for other institutions. Under the MFIPPA, institutions can designate a head by by-law or in writing, as applicable. Under both FIPPA and the MFIPPA, the head of an institution can delegate its powers or duties in writing to another officer of the institution.

Furthermore, HICs under PHIPA that are not natural persons are to designate a contact person who will, among other things, facilitate the custodian's compliance with PHIPA, respond to public inquiries about the custodian's information practices, and respond to requests from individuals to access or correct personal health information.

Under the accountability principle in PIPEDA, organizations are to designate an individual to be accountable for the organization's compliance with PIPEDA.

7.6. Data breach notification

According to the OIPC, privacy breaches may occur when personal information is collected, retained, used, disclosed, or disposed of in ways that do not comply with the legislation. Individuals may make complaints to the OIPC about privacy breaches. Institutions can also self-report privacy breaches and incidents to the OIPC, but it is not required under the FIPPA or the MFIPPA. However, institutions are encouraged to alert appropriate staff, contain the breach, notify those affected by the breach, investigate the breach, and notify the OIPC of significant breaches. The OIPC can investigate privacy breaches formally or informally.

However, there is mandatory reporting of privacy breaches under the CYFSA and PHIPA. Under PHIPA, a HIC is required to notify the OIPC of a privacy breach in prescribed circumstances, which include the use or disclosure without authority, stolen information, a pattern of similar breaches, disciplinary action for breaches, and significant breaches. Further, HICs are required to submit annual reports to the OIPC setting out the number of times personal health information was stolen, lost, used without authority, and disclosed without authority in the previous calendar year.

Under the CYFSA, service providers are required to notify the OIPC of privacy breaches under certain circumstances, including the use or disclosure without authority, stolen information, a pattern of similar breaches, breaches that lead to disciplinary action against an employee, and significant breaches. Similar to PHIPA, service providers under the CYFSA must submit annual reports to the OIPC setting out the number of times personal information was stolen, lost, used without authority, disclosed without authority, and used in a manner outside the scope of its information practices.

Organizations under PIPEDA are required to report breaches of security safeguards involving personal information that pose a real risk of significant harm (also known as the 'RROSH standard') to individuals to the OPC. Organizations are also required to notify individuals about those breaches and keep records of those breaches for a period of at least 24 months. A breach of a security safeguard is defined as the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of the organization's security safeguards or from a failure to establish safeguards. Significant harm includes but is not limited to bodily harm, humiliation, damage to reputation, financial loss, and identity theft.

The factors relevant to determining whether a security breach creates a real risk of significant harm include the sensitivity of the personal information, the probability of misuse of the personal information, and any other prescribed factor (Section 10.1(1) of the PIPEDA). 

7.7. Data retention

To limit use, disclosure, and retention under PIPEDA, organizations are to disclose personal information only for the purpose for which it was collected (unless the individual consents), keep personal information long enough to allow the individual to access it but only as long as needed, and destroy information that is no longer required for an identified purpose or legal requirement.

Under the accuracy principle, organizations are to minimize the possibility of using incorrect personal information. Under the safeguard principle, organizations are to protect personal information against loss or theft and safeguard it against unauthorized access or disclosure.

7.8. Children's data

While there are no regulations related to the processing of children's data or the age of consent, the OPC has identified the following tips for services aimed at children and youth:

  • limit, or avoid altogether, the collection of personal information;
  • be careful about 'inadvertent' collection;
  • have an appropriate retention schedule for inactive accounts;
  • speak to the specific services being provided to youth;
  • make sure users can understand the ask, or know to engage their parents/guardians;
  • consider the user experience;
  • make clear who is agreeing to terms and conditions;
  • ensure there are proper defaults for the age of users;
  • know what is happening on the organization's own website; and
  • prevention is preferable to monitoring.

7.9. Special categories of personal data

Not applicable.

7.10. Controller and processor contracts

The accountability principle provides that organizations that transfer personal information to a third party for processing should use contractual or other means to provide a comparable level of protection while the information is being processed by a third party (Schedule 1 of PIPEDA).

This is generally not applicable in Ontario's legislative context.

However, a HIC can disclose personal health information to a researcher if the researcher enters into an agreement with the HIC to comply with the conditions and restrictions that the HIC imposes, if any, relating to the use, security, disclosure, return, or disposal of the information (Section 44 of the PHIPA).

Similarly, under FIPPA and the MFIPPA, the head of an institution can disclose personal information for a research purpose if the person receiving the information agrees to comply with certain security and confidentiality terms and conditions prescribed in the regulations.

8. Data Subject Rights

8.1. Right to be informed

As noted above, individuals generally must be given notice under FIPPA and the MFIPPA when an institution subject to FIPPA or the MFIPPA collects personal information.

8.2. Right to access

Individuals also have the right under FIPPA and the MFIPPA to access any personal information about themselves that is in the custody or under the control of an applicable institution or any other personal information about themselves that is reasonably retrievable by the institution.

8.3. Right to rectification

Individuals who are given access to their personal information can request correction of errors or omissions, request that a statement of disagreement be attached to the information reflecting corrections that were requested but not made, and require that any person to whom the information has been disclosed within the year before a correction is requested or a statement of disagreement is required to be notified of the correction or statement of disagreement.

8.4. Right to erasure

Canada has yet to recognize a right to be forgotten or to enact erasure laws. However, injured parties can use the complaint procedure under PIPEDA.

8.5. Right to object/opt-out

Not applicable.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Individuals can make complaints to the OIPC when they believe that an institution has not complied with the privacy rules on personal information. Individuals are encouraged to first resolve the complaint with the institution directly, but they can file a complaint with the OIPC if they believe the institution has not adequately addressed their concerns. The OIPC will investigate and encourage settlement or adjudicate as appropriate and necessary.

9. Penalties

FIPPA and the MFIPPA include offenses for violations of the rules they provide. These offenses include but are not limited to wilful disclosure of personal information, making a request for access to or correction of personal information under false pretenses, and wilfully obstructing the OIPC in the performance of its prescribed functions.

Institutions and individuals can be liable for fines of up to CAD 5,000 (approx. $3,700) for these offenses (Section 61 of the FIPPA and Section 48 of the MFIPPA).

PHIPA contains similar offenses, including but not limited to wilful collection, use, or disclosure of personal health information in contravention of its provisions and wilfully obstructing the OIPC in the performance of its prescribed functions. In addition to the previous amendments stated above, the Fiscal Act amended PHIPA to give the OIPC the power to order that an administrative penalty be paid by persons who have contravened the Act or its regulations (Section 61 of the PHIPA). The Fiscal Act also includes a new provision allowing justices to make production orders requiring persons to produce certain documents or data if satisfied that an offense under PHIPA has been or is being committed and that the document or data will provide evidence respecting the offense or suspected offense.

Additionally, Section 72 of the PHIPA is amended to provide that natural persons are liable for a fine of up to CAD 200,000 (approx. $148,170) and that non-natural persons are liable for a fine of up to CAD 1 million (approx. $740,830).

There is the possibility for imprisonment of natural persons for violations (Section 72 of the PHIPA).

As of January 1, 2024, the OIPC also has the discretion to issue administrative monetary penalties under section 61.1 of the PHIPA. Penalties can be up to CAD 50,000 (approx. $37,040) for individuals and CAD 500,000 (approx. $370,430) for organizations.

Section 332 of the CYFSA also outlines similar offenses, and a person who is guilty of these is liable for a fine of up to CAD 5,000 (approx. $3,700).

Organizations that knowingly contravene certain sections of PIPEDA (failing to retain personal information long enough for individuals to access and correct it, failing to report security breaches, failing to maintain records of security breaches, disciplining or disadvantaging whistle-blowers, or obstructing the OPC's investigation of a complaint) are guilty of a summary conviction offence and liable to a fine of up to CAD 10,000 (approx. $7,400), or of an indictable offence and liable to a fine of up to CAD 100,000 (approx. $74,090) (Section 28 of the PIPEDA).

It is an offense under Section 68 of the Privacy Act to obstruct the Privacy Commissioner in their performance of duties and functions under the Act, and each person who commits this offense is liable on summary conviction to a fine of up to CAD 1,000 (approx. $740).

9.1. Enforcement decisions

On October 19, 2017, the Canadian Radio-television and Telecommunications Commission ('CRTC') handed down two decisions in response to a challenge by 3510395 Canada Inc., operating as CompuFinder, to the notice of violation issued against it under Canada's Anti-Spam Legislation, SC 2010 c 23 ('CASL'). The notice set out a penalty of CAD 1.1 million (approx. $814,930).

CompuFinder raised a challenge to the constitutionality of CASL, arguing, among other things, that CASL:

  • had not been validly enacted by the Federal Parliament; and
  • contravened the Canadian Charter of Rights and Freedoms ('the Charter') by infringing CompuFinder's freedom of expression and other protections conferred by Sections 7, 8, and 11 of the Charter. CompuFinder also challenged the amount of the penalty.

In its two decisions, the CRTC determined CASL to be constitutional and confirmed CompuFinder's violation of CASL. However, it reduced the amount of the monetary penalty to CAD 200,000 (approx. $148,170).

On June 5, 2020, the Federal Court of Appeal ('FCA') released its decision in the appeals raised by CompuFinder in response to the two decisions by the CRTC and dismissed the constitutional challenge to CASL brought by CompuFinder, in the first detailed judicial consideration of CASL.