In June, the Ontario government released a White Paper entitled Modernizing Privacy in Ontario: Empowering Ontarians and Enabling the Digital Economy (the “White Paper”). A White Paper, for those who don’t know, is a government policy document setting out a proposal for future legislation. In this case, the White Paper sets out a proposal for privacy legislation that would apply to the private sector.
What privacy laws apply to the Ontario private sector now?
Currently, Ontario has no general privacy legislation applicable to the private sector, which leaves some gaps. Personal health information, in the possession of health information custodians, is governed by the Personal Health Information Protection Act, 2004, and personal information collected in the course of commercial activities is governed by the federal Personal Information Protection and Electronic Documents Act. While principles and best practices abound, there is no specific law applicable to an employer’s collection of employee personal information for employment purposes. Questions about employee privacy are increasingly relevant in light of employers wanting to know employees’ vaccination status.
What will the proposed law address?
We can expect that an Ontario privacy law, applicable to the private sector, would apply to all non-government organizations—aka private organizations—in the province and would specifically address employee personal information.
The White Paper is critical of the federal government’s Bill C-11, which is the proposed federal update to Canada’s private sector privacy law. It specifically addresses proposed private-sector obligations regarding use of artificial intelligence and other technologies that might collect personal information.
It also proposes:
- Consent requirements
- Plain language privacy policies
- Clear legal basis for the collection of private information
- Clear process by which individuals can exercise their privacy rights regarding their personal information
- Circumstances where consent for collection may not be required
- Limits on collection to only what is necessary for the organization’s legitimate needs
- Prohibiting collection of information from people under 16 for the purposes of influencing their behaviour
- A “rights-based approach” to privacy—meaning the individual will have rights of access, correction, disposal and mobility regarding their personal information
- A specific approach to data collected for the purposes of research, including exempting anonymized information from the province’s private sector privacy law
The proposal also includes new powers for the Information and Privacy Commissioner of Ontario (IPC), including issuing financial penalties of up to $10 million or 3% of the organization’s gross global revenue.
The consultation process is ongoing and comments can be submitted to the Manager of Access and Privacy Strategy and Policy Unit up until September 3, 2021.