Private sector privacy legislation – Is it coming to Ontario?

In June, the Ontario government released a White Paper entitled Modernizing Privacy in Ontario Empowering Ontarians and Enabling the Digital Economy (the “White Paper”). A White Paper, for those who don’t know, is a government policy document setting out a proposal for future legislation. In this case, the White Paper sets out a proposal for privacy legislation that would apply to the private sector. 

What privacy laws apply to the Ontario private sector now?

Currently, Ontario has no general privacy legislation applicable to the private sector, which leaves some gaps. Personal health information, in the possession of health information custodians, is governed by the Personal Health Information Protection Act, 2004, and personal information collected in the course of commercial activities is governed by the federal Personal Information Protection and Electronic Documents Act. While principles and best practices abound, there is no specific law applicable to an employer’s collection of employee personal information for employment purposes. Questions about employee privacy are increasingly relevant in light of employers wanting to know employees’ vaccination status.

What will the proposed law address? 

We can expect that an Ontario privacy law, applicable to the private sector, would apply to all non-government organizations—aka private organizations—in the province and would specifically address employee personal information.

The White Paper is critical of the federal government’s Bill C-11, which is the federal proposed update to Canada’s private sector privacy law. It specifically addresses proposed private-sector obligations regarding use of artificial intelligence and other technologies that might collect personal information. 

It also proposes:

• Consent Requirements 
  • Plain language privacy policies 
  • Clear legal basis of the collection of private information 
  • Clear process by which individuals can exercise their privacy rights regarding their personal information 
• Circumstances where consent for collection may not be required
• Limits on collection to only what is necessary for the organization’s legitimate needs 
• Prohibiting collection of information from people under 16 for the purposes of influencing their behaviour 
• A “rights-base approach” to privacy—meaning the individual will have rights of access, correction, disposal and mobility regarding their personal information 
• A specific approach to data collected for the purposes of research, including exempting anonymized information from the province’s private sector privacy law

The law also proposes new powers for the IPC, including issuing financial penalties of up to $10 million or 3% of the organization’s gross global revenue.

The consultation process is ongoing and comments can be submitted to the Manager of Access and Privacy Strategy and Policy Unit up until September 3, 2021. 

• About
• Latest Posts

Follow me

Spring Law

Employment and Labour Law Firm at SpringLaw

SpringLaw is a virtual Canadian boutique law firm, practicing exclusively in the areas of employment, labour and human rights law. We work with a wide range of employers - from global companies with operations in Canada to local owner-operators and start-ups - advising on the wide range of legal issues that arise out of the workplace, particularly workplaces in the tech and creative space. We also provide legal and strategic advice to employees throughout their employment journey. Blog posts are written by Lisa Stam, Hilary Page, Emily Siu, Danielle Murray, Lindsay Koruna, Jessyca Greenwood and Marnie Baizley.

Follow me

Latest posts by Spring Law (see all)

• In the moonlight: Working a side hustle - July 13, 2022
• The end of masks in Ontario – Almost… - June 15, 2022
• Offer letters vs employment contracts - May 11, 2022