Latest news and opinions from the Bamboo Team
When Should an AI Assessment Be Part of Your PIA, and When Should It Stand Alone?
Privacy impact assessments were built for data flows, not algorithms. When an AI system goes beyond handling personal information and starts making decisions that affect people, a PIA alone won't cover the risk. Here's a practical framework for deciding which assessment your AI tools actually need.
Passed in the Dark: What Bill 97 Means for Ontario's Public Sector Privacy Landscape
Ontario's Bill 97 became law on April 24, 2026, and public sector institutions are already operating under a changed framework. New timelines, staged access rules, mandatory privacy impact assessments, and expanded breach reporting obligations are now in play across both FIPPA and MFIPPA. If your policies and procedures haven't been updated yet, the clock is running.
What PHIPA Decision 334 Means for Health Information Custodians and Their Agents
When the Information and Privacy Commissioner of Ontario issued its second Administrative Monetary Penalty under PHIPA, the most important detail wasn't the penalty itself. It was who received it, and who didn't. PHIPA Decision 334 makes one thing clear: how your organization responds to a privacy incident can matter just as much as the incident itself. Here's what every health information custodian needs to know.
5 Must Do’s for Clinic Managers (who are also NEW Privacy Officers)
Clinic Managers who have been delegated the task of Privacy Officer often feel overwhelmed by understanding privacy laws, operationalizing privacy best practices across the organization, and building a privacy culture. Here are 5 must-dos for clinic managers who are grappling with their new role in privacy.
Vendor Vulnerabilities: The Privacy Risks Lurking in Your Supply Chain
If 61% of breaches are a result of third-party vendors, what can companies do to mitigate this risk? Developing a vendor due diligence process can help sift through the risky vendors. Reviewing your vendor’s privacy and security practices is not just a good business practice, but a legal requirement.
The ABCs of Bill 194: Pt. 3 Cybersecurity & AI
In Part 3 of the ABCs of Bill 194, we outline what organizations need to know to be compliant with the cybersecurity and artificial intelligence requirements.
The ABCs of Bill 194: Pt. 2 Balancing Children’s Privacy
In Part 2 of the ABCs of Bill 194, we delve into the intricate balance of safeguarding children’s privacy and how institutions like Children’s Aid Societies and School Boards can prepare for the regulations that will follow.
The ABCs of Bill 194: Pt. 1 Amendments to FIPPA
On November 25, 2024, Ontario's Bill 194, also known as the Strengthening Cyber Security and Building Trust in the Public Sector Act, received royal assent. The passing of this Bill marks a significant milestone in Ontario's efforts to enhance digital security and trust within the public sector.
What to Expect for the U.S. Riding a New Wave of State Privacy Laws in 2025
The wave of new and updated U.S. state privacy laws is propelling the country towards stronger data protection standards as of January 2025. Evolving state laws are beginning to align with more seasoned privacy regulations of California and other jurisdictions worldwide, creating a unified and robust framework for data privacy.
Deceptive Design Patterns – Turning the Lights Out on Privacy
The Office of the Privacy Commissioner (OPC) and the Global Privacy Enforcement Network (GPEN) recently embarked on a sweep focusing on “Deceptive Design Patterns” (DDPs, also known as “Dark Patterns”) in websites and mobile apps, hunting for manipulative and deceptive designs that undermine users’ privacy.
Third-Party Cookies are Here to Stay (and Play) Inside Google’s Privacy Sandbox
Google’s plans to follow suit with other big browsers like Safari and Firefox and remove third-party cookies (TPCs) from Chrome have come to a crashing halt. The decision to keep TPCs in their web browser is the culmination of many years of back-and-forth discussion on Google’s end (since 2020); they have ultimately decided to simply enhance their privacy settings without losing an advertising penny from their large pockets. Their solution: the Privacy Sandbox.
Non-profits and Privacy Laws - Yes, No, Maybe?
As a non-profit, you will likely collect and have access to highly sensitive data, be it from members, supported individuals, minors, volunteers or donors; you are privy to quite a lot. You may be exempt from several onerous pieces of legislation; however, non-profit organizations are not automatically exempt from PIPEDA. The Office of the Privacy Commissioner of Canada (OPC) has said that “Whether an organization is a non-profit business for purposes of taxation is not determinative of whether its collection, use or disclosure of personal information is carried out in the course of commercial activity”. So is it a “maybe”? Over the years there have been several cases in Ontario trying to determine this question.
The Eternal Push and Pull: Striking a Balance between Endpoint Protection and Employee Privacy
At Bamboo we’re constantly aware of the push and pull nature between privacy and security, and often it comes to the fore in processes such as incident response or considerations around data lakes and operational data. In the last few weeks though, we’ve seen a great deal of discussion around Data Leak Prevention (DLP) and endpoint protection, and the clash it has against employee privacy – particularly when Bring Your Own Device (BYOD) is involved.
Privacy Complaint: Naming & Shaming
The article discusses the implications of someone filing a privacy complaint with the Office of the Privacy Commissioner of Canada (OPC) and the motivation of naming and shaming companies. It highlights that even if a complaint seems frivolous, it can lead to thorough investigations by the OPC, potentially uncovering compliance gaps within a company's privacy program. The article emphasizes the importance of proactive preparation for businesses, including maintaining updated policies, designating a Privacy Officer, and viewing every decision through the lens of potential regulatory scrutiny. It warns that regardless of the company's size or industry, a single complaint can have significant financial, operational, and reputational consequences, stressing the necessity for vigilance in addressing privacy concerns in the digital age.
Retail Loss Prevention and In-Store Privacy: A Guide
In recent years, Canada has experienced a concerning surge in shoplifting incidents, a trend potentially exacerbated by economic factors such as inflation. As the guardians of a retailer's assets, loss prevention personnel find themselves on the frontline in addressing this growing challenge. However, in the pursuit of securing business interests, it is imperative to recognize the delicate dance between protecting assets and upholding privacy rights.
Phish in a Barrel: How Sensitive Data is Vulnerable to Email Breaches
As an immigrant to Canada, I have seen the process and the documentation required to get here. My entire life condensed into a folder to be submitted to a consultant, who will in turn validate everything, and then submit it all to the IRCC (Immigration, Refugees and Citizenship Canada). This translates to a lot of deeply personal information put into the trust of a third-party, and this article goes into how quickly a phishing attack on any business can put sensitive information at risk.
Wonder Twin Powers: The (Super)Power of Addressing Privacy and Security Together
In a world where data breaches and privacy concerns are constantly in the headlines, it’s more crucial than ever for businesses to prioritize and navigate both privacy and security. While these concepts are often treated as separate entities, tackling them together can yield significant benefits for organizations.
Integrative Thinking - The Cross-Pollination of Privacy and Security
The privacy and security functions, respectively, often have tunnel vision and move in different directions causing the business to spin rather than move forward fast. It is time for privacy and security to form an alliance. When privacy and security cross-pollinate to form Governance, Privacy, and Security (GPS), they are better able to protect the business, protect data, and protect individuals.
Behind the Headset: The Privacy Pitfalls of Call Centres and How They're Putting Your Business at Risk
Call centres are often the first point of contact between customers and businesses. Over the past few years, with advances in technology, including AI, call centres are collecting more personal information than before and using it in novel ways. This article explores how call centres may violate privacy and what they can do to reduce their risk of non-compliance.
The Invisible Stalker - How to handle geolocation data
Collecting geolocation information can be useful to your business. However, if it is not done properly, not only will you be non-compliant with privacy regulations, get fined, and find your company in a class-action lawsuit, but you will also be classified as that “creepy stalker” nobody wants to associate with. Read up on the latest cases involving geolocation data.