Carpool Consulting: Privacy Commissioner Edition (Part 1)
0:01
Sharon: Someone told me that when you go on a road trip, you have a road trip snack that you really like. It's
Patricia: Yes.
0:08
Sharon: Vitamin water.
0:09
Patricia: That's exactly with no sugar. Oh, you found one with zero sugar. Amazing.
Sharon: Well, can I just tell you, Patricia,
0:18
that this was no easy task.
0:21
And I think I got the last one in the city.
Patricia: I love this. It gives me such energy.
0:27
And this is my favorite snack or drink or whatever. That is so nice. Thank you.
0:32
Sharon: Oh, you're welcome. And you know, when my guests come on and I give them a road trip snack, they usually crack it open and they share it with me.
0:41
And I thought, okay, well, I'm not going to ask the privacy commissioner to let me share her bottle of vitamin water. That might be a little weird, right? I mean,
0:48
like, you wouldn't want to share the bottle with me, right?
Patricia: You have a straw?
0:52
Sharon: Um, no, I don't. But I didn't want you to drink vitamin water by yourself. So,
0:58
um, if you don't mind helping me out here, just hold this bottle of water for me. And I have, um, a few vitamins that
1:06
I'm just going to take and then and then we can both have vitamin water and it'll be
1:13
great. Here are all my vitamins. Um, do you just mind cracking that open for me?
1:18
These are vitamins, by the way, so we're going to be okay. This is where the vitamin water comes in. So, excuse me while I You're welcome to drink your vitamin water if you want.
1:29
Patricia: Vitamin water and real life vitamins all going on here in this car.
1:33
Sharon: Yeah. Um Yeah. And then that way we're both feeling energized and and healthy.
1:39
And you know, if I start glowing in the dark, it's okay. Don't worry about it. It's just vitamins.
1:43
Patricia: This is great. I'm going to have such a good day.
Sharon: Um I just have I think five more to go. So, so that should be enough.
1:51
Ever wonder what it's like to sit shotgun with a privacy regulator? Well,
1:57
buckle up and wish me good luck, cuz I'm about to find out. I see one right there. Let's go get her. Hey, need a ride.
2:05
Patricia: So nice to see you.
Sharon: So nice to see you, too, Commissioner.
Patricia: Oh my goodness. I'm so excited.
2:11
Sharon: Well, thank you so much for joining me on Carpool Consulting.
2:14
Patricia: Thank you for having me and taking me out of my regular day to do such a fun outing with you.
Sharon: My pleasure. So,
2:20
Commissioner, I'm one of
Patricia: You can call me Patricia, by the way.
Sharon: Okay. All right. Thank you. So,
2:25
Patricia, as Ontario's information and privacy commissioner, uh, for some, that is a very official kind of mysterious
2:34
role. Can you tell us what do you actually do and and who falls under your watch?
2:39
Patricia: Okay. Well, first of all, it shouldn't be mysterious, which is a great reason for doing this to explain what I do in
2:46
very simple terms. And um generally, I am an officer of the legislature. That means I don't report to the government.
2:55
Uh I along with other officers oversee government and other public institutions, health sector, etc. in
3:01
respect of their access to information obligations to make available information to the public to the media
3:08
on uh matters of of public interest and also on their privacy obligations to ensure that they're collecting using and
3:17
disclosing and safeguarding personal information of Ontarians.
3:20
Sharon: Okay, that's a really important role especially in this data driven world.
3:24
I'd love for you to tell us what are some quirky unexpected things that people may not know about you.
3:31
Patricia: Oh, that's a good question. One quirky thing is I have terrible sense of direction.
Sharon: You and I both.
3:38
Patricia: Oh my gosh. Don't ask me to take you anywhere, but I have an amazing quality of judging three-dimensional sizes. So,
3:47
I'm amazing guesser at the right size Tupperware for leftovers. And I I once
3:54
told my staff about this and or so many people with the same hidden talent. We're starting like a group.
3:59
Sharon: Patricia, you've had an incredible career. You are a lawyer of course, including being a privacy commissioner, you are in health, you were in ethics,
4:08
you're in AI, you've touched it all. If you were not in the privacy and legal space, what would you do?
4:17
Patricia: I've always wanted to be a jeweler. Yeah. To craft like original jewelry.
4:22
Not necessarily the most expensive or exquisite, but natural stones, and I've always admired jewelers.
4:30
Sharon: Okay, I do want to turn to Bill 194.
Patricia: Bill 194 has two parts.
4:37
One part is about introducing a framework for future regulations on AI, cyber security, and digital
4:45
technologies affecting youth and children.
And then the second part is about modernizing the provincial public sector law, right? We call it FIPPA. As
4:55
you said, it it amends FIPPA for provincial institutions, but unfortunately did not amend the
5:01
municipal equivalent of uh MFIPPA. So, municipal institutions are not covered
5:08
by this yet. I say yet because it's my continuing hope that the same provisions in Bill 194 will eventually make their way into MFIPPA as well.
5:19
Sharon: Can I ask you a question just before you move on? Why didn't it impact MFIPPA? Why is it why was it just FIPPA?
Patricia: I think you need to ask government that.
5:28
I also I mean what I understand is that they wanted more time to consult with
5:35
municipal institutions um before imposing new obligations on them which is fair you know as long as they carry
5:43
through you know and uh and and have those consultations. Soon uh we come up with uh a version of MFIPPA amendments
5:53
that is well-suited for the municipal sector and that is aligned with the changes in Bill 194. So the main changes
6:02
in Bill 194 are provincial institutions now have to um do PIA
6:11
before they collect personal information for new uh initiatives and that was
6:19
always an aspect of safeguarding obligation but now it's explicit in the law so we're very happy about that and
6:28
it'll encourage that upfront thinking to make sure that you know they're designing new projects and initiatives
6:36
with privacy in mind and mitigating against privacy risks and we as a data
6:43
regulator the IPC we could ask to see the PIA right so
Sharon: What situations would you ask an agency
6:52
to see their PIA
Patricia: There's a couple one is if something goes wrong um then we get a complaint or there's a
7:00
breach or we might want to see the PIA and what was the conceptual thinking that led up to such and such a a design
7:08
and ha has the institution really thought through and done the due diligence.
7:14
Um so that's one. Another is institutions sometimes come to us and ask us for advice. We have a an advisory
7:22
function as well and they may want to set a you know new precedent setting uh
7:29
initiative and come to us for some advice on how they can do it in a privacy protective way. In those situations we'll say well show us your
7:36
PIA your thinking so far and we'll give you comments.
7:40
Sharon: Would you do that in every situation? So anytime someone comes to you with a PIA that's a lot of work a lot of free work.
7:50
Patricia: You know cuz you consult on that so you know how many there are. No, we we really um focus on uh initiatives that
7:59
are novel that are precedent setting that are high risk.
8:03
And that we can invest our time and our resources in in order to set a hopefully a positive path for others to follow.
8:14
Sharon: Part of schedule two that was just just enforced July 1st was the mandatory breach reporting. We see it under PIPEDA.
8:24
Uh I I think that the bill borrowed the real risk of significant harm threshold from PIPEDA use it in Bill 194. So what
8:33
are your expectations of agencies reporting to your office? Now,
8:38
Patricia: On July 1st, uh, my great team has put up on our website a landing page on everything people need to know about Bill 194 that explains the changes,
8:48
including PIAs and breach notification and uh our expectations on uh how to
8:57
notify when and how to notify our office in the event of breaches. Um, we've updated all of our previous breach
9:04
guidance so it's all up there and so it's um it's important and timely and I'm happy
9:12
about it because sometimes you know uh institutions would tell us about a breach but kind of
9:21
haltingly or say well you know we're just telling you out of courtesy and then we'd say okay and then we'd want to work with them and then you'd kind of
9:29
shut down and say no no no this was just a courtesy call. We're under no obligation.
Sharon: And right cuz there because it wasn't mandatory.
9:35
Patricia: It wasn't mandatory. So I think this is good because it's clear that it is mandatory and that we can get notified
9:44
earlier because it there is a time element in there. It has to be done as soon as feasible and uh we can work together with them on the breach response.
9:53
Sharon: Once it's reported to your office,
9:55
what's the first thing that the agency can expect?
Patricia: First, we always encourage them to fill out a breach notification
10:03
form. And that's important because it's it's a step-by-step process that gets them to really think through deliberately
10:10
all the relevant facts uh in order for us to be able to assess the risks. Second, our team is very
10:18
proficient on the list of follow-up questions. So we have a very well-used
10:25
and trodden list of of questions that we will follow up with and ask for more details on uh certain aspects. Answering
10:34
those questions is again just one step further in fleshing out all the facts that we need to know in order to be able to assess.
10:43
Sharon: Is that follow-up list available for the public?
10:46
Patricia: Certainly the breach notification form has it all. It's public and uh the the follow-up sometimes is what's not on the form. So, it's customized in every case.
10:56
A vast majority of breaches reported to our office and even more so now with Bill 194 get resolved at what we call early
11:05
resolution. You know, they they work with the institution as I said to contain, investigate, notify and remediate and most cases and vast
11:14
majority as I said are resolved at that point. Um, sometimes there's a clo, like in every case there's a closing letter.
11:21
Sometimes we publish the closing letter because, you know, it's a good educational story for others.
11:28
Um, in cases where it doesn't go so well because there's not agreement to do XYZ or we discover that there's a lot of
11:38
remediate remedial steps that need to be taken and that are going to take time or we don't get agreement from the institution at first. Then we'll open an
11:47
investigation and that's where we go much deeper in terms of you know um
11:54
seeking submissions, interviews, uh analyzing documents, systems etc. And in that case we publish a report. Now,
12:04
under Bill 194, if I may, the third big change is that that investigation
12:11
process that we used to always do um is now laid out in the law explicitly.
12:18
Before we used to do it, but it was based on a very nebulous provision in our act that
12:25
allows us to report to the legislature on matters of risk. And the courts have said, well, that gives you a, you know,
12:31
the mandate to investigate. But it really wasn't in the law anywhere. There was no regime. There was no explicit powers.
12:39
There was no steps. There was no And now Bill 194 thankfully lays out a whole investigative regime with investigative powers and order-making powers.
12:51
So for the rare cases I'm happy to say where institutions don't want to you know follow our recommendations on how
13:00
to remediate for instance following a breach we can now order them to do something or to stop doing something
13:06
Sharon: With Bill 194 I can imagine that there's going to be an influx of work within your office currently. How many breaches
13:14
are reported before July 1st and what do you expect after July 1st and how are you going to handle all of that?
13:23
Patricia: We had to think about that um and we did our research of other jurisdictions uh that got breach mandatory breach
13:32
reporting as part of their legislative reforms including Ontario under PHIPA.
13:38
Uh as you know breach reporting mandatory breach reporting came into effect I think 2018.
So in all of those instances, we went back either in our
13:47
case to uh our own records or we asked our FBT colleagues. And in all instances
13:54
it was uh at least a doubling of breach reports from the time it was
14:01
voluntary to the year it became mandatory.
Sharon: So, Commissioner, if school boards accidentally post student health
14:10
records on a public website, if the ministry rolls out an a data sharing initiative without doing a PIA, uh when
14:19
someone replies all which includes an attachment with millions of people's personal information, I just want you to
14:28
know that you can shine this signal and I will come running to you
14:33
[Music]
14:39
[Applause]
14:41
[Music]