Overview
In general, submissions were very supportive of the IPC’s priorities setting exercise and the consultation paper. Many respondents supported all of the identified potential priorities and did not necessarily identify their “top three.” Very few excluded any priorities outright. Where a respondent disagreed with the inclusion of a particular priority, it was because they felt it was not relevant to their particular interests or mandate, or that sufficient work was already underway in that area.
We were encouraged by the extent to which stakeholders described their own strategic priorities and showed themselves interested in collaborating with the IPC in advancing a specific area of interest. In particular, they expressed a willingness to work with the IPC in developing new frameworks, guidance, and resources, which will help enable broad stakeholder engagement and ensure they are practical in their implementation.
Many respondents commented on how interconnected these priorities are, recognizing the growing overlap between them due to emerging technologies and inter-sectoral initiatives that are increasingly blurring boundaries.
Several also advised of the importance for the IPC to maintain a careful balance between its dual role of enabling modernization initiatives by advising on privacy and access considerations, and overseeing institutions to hold them to account for their statutory responsibilities.
Many submissions provided detailed proposals for how the IPC could implement each priority, if it were selected. We do not summarize all of these details here. Still, these valuable proposals will be considered again at the implementation phase, as the IPC develops its action plan for operationalizing each of the selected priorities. Several submissions called on the IPC to acknowledge and address the possibility of Ontario adopting a private sector privacy law, with one stating that our “priorities should be adjusted to include recognition of the IPC’s expanded role,” which would likely require the dedication of significant resources.
Given the overall positive and supportive nature of the responses, we focus below on the key considerations and recommendations made by respondents that we took into account in adjusting, refining, and ultimately selecting, our strategic priorities and related goal statements to ensure their overall success.
Government Digital Service Delivery
This potential priority was broadly supported by respondents, recognizing the opportunity to promote efficiencies and equity by centralizing service delivery, while also leading in privacy-sensitive innovation. One municipality, for instance, envisioned that with IPC guidance and advice, it could become ‘best-in-class’ with respect to digital service delivery.
Respondents supporting the selection of this priority emphasized the need for standardization and consistency across the public service, transparency about how digital services are designed and implemented, and appropriate independent oversight, including through mandatory privacy impact assessments. Others agreed with our view that establishing and managing digital identities and developing age-appropriate gateways are foundational to this work.
Municipalities stated that they have a unique perspective on this priority and seek assurances that they will be consulted. For instance, it was noted that while the provincial government (and some municipalities) have their own information technology departments with multiple full-time staff members, smaller municipalities may rely on joint-service agreements with other municipalities for basic services. For rural and Northern communities, access to reliable and affordable broadband is also a challenge. While they understood that it is not the IPC’s role to solve these challenges, they argued that the IPC should take a whole-of-service perspective to its activities, taking into account not just the perspective of the access requestor and privacy complainant, but also of municipal administrators.
Some respondents identified their own challenges with digital service delivery, such as ensuring accountability when working with third-party service providers. They expressed the desire and need to work with third parties but recommended that the IPC’s priority work include an examination of the steps necessary to provide sufficient reassurance to Ontarians that use of a third party will not become “personal information conduits to feed commercial interests” and negatively impact individual privacy. To “embrace a digital future, guidance regarding agency agreements with private sector companies would be helpful,” said one respondent, as would “an information framework for digital collection including information security content.”
One submission called for a “user-centric” approach to designing digital services, while another emphasized the need for a “privacy-first” approach. Many saw the importance of ensuring transparency in government digital service delivery and holding government institutions accountable for their digital initiatives particularly due to their impact on low-income and historically marginalized populations.
Some respondents suggested expanding this priority area to integrate the unique needs of Crown corporations and the role of broader public sector institutions beyond government.
Finally, one university reminded the IPC of the importance, when providing trusted advice, that it remain a “true, third-party, autonomous and independent organization, separate from governmental influence, pressure and sway.”
Transparency and Open Government
Though less than Government Service Delivery, there was significant support for the inclusion of Transparency and Open Government as an IPC priority —with one submission seeing both these priorities “as going hand in hand” on the understanding that the complexity that comes with modernizing information systems should be accompanied by greater transparency and accountability.
A submission from the municipal sector stated that openness is at the heart of how municipalities make decisions, and transparency is important for building and maintaining trust. Another submission affirmed that encouraging openness supports evidence-based decision-making and “prevents ideologically driven perspectives from guiding policy.” The benefits of transparency, one stated, should be accessible to all Ontarians and not only those with money and resources.
One submission suggested that the goal of “promoting” transparency and open government was rather soft and suggested being more proactive (e.g., “driving” transparency).
Though some saw this priority as the cornerstone of democracy, the limited non-support for the priority tended to be based on the view that there is already a significant amount of work that has been done towards open government, or is underway in this area.
A number of submissions encouraged the IPC to develop practical guidance in addition to policy or high-level frameworks. For instance, one submission proposed “case studies which set out the entire collection-to-openness data lifecycle (including discussions of success points or design patterns),” while others proposed toolkits and information for end-users and “resources that outline how to execute proactive transparency step-by-step, with promising practices on reducing administrative burden.” Many saw building on IPC’s De-Identification Guidelines for Structured Data as an important means of enabling greater transparency and open government.
Multiple submissions mentioned the need to modernize public sector laws with suggestions on reducing strain on the freedom of information system, including through proactive disclosures and the need to address frivolous, vexatious or abusive access to information requests that pose resource challenges for government institutions with little benefit to taxpayers. These submitters noted that, at a minimum, the IPC should consider the potential that bad actors will take advantage of any additional transparency or openness requirements when creating (or analysing existing) frameworks. They stated that such bad actors are not a reason to abandon transparency initiatives, but they should also be considered in the development of new processes.
A small number of stakeholders recommended that the goal statement be reframed to reference the requirement to protect commercial information in appropriate circumstances.
Finally, one public interest group pointed out that proactive disclosure better enables organizations like theirs “to play a role in public accountability.”
Responsible Use of Data for Good
Responsible Use of Data for Good was among the more frequently recommended priorities. Submissions from the health sector tended to be particularly enthusiastic about this priority in combination with Trust in Virtual Health. One noted that access to data and artificial intelligence would foster the innovation needed to provide people the care they deserve, and another noted that this priority would apply to the education and transportation sectors as well. Some respondents cautioned that “innovation” should not be seen as a justification for privacy-invasive practices while others called for a clear, neutral, and bias-free definition of “socially beneficial purposes.”
A small number of submissions stated that they did not consider this to be a priority area in itself, but rather a consideration underlying other strategic priorities.
Many respondents recommended that the IPC focus on practical guidance (such as case studies and lessons learned), rather than theoretical frameworks (which they viewed as already the subject of significant work in Canada and internationally). One pointed to the need to address what they viewed as the cumbersome processes around data sharing agreements. Other areas identified as being in need of practical guidance included explainability of artificial intelligence systems, responsible use of personal data in training artificial intelligence systems, de-identification, the intersection between privacy and ethics, clarity around concepts such as data trusts and group privacy, and governance frameworks to address the increasing role of commercial actors in the public sphere.
With respect to the goal, multiple submissions argued that it should be revised to explicitly reference “… while also protecting the personal information of individuals.” Though this may be implied in the reference to the “responsible” use of data, they stated that it would be beneficial for this balance to be made explicit. Some also suggested expanding the goal beyond “frameworks” to include “resources,” and adding a dimension of “public engagement” or “public awareness.”
A provincial ministry viewed Data for Good as “the principle that the use of data should improve equity and that data should be leveraged to benefit Ontarians, Canadians, and the world, in a manner that supersedes the biases introduced by corporate priorities or institutionalized practices.” It suggested that the IPC continue to support guidelines and mechanisms to advance this principle and address some of the challenges.
One municipality suggested that clear guidance on de-identification standards and appropriate levels of technical controls would greatly assist in “cutting down on reticence risk,” while another submission emphasized the need to protect individuals (and groups) from the consequences of analyzing even de-identified data.
One submission recommended that “Data for Good” be replaced with “Data for Social Value” which has more significant meaning based on input of individuals and communities, whereas public good tends to be unilaterally defined.
Lastly, one submission spoke of the possible establishment of data-trust-like entities called central data facilities over which the IPC might have a key supervisory role comparable to the one it already has in respect of prescribed entities under Ontario’s health privacy law (PHIPA). When it comes to data trusts, another submission agreed with the various questions raised in IPC’s consultation paper and called for a comprehensive multi-stakeholder consultation process to begin to address them.
Access, Privacy, and Youth
Access, Privacy, and Youth was also a widely supported potential priority. However, some differences of opinion emerged with respect to the IPC’s goal and proposed approach.
For instance, one submission considered access and privacy for children and youth as a cross-cutting theme, instead of a discrete priority.
Some respondents supported the goal as-is. One submission noted that the phrase “… helping youth exercise their independence …” implies ongoing assistance from the IPC, whereas a term such as “empowering” or “enabling” would better capture the ultimate goal of youth being able to make privacy decisions independently. To do this, they recommended that the IPC focus its goal on getting an appropriate curriculum into Ontario classrooms (including science, technology, engineering, and mathematics or STEM courses), and teaching students about issues like online safety and encryption. Others recommended that the IPC develop guidelines and lesson plans for digital literacy among children in much earlier grades.
Some saw the goal statement as minimizing the role of parents or guardians. They stated that parents or guardians should also be empowered to support, or act in place of, the children in their care, particularly given the critical role they play as “initial ‘gatekeepers’ of Internet access for their children.” Respondents suggested IPC could help support parents by educating them about privacy concerns of children and increasing their awareness of available IPC resources, educational curriculum, and digital literacy campaigns.
A third approach argued that the IPC is focusing on the wrong side of the equation. Instead of considering whether youth are adequately equipped, the IPC should focus on whether institutions are meeting their obligations with respect to protecting, and enabling access to, youth information and creating environments that promote their autonomy. For some, this meant increased scrutiny of, or engagement with, those who work with youth such as schools and children’s aid societies. Others pointed to the need to protect youth from private sector digital services, apps, consumer devices, and social media. Multiple submissions also raised the need to improve the vetting of free software tools deployed in classrooms.
Respondents urged that when developing youth-related policy, it is important to recognize the diversity of youth and the circumstances in which they interact with government, health care, and service providers in the child welfare sector. The IPC was cautioned against a one-size-fits-all approach, noting that with youth — as with privacy in general — the notion of an ‘informed choice’ will differ across various situations, and requires flexibility. One called for the need to balance “parents’ right-of-access with mature minors’ right to self-determination,” while another stated: “guidance on age of majority for making decisions about personal health information would be helpful for healthcare professionals, youth and their family members.”
Several submissions pointed out that while children and youth are vulnerable, those in low-income or historically marginalized populations are even more so. Open data and proactive disclosures by relevant stakeholders should likewise be promoted to identify and address these social inequities.
Next-Generation Law Enforcement
The Next-Generation Law Enforcement priority received the least number of overall comments and top three priority rankings. However, those respondents who did explore this issue generally considered it to be of great importance, particularly concerning marginalized communities. Algorithmic policing was noted as having real and substantial impacts on the lives of Ontarians.
Submissions generally focused on the need for transparency and oversight. One submission noted that Ontario — as the largest province in one of the leading liberal democracies in the world — should take the lead on these issues. This could include a more proactive oversight role for the IPC, and collaboration across police services and municipal, provincial, and federal government agencies on any necessary and appropriate access and privacy frameworks. Regardless of the mechanism, it was generally felt that Ontarians should know how and when police and law enforcement agencies were collecting information about them and have confidence these activities take place with appropriate oversight.
In the event this priority was selected, the IPC was encouraged to work with the Ontario Human Rights Commission and explicitly include promoting transparency in the associated goal statement.
It is worth noting that the submission received from a law enforcement agency was also supportive of this priority, recognizing the mutual interest in responsible use, proper oversight, and appropriate protection of personal information, as well as the overall need to increase police-public trust. Given the rapid pace of evolving technology and constraints on resources, it was noted that rather than police services across Ontario each separately undertaking privacy impact assessments of a new process or technology, it would be more efficient to be guided by a common set of provincial guidelines developed by, or in consultation with, the IPC. These guidelines could also include features for customization on a case-by-case basis. It was also suggested that the IPC convene a provincial working group with broad, cross-sectoral representation from police, first responders, investigators, privacy and legal experts, with further engagement of crown counsel, defence counsel, civil libertarians, human rights advocates, and those with lived experiences from marginalized communities.
Trust in Virtual Health
Trust in Virtual Health was one of the areas most often identified as a top three priority in submissions. As one submission stated: “Canada has an opportunity to be a world leader in the development and implementation of digital health technologies, including the adoption of artificial intelligence and machine learning for health.” Another pointed to the “tremendous opportunity in virtual health to bring practical, scalable methods into common use” and “integrate concepts of privacy engineering into innovative solutions for health care delivery and health tech more broadly.”
Some suggested the need to support individuals as they gain greater control over their health information through personal health portals, digital health apps, and body sensors, and the need to support health organizations with respect to information security issues, such as managing cybersecurity threats.
The overlap between this priority and Responsible Use of Data for Good was highlighted by many respondents, with multiple submissions noting the potential benefits for Ontarians by enabling artificial intelligence in health research. Similarly, overlaps with Government Digital Service Provision were highlighted, noting that as occurred with government services, the rapid uptake of digital services in the health sector accelerated by COVID-19 did not necessarily allow for consistent and adequate scrutiny of platforms.
One group recommended the IPC consider evaluating the changes that have come about in response to COVID with “an eye to addressing health care delivery outside of an emergency” and how personal health information should continue to be managed once the threat of COVID-19 has subsided. Another identified the need to help institutions reset by providing clear guidance to those that may have quickly adopted virtual solutions to ensure prompt delivery of health care, outweighing privacy and security concerns at the time. A third recommended the IPC continue to keep a watchful eye on new categories of personal health information (such as COVID-19 test results or vaccination status) to protect individuals from potential privacy and discrimination risks, particularly in insurance or employment contexts. A fourth identified the importance of “modernizing and future-proofing policy and legislation” to reflect changes brought on by the pandemic in a manner that reflects the views of Ontarians.
A respondent recommended that should this priority be selected, explicit reference should be made to principles of trust, dignity, fairness, participation, and security, bearing in mind that the elderly are the most frequent users of Ontario’s health system and yet “may not always have the same level of digital literacy as the rest of the population.”
One submission made the point that, as drafted, this priority appears to focus entirely on physical health, to the possible exclusion of mental health. Given the rapid expansion of services such as online therapy, they suggested that this priority area should specifically include mental health.
One respondent thought that the goal description was too broad, noting that the health analytics involved a different toolbox than virtual health while recognizing some overlap. Another recommended separate goal statements in respect of virtual health and health data analytics. Yet others recommended that this priority, if adopted, be renamed Trust in Digital Health to reflect that it speaks to more than the virtual provision of healthcare.
Lastly, the overlap between health, law enforcement and child protection was identified as an area where more guidance is needed.
Cross-Cutting Approaches
One submission recommended that, within the Equity and Accessibility approach, the term “vulnerable and marginalized people” be replaced with more person-centred language such as “people experiencing structural vulnerabilities or marginalization.”
Other respondents put forward other potential cross-cutting approaches. These included: enabling innovation, engagement with other Ontario regulators, ensuring privacy compliance through a human rights framework, re-envisioning data protection for genomics, and lessening the overall burden on individuals with a focus on accountability.
One recommended adding standardization as a cross-cutting approach can support the implementation of all strategic priorities, facilitate their management over time, and facilitate IPC’s interaction with other organizations.
Others urged the IPC to consider the increasing “blurring of strict distinctions between the public and private sectors” and the need to respond to the realities of an innovative public-private sector economy within a broader human rights framework.