Privacy Policy Gaps in Ontario

Earlier this year, Elections Ontario revealed that the personal information of at least 2.4 million Ontarians had been compromised in what was the largest data breach in the province’s history. The province’s Information and Privacy Office has recently released an important report, which aims to make clear the connection between policy and practice.

“A Policy is Not Enough”

In response to the slippage between privacy policies and practices in Ontario, the province’s Information and Privacy Office published a paper in early September 2012, entitled Policy is Not Enough: It must be Reflected in Concrete Practices. The paper aims to provide a step-by-step action plan on how to effectively execute an appropriate privacy policy and integrate it into the day-to-day practices of the organization.

According to Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian:

“Privacy policies alone, without a proper strategy for implementation and ongoing compliance procedures, will not protect an organization from privacy risks. The seven recommendations presented in this paper will provide organizations with concrete guidance on how to effectively execute an appropriate privacy policy, and have it reflected in actual practice. This information will be helpful to organizations of any size and in any sector.”

Whilst addressing a meeting of the privacy section of the Canadian Bar Association in Halifax, Cavoukian said, “If you don’t enforce your policy, it has no value. And don’t dare to assume that your frontline staff will know automatically how to implement a policy.”

Although the report does not specifically target Elections Ontario, it does make some important suggestions as to improving privacy protections at any organization, including developing privacy education awareness training programs.

Seven Foundational Principles

The paper outlines a series of steps that organizations should consider implementing. These steps include:

  1. Implement a privacy policy that reflects the privacy needs and risks of the organization and consider conducting an effective Privacy Impact Assessment.
  2. Link each requirement within the policy to a concrete, actionable item – operational processes, controls and/or procedures, translating each policy item into a specific practice that must be executed.
  3. Demonstrate how each practice item will actually be implemented.
  4. Develop and conduct privacy education and awareness training programs to ensure that all employees understand the policies/practices required, as well as the obligations they impose.
  5. Designate a central “go to” person for privacy-related queries within the organization.
  6. Verify both employee and organizational execution of privacy policies and operation al processes and procedures.
  7. Proactively prepare for a potential privacy breach by establishing a data breach protocol to effectively manage a breach.

These steps are based on the Privacy by Design framework, a proactive approach to privacy which provides a framework as well as a methodology. Privacy by Design is based “on the notion that privacy is best assured when strategically interwoven into all business processes and practices (e.g. work processes, management structures, physical spaces, information technology and networked infrastructure).”

Response from Elections Ontario

Julia Bennett, spokeswoman for Elections Ontario, mentioned that she wouldn’t comment on the Privacy Commissioner’s report, as it was still being reviewed. Bennett did mention that Elections Ontario would submit a report to the Speaker of the provincial legislature by the end of the year, to outline the steps taken thus far to improve privacy protections.


This article focuses on Ontario’s Information and Privacy Commissioner’s September 2012 paper entitled Policy is Not Enough: It Must be Reflected in Concrete Practices. Prompted by one of the largest data breaches, which took place in the fall of 2011 with the province’s voter data, the paper sketches out a seven-step action plan on the successful execution of appropriate privacy policies, and embedding it in the day-to-day practices of any organization.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Canada (CIPP/C) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Provincial privacy commissioners (I.A.c.i.1.b.)
  • Privacy principles (I.C.)
  • Privacy incidents – commissioner expectations (II.B.g.i.)
  • Privacy Impact Assessments (III.B.a.i.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>