Protecting privacy in Ontario’s nonprofit and private sectors
It is a priority for ONN to ensure that nonprofit voices are reflected in the development of privacy legislation and frameworks for the ethical use of client, community, employee, and donor personal data.
In August 2020, the Ontario government began consulting on a proposed legislative framework for the protection of privacy in Ontario’s nonprofit and private sectors. The Ministry of Government and Consumer Services (MGCS) published a discussion paper proposing new legislation that would fill regulatory gaps left by the federal PIPEDA (Personal Information Protection and Electronic Documents Act), which does not cover the activities of many nonprofits and for-profit companies operating within Ontario.
ONN worked with the Data Policy Coalition, which we co-convene with Powered By Data, to prepare a response (October 2020).
White paper consultation: Summer 2021
A year later, MGCS published a white paper, Modernizing Privacy in Ontario, to launch a second round of consultations. At the time, federal Bill C-11 (An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act) was proceeding through Parliament but died on the order paper when Federal Election 2021 was called.
The provincial white paper asked a series of questions about how new legislation should be framed so as to extend privacy protection to the private and nonprofit sectors in Ontario. The proposals were organized under the following themes:
- rights-based approach to privacy;
- safe use of automated decision making;
- thoughtful consent and lawful uses of personal data;
- data transparency for Ontarians;
- protecting children and youth;
- a fair, proportionate and supportive regulatory regime; and
- support for Ontario businesses and innovators.
As the Information and Privacy Commissioner (IPC) of Ontario noted in her response to the white paper:
“The significant volumes of data held by the not-for-profit sector in Ontario are not immune from privacy and security vulnerabilities, yet they remain largely unprotected by federal privacy law, which is constitutionally constrained in this space. . . . Currently, no privacy law applies generally to Ontario non-profit organizations and no regulator has been given responsibility for this sector. Under a provincial private sector privacy law, the IPC would have the expanded mandate to support not-for-profits by advising them on their privacy and security challenges, educating them about risks, and encouraging up-front protections.”
During the consultation period, ONN engaged our network through the Data Policy Coalition to bring the voices of nonprofits and charities to respond to the white paper consultation and inform the anticipated legislation.
ONN has had several discussions with the Ontario Government’s Chief Privacy Officer about the forthcoming legislation. He also spoke at our conference in 2019 and at a webinar in 2020. We will continue to engage the Ontario government to ensure the regulatory framework for personal information and other data reflects the needs and priorities of the nonprofit sector– and our workers, volunteers, and community members.
Drawing the links between data policy and privacy legislation
On a related front, ONN has been engaging the Ontario Digital Service on its Building a Digital Ontario, a digital and data strategy for the Ontario government, which includes (of relevance to our sector):
- The development of an Ontario Data Authority, responsible for “building modern data infrastructure to support economic and social growth, while keeping that information private and secure.” This body is intended to “equip people, organizations and communities with the information they need to thrive as the province accelerates its economic recovery.”
- Sectoral data tables: The government is planning to hold “forums of industry experts to provide targeted, sector-specific advice to the government on how to harness data more effectively to increase people’s participation in the digital economy, find new opportunities for growth, and support more Ontario businesses.”
- A Digital ID for Ontarians for use in situations like proving age-of-majority, applying for government assistance, opening a bank account, or accessing vaccination records. According to the consultation document, employers could use the ID system in future hiring processes, opening accounts, or verifying customer ID.
- A number of pandemic-related initiatives, including the Ontario Health Data Platform (formerly PANTHR, Pandemic Threat Response).
- Further investment in high-speed internet access across the province.
- Transfer payment agreement (TPA) consolidation.
As announced in Budget 2020, Ontario government ministries are getting $500 million over four years for this work through the Ontario Onwards Acceleration Fund.
While the privacy legislation and development of new data policy are on separate tracks, they both could affect the way nonprofits (especially those that deliver services on behalf of the Ontario government) collect, store, use, and share personal information. For more about the important connection between these two areas, a useful resource is provided by University of Ottawa privacy law professor Teresa Scassa here.
- Ontario Government – Modernizing Privacy in Ontario (white paper) (June 2021)
- Information & Privacy Commissioner of Ontario’s Response to Modernizing Privacy in Ontario (September 2021)
- Information & Privacy Commissioner website (with guidance for organizations and individuals)
- Data Policy Coalition – convened by ONN and Powered By Data