In today's intro, I’m flagging a few things that data governance professionals in Canada and elsewhere may be interested to know.
The first is to flag important changes that Schedule 2 of Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, has brought as of 1 July. The Bill resulted in some key updates to the Ontario Freedom of Information and Protection of Privacy Act, introducing legal requirements for privacy impact assessments and breach reporting, and bestowing upon the commissioner powers to issue binding orders to ensure organizations beef up their security and breach response.
The Information and Privacy Commissioner of Ontario's office provided more detail on what institutions need to do. I think it's interesting that Canada's provinces are advancing these things, but that federal laws governing the practices of our federal government haven't yet turned these policy requirements into legal requirements.
Also, somewhat connected — you'll see why — to the theme of legislative reform, I'm excited to see the updated deidentification and anonymization guidance that the Information and Privacy Commissioner of Ontario will be putting out in the not-so-distant future, apparently in fall 2025. Commissioner Patricia Kosseim hinted at the forthcoming guidance in her keynote address at the Synthetic Data Summit in Montreal in mid-May and Khaled El Emam, who just finished up his time as the IPC's Scholar-in-Residence, recently shared quite a bit of additional detail in a new blog post, given his work with the IPC on the new-and-improved document.
Ontario has always been a leader in this area, at least in part because they deal day-to-day with the issue of privacy and the responsible use of technology when it comes to health data, arguably the most sensitive data. I also really like the idea of bringing in actual experts. I think they still need to hold the pen, but I've said before that our regulators need to increase their own practical experience and tap into the many experts that are not within their walls, so I hope this model can be replicated elsewhere and with future guidance that’s produced.
In any event, what I hope and expect to see here is some concrete and usable guidance that is going to help us understand when and how datasets can be considered risk-free enough to advance all sorts of good things. I would strongly urge the federal government to pay close attention when this guidance comes out and as they consider any updates to Bill C-27, which we're all hearing is going to be tweaked and then reintroduced, at some point.
Another thing I want to draw your attention to is an interesting chat across the pond between two Canadians. Canada's Brent Homan, now commissioner in Guernsey and still a curling superstar, invited Colin Bennett from the University of Victoria on his "Data, Democracy and Freedom" podcast. They cover quite a bit of ground, but one part I found particularly interesting — and frankly, a very good reminder — was when Bennett said that striking the "balance" between privacy and security is not the real question. Instead, he urges us to focus more on the problem we wish to solve and use the appropriate technology — ask if it's worth it — to solve the problem and work to avoid mission or function creep. This is often referred to as design-thinking in other fields. Anyway, not unlike the earlier theme of deidentification, he suggested we focus more on effectiveness and proportionality.
As a final thought, I opened this intro by mentioning data governance professionals. If you've been a privacy pro for some time, are you finding yourself wondering what to call yourself these days? Are we data governance, privacy, AI, technology, data protection professionals, or all of the above? I think it's possible to hone in on one area and rock it out, but the reality is — and what the IAPP has pivoted to — that more and more we are wearing all the hats. And we need to expand our knowledge, learning and experience to deal with these areas.
What I'm curious about, though, is which of these terms resonates most for the non-experts who are requiring our services. It's partly a branding question, for all of us, but I’d love to know what you think and how you’re experiencing this in your work and in your dealings with others, when you explain what you do. Think about it, take a moment to share your thoughts, catch up on the Canadian news and have a wonderful July weekend.