TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Canada Dashboard Digest | Notes from the IAPP Canada Managing Director, Feb. 10, 2023 Related reading: ICO seeks comment on fining guidance


In my law class this week, we sadly had to turn to Zoom because of a COVID-19 outbreak that hit several of my students. So, it wasn’t as engaging as the in-person classes, but we managed.

We were wrapping up discussion on the embarrassingly outdated federal Privacy Act. Gosh, I wish there was some promising news to report on when we might see a more modern law, but alas — the silence from the Department of Justice has been deafening. At my firm, we’ve done some work for clients that have been consulted on a new law, so I’m led to believe they are still moving forward. I guess it’s just not a very quick process, to say the least.

We ended the class talking about a really interesting case from a few years ago known as the “Gordon v Health” case. It’s the one about deidentification and reidentification theories and, while the case is getting a little old, its importance today is as strong as ever.

At issue in that case was an access to information request for a medical database. Of course, government institutions must provide access to government databases, but, at the same time, they are prohibited from disclosing personal information. So, obviously, things like the patients’ names and addresses had to be redacted or removed prior to disclosure. The sticking point to Gordon (the requestor) was the fact the government institution also argued the province in which the patient resided had to be removed prior to disclosure.

The case moved along, pitting expert witnesses against one another on the probability of reidentification if the province field was released. Ultimately, the requestor lost because the court was convinced that in too many cases, if the patients’ provinces were disclosed, that, coupled with other available information, could lead to their identification.

The whole issue of deidentification and anonymization, I hope, will be addressed in a more modern Privacy Act. In the proposed Consumer Privacy Protection Act (found in Bill C-27) — which is the law that will replace the Personal Information Protection and Electronic Documents Act if it ever gets through Parliament — they deal with the concepts of deidentification and anonymization. I’m not convinced the proposed regime is even workable, but if we can just get to studying and discussing these and other provisions, I think there are solutions to be found. C’mon Parliament — you have some important work to do. Get going!

Have a great weekend everyone.


If you want to comment on this post, you need to login.