Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
There's this one class I teach every term to the law students taking my privacy law class that is about the evolution of how the Supreme Court of Canada interprets how to determine if we have a reasonable expectation of privacy in something — particularly when that something involves technology or the use of technology.
While the sniffer dog cases from about 20 years ago involved a crude from technology — a species' ability to detect odor that humans cannot — there's one phrase from the Supreme Court judgment that has always resonated: "In the sniffer-dog business," opined Supreme Court Justice Ian Binnie, "there are many variables."
I've been thinking and, quite frankly, it's not just the sniffer dog business. Just about everything in our industry is extremely contextual. Variables are everywhere. This is why template or artificial intelligence-generated privacy policies are money not well spent.
This week, the concept of variability was at the forefront of my mind because the Ontario Information and Privacy Commissioner's Office released, I believe to be the first, regulatory, concrete guidelines on the concept of deidentification, with a significant update and expansion of its original guidelines.
In deidentification, there are, as Justice Binnie might say, many variables.
I've been pondering, learning and applying data ethics issues for 30-plus years and I've lost track of the number of times I've examined an entity's purported claim that they have deidentified a dataset because they replaced a customer's or patient's name with their initials. Sure, that is theoretically a tiny bit of deidentification, but I don't think the entity using this technique can legitimately say they are now working with data that is not personal information. Well, the entity might insist, but I suspect a regulator would disagree.
I'm a fan of treating different types of data differently. So, yes, I think if you deidentify a dataset, you should be able to do more with it than if it remained an identifiable date set. I think several policy makers think the same way. In fact, in Bill C-27, the one that introduced a law that would replace the Personal Information Protection and Electronic Documents Act, there was clearly an attempt to create tiers of datasets. The terms "de-identified" and "anonymized" were thrown in — and, sadly, ended up being horribly discussed during committee meetings by politicians who clearly didn't understand what they were talking about. I think we all hope for more clarity and a path forward in the next attempt to update the law.
To this end, the IPC's guidance is a gigantic and welcome addition to the dialogue. When there are so many variables at play, how can someone determine if they have truly deidentified a dataset to reduce the privacy risks associated with using it?
I'm not claiming to have had the time to read the entire release — warning: it's a few pages long — but in looking at the parts I did analyze, I'd say this is a huge leap from a regulator that is taking the time to explain to everyone they regulate what they expect and what it truly means to deidentify a dataset.
And, while I know the IPC guidance technically only applies to those entities that fall within their jurisdiction, I sure hope other Canadian, and even international, policy thinkers take some time to study it closely. It was the culmination of tons of research, input from the real experts in this very technical field and folks who need to deidentify data in their work .
In any event, that's what struck me as rather important this week, something I wanted to flag and that I hope you'll take the time to digest. But I'd be remiss if I didn't tell you there was a ton of other news and, most importantly, this Sunday is the last day to submit a speaking proposal to be considered for next spring's IAPP Symposium 2026 in Toronto. Something tells me there might be a few submissions on deidentification.
Kris Klein, CIPP/C, CIPM, FIP, is the country leader, Canada, for the IAPP.
This article originally appeared in the Canada Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.
