On 15 Oct., the Office of the Information and Privacy Commissioner of Ontario released the final version of its internationally recognized De-Identification Guidelines for Structured Data.
When the deidentification guidelines were first released in 2016, the document was 28 pages long, and earned the agency the then-International Conference of Data Protection and Privacy Commissioners' award in 2017, before the organization became the Global Privacy Assembly.
The update expands the IPC's guidelines to more than 100 pages and features educational materials to introduce data custodians to deidentification concepts and techniques, examples of operational steps that can be undertaken to deidentify data, and checklists for organizational stakeholders to follow both from the top-level and for key steps along the deidentification process.
While the guidelines are not legally binding, Information and Privacy Commissioner Patricia Kosseim said in an interview with the IAPP that the guidelines were updated to reflect evolving regulatory frameworks around the world and in Canada, while offering practical examples of best practices for deidentification. Additionally, she said the guidelines were updated to reflect the latest methods of deidentification and risk assessment strategies that have developed over the last decade.
"We wanted to keep our leadership in this area, so we knew we needed to update the guidelines to reflect the current modern situation," Kosseim said. "We were hoping to provide the sector with support to use and innovate with data for the public good, including health care, education, environmental issues and improved government service."
'Sector agnostic'
Kosseim said the updated guidelines were developed to be "sector agnostic," recognizing that smaller organizations in Ontario may not have the resources to deploy deidentification solutions at scale.
"Our target audience is Ontario government institutions, including private sector organizations that are part of the health sector, but I really think these guidelines can be used by any organization in virtually any sector," Kosseim said. "Not all organizations are going to be able to ramp up from level zero to level 10 in de-identification sophistication overnight, so we tried to make it achievable for organizations of all sizes."
While the IPC’s Tribunal does not have enforcement authority to require organizations to adopt the guidelines,Toronto Hydro Governance Counsel Warren Urquhart, CIPP/C, recommended both private and public sector organizations take the necessary steps to implement the guidelines to the best of their ability as a preventative measure against liability in potential data breach lawsuits.
"They do not bind the IPC's tribunal, following these guidelines would likely meet the standard they are looking for, and also offer the private sector a strong path to follow for de-identification and avoiding breach lawsuits," Urquhart said in an email. "These guidelines are probably useful for any private sector organization that is working with the Ontario public sector and using their data. So while there may be no direct legislative authority, private-sector entities looking for public-sector contracts should definitely take a look at integrating these guidelines into their processes."
Stakeholder engagement produces deidentification 'checklists'
University of Ottawa Professor Khaled El Emam was named as the IPC's second-ever Scholar-in-Residence from April 2024 through June of this year, during which he said his main charge was updating the deidentification guidelines. He said the new guidelines went through multiple rounds of public consultations, culminating with the Canadian Anonymization Network holding a workshop to provide feedback on the then-draft guidelines in December of last year.
"My mandate was to update the de-identification guidance," El Emam said in an interview with the IAPP. "We got broad feedback from the community and spent the rest of the time revising the document."
El Emam said the original deidentification guidance has "stood the test of time." For instance, in 2022, the International Standards Organization published deidentification standard 27559, which El Emam said contains a number of concepts that originated in the IPC's deidentification guidelines.
Both Kosseim and El Emam said a key feature of the new deidentification guidelines is the inclusion of checklists practitioners and organizational leaders can use for guiding themselves through different aspects of the full deidentification process and how to document that work.
"The community wanted something more detailed, something more operational," El Emam said. "They wanted information that would reduce uncertainty about what they would have to do to implement de-identification practices that would be viewed favorably by the IPC."
Kosseim said the guidelines' checklists are not a "check box exercise," but rather provide practical steps for organizations to follow to ensure they are undertaking and documenting the necessary measures to reduce reidentification risks.
Regulatory flexibility
"We tried to make the guidelines as easy to implement as possible because de-identification is a very complicated topic," Kosseim said. "They are intended to help people through a step-by-step process so that they can carry out de-identification themselves, or if they get assistance, to be able to direct the work in an informed manner."
Additionally, Kosseim said the guidelines were updated to reflect regulatory changes governing how deidentification must be carried out in Canada, such as the anonymization requirements under Quebec's Law 25, and around the world.
"We wanted to be sure that we were looking with a broad, global lens at what's happening around the world and that we’re putting forth expectations and best practices that are commensurate with these evolving regulations," Kosseim said. "To the extent where it was possible, we tried to make the guidelines as harmonized as we could across these different jurisdictions in order to assist individuals with that 'crosswalk' between different regulatory environments."
El Emam said even though federal privacy law reform and artificial intelligence regulation in Canada with Bill C-27 ultimately failed during the last session of Parliament, the IPC's guidelines were developed to be flexible for whatever form efforts to reform Canada's private-sector privacy laws may look like when Parliament introduces new legislation. He said an area where the guidelines may become particularly helpful is for AI integration in all sectors and ensuring that researchers and other stakeholders can access quality, de-identified data to provide public benefit.
"There's no point in investing in de-identification and producing data that is not useful and has low utility," El Emam said. "So it's important to be cognizant and think about how we can responsibly enable access to comprehensive data, because if you strangle access, you make it very difficult for AI innovation to happen."
Constant vigilance key
Kosseim stressed that while the updated guidance reflects the latest best practices for deidentification techniques that have evolved over the last 10 years, the process of deidentification for organizations is a constant effort.
"De-identification is not a one-and-done activity, it really is an ongoing process of monitoring data, conducting risk assessments and adjusting, depending on the changes to the context or changes in use cases," Kosseim said. "I hope this guidance is on the desk of every CEO, CIO, CPO as a tool ready to be referred back to on an ongoing basis."
Alex LaCasse is a staff writer at the IAPP.
