Ontario’s new privacy commissioner takes on COVID-19 challenges

In many ways, the abilities of security professionals are being tested in remarkable ways by the COVID-19 pandemic. Whether it’s resource allocation, emergency response, safety protocols or other measures, they have been required to look at them through a new lens.

It’s in this challenging environment that Patricia Kosseim recently began her role as Ontario’s Information and Privacy Commissioner (IPC), taking over from Brian Beamish, who departed after his five-year term.

“In this time of global turmoil and change, upholding privacy and access rights is more important than ever,” states Kosseim in her welcome message, published on the IPC office’s blog on July 2, her first official day.

“The health, social and economic upheavals we are currently facing continue to test our sense of normalcy, posing some of the toughest privacy and accountability challenges yet.”

Patricia Kosseim (image courtesy IPC)

A career in privacy

Kosseim was counsel for the privacy and data management group at Toronto law firm Osler before accepting the commissioner role, and before that served as director general and senior general counsel in the Federal Privacy Commissioner’s Office in Ottawa.

Her legal career began in Quebec at the same time as the province was adopting the Private Sector Act which, in 1993, became the first private-sector privacy law in Canada. “[That] was my introduction to the field, particularly to guiding and educating organizations on these new privacy obligations, which were, in fact, quite novel for many organizations at the time,” says Kosseim, who spoke to Canadian Security during the first week of her term as commissioner.

Kosseim’s career has also intersected with the health-care field — prior to her time in the federal privacy office, she led the ethics office for the Canadian Institutes of Health Research in Ottawa.

“There, amongst other national ethics guidelines and issues we dealt with, was the secondary use of personal health information for health research purposes and public health, which is very germane to the current context we’re living in,” says Kosseim.

Testing the boundaries

She says that privacy laws in Canada (and elsewhere) account for public health emergencies such as the COVID-19 pandemic and may allow for some flex when public health interests are at stake.

“I can certainly say that so far, we’ve seen those boundaries tested in several ways, as you can anticipate,” she says. “In many privacy laws, there is the opportunity to collect, share or disclose information where the public interest outweighs privacy concerns. So how you weigh and balance those countervailing values in a context such as this — which is so unprecedented — is certainly one of the issues we’re seeing right now.”

Kosseim says that her office is reviewing a voluntary COVID-19 exposure notification app, which uses non-identifiable information to let users know if they’ve been in contact with someone who has tested positive for COVID-19. The app was originally due to launch in Ontario in early July before rolling out to other provinces but was recently delayed for further development. “Ontario is first out of the gate; my staff is being consulted by the Ontario government officials,” she says.

At press time, the app was still in a test phase with a launch possibly imminent. [Editor’s Note: The COVID Alert app debuted July 31]

Kosseim’s welcome letter also explores the recent expansion of the IPC office’s powers, allowing for potential punitive action in breach cases where personal health-care data is compromised.

“One of the things that excites me about this new mandate is to assume the position at a time when there’s been some very thoughtful reform initiatives in recent years,” she explains, “including some very recent changes to the Personal Health Information Protection Act in Ontario, that introduces, among other things, administrative monetary penalties for actors that breach the privacy laws and privacy obligations in particularly egregious cases.”

Kosseim has published three more blog posts in her first month as the province’s privacy commissioner. One dated July 23 is a reminder that privacy policies are as relevant today in the home as they are in public spaces, given the number of Canadians who have swapped their office spaces for hastily arranged home-working situations.

“As the province begins to reopen and remote working conditions continue to evolve, let’s keep the conversation going, so organizations and their staff know how to mitigate risks to access, privacy and security even from home,” writes Kosseim.

A Privacy Fact Sheet with guidelines addressing the current work-from-home situation is available on the IPC website.