Ontario IPC publishes new guidelines

Last November I attended a “Privacy By Design” workshop, hosted by the UK Information Commissioner’s Office to mark the launch of a report on that topic, produced by the excellent Toby Stevens of EPG. For once, the UK ICO was ahead of its Canadian counterpart ;^)

You may also have seen that the ICO has issued guidance to the effect that UK public sector bodies must now do a Privacy Impact Assessment for any project which involves the processing of personal data… in that instance, though, I have to report that the Ontario Commission beat them to it. Dr Ann Cavoukian and her team have been using PIAs for some time now (see, for instance, this 2005 paper applying PIA principles to the processing of personal healthcare information… a practice, incidentally, which might give many of us reassurance if applied to the UK’s Electronic Patient Record initiative).

The Ontario Commission is in the lead with its latest press release, too: this one is about what to do if your project not only deals with personal data but also crosses organisational boundaries. The answer is the F-PIA, or Federated Privacy Impact Assessment. This starts with the initial privacy principles for data-at-rest and extends them to apply to data-in-motion.

A recommended read… and here’s a link to the requisite page on the IPC website.