Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
If you've been paying attention, I sometimes take the opportunity here to highlight Canadians who are having an impact in our industry. I wasn't actually planning to do one of those this week, but as I proofread this column, I realized I've done just that — and it's just as well.
This week, my privacy law class at the University of Ottawa was treated to a special guest: the Information and Privacy Commissioner of Ontario Patricia Kosseim. Despite Ottawa's newly notorious traffic — now a genuine urban challenge — she made the trek across town to join us, bringing both her expertise and her trademark warmth.
Commissioner Kosseim's visit was more than a lecture; it was a candid conversation about the realities of privacy regulation in Ontario. She spoke about her office's mandate, which is anchored in promoting and protecting Ontarians' access and privacy rights in an increasingly data-driven world.
The IPC's strategic priorities, as outlined on its website and in recent consultations, focus on four pillars: privacy and transparency in a modern government, children and youth in a digital world, next-generation law enforcement, and trust in digital health. These priorities aren't just aspirational. They actually guide the office's day-to-day work as well as its longer-term vision. And you may have noticed the office recently launched a consultation to aid in its refresh.
While our class didn't have time to fully explore the need for private sector privacy legislation in Ontario — especially as it relates to employee privacy — the commissioner alluded to the importance of such reforms. Even without these additional enforcement obligations, the responsibilities of her office remain extensive, spanning oversight of public sector institutions, health information custodians, educational institutions and law enforcement agencies.
One of the most engaging parts of the talk was our discussion about administrative monetary penalties. The class was eager to understand how the commissioner arrives at a dollar figure when organizations violate privacy obligations. She walked us through the factors her office considers, emphasizing proportionality, deterrence and the broader public interest.
Adding a personal dimension to the afternoon, Commissioner Kosseim's son, Tristan, was in the audience. Tristan competed in the Special Olympics as a downhill skier who acted as the guide to his partner, the other Olympian skier, who is visually impaired — a role that, as you can imagine, requires a great deal of skill and empathy. After class, Tristan generously gave me a signed copy of his book about what he learned from his experience. It's a great read. I was amused when the commissioner said she was a bit nervous speaking in front of her son, but it was clear they are both natural communicators, each in their own domain.
The next day, at a privacy and access conference in Ottawa that was partially organized by my nNovation colleague Dustin Moores, I ran into Commissioner Kosseim again — this time among a group of provincial commissioners. To her credit, she attended every conference session, fully engaged and taking notes. I take it as an indication the office is listening. This was in stark contrast with some other attendees in the audience — like at every conference — who were busy multi-tasking on their devices and probably only half listening.
As someone who regularly represents organizations in their interactions with regulators, I'm acutely aware that our perspectives don't always align. In fact, we sometimes completely disagree with one another about perspective, approach and what the ultimate outcome should look like.
I actually think that's pretty healthy. That tension can be useful when it's paired with civility and a willingness to hear each other out. We start by recognizing that we share a common aim — strong rights for individuals and fair, workable rules for organizations that support trusted use and protection of data.
I appreciate working with the regulators who show an openness to questions and I welcome continued, good-faith dialogue. It feels characteristically Canadian: pragmatic, public-focused and civil.
On that note, thanks to Commissioner Kosseim for spending time with my students and for modeling that kind of conversation.
Kris Klein, CIPP/C, CIPM, FIP, is the country leader, Canada, for the IAPP.
This article originally appeared in the Canada Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.
