Protecting Public Sector Organizations from Ransomware

As ransomware becomes an increasingly dangerous threat for public sector organizations, the Information and Privacy Commissioner of Ontario (IPC) has published a fact sheet with information on how organizations can protect themselves. Ransomware is a type of malware that accesses a computer (or network), encrypts its files and then demands payment to restore access. In June of this year the University of Calgary paid a $20,000 ransom after an unknown hacker committed a ransomware cyber-attack.

Read the fact sheet here.


IPC Weighs In on Personal Email and Instant Messaging

The Information and Privacy Commissioner (IPC) released a report in June outlining his position on the use of instant messaging and private email in Ontario’s public institutions. It presents the IPC’s view that both personal email and instant messages are subject to Ontario’s information access and privacy laws. According to the IPC:

All public servants should be aware records relating to an institution’s business that are created, sent or received through instant messaging or personal email accounts are subject to Ontario’s access and privacy laws. The IPC recommends that all institutional leaders strictly control the use of these tools when doing business. If it is necessary to use these tools, institutions should implement appropriate policy and technical measures to ensure that records are saved.

Read the full report here.

IPC Rules Councillor’s Email An Official City Record

In a decision that may set a precedent for municipalities across the province, Ontario’s Information and Privacy Commissioner (IPC) has ruled that the City of Oshawa must consider an email sent by a sitting councillor from her personal email address an official city record. As part of its ruling, the IPC stated that any records that emanate from a councillor’s official responsibilities as a member of council are subject to information access laws.

The city argues that it could not legally compel the councillor to provide the record. The parties did not refer me to any contracts, codes of conduct or policies that expressly or by implication give the city the legal right to possess or otherwise control the record, which was sent from the councillor’s personal iPad. The Supreme Court has stated, however, that de facto (as opposed to de jure) control is recognized as control. Although a councillor is not considered to be part of the city for the purposes of the Act, neither is a councillor a stranger to the city; both are governed by the Municipal Act.… I acknowledge that, as discussed above, many previous orders of this office have found that records created by city councillors are not in the control of the city. However, determining custody and control is a contextual exercise. None of the orders involved facts similar to those before me…

-Information and Privacy Commissioner Ontario, ORDER MO-3281, The Corporation of the City of Oshawa, January 22 2016


Fore more:

Information and Privacy Commissioner Report 

Toronto Star: Email from Oshawa councillor’s private account ordered released 


IPC Calling for Access to Councillor’s Records

As part of the municipal legislation review Ontario’s Information and Privacy Commissioner has written to the Minister of Municipal Affairs with a recommendation that amendments be made to MFIPPA that would extend its coverage to municipal councillor’s records. According to the letter, the current standards, which exempt certain records held by municipal councillors, are not meeting the public’s demand for transparency and accountability.

You can read the letter here.