Content provided by David Fraser. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by David Fraser or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://podcastplayer.com/legal.
The words “use” and “loss” in privacy laws may not mean what you think in a cyber-security incident

8:19
 

In this episode, David Fraser, PrivacyLawyer, unpacks the recent Ontario Divisional Court decision in Hospital for Sick Children v. Information and Privacy Commissioner of Ontario. The case arose from ransomware attacks that temporarily encrypted servers at SickKids and the Halton Children’s Aid Society. No evidence suggested that hackers viewed, copied, or exfiltrated personal information—yet the Information and Privacy Commissioner found there had been an unauthorized “use” and “loss” of data, triggering notification obligations. The Court upheld those findings, deferring to the regulator’s broad interpretation.

David explains why this matters for organizations across Ontario (and beyond), focusing on how common words like “use” and “loss” may not mean what you think when regulators are involved. He also contrasts Ontario’s strict approach with the federal private-sector law, PIPEDA, which only requires notification where there is a “real risk of significant harm.” The key takeaway: Ontario’s laws can demand notification even when no harm to individuals exists, a standard that may lead to over-notification and notice fatigue.

The Divisional Court decision can be found here: https://canlii.ca/t/kffpm

Where you can find me

► Privacylawyer blog: https://blog.privacylawyer.ca

► Twitter: https://twitter.com/privacylawyer

► LinkedIn: https://www.linkedin.com/in/davidtsfraser

Disclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel.

All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.
