The words “use” and “loss” in privacy laws may not mean what you think in a cyber-security incident
In this episode, David Fraser, PrivacyLawyer, unpacks the recent Ontario Divisional Court decision in Hospital for Sick Children v. Information and Privacy Commissioner of Ontario. The case arose from ransomware attacks that temporarily encrypted servers at SickKids and the Halton Children’s Aid Society. No evidence suggested that hackers viewed, copied, or exfiltrated personal information—yet the Information and Privacy Commissioner found there had been an unauthorized “use” and “loss” of data, triggering notification obligations. The Court upheld those findings, deferring to the regulator’s broad interpretation.
David explains why this matters for organizations across Ontario (and beyond), focusing on how common words like “use” and “loss” may not mean what you think when regulators are involved. He also contrasts Ontario’s strict approach with the federal private-sector law, PIPEDA, which only requires notification where there is a “real risk of significant harm.” The key takeaway: Ontario’s laws can demand notification even when no harm to individuals exists, a standard that may lead to over-notification and notice fatigue.
The Divisional Court decision can be found here: https://canlii.ca/t/kffpm
Where you can find me
► Privacylawyer blog: https://blog.privacylawyer.ca
► Twitter: https://twitter.com/privacylawyer
► LinkedIn: https://www.linkedin.com/in/davidtsfraser
Disclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel.
All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.