Privacy commissioner reflects on 2025 work, including first-of-its-kind administrative monetary penalty
In her last blog post of the year, Patricia Kosseim, Ontario’s information and privacy commissioner (IPC), discussed a number of notable privacy-related issues, decisions, and guidance that impacted the office’s efforts in 2025.
“As we encapsulate 2025, one thing is clear: the progress we’ve made this year reflects the dedication and care of the people behind the work,” Kosseim said in the blog post.
Kosseim expressed gratitude to IPC staff members for their commitment to fulfilling the office’s mandate in the service of Ontarians.
In 2025, the IPC issued the first administrative monetary penalty (AMP) under Ontario’s Personal Health Information Protection Act (PHIPA).
In PHIPA Decision 298, the IPC set a $5,000 penalty against a doctor and an additional $7,500 penalty against his private clinic for accessing and utilizing patient records without permission for personal financial gain.
“This case was a prime example of why AMPs were introduced in the first place: to encourage compliance with the law and/or to prevent a person from deriving, directly or indirectly, any economic benefit as a result of contravening the law,” Kosseim said.
Last year, the IPC published a report identifying trends and lessons learned from access-to-information appeals regarding the province’s Greenbelt.
Kosseim emphasized the public interest engaged by the government’s decisions and actions concerning the Greenbelt’s boundaries and their impacts on environmental protection and sustainability.
Among other recommendations, the IPC recommended that the government:
“As we process the tail end of the remaining Greenbelt-related appeals, we will be looking for steady and continued progress by government in implementing these recommendations and enhancing its transparency to the citizens it serves,” Kosseim said in the blog post.
In 2025, the IPC updated and expanded the de-identification guidelines for structured data, which seek to promote the responsible use of data for the public good and strike a balance between the needs for data utility and data privacy.
According to Kosseim, the update reflects major technological advances, increased privacy risks, and the changes to the landscape since the publication of the original guidelines in 2016.
The updated guidelines include modern methods of de-identification and risk assessment, outline the steps for de-identification, and provide more detailed guidance in the appendices.
The IPC issued guardrails for police use of investigative genetic genealogy (IGG) in Ontario, a first-in-Canada resource.
According to Kosseim, IGG, an emerging technology and investigative tool, aims to help police solve cold cases involving serious crimes, bring criminals to justice, and give grieving families answers.
The IPC noted that IGG raises privacy and human rights issues and questions regarding the proper relationship between law enforcement and private-sector genetic testing companies.
Late last year, the IPC announced its findings on a privacy breach concerning PowerSchool, an educational technology provider, in the office’s first coordinated enforcement action with its Alberta counterpart.
According to Kosseim, the breach impacted millions in the US and Canada, including almost four million students, parents, and teachers across 20 public school boards in Ontario.
The IPC noted that the government has released draft regulations under the Enhancing Digital Security and Trust Act (EDSTA) for consultation with the public.
“We will be closely examining these proposed regulations and will provide our comments and recommendations to the government in the new year,” Kosseim said.