Public Accountability, Cloud Risk, and FIPPA:
Why hiding bad news is a terrible idea!
Ontario’s colleges, universities, and hospitals are not government ministries, but they answer to government and serve the public. That means when something goes wrong, they are expected to act with the same level of transparency and care.
With Bill 194 (the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024) taking effect in July 2025, the legal bar is higher than before. Institutions must show they have real safeguards in place, run privacy impact assessments (PIAs) before collecting personal information, and report breaches that create a “real risk of significant harm.”
This matters because many higher education and health institutions already rely heavily on U.S. cloud services. That dependence creates a foreseeable risk: the CLOUD Act lets U.S. authorities compel a U.S. provider to produce data in its possession or control regardless of where that data is stored, so a sealed order to a vendor can result in Canadian student or patient information being disclosed even from a Canadian data centre, and a non-disclosure order may bar the vendor from telling the institution. Data residency alone does not remove this exposure. Because the risk is public knowledge, institutions cannot claim surprise if harm occurs.
How Public Awareness Creates Responsibility
When issues are reported in the media, regulators respond.
- Doctors complained about a University of Toronto health data project called UTOPIAN, and after the story hit the news, Ontario’s Privacy Commissioner launched an investigation. The project was paused until safeguards were reviewed. [1]
- In the LifeLabs breach, which exposed the health data of millions of Canadians, the Ontario and British Columbia privacy commissioners found that the company had failed to take reasonable steps to protect that information and ordered corrective action. [2]
These cases show that once a risk or breach is public, institutions carry a higher duty to respond. If a student or professor were harmed because their data flowed through a U.S. cloud provider, an investigation would not stop at “we did the minimum.” Ontario’s Information and Privacy Commissioner (IPC) would ask whether the institution knew about the risk and what it did to mitigate it.
Vendor Assurances Do Not Erase Risk
Many institutions lean on consultants or vendors who say “no risk” when asked about U.S. cloud exposure. That may be comforting, but it is not a shield.
Courts in Canada have started to consider negligence claims against consultants whose advice contributed to harm. In British Columbia, a class action against McKinsey was allowed to proceed, with allegations that the firm’s consulting work contributed to the opioid crisis. [3] Legal commentary notes that Canadian courts are now willing to test whether consultants’ liability extends beyond their immediate clients to others affected by their advice. [4]
In practice, the institution is still accountable to regulators, students, and patients. If harm occurs, “the consultant said it was fine” will not satisfy the IPC.
Best practice is to verify vendor claims independently, document your own risk assessment, and include clear contractual language on breach notification and liability. Canadian case law and commentary show that while consultants may eventually face liability, institutions cannot rely on that possibility as protection: they remain the first line of responsibility.
Expanded Best Practices for Institutions
Institutions that cannot realistically abandon U.S. cloud overnight must still act. Bill 194 does not pause. The focus should be on showing diligence: documenting risks, reducing exposure, and communicating clearly.
1. Fix Contracts
- Require vendors to notify you of any breach, and of any legal demand for your data, to the extent the law allows; because a sealed order may prohibit notice, also require the vendor to challenge or narrow overbroad demands where it can.
- Limit how long vendors can keep your data, and require confirmed deletion when the contract ends.
- State clearly that the data remains in the custody and control of the institution, not the vendor, and that the vendor processes it only on the institution’s instructions.
Who to inform: leadership and legal teams need to know these changes; staff, students, and patients should be told that stronger protections are now in place.
2. Run a Privacy Impact Assessment (PIA)
- Bill 194 makes PIAs mandatory before collecting personal information or changing how it is used.
- Document that U.S. CLOUD Act exposure is a risk and describe how you will reduce it.
Who to inform: executive leadership and the Board should see the PIA; a summary of findings should be shared with staff and faculty to build awareness.
3. Reduce Exposure
- Collect only the data you need.
- Keep highly sensitive data (immigration, equity research, health records) off vendor systems where possible.
- Limit which staff can access sensitive records.
Who to inform: staff and faculty whose data is collected, and students or patients whose records are involved, need clear notices about what is and is not stored in cloud systems.
4. Add Compensating Controls
- Encrypt data at rest and in transit, but understand what vendor-managed encryption does and does not do: a vendor that holds the keys can decrypt the data, so it gives no protection against a vendor compelled to produce it. Only keys the institution holds itself (“hold your own key”, HYOK, or client-side encryption) remove that ability. Until HYOK is in place, treat vendor-managed encryption as a control against outside attackers, not against compelled disclosure.
- Maintain your own Canadian-based copy of key logs (authentication, access to sensitive records, administrative changes) so you always have an authoritative record that does not depend on the vendor.
- Store those logs in systems you control, written append-only and integrity-protected (for example hash-chained or signed), so that any alteration or deletion is detectable rather than silent.
Who to inform: IT and security staff need full details; leadership should hear high-level assurances; faculty, students, and patients should be reassured that extra safeguards are active.
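The log bullets above ask for a record that cannot be silently altered. One common way to get that property is an HMAC-keyed hash chain: each entry is authenticated over its own content plus the tag of the previous entry, so editing, deleting, inserting or reordering entries breaks the chain, and anyone holding the key can check a copy of the log returned by a vendor. The following is an added example written for this article, not code from the page or from any product it mentions; it assumes the HMAC key lives in a system the institution controls (for instance a Canadian-hosted HSM or KMS) and is never shared with the vendor, and the event names, actors and the key value are constructed placeholders.

```python
"""Tamper-evident audit log: an HMAC-keyed hash chain held by the institution.

Added example, not from the original article. Assumes the institution keeps the
HMAC key in a system it controls (e.g. a Canadian-hosted HSM or KMS) and never
shares it with the cloud vendor, so a vendor-side copy of the log cannot be
rewritten without the change being detectable here.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # chain link used by the very first record


def _canonical(record: Dict) -> bytes:
    # Deterministic serialisation: same bytes regardless of key insertion order.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _tag(key: bytes, record: Dict) -> str:
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


class TamperEvidentLog:
    """Append-only log; each record is HMAC'd over its content plus the previous tag."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.records: List[Dict] = []

    def head(self) -> str:
        """Tag of the latest record; anchor this somewhere the vendor cannot touch."""
        return self.records[-1]["tag"] if self.records else GENESIS

    def append(self, event: Dict) -> Dict:
        record = {"seq": len(self.records), "prev": self.head(), "event": event}
        record["tag"] = _tag(self._key, record)
        self.records.append(record)
        return record


def verify_chain(key: bytes, records: List[Dict],
                 expected_head: Optional[str] = None) -> Tuple[bool, str]:
    """Check a (possibly vendor-returned) copy of the log.

    Detects edited content, records re-signed without the key, deleted or
    inserted records, and reordering. Truncation of the tail is only detectable
    when the last known head tag (stored outside the vendor) is supplied.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i:
            return False, f"sequence break at position {i} (record claims seq {rec.get('seq')})"
        if rec.get("prev") != prev:
            return False, f"chain link broken at seq {i}"
        body = {k: v for k, v in rec.items() if k != "tag"}
        if not hmac.compare_digest(_tag(key, body), str(rec.get("tag", ""))):
            return False, f"HMAC mismatch at seq {i}: record content was altered"
        prev = rec["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "head mismatch: records missing from the end of the log"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Build a small log from constructed events and show how each tampering attempt is caught."""
    key = b"institution-held-hmac-key-do-not-share"  # assumption: in practice loaded from an HSM/KMS
    log = TamperEvidentLog(key)
    # Constructed sample events (not real data).
    log.append({"actor": "admin@example.ca", "action": "export", "table": "student_immigration"})
    log.append({"actor": "svc-backup", "action": "read", "table": "patient_records"})
    log.append({"actor": "admin@example.ca", "action": "grant", "target": "vendor-support"})
    head = log.head()  # the value you would anchor in your own Canadian-hosted store

    # A quietly edited actor on the first record (tag left as it was).
    edited = [dict(r) for r in log.records]
    edited[0] = dict(edited[0], event=dict(edited[0]["event"], actor="someone-else"))
    deleted_middle = [log.records[0], log.records[2]]
    reordered = [log.records[1], log.records[0], log.records[2]]
    truncated = log.records[:2]

    return {
        "intact": verify_chain(key, log.records, head),
        "edited": verify_chain(key, edited, head),
        "deleted_middle": verify_chain(key, deleted_middle, head),
        "reordered": verify_chain(key, reordered, head),
        "truncated_no_anchor": verify_chain(key, truncated),  # passes: nothing to compare against
        "truncated_with_anchor": verify_chain(key, truncated, head),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:22s} {'OK ' if ok else 'BAD'} {reason}")
```

The last two results in demo() make the practical point: a hash chain proves that nothing inside the log changed, but it cannot by itself prove that the log is complete. Periodically record the head tag (or a signed copy of it) in a system the vendor cannot reach, and verify vendor-returned logs against that anchor; otherwise a trimmed log still verifies cleanly.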
5. Prepare for Breach Response
- Write a breach notification playbook that aligns with Bill 194’s “real risk of significant harm” test.
- Decide in advance who will notify the IPC and who will notify affected individuals.
- Run tabletop exercises that simulate sealed foreign orders or major data leaks.
Who to inform: executives, privacy officers, and communications staff need to know the playbook; all staff should be trained on how incidents will be reported.
6. Communicate Honestly
- Be open with leadership about the risks of U.S. cloud dependence.
- Share realistic timelines and costs for moving toward Canadian-only solutions.
- Tell staff, students, and patients what data is at risk, what you are doing about it, and what they should do if a breach occurs.
Who to inform: everyone. Trust depends on clarity and transparency at all levels.
Why This Matters
If a refugee student is detained because immigration records flowed through a U.S. vendor, or a professor is harassed for their research after logs are disclosed abroad, the institution cannot claim ignorance.
Bill 194 makes safeguards, PIAs, and breach reporting a matter of law. Public awareness of cross-border risk is already high. Failing to act could be judged negligent.
Institutions that cannot shift technology quickly must still act responsibly: tighten contracts, run PIAs, reduce exposure, add controls, prepare for breach, and communicate openly.
The regulator and the public will ask one simple question: did you act reasonably given what you knew? Today, the answer cannot be “we did the minimum.”
[1] Global News, “Whistleblowers allege U of T data project collected 600K patient records without consent.” https://globalnews.ca/news/9428080/university-of-toronto-medical-records-data-project-ontario-privacy-complaint/
[2] Canadian Lawyer, “LifeLabs data breach report released after court rejects bid to block publication.” https://www.canadianlawyermag.com/practice-areas/privacy-and-data/lifelabs-data-breach-report-released-after-court-rejects-bid-to-block-publication/390054
[3] Canadian Lawyer, “B.C. can move ahead with class action to recoup opioid-related damages from consultancy McKinsey,” Jan 2023. https://www.canadianlawyermag.com/practice-areas/litigation/bc-can-move-ahead-with-class-action-to-recoup-opioid-related-damages-from-consultancy-mckinsey/380920
[4] Mondaq, “Consultants’ liability for bad advice: just to their clients, or does it go further?” 2024. https://www.mondaq.com/canada/advertising-marketing-branding/1380658/consultants-liability-for-bad-advice-just-to-their-clients-or-does-it-go-further