In this episode, David Fraser, PrivacyLawyer, unpacks the recent Ontario Divisional Court decision in Hospital for Sick Children v. Information and Privacy Commissioner of Ontario. The case arose from ransomware attacks that temporarily encrypted servers at SickKids and the Halton Children’s Aid Society. No evidence suggested that hackers viewed, copied, or exfiltrated personal information—yet the Information and Privacy Commissioner found there had been an unauthorized “use” and “loss” of data, triggering notification obligations. The Court upheld those findings, deferring to the regulator’s broad interpretation.

David explains why this matters for organizations across Ontario (and beyond), focusing on how common words like “use” and “loss” may not mean what you think when regulators are involved. He also contrasts Ontario’s strict approach with the federal private-sector law, PIPEDA, which only requires notification where there is a “real risk of significant harm.” The key takeaway: Ontario’s laws can demand notification even when no harm to individuals exists, a standard that may lead to over-notification and notice fatigue.

The Divisional Court decision can be found here: https://canlii.ca/t/kffpm

Where you can find me

► Privacylawyer blog: https://blog.privacylawyer.ca

► Twitter: https://twitter.com/privacylawyer

► LinkedIn: https://www.linkedin.com/in/davidtsfraser

Disclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel.

All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

The law — and the practical realities — of recording conversations in Canada. From AI wearables like the Bee that promise “always-on” memory assistance, to built-in recording and transcription on Zoom and Teams, to employees secretly recording meetings, the legal framework hasn’t really changed: one-party consent under the Criminal Code means you can record if you’re part of the conversation and your purposes are 100% personal. But that doesn’t always make it wise, and in workplaces or commercial settings, privacy laws and policies come into play.

David explores where the law draws the line, why secret recordings are often seen as hostile, and how policies can help manage new tools like AI transcription and wearables. Whether it’s a patient recording therapy sessions, an employee hitting record in a meeting, or an organization using AI-enabled tools for accessibility, this video unpacks the legal rules, the privacy risks, and the best practices for managing them responsibly.

Where you can find me

► Privacylawyer blog: https://blog.privacylawyer.ca

► BlueSky https://bsky.app/profile/privacylawyer.ca

► Twitter: https://twitter.com/privacylawyer

► LinkedIn: https://www.linkedin.com/in/davidtsfraser

Disclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel.

All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

In August 2025, Ontario’s Information and Privacy Commissioner issued a revised finding against the University of Waterloo for a privacy breach involving “smart” vending machines that secretly used biometric face detection technology. Students discovered the issue when an error message revealed the machines were running FacialRecognition.App.exe.

In this video, privacy lawyer David Fraser explains the Commissioner’s decision, why the University of Waterloo was found responsible under Ontario’s privacy law, and the lessons learned.

The IPC finding can be found here: https://decisions.ipc.on.ca/ipc-cipvp/privacy/en/item/521985/index.do

Where you can find me

► Privacylawyer blog: https://blog.privacylawyer.ca

► My law firm: https://www.mcinnescooper.com/people/...

► Twitter: https://twitter.com/privacylawyer

► LinkedIn: https://www.linkedin.com/in/davidtsfr...

Disclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel.

All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.