On October 15, 2025, the Office of the Information and Privacy Commissioner of Ontario (IPC) released updated De-Identification Guidelines for Structured Data (the “New Guidelines”), providing Ontario-based data custodians with an updated framework for safeguarding privacy while maintaining data utility. The New Guidelines take into account emerging privacy risks and technological advancements, replacing the original version published in 2016.
The New Guidelines set out terminology, key concepts and principles pertaining to de-identification, provide use cases where de-identification techniques have been used responsibly, and outline a process for de-identifying structured data.
Specifically, the New Guidelines outline a 12-step process for de-identifying structured datasets. Some notable steps include identifying direct and indirect identifiers, pseudonymizing the direct identifiers, determining an acceptable re-identification risk threshold, assessing data vulnerability based on the context of the data release (i.e., public, non-public internal, or non-public external), and calculating the risk of re-identification. The New Guidelines encourage organizations to document their de-identification processes to ensure transparency and engage in a periodic monitoring of the risk environment to assess if anything material has changed that affects the risk of re-identification.
The New Guidelines also outline three types of disclosure: (1) identity disclosure (linking data to an individual); (2) attribute disclosure (inferring personal information); and (3) membership disclosure (determining if an individual is part of a dataset). While the New Guidelines focus primarily on mitigating identity disclosure risks, it notes that to have a very low risk of re-identification, the risk of all three types of disclosures should be “very low”.
The New Guidelines also contain multiple checklists to assist in implementing the techniques discussed in the document, such as checklists for: assessing an intended data recipient’s mitigating controls; documenting pseudonymization and de-identification; and clauses to be included in data sharing agreements.
Ultimately, the IPC’s New Guidelines aim to support responsible data use while protecting individual privacy. The New Guidelines are not legally binding and are intended to complement emerging international standards and regulatory developments.
For more information, see the full New Guidelines available here.
Summary By: Victoria Di Felice
E-TIPS® ISSUE
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.
