By Esther Shainblum and Martin U. Wissmath

Ontario’s privacy regulator has released updated guidance to help organizations use and share data responsibly while protecting individual privacy. On October 15, 2025, the Information and Privacy Commissioner of Ontario (the IPC) published its new “De-Identification Guidelines for Structured Data” (the “Guidelines”), replacing the IPC’s 2016 version. The Guidelines provide organizations with a detailed process to follow when de-identifying structured datasets (data in a standardized format such as spreadsheets and databases) for purposes such as research, scholarship and policy development.

Although the public increasingly relies upon the generation and sharing of data, some of the main concerns around sharing data for these purposes relate to privacy. Organizations de-identify data so that it can be used and shared without identifying individuals or permitting their re-identification. However, there is always a risk that data can be re-identified, which could expose the organization to liability, financial loss and reputational damage. The Guidelines are intended to assist organizations in confidently de-identifying information so that the risk of re-identification is minimized as much as possible. The IPC’s press release for the Guidelines state that they provide “clear, practical tools for applying de-identification confidently, effectively, and responsibly” and include “step-by-step processes, practical tools, useful checklists, fact sheets and case studies.” The Guidelines are not mandatory or binding, but the IPC “encourages” all of Ontario’s public sector institutions to consult them.

Although generally intended for Ontario’s public sector institutions, the Guidelines can be used by any organization that wants to share data responsibly and minimize privacy risks to itself and to its stakeholders.

For charities and not-for-profits, the updated Guidelines provide timely direction for using data responsibly in program delivery, research, evaluation and digital service design. They encourage organizations to understand what information they hold, assess whether de-identification is appropriate, and document their decisions. The Guidelines also reinforce the importance of transparency, careful data management and ongoing oversight to meet applicable statutory obligations and to maintain public trust.

​Read the November 2025 Charity & NFP Law Update