This practice area is rooted in privacy and confidentiality: protecting personal information and other sensitive and privileged information organizations hold, manage, or are responsible for. In an ever-changing technological environment, privacy failures can cause irreparable, life-altering harm to individuals and serious legal and reputational consequences for organizations.
I advise organizations on privacy obligations, access to information issues, and information governance, including privacy protection. While a privacy policy is an important aspect of organizational governance, it is generally not sufficient on its own, and should be supported by privacy risk assessment, operational planning, staff practices and training, vendor controls, incident response readiness, and ongoing review.
My services in this practice area may include:
- Privacy obligations and compliance under applicable legislation and common law.
- Privacy protection assessment and privacy program design, including operational planning and implementation.
- Data breach response planning, breach management, and notification and mitigation obligations.
- Advice on privacy litigation risk and emerging issues, including the evolving landscape of class actions and data breach claims.
- Information governance in relation to sensitive and privileged records and data, including retention, access controls, and internal accountability.
- Contractual privacy and confidentiality provisions, including for vendors, consultants, and other service providers.
- Access to information requests.
Many of the legal principles and governance practices involved in privacy and information law are also relevant in Indigenous governance contexts, including in relation to data sovereignty and stewardship of sensitive and privileged Indigenous knowledge and information.
