The Registered Education Savings Plan (RESP) company whose employee improperly collected and used personal health information of Ontario hospital patients has implemented recommendations from the Office of the Privacy Commissioner of Canada (OPC). A recently completed third-party audit determined that Global RESP Corporation has put in place appropriate accountability measures to ensure the protection of personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA).
The OPC’s investigation was conducted in cooperation with the IPC’s investigation, which found the hospital had failed to put in place reasonable technical and administrative safeguards to protect patient information. The hospital has since taken steps to rectify the deficiencies uncovered by our investigation and has satisfied the terms of our Order.
The cooperation between the two offices demonstrates the ability of federal and provincial authorities to work together to address serious privacy issues affecting the public. For more information, please see the OPC's website.
TORONTO, ON (Sept. 29, 2016) – Ontario’s Information and Privacy Commissioner (IPC) Brian Beamish today released the findings of his investigation into the records management practices of the Toronto Organizing Committee for the 2015 Pan American and Parapan American Games (TO2015). Commissioner Beamish concluded that records were not intentionally destroyed or withheld to avoid accountability during the Office of the Auditor General’s audit, and that TO2015 had appropriate recordkeeping and record retention policies in place.
The investigation was started in June of this year as a result of statements in the Office of the Auditor General’s Special Report on the 2015 Pan Am/Parapan Am Games. In her report, the Auditor General indicated that her staff had been unable to obtain answers to certain questions, as well as documents and hard drives from TO2015, during her audit. This led to speculation that TO2015 had deliberately destroyed or withheld documents to avoid accountability. In light of these statements, and the questions raised publicly as a result of these statements, the IPC initiated an investigation to examine the following:
Did TO2015 have appropriate recordkeeping and record retention policies and practices in place?
The IPC’s investigation determined that TO2015 had appropriate recordkeeping and record retention policies and practices in place, consistent with the requirements of the Archives and Recordkeeping Act (ARA) and the Freedom of Information and Protection of Privacy Act (FIPPA). TO2015 developed appropriate policies and practices that focused on preserving the content of business records in a cloud-based system, rather than on hard drives or other devices.
Did TO2015 staff destroy or withhold documents with the intention of avoiding accountability or misleading the Auditor General in the course of her audit?
The investigation found no intention by TO2015 to destroy records or withhold hard drives to mislead the Auditor General or avoid accountability. Similarly, although some documents may not have been available to the Auditor General, this was not as a result of any attempt to mislead or hinder the work of her office.
“As a result of my office’s investigation, I am satisfied that TO2015 staff did not deliberately attempt to avoid accountability or to mislead the Auditor General in the course of her audit.”
~ Brian Beamish, Information and Privacy Commissioner of Ontario
Full report on the Commissioner's investigation into the records management practices of the Toronto Organizing Committee for the 2015 Pan American and Parapan American Games (TO2015).
This is the Addendum to the Special Investigation Report, Deleting Accountability: Records Management Practices of Political Staff. In that Report, the IPC made findings critical of the email management practices of political staff that were identified through hearings taking place before the Standing Committee on Justice Policy (Justice Policy Committee). We also commented on the failure of political staff to retrieve emails responsive to motions of the Justice Policy Committee and to a number of freedom of information requests.
Subsequent to the release of the Report, the IPC was provided with new information regarding the Ontario Public Service (OPS) Enterprise Email System – information that should have been given to me during my investigation. This information was material to the issues in my investigation and directly responsive to questions my staff had asked.
This Addendum describes the circumstances surrounding the disclosure of new information provided by MGS staff and sets out the detailed information that was not provided to IPC staff during the initial investigation. It describes the OPS Enterprise Email System and explains why this new information was relevant to the discovery of responsive emails.
Findings and Conclusion:
In light of this information, the IPC would have arrived at a different conclusion regarding the ability of MGS staff to retrieve the relevant emails from Mr. MacLennan’s email account. However, the other findings in the Report were not affected and remain accurate.
Investigation into the allegation that there had been an inappropriate deletion of all emails related to the cancellation and relocation of the gas plants by political staff in the former Minister of Energy’s Office. Based on information received, a review of the email management practices in the former Premier’s Office was also conducted.
Findings:
The practice of indiscriminate deletion of all emails sent and received by the former Chief of Staff was in violation of the Archives and Recordkeeping Act (ARA) and the records retention schedule developed by Archives of Ontario for ministers’ offices.
The email management practices of the former Premier’s office were in violation of the obligations set out in the ARA.
Recommendations:
Ministry of Government Services
Conduct a complete review of the Archives of Ontario records retention policies and practices that apply to the records management processes in ministers’ offices and the Premier’s office, having regard to the issues raised in this Report. Staff responsibility for retaining business records must be clearly set out, in an effort to ensure proper execution of the retention schedules. Particular attention should be paid to staff responsibility for retaining records originating with, and kept by, offices and branches within the ministries.
Office of the Premier
Develop policies and procedures to ensure that ministers’ staff are fully trained regarding their records management obligations – immediately following a change in ministers’ staff, a change in government, or upon the hiring of any new staff within the office.
Require that a senior individual be designated in each minister’s office and the Premier’s office as the person who is accountable for the implementation of the Archives of Ontario records management policies, and for ensuring that all new staff receive the appropriate training.
Issue a communiqué to all staff within the Premier’s and ministers’ offices regarding this Investigation Report. This communiqué should include a message that the Premier takes records retention requirements and the transparency purposes of the Freedom of Information and Protection of Privacy Act (FIPPA) and the ARA very seriously, has an expectation that all staff will comply with relevant laws and policies, and requires that a senior individual be designated in each office to be accountable for the implementation of records management policies and procedures.
FIPPA/MFIPPA amendments
FIPPA and MFIPPA be amended to address institutions’ responsibilities to ensure that all key decisions are documented, to secure retention of records, and to add an offence for the willful and inappropriate destruction of records:
Create a legislative duty to document communications and business-related activities within FIPPA and MFIPPA, including a duty to accurately document key decisions;
Require that every institution subject to FIPPA and MFIPPA define, document and put into place reasonable measures to securely retain records that are subject to or may reasonably be subject to an access request under FIPPA and MFIPPA, taking into account the nature of the records to be retained;
Prohibit the wilful destruction of records that are subject to, or may reasonably be subject to, an access request under FIPPA and MFIPPA; and
Make it an offence under FIPPA and MFIPPA for any person to willfully destroy records that are subject to, or may reasonably be subject to, an access request under FIPPA and MFIPPA.
Investigation into the loss of two USB keys containing unencrypted personal information that were used by the Strike-off Project of Elections Ontario (EO).
Findings:
EO failed to put in place reasonable measures to protect the physical security, and the privacy and security of the personal information in its custody and control and, in particular, failed to ensure that the personal information stored on mobile electronic devices was encrypted.
EO failed to take steps to ensure that existing policies were reflected in actual practice; failed to ensure that senior staff were accountable and responsible for privacy and security; failed to adequately train its staff; and failed to respond adequately to the privacy breach by continuing to store unencrypted data on USB keys after having learned of the privacy breach.
Recommendations:
Retain the services of an independent third party to conduct a thorough and comprehensive audit of all of the personal information management practices at EO;
Develop an overarching privacy policy;
Establish Technology Services as the centre of responsibility and accountability at EO for implementation of strong measures to protect the privacy and security of personal information on all electronic devices and for ensuring that staff are fully trained and supported regarding the use of these devices;
Appoint a Chief Privacy Officer;
Develop a comprehensive, mandatory privacy training program for all staff;
Develop an ongoing communications plan to ensure that all staff are made aware of and are reminded of EO’s privacy and security policies.
In addition, the Report recommends that the government of Ontario ask the Auditor General of Ontario to conduct privacy audits of the information management practices of selected public sector agencies in the province; and conduct a review and modernization of the Election Act to ensure that the privacy and security of the personal information in the custody of EO is strongly protected and used prudently, as prescribed.
Report on concerns raised by an MPP about the privacy and security of personal information that is currently being stored in the U.S. as part of the Licensing Automation System (LAS) database of the Ministry of Natural Resources (the ministry). Specifically, concerns were raised about the collection and storage of personal information as part of the LAS, in light of the U.S. PATRIOT Act.
Findings:
The Ministry’s collection, use and disclosure of personal information for the purpose of administering the Ministry’s hunting and fishing licensing program is in compliance with the Freedom of Information and Protection of Privacy Act (FIPPA).
The ministry’s contract with Active Outdoors is comprehensive, and includes sufficient provisions to safeguard the privacy and security of personal information, and to restrict the use of this personal information by the Agent, in accordance with the FIPPA.
Report on allegations of political interference in two FOI requests. The allegations were made by members of the Opposition Party and they related to actions taken by a Legislative Assistant in the office of the Minister of Finance.
Findings:
Contentious issues management processes, absent politically driven influences, are not inconsistent with the government’s responsibilities under the Act.
No evidence of political interference in either request was found.
Ministry’s contentious issues management process allowed inaction by political staff to lead to unacceptable delays in processing one request – Minister to conduct a review of that process.
IPC to offer comprehensive training to political staff.