A Review of Noteworthy Cases

Conflict to consensus: The power of early resolution


Cyberattack on a third-party vendor, Aetonix, affects 32 health information custodians

In a significant incident, a cyberattack on Aetonix, a vendor providing virtual care platforms, compromised the personal health information (PHI) of over 100,000 patients across 32 health care providers. The breach, rooted in the vulnerabilities of the third-party service, exposed the crucial need for stringent data protection measures, including strong contractual safeguards between the client health care institutions and Aetonix. This review, conducted with Aetonix's full cooperation, led to strengthened contractual arrangements and an enhanced understanding of the PHI security responsibilities for which health care institutions remain accountable, even when they use third-party service providers.

With over half of the year's cybersecurity incidents involving third-party attacks, the Aetonix breach is a stark reminder to the health care sector of the importance of ensuring strong data protection strategies and cybersecurity measures are in place, especially when entrusting PHI to external service providers.

Enhanced privacy measures implemented following CPIN breach by CAS employee

An employee of a Southwestern children’s aid society (CAS) accessed the Child Protection Information Network (CPIN) without authorization, affecting 24 individuals. The privacy breach was discovered during an audit following a high-profile investigation. The IPC’s early resolution team swiftly intervened, focusing on ensuring victim notification, containment of the breach, and the implementation of measures to prevent similar future incidents.

Responding quickly, the CAS made significant improvements to its privacy protocols, including enhanced compliance with annual privacy training, regular signing of oaths of confidentiality, introduction of privacy warnings on CAS network logins, and a formal auditing program. The CAS also updated its privacy policy to explicitly include disciplinary actions for unauthorized access to personal information. Working cooperatively with the IPC’s early resolution analyst, the CAS implemented these steps to strengthen its responses to future privacy breaches, reflecting the importance of proactive measures in safeguarding sensitive information.

Mediation: A collaborative path to resolution


Collaborative approach unlocks information for human trafficking research

A group of researchers filed a request for information relating to a human trafficking operation. The police denied access to some of the information based on several exemptions, namely law enforcement, advice or recommendations and personal privacy.

The police agreed to take part in a mediated teleconference where the researchers pinpointed the specific type of information they were looking for. The police informally consulted with another police service and then revised their decision, disclosing additional information. The researchers further inquired about statistical data, which the police provided, effectively resolving the appeal.

Transparency and access to information are key to shedding light on societal issues that matter to Ontarians. The mediation process proved instrumental in expediting the exchange of information, highlighting the benefits of collaborative and efficient resolution methods.

Disclosure of historical records opens up dialogue about reconciliation

An Indigenous individual requested historical information related to a police morality squad active between 1945 and 1955. Some of the information requested was withheld under the law enforcement exemption. 

A constructive teleconference, followed by a further search by the police, led to the discovery and disclosure of all responsive records at no extra cost. The appellant was also provided with explanations for non-responsive information during mediation, leading to the successful closure of the appeal to the appellant's satisfaction. This case was significant not only for the disclosure of historical records important to the Indigenous appellant, but also for the trust-building and insightful discussions that took place during the teleconference, where topics like reconciliation and the Sixties Scoop were explored and discussed.

Adjudication: Efficiency and fairness in focus


Key records in inmate death ordered released (PO-4428)

The appellant in this case was the father of the deceased inmate, who sought access to information about the circumstances of his son's death following an altercation with correctional officers at the Central East Correctional Centre. The Ministry of Solicitor General denied access to the records, citing employment, law enforcement, and personal privacy exemptions.

The IPC's adjudicator ordered the disclosure of several records, including use of force reports and surveillance footage, which detailed the actions of the correctional officers. The adjudicator ruled that while some of the information in these records was subject to the mandatory personal privacy exemption, other information should be disclosed, given the public interest in understanding the details of the inmate’s death.

This order highlights that government institutions must interpret the labour relations and employment exclusion in a way that aligns with the transparency purposes of FIPPA. It also emphasizes that government officials should not use privacy exemptions as a shield from public scrutiny.

Transparency in policing (MO-4403)

An individual requested high-level information about homicides involving intimate partners cleared by the Kingston Police Services Board between 2015 and 2020. The IPC's adjudicator considered the balance between individual privacy rights and the desirability of subjecting the police to public scrutiny, and decided that the transparency of police operations, especially concerning intimate partner violence, outweighs the privacy concerns in this context. The adjudicator found that even if a privacy exemption applied, the compelling public interest in understanding how these sensitive cases are handled by law enforcement would have overridden such exemptions.

Intimate partner violence is a major public health problem, and the public needs to know how these cases are being handled and investigated by the police. Personal information may be disclosed where its disclosure would serve the purpose of subjecting government institutions to public scrutiny.

Insights from recent privacy investigations


IPC investigators handle privacy complaints and review privacy breach incidents that cannot be resolved at early resolution. After completing an investigation, they offer findings and recommendations to the respective institution or organization. In some cases, the matter may proceed to a formal review and a binding order.

Protecting student privacy from online exam proctoring powered by AI (PI21-00001) 

Following a complaint by a student who wished to remain anonymous, the IPC opened a commissioner-initiated complaint under FIPPA to investigate McMaster University's use of Respondus exam proctoring software. This software locks down certain functions of a student’s computer during online exams so they can’t conduct an internet search, access other files on their computer, use the copy/paste function, message, or screen share with others. It also collects sensitive biometric information and monitors students’ movements and behaviours through audio/video recordings, using AI to detect instances of potential cheating.

The investigation found that the university is lawfully authorized to conduct and proctor exams to ensure their academic integrity and that nothing legally prevented it from doing so online, both during and post-pandemic. This is a legitimate aim in a context moving towards remote learning and given heightened risks of cheating associated with modern digital tools.

The investigation also found that the university’s collection of students’ personal information was technically necessary for this exam proctoring software to function properly. However, the sensitive nature of the personal information being collected and the consequential inferences about students’ movements and behavioural conduct through AI raised significant privacy concerns.

The university’s notice to students about the purposes for this data collection was found to be inadequate, and the university’s safeguards to protect students’ personal information through its contractual arrangements with the company were not sufficient. Most concerning was the company’s non-consensual use of students’ audio and video recordings, including via third-party researchers, to improve system performance and enhance its services.

The commissioner recommended that McMaster University introduce stronger measures to protect students’ personal information in the context of online exam proctoring and ensure an approach that balances academic integrity and student privacy rights. She also went on to make additional recommendations to address the broader privacy and ethical risks associated with the use of AI and asked the university to report back within six months on the implementation of these recommendations.

Cybersecurity in health care: lessons learned from a major data breach (PHIPA Decision 210)

A cyberattack at a hospital affected the personal health information of over a million patients. The hacker used a password spraying attack to gain access to over a dozen hospital accounts, including a legacy account with significant privileges, which the hacker used to access servers and transfer out data. The hacker was able to do this because a temporary change to a firewall was mistakenly left in place, leaving the server connected to the internet and vulnerable to the hacker.

The hospital was unable to specify exactly which data was compromised and estimated that over a million patients were potentially affected. The hospital issued a public notice and committed to two years of dark web monitoring to track any misuse of the data. After reviewing its security protocols, the hospital revised its information security policies, focusing on password strength, account privileges, and firewall security. The IPC found that the hospital's measures and policy revisions provided an adequate response and that the case did not need to go on to a formal review.

This incident serves as a reminder of the ever-evolving nature of cybersecurity threats and the importance of strong data protection measures. Health care institutions must continually review and enhance their security protocols, particularly in areas of password management, access controls, and firewall security.