Decisions

Showing 15 of 570 results

Order Numbers Type Collection Adjudicators Date Published
PHIPA DECISION 149 Decision - PHIPA Health Information and Privacy Jennifer James Read moreExpand

A father filed a complaint to the IPC against a counselling centre’s decision to deny him access to records containing the personal health information (PHI) of his three children. In PHIPA Decision 129, the adjudicator found that the father does not have an independent right of access to his children’s PHI under Part V of PHIPA, given the children’s mother’s objection, and dismissed his complaint.

The complainant sought a reconsideration of PHIPA Decision 129. In this reconsideration decision, the adjudicator finds that the complainant’s evidence failed to establish grounds for reconsideration under the claimed grounds in sections 27.01(b) and (c) of Code of Procedure for Matters under the Personal Health Information Protection Act, 2004. Accordingly, the complainant’s reconsideration request is denied.

PHIPA DECISION 148 Decision - PHIPA Health Information and Privacy Sherry Liang Read moreExpand

The complainant requested reconsideration of PHIPA Decision 144, on the basis that it contains errors of fact and jurisdictional defects. In this decision, the adjudicator partially upholds the request for reconsideration, finding that she omitted to fully address an allegation that a doctor disclosed the complainant’s personal health information to two other doctors, when it was not reasonably necessary for the provision of health care to the complainant. The adjudicator reviews this allegation and dismisses it.

PHIPA DECISION 147 Decision - PHIPA Health Information and Privacy Lucy Costa Read moreExpand

This investigation file was opened after a public hospital contacted the Office of the Information and Privacy Commissioner/Ontario to report a privacy breach under the Personal Health Information Protection Act, 2004. The hospital advised that a patient had made a complaint, which alleged the unauthorized use and disclosure of her personal health information by a named physician. In particular, this investigation related to concerns that a “quality audit” the physician was conducting resulted in referrals of motor vehicle accident patients to his wife, a personal injury lawyer.
This Decision concludes that the quality audit conducted by the physician was an unauthorized use under the Act, and that I am unable to determine whether the physician disclosed personal health information in contravention of the Act. It also concludes that the hospital’s previously vague policies, practices and procedures regarding quality audits, and the complete lack of privacy training for physicians, did not amount to taking reasonable steps to protect the personal health information within the meaning of section 12(1) of the Act. However, I also find that the hospital has since remedied these issues.
Lastly, I decide that this review will be concluded without proceeding to the adjudication stage and without an order being issued by this office.

PHIPA DECISION 146 Decision - PHIPA Health Information and Privacy Sherry Liang Read moreExpand

This reconsideration order dismisses the complainant’s request for reconsideration of PHIPA Decision 126. In that decision, the adjudicator found that the respondent is a health information custodian within the meaning of the Personal Health Information Protection Act, 2004 in relation to marriage counselling services he provided to the complainant and that he is not a health information custodian in relation to the co-parenting counselling services he provided to the complainant. The adjudicator also determined the respondent had conducted a reasonable search for records of the complainant’s personal health information. In this reconsideration decision, the adjudicator finds that the complainant has not established grounds for reconsideration under section 27.01 of the Code of Procedure for Matters under the Personal Health Information Protection Act, 2004 and denies the request.

PHIPA DECISION 145 Decision - PHIPA Health Information and Privacy John Gayle Read moreExpand

The complainant sought access to her records of personal health information from Dr. Robert Samuel Crozier (the custodian). This decision determines that the custodian is deemed to have refused the complainant’s request for access. The custodian is ordered to provide a response to the complainant in response to her request for access to records of her personal health information in accordance with the Personal Health Information Protection Act.

MI18-5 Privacy Complaint Report Privacy Reports John Gayle Read moreExpand

The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint involving the City of Cambridge (the city). The complaint was about the city’s installation of a video surveillance system in its downtown core areas. The complainant was concerned that the city’s operation of the system breached the privacy of individuals under the Municipal Freedom of Information and Protection of Privacy Act (the Act).

This report finds that the city has not conducted an assessment of whether the video surveillance system is necessary to achieve its objectives and recommends that it do so, to ensure compliance with the Act.

In the event that the city’s assessment determines that the system is necessary and the collection of personal information is thus consistent with the Act, this report considers whether the city’s notice of collection and use and disclosure of the personal information is in accordance with the Act. It also considers whether the city provides a right of access to this information, as well as whether the city has reasonable privacy protection measures and retention periods in place.

This report finds that the city’s notice of collection and use and disclosure of the personal information is in accordance with the Act. It also finds that there is a right of access to this information and that the city has reasonable protection measures and proper retention periods in place.

PHIPA DECISION 144 Decision - PHIPA Health Information and Privacy Sherry Liang Read moreExpand

This decision finds that The Ottawa Hospital failed to take reasonable steps to implement the complainant’s lock-box request from October 2016 to June 2019 and, as a result, certain hospital caregivers used the complainant’s personal health information without consent or other authority. Other allegations of unauthorized use are dismissed. With the introduction of a new electronic medical records system in June 2019, the hospital remedied the deficiencies in its procedures for implementation of consent directives. The adjudicator makes one recommendation, to improve the directions given to users of the hospital’s electronic medical records. The adjudicator dismisses allegations that unauthorized uses were deliberate and malicious violations of the complainant’s privacy, concluding that they resulted from systemic failures in the hospital’s practices.

MC18-48 Privacy Complaint Report Privacy Reports Lucy Costa Read moreExpand

The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a privacy complaint from the parent of a student of the York Region District School Board (the board) objecting to the board’s implementation of a cloud-based data management service (Edsby), under contract with Corefour Inc. (Corefour), to store and process information pertaining to the attendance of the board’s students. The complainant alleged that the board’s use of Edsby contravened the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA or the Act). The complainant’s concerns included the board’s failure to secure parental consent to the use of Edsby, the adequacy of its notice of collection, potential misuse of information by Edsby service providers, the adequacy and enforceability of the terms of the board’s contract with Corefour and the adequacy of the board’s oversight in relation to various Edsby security measures. The complainant also raised concerns relating to the Edsby Terms of Use and Privacy Policy and a specific security vulnerability that was exploited by the complainant.

This report concludes that the board’s collection, notice of collection, use and disclosure of the students’ personal information were in compliance with the Act. This report also concludes that the board has reasonable contractual measures in place to ensure the privacy and security of the personal information of its students.

However, this report concludes that the board has not demonstrated that it has reasonable oversight measures in place in relation to the performance of the board’s and Corefour’s contractual security obligations, in accordance with the requirements of the Act and its regulations. In particular, the board did not have reasonable measures in place to prevent the security vulnerability that was exploited. This report makes recommendations as to the steps the board should take to strengthen and document the board’s oversight of security measures. This report also make recommendations with respect to its contract with Corefour and the Edsby Terms of Use and Privacy Policy.

MC18-23 Privacy Complaint Report Privacy Reports John Gayle Read moreExpand

The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint involving the Municipality of Leamington (the municipality). The complaint was that the municipality had inappropriately disclosed an email containing personal information to third parties. The complainant was concerned that the disclosure breached his privacy under the Municipal Freedom of Information and Protection of Privacy Act (the Act).

This report finds that the municipality’s disclosure of the complainant’s information was not in accordance with section 32 of the Act.

PHIPA DECISION 143 Decision - PHIPA Health Information and Privacy Gillian Shaw Read moreExpand

The complainant sought access under the Personal Health Information Protection Act, 2004 to her chart, and that of her son, from the respondent medical centre, for the purpose of transferring the charts to their physician’s new practice. The complainant took issue with the medical centre’s fee for access, and made a complaint to the Information and Privacy Commissioner. During the adjudication of the complaint, the medical centre revised its fee to $40 for each of the complainant and her son, itemized as $30 for the electronic transfer of medical records and a $10 administration fee for providing a USB flash drive. The adjudicator upholds the custodian’s revised fee in each complaint and dismisses the complaints. No order is issued.

PHIPA DECISION 142 Decision - PHIPA Health Information and Privacy Gillian Shaw Read moreExpand

The appellant, on behalf of her brother, made an access request to UHN for a copy of security video footage relating to an incident involving her brother at a rehabilitation hospital. She did not seek the images of other patients or visitors. UHN issued a decision to release the footage, with images of all other patients, visitors, hospital staff and security personnel redacted. It also provided a fee estimate of $725. On appeal, the adjudicator makes findings on the appellant’s right of access pursuant to the Personal Health Information Protection Act and the Freedom of Information and Protection of Privacy Act. UHN is ordered to provide access to most of the information in the record, including images of staff and security personnel, and to issue a new fee estimate under PHIPA if it decides to charge a fee for access.

MC18-39 Privacy Complaint Report Privacy Reports John Gayle Read moreExpand

The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint from a parent (the complainant) in which he advised that a supply teacher employed by the Conseil scolaire catholique Providence (the Board) had inappropriately collected his children’s personal information by video recording them without his consent. The parent was concerned that the teacher’s actions breached his children’s privacy under the Municipal Freedom of Information and Protection of Privacy Act (the Act).

This report finds that the Board’s collection of the children’s personal information was not in accordance with section 28(2) of the Act and, therefore, breached their privacy. It also finds that the Board did not respond adequately to the breach because it did not notify them of the steps it has taken to address the breach. As a result, I recommend that, going forward, the Board take steps to ensure that adequate notification is provided to parties affected by a breach.

PHIPA DECISION 129 Decision - PHIPA Health Information and Privacy Jennifer James Read moreExpand

A father filed a complaint against a counselling centre’s decision to deny him access to records containing the personal health information (PHI) of his three children. In this decision, the adjudicator finds that the father does not have an independent right of access to his children’s PHI under Part V of PHIPA, given the children’s mother’s objection, and dismisses his complaint. However, the adjudicator finds that the father’s evidence raises the potential application of sections 41(1)(d)(i) (court order) and 43(1)(h) (other statute) under Part IV of PHIPA which may permit the custodian to disclose the records to the father without consent of the other parent. The adjudicator makes no order but suggests that the custodian turn its mind to the discretionary disclosure provisions under PHIPA.

MC17-35 Privacy Complaint Report Privacy Reports John Gayle Read moreExpand

The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint from an individual in which he advised that the County of Norfolk (the County), without notice to him, disclosed his personal information in response to two access requests made under the Municipal Freedom of Information and Protection of Privacy Act (the Act). This report finds that the County’s disclosure of the complainant’s information was not in accordance with section 32 of the Act.

PR17-23 Privacy Complaint Report Privacy Reports John Gayle Read moreExpand

The Ministry of Community and Social Services (the ministry) reported a privacy breach under the Freedom of Information and Protection of Privacy Act (the Act) to the Office of the Information and Privacy Commissioner of Ontario (IPC). The ministry advised that a Family Responsibility Office (FRO) employee inappropriately accessed the case files of multiple FRO clients and disclosed the personal information of some of them to an unauthorized individual. This report finds that the disclosure of information was not in accordance with section 42(1) of the Act. It also finds that, at the time of the breach, the ministry did not have reasonable measures in place to prevent unauthorized access to the records. However, in the light of the steps taken by the ministry to address its deficiencies in protecting personal information, no further recommendations are required.

Help us improve our website. Was this page helpful?
When information is not found

Note:

  • You will not receive a direct reply. For further enquiries, please contact us at @email
  • Do not include any personal information, such as your name, social insurance number (SIN), home or business address, any case or files numbers or any personal health information.
  • For more information about this tool, please see our Privacy Policy.