Decisions

The Office of the Information and Privacy Commissioner of Ontario (IPC) was contacted by Innisfil Hydro Distribution Systems Limited (Innpower) to report a privacy breach under the Municipal Freedom of Information and Protection of Privacy Act (the Act). Innpower informed the IPC that the laptop of one of its contractors had been stolen from a university library and that the laptop contained the unencrypted personal information of its customers. Given that the unencrypted personal information was disclosed by way of a theft, the disclosure was not consistent with section 32 of the Act. This report finds that Innpower responded adequately to the breach.

The complainant, a patient of Dr. Philip Solomon, requested that Dr. Solomon disclose to another health information custodian records of her personal health information relating to a specified treatment. The complainant subsequently amended her consent in a number of follow-up communications with Dr. Solomon and his office.
In this decision, the adjudicator makes findings on the scope of the complainant’s consent to the disclosure of her personal health information following various amendments to her consent. The adjudicator concludes that Dr. Solomon disclosed to the recipient doctor some personal health information of the complainant outside the scope of the complainant’s consent, and in contravention of the Personal Health Information Protection Act, 2004. Dr. Solomon is ordered to develop and implement a written information practice that addresses how consents from patients to the disclosure of their personal health information are to be processed, documented and clarified.

The Office of the Information and Privacy Commissioner/Ontario opened a Commissioner Initiated Privacy Complaint under the Freedom of Information and Protection of Privacy Act (the Act), against the Ministry of Community Safety and Correctional Services (the ministry). The complaint relates to concerns regarding the collection and destruction of personal information contained in a recording which was made by a police officer with his personal cell phone during a traffic stop. In this Privacy Complaint Report I conclude that I am unable to make a finding as to whether the record at issue contained personal information as defined in section 2(1) of the Act, however, I conclude that if the recording had contained the personal information of the requester, it would have been an authorized collection under section 38(2).
This Report also considers whether the ministry has measures in place to ensure the preservation of records in its custody or control and recommends that the Ontario Provincial Police amend its Personal Electronic Device Policy.

The Office of the Information and Privacy Commissioner received identical complaints from two individuals (the complainants), alleging that the Ottawa Police Service (the police) inappropriately disclosed personal information pertaining to criminal charges against the complainants, to their employer, Correctional Services Canada (CSC), contrary to the Municipal Freedom of Information and Protection of Privacy Act (the Act). In January 2017, all criminal charges against the complainants were withdrawn. This Privacy Complaint Report concludes that the police’s disclosure of the complainants’ personal information to CSC was not consistent with section 32 of the Act.

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Township of McGarry (the Township) contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act) when it disclosed a resident’s personal information to a third-party who in turn contacted the resident to advertise their services. The Privacy Complaint Report concludes that the Township’s use and disclosure of the personal information was not in accordance with sections 31 and 32 of the Act.

The Ministry of Finance (the ministry) received an access request under the Freedom of Information and Protection of Privacy Act (FIPPA) for non-public communications from the Insurance Bureau of Canada (IBC), as well as follow-up exchanges, meeting notes and agendas on automobile insurance topics. The ministry denied access to the records in full or in part, citing the mandatory Cabinet records exemption in section 12(1) and the discretionary advice or recommendations exemption in section 13(1). This order finds that the records are not exempt under these exemptions.

The complainant sought access to records of her personal health information from Dr. Mary Elizabeth McIntyre (Dr. McIntyre). This order determines that Dr. McIntyre is deemed to have refused the complainant’s request for access. Dr. McIntyre is ordered to provide a response to the complainant regarding her request for access to records of her personal health information in accordance with the Personal Health Information Protection Act, 2004, and without recourse to a time extension, no later than February 10, 2017.

The complainants, the daughters of a deceased patient of Dr. Fausto Michael Cianfrone and Woodview Medical Pharmacy (the pharmacy), filed complaints about the pharmacy’s disclosure to Dr. Cianfrone, and Dr. Cianfrone’s concomitant collection, and subsequent use and disclosure, of their mother’s prescription information after her death. This information was relevant to an investigation by the College of Physicians and Surgeons of Ontario into the complainants’ allegations about Dr. Cianfrone’s treatment and care of their mother before her death, particularly in relation to his prescribing of medication to her.
In this decision, the adjudicator dismisses the doctor’s and the pharmacy’s claims that they had the mother’s consent to collect, use and disclose her personal health information after her death. She finds, however, that the collection, use and disclosure were permitted to be made without consent under the Personal Health Information Protection Act, 2004 (the Act). In particular, she accepts that the pharmacy’s disclosure of the mother’s prescription information to the doctor was permitted to be made without consent under section 39(1)(d) of the Act, which permits the sharing of a patient’s information between health care providers of that patient for quality of care purposes. She finds that the doctor’s collection, use and disclosure of this same information were permitted to be made without consent under sections 36(1)(g) (collection where disclosure permitted or required by law), 37(1)(b) (use for purpose for which disclosure permitted or required by law) and 43(1)(b) (disclosure to a College) of the Act. She concludes that there has been no breach of the Act.

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Hamilton-Wentworth Catholic School Board (the Board) contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act) when it disclosed the complainant’s son’s Ontario School Record (OSR) during a proceeding filed against the Board with the Human Rights Tribunal of Ontario (HRTO). The Privacy Complaint Report concludes that the Act prevails over the confidentiality provisions in sections 266(2) and 266(10) of the Education Act. The Board’s disclosure of the personal information from the OSR to the HRTO was in accordance with section 51 of the Act.

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the York Region District School Board (the Board) contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act) when it disclosed the complainant’s son’s Ontario School Record (OSR) during a proceeding filed against the Board with the Human Rights Tribunal of Ontario (HRTO). The Privacy Complaint Report concludes that the Act prevails over the confidentiality provisions in section 266(2) and 266(10) of the Education Act. The Board’s disclosure of the personal information from the OSR to the HRTO and the Board’s legal counsel was in accordance with sections 51 and 32(d) of the Act, respectively.

The complainant, whose residence is adjacent to the Monsignor Fraser College (the School) in Toronto, expressed concern with the use of video surveillance at the School, which is operated by the Toronto Catholic District School Board (the Board). The Information and Privacy Commissioner/Ontario (the IPC) finds that the Board’s collection of the personal information within the School property is in accordance with section 28(2) of the Municipal Freedom of Information and Protection of Privacy Act (the Act). However, the collection of personal information from outside the School’s property is not in accordance with section 28(2) of the Act.
This Report also considers whether the Board’s use, disclosure, retention and security of personal information are in compliance with the Act.

The IPC makes recommendations regarding the collection of personal information from outside the School’s property and revision of the Board’s notice and policy on video surveillance.

Brantford Hydro Inc. (BHI) received a request under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) for access to its Board of Directors’ meeting minutes for the years 2010 to 2013. BHI located 33 sets of minutes and denied access to them pursuant to sections 6(1)(b) (closed meeting), 7(1) (advice or recommendations), 10(1) (third party information), 11 (economic or other interests), and 12 (solicitor-client privilege).
This order upholds the sections 10(1) and 12 exemptions and does not uphold the section 6(1)(b) exemption. This order also partially upholds the sections 7(1) and 11 exemptions. BHI was ordered to re-exercise its discretion concerning the information subject to the discretionary exemptions. This order also determines that the attachments to the meeting minutes fall within the scope of the request.

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the City of Vaughan (the City) contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act) when making the complainant’s personal information available on the Internet in relation to a minor variance application made under the Planning Act. In response, this office opened a privacy complaint file to determine if the disclosure of the complainant’s personal information was in compliance with the Act.

The Privacy Complaint Report concludes that the City’s decision to disclose the complainant’s personal information via the Internet is not in contravention of the Act. However, the Report recommends that the City consider implementing privacy protective measures that obscures this type of information from search engines and automated agents.

The complainant, whose child attended the St. Thomas Aquinas Catholic School in Oakville (the School), expressed concern with the use of video surveillance at the School, which is operated by the Halton Catholic District School Board (the Board). The Office of the Information and Privacy Commissioner/Ontario (the IPC) finds that the Board’s collection of the personal information is not in accordance with section 28(2) of the Municipal Freedom of Information and Protection of Privacy Act (the Act). The IPC recommends that the Board conduct an assessment of the video surveillance system at the School in a manner consistent with the Act, the Board’s internal policy and this Report.
With consideration that the Board may determine that video surveillance at the School is in accordance with section 28(2) of the Act, this Report also considers whether the Board’s use, disclosure and retention of personal information is in compliance with the Act.

Rouge Valley Health System (the Hospital) reported two separate breaches of patient privacy involving allegations that Hospital employees used and/or disclosed the personal health information of mothers for the purposes of selling or marketing RESPs. 

This Order finds that personal health information was used and disclosed in contravention of the Act, and that the Hospital failed to comply with sections 12(1), and 10(1) and (2) of the Act.  The Order requires the Hospital to:

1. In relation to all of the Hospital’s electronic information systems, implement the measures necessary to ensure that the Hospital is able to audit all instances where agents access personal health information on its electronic information systems, including the selection of patient names on the patient index of its Meditech system.

2. In relation to the Hospital’s Meditech system:

a)         Work with the Hospital’s Hosting Provider to review and amend the service level agreement between the Hospital and the Hosting Provider to clarify the responsibility for the creation, maintenance and archiving of user activity logs generated by the Hospital’s use of its Meditech system, and ensure that the user activity logs are available to the Hospital for audit purposes.

b)         Work with Meditech or another software provider to develop a solution that will limit the search capabilities and search functionalities of the Hospital’s Meditech system so that agents are unable to perform open-ended searches for personal health information about individuals, including newborns and/or their mothers, and can only perform searches based on the following criteria: health number, medical record number, encounter number, or exact first name, last name and date of birth.

3. Review and revise its Privacy Audits policy, the Pledge of Confidentiality policy and the Pledge of Confidentiality, and the Privacy Advisory in accordance with the comments and findings made in this Order, and take steps to ensure that it complies with the Privacy Audits policy.

4. Develop a Privacy Training Program policy, a Privacy Awareness Program policy, and a Privacy Breach Management policy in accordance with the comments and findings made in this Order.

5. Immediately review and revise its privacy training tools and materials in accordance with the   comments and findings made in this Order. 

6. Using the privacy training materials developed in accordance with Order provision 5:

a)         immediately conduct privacy training for all agents in clerical positions in the Hospital; and

b)         conduct privacy training for all other agents by June 16, 2015.

7. Provide this office with proof of compliance with all of the Order provisions by September 16, 2015.