Decisions

Showing 15 of 570 results

Order Numbers Type Collection Adjudicators Date Published
MO-4544 Order Access to Information Orders Anna Kalinichenko Read moreExpand

The township received a request under the Act, in part, for a report that was discussed at a closed session of the township council. The township relied on section 6(1)(b) of the Act to deny access to the report on the basis that it revealed the substance of deliberations of the closed session. In this order, the adjudicator upholds the township’s decision.

MO-4545 Order Access to Information Orders Katherine Ball Read moreExpand

The Toronto Transit Commission (the TTC) received a multi-part request under the Act for records relating to its investigation into the requester’s complaint and to information about transit fare enforcement and revenue. The TTC granted partial access to responsive records, withholding portions on the basis of the exemptions in sections 14(1) (personal privacy) and 38(b) (discretion to refuse requester’s own information) of the Act. The TTC denied access to the investigation file claiming the exclusion in section 52(3)3 (employment or labour relations). In addition, the TTC stated that other requested records did not exist. The requester appealed the TTC’s decision to pursue access to the withheld information and records and stated that additional records ought to exist.
In this order, the adjudicator upholds the TTC’s search as reasonable. The adjudicator finds that the exclusion in section 52(3)3 applies to the investigation file. In addition, the adjudicator upholds the TTC’s decision to withhold portions of the records because they are exempt under section 14(1) and section 38(b). She dismisses the appeal.

MO-4543 Order Access to Information Orders Marian Sami Read moreExpand

The City of Kawartha Lakes (the city) received a request under the Act for all city expenses over $1,000 over three and a half years. The city determined that it had reasonable grounds to consider the request as frivolous or vexatious under section 4(1)(b) of the Act. In this order, the adjudicator upholds the city’s decision, and dismisses the appeal.

PHIPA DECISION 256 Decision - PHIPA Health Information and Privacy Justine Wai Read moreExpand

An individual asked the appointed guardian of her late doctor’s medical records (the custodian) for access to her complete medical records. While the custodian originally claimed he found the individual’s medical records, he later said he did not find any. In this interim decision, the adjudicator finds the custodian did not conduct a reasonable search for the individual’s medical records and orders him to conduct another search.

PO-4527 Order Access to Information Orders Jessica Kowalski Read moreExpand

The appellant sought access from the WSIB to records relating to his claims. The WSIB granted partial access, withholding information from one of 17 responsive records because it contains another individual’s personal information. The appellant challenges the WSIB’s claim that the withheld information is exempt and claims that the WSIB narrowed the scope of his request, resulting in a restricted search for responsive records. The adjudicator finds that the WSIB’s clarification of the request and its search for responsive records were reasonable and that the withheld information at issue is exempt under the discretionary personal privacy exemption in section 49(b). She dismisses the appeal.

MO-4541 Order Access to Information Orders Meganne Cameron Read moreExpand

The appellant sought access to records related to investigations conducted by the Thunder Bay Police Services Board (the board). The board withheld some of the responsive records pursuant to the law enforcement and personal privacy exemptions, and the labour relations exclusion, in the Municipal Freedom of Information and Protection of Privacy Act (the Act). The appellant appealed the access decision to this office, and also challenged the reasonableness of the board’s search.
During the inquiry process, the board took the position that the ongoing prosecution exclusion at section 52(2.1) applied to all the records at issue. The adjudicator added this issue and sought representations from the appellant. In this decision, she upholds the board’s application of section 52(2.1) and its search for responsive records and dismisses the appeal.

MO-4542 Order Access to Information Orders Steven Faughnan Read moreExpand

The appellant made a request under the Act to the Halton Regional Police Services Board (the police) for records revealing inquiries made about him by all police services across Canada on several identified law enforcement databases. The police took the position that they do not have custody or control over the information sought by the appellant. In this order, the adjudicator finds that while the police do not have custody or control over records relating to whether officers or employees of other police services made inquiries about the appellant on the identified databases, they have custody or control over records, if they exist, regarding whether their own officers or employees accessed those databases in relation to the appellant. The adjudicator orders the police to conduct a search for records relating to inquiries made about the appellant on the identified databases by their own officers or employees and to issue a decision on access to the appellant.

PHIPA DECISION 254 Decision - PHIPA Health Information and Privacy Jenny Ryu Read moreExpand

In June 2021, the respondent Kingston, Frontenac and Lennox & Addington Public Health (KFL&A) was the subject of a ransomware attack. The attack resulted in the encryption of multiple KFL&A servers, including those containing personal health information.
The IPC initiated a review of the matter under the Personal Health Information Protection Act, 2004 (PHIPA). Section 12(2) of PHIPA sets out a duty on health information custodians like KFL&A to notify individuals at the first reasonable opportunity if their personal health information is stolen, lost, or used or disclosed without authority. KFL&A takes the position that the threat actor’s encryption of servers containing personal health information, without evidence of any access to or exfiltration of that information, does not qualify as a theft, loss, or unauthorized use or disclosure of personal health information within the meaning of section 12(2), and that the duty to notify does not apply.
In this decision, the adjudicator finds that the threat actor’s encryption of KFL&A servers affected the personal health information in those servers, by making that information unavailable and inaccessible to authorized users. The ransomware attack resulted in both an unauthorized use and a loss of personal health information within the meaning of section 12(2). As a result, KFL&A had a duty under PHIPA to notify affected individuals “at the first reasonable opportunity.” At the time of the incident, KFL&A issued media releases informing the public about the attack, and of the progress of its recovery efforts. While KFL&A’s notice did not comply with section 12(2) because it did not include a statement about the right to complain to the IPC, and ought to have included more detail for the benefit of affected individuals, the adjudicator finds no useful purpose in directing that further notice be given now. She concludes the review without issuing an order.

CYFSA Decision 19 Decision Child, Youth, and Family Information and Privacy Jenny Ryu Read moreExpand

In February 2022, the respondent Halton Children’s Aid Society (CAS) was the subject of a ransomware attack. While the CAS’s investigation did not find any evidence that the threat actor had accessed or exfiltrated any data stored in the CAS’s environment, it found that the threat actor had encrypted several CAS servers, including those containing personal information.

The IPC initiated a review of the matter under Part X of the Child, Youth and Family Services Act, 2017 (CYFSA). Section 308(2) of the CYFSA sets out a duty on service providers like the CAS to notify individuals at the first reasonable opportunity if their personal information is stolen, lost, or used or disclosed without authority. The CAS asserts that because the ransomware attack targeted its servers at the external or “container” level, the attack did not “individually impact” file folders and files of personal information held inside the encrypted containers. The CAS takes the position that the encryption event did not result in a theft, loss, or unauthorized use or disclosure of personal information within the meaning of section 308(2), and that the duty to notify does not apply.

In this decision, the adjudicator finds that the threat actor’s encryption of CAS servers at the container level affected the personal information in those servers, by making that personal information unavailable and inaccessible to authorized users. The ransomware attack resulted in both an unauthorized use and a loss of personal information within the meaning of section 308(2). As a result, the CAS had a duty to notify affected individuals “at the first reasonable opportunity” of the incident. After taking into account relevant circumstances, including the evidence of diligent efforts by the CAS to contain and to mitigate the risks of the privacy breach, the adjudicator finds that the notice requirement can be met in this case through the posting of a general notice on the CAS’s website, or another form of indirect public notice. The adjudicator orders the CAS to provide this notice within 30 days of the date of this decision.

PHIPA DECISION 255 Decision - PHIPA Health Information and Privacy Jenny Ryu Read moreExpand

In July 2022, the respondent Simcoe Muskoka District Health Unit (SMDHU) was the subject of an email phishing attack. As a result of the attack, a threat actor gained access to one SMDHU email account containing approximately 20,000 emails, including about 1,000 emails containing personal health information. SMDHU reports that the threat actor’s access to the compromised email account was limited to one hour, and that its forensic analysis found no evidence that the threat actor viewed, downloaded, copied, sent, forwarded, or removed any emails while in the compromised account.
The IPC initiated a review of the matter under the Personal Health Information Protection Act, 2004 (PHIPA). Section 12(2) of PHIPA sets out a duty on health information custodians like SMDHU to notify individuals at the first reasonable opportunity if their personal health information is stolen, lost, or used or disclosed without authority. SMDHU asserts that there is no evidence to conclude, on a balance of probabilities, that any such privacy breach occurred, and on this basis takes the position that the duty to notify does not apply.
In this decision, the adjudicator concludes, on a balance of probabilities, that the threat actor’s undisturbed access to an SMDHU email account containing a considerable amount of personal health information resulted in both an unauthorized disclosure and an unauthorized use of personal health information. As a result, the duty to notify in section 12(2) applies. During the IPC review, SMDHU decided to send detailed letter notices to individuals whose personal health information may have been affected by the phishing attack. The adjudicator finds that through its direct notification of individuals during the review, SMDHU provided notice as required by section 12(2) of PHIPA, although it should have done so at the first reasonable opportunity. In the circumstances, she concludes the review without issuing an order.

PHIPA DECISION 253 Decision - PHIPA Health Information and Privacy Jenny Ryu Read moreExpand

In December 2022, the respondent the Hospital for Sick Children (the hospital) was the subject of a ransomware attack. The attack resulted in the encryption of numerous hospital servers, including those containing personal health information. However, the hospital’s investigation did not find evidence of any access to or exfiltration of personal health information by the threat actor, or of any impact to the hospital’s primary medical records system.

The IPC initiated a review of the matter under the Personal Health Information Protection Act, 2004 (PHIPA). Section 12(2) of PHIPA sets out a duty on health information custodians like the hospital to notify individuals at the first reasonable opportunity if their personal health information is stolen, lost, or used or disclosed without authority. The hospital asserts that because the threat actor encrypted virtual servers at the “container” level, it did not “directly interact” with personal health information housed in the encrypted servers. The hospital takes the position that the attack did not result in a theft, loss, or unauthorized use or disclosure of personal health information within the meaning of section 12(2), and that the duty to notify does not apply.

In this decision, the adjudicator finds that the threat actor’s encryption of hospital servers at the container level affected the personal health information in those servers, by making that information unavailable and inaccessible to authorized users. The ransomware attack resulted in both an unauthorized use and a loss of personal health information within the meaning of section 12(2). As a result, the hospital had a duty under PHIPA to notify affected individuals “at the first reasonable opportunity” of the incident. In the immediate aftermath of the attack, and in the weeks following, the hospital posted updates on its website and on social media informing the public about the attack, and of the progress of its investigation and remediation efforts. While the hospital’s notice did not comply with section 12(2) because it did not include a statement about the right to complain to the IPC, the adjudicator finds no useful purpose in directing that notice of the right to complain be given now. She concludes the review without issuing an order.

MO-4540 Order Access to Information Orders Steven Faughnan Read moreExpand

This order determines whether the Toronto District School Board (the board) conducted a reasonable search for records responsive to a request made under the Act. In this order, the adjudicator finds that the board conducted a reasonable search for responsive records in accordance with its obligations under section 17 and dismisses the appeal.

MO-4538 Order Access to Information Orders Anna Kalinichenko Read moreExpand

The city denied access to records relating to a trespass notice issued by it to the appellant. Responsive records were withheld pursuant to section 38(a) (discretion to refuse requester’s own information) read with law enforcement exemptions at section 8(1) of the Act. In this order, the adjudicator upholds the city’s decision to deny access to responsive records pursuant to section 38(a) read with section 8(1)(e) (endanger life or safety).

PHIPA DECISION 252 Decision - PHIPA Health Information and Privacy Stella Ball Read moreExpand

The complainant asserted that a doctor had not conducted a reasonable search for his medical records. The complainant relied on an affidavit of documents from an existing court proceeding between himself and the doctor to identify the allegedly missing records and to argue that they should exist.
In this decision, the adjudicator concludes that the existing court proceeding between the complainant and the doctor could more appropriately and completely address the complaint, since it concerns the affidavit of documents. The adjudicator concludes there are no reasonable grounds to conduct a review of the complaint and she exercises her discretion not to proceed with a review.

MO-4539 Order Access to Information Orders Katherine Ball Read moreExpand

The City of Ottawa received a request under the Act for access to records relating to the successful bid response to a specified RFP for healthcare procurement services. The city granted partial access to the records, withholding portions pursuant to various exemptions. The requester appealed the city’s decision and claimed a public interest in the disclosure of the withheld information.
In this order, the adjudicator finds that the third party information exemption in section 10(1) of the Act applies to the remaining information at issue. She finds that the public interest override in section 16 does not apply. She upholds the city’s decision and dismisses the appeal.

Help us improve our website. Was this page helpful?
When information is not found

Note:

  • You will not receive a direct reply. For further enquiries, please contact us at @email
  • Do not include any personal information, such as your name, social insurance number (SIN), home or business address, any case or files numbers or any personal health information.
  • For more information about this tool, please see our Privacy Policy.