Latest IPC Decisions


Order Numbers Type Collection Adjudicators Date Published
MO-4541 Order Access to Information Orders Meganne Cameron

The appellant sought access to records related to investigations conducted by the Thunder Bay Police Services Board (the board). The board withheld some of the responsive records pursuant to the law enforcement and personal privacy exemptions, and the labour relations exclusion, in the Municipal Freedom of Information and Protection of Privacy Act (the Act). The appellant appealed the access decision to this office, and also challenged the reasonableness of the board’s search.
During the inquiry process, the board took the position that the ongoing prosecution exclusion at section 52(2.1) applied to all the records at issue. The adjudicator added this issue and sought representations from the appellant. In this decision, she upholds the board’s application of section 52(2.1) and its search for responsive records and dismisses the appeal.

MO-4542 Order Access to Information Orders Steven Faughnan

The appellant made a request under the Act to the Halton Regional Police Services Board (the police) for records revealing inquiries made about him by all police services across Canada on several identified law enforcement databases. The police took the position that they do not have custody or control over the information sought by the appellant. In this order, the adjudicator finds that while the police do not have custody or control over records relating to whether officers or employees of other police services made inquiries about the appellant on the identified databases, they have custody or control over records, if they exist, regarding whether their own officers or employees accessed those databases in relation to the appellant. The adjudicator orders the police to conduct a search for records relating to inquiries made about the appellant on the identified databases by their own officers or employees and to issue a decision on access to the appellant.

PHIPA DECISION 254 Decision - PHIPA Health Information and Privacy Jenny Ryu

In June 2021, the respondent Kingston, Frontenac and Lennox & Addington Public Health (KFL&A) was the subject of a ransomware attack. The attack resulted in the encryption of multiple KFL&A servers, including those containing personal health information.
The IPC initiated a review of the matter under the Personal Health Information Protection Act, 2004 (PHIPA). Section 12(2) of PHIPA sets out a duty on health information custodians like KFL&A to notify individuals at the first reasonable opportunity if their personal health information is stolen, lost, or used or disclosed without authority. KFL&A takes the position that the threat actor’s encryption of servers containing personal health information, without evidence of any access to or exfiltration of that information, does not qualify as a theft, loss, or unauthorized use or disclosure of personal health information within the meaning of section 12(2), and that the duty to notify does not apply.
In this decision, the adjudicator finds that the threat actor’s encryption of KFL&A servers affected the personal health information in those servers, by making that information unavailable and inaccessible to authorized users. The ransomware attack resulted in both an unauthorized use and a loss of personal health information within the meaning of section 12(2). As a result, KFL&A had a duty under PHIPA to notify affected individuals “at the first reasonable opportunity.” At the time of the incident, KFL&A issued media releases informing the public about the attack, and of the progress of its recovery efforts. While KFL&A’s notice did not comply with section 12(2) because it did not include a statement about the right to complain to the IPC, and ought to have included more detail for the benefit of affected individuals, the adjudicator finds no useful purpose in directing that further notice be given now. She concludes the review without issuing an order.

CYFSA Decision 19 Decision Child, Youth, and Family Information and Privacy Jenny Ryu

In February 2022, the respondent Halton Children’s Aid Society (CAS) was the subject of a ransomware attack. While the CAS’s investigation did not find any evidence that the threat actor had accessed or exfiltrated any data stored in the CAS’s environment, it found that the threat actor had encrypted several CAS servers, including those containing personal information.

The IPC initiated a review of the matter under Part X of the Child, Youth and Family Services Act, 2017 (CYFSA). Section 308(2) of the CYFSA sets out a duty on service providers like the CAS to notify individuals at the first reasonable opportunity if their personal information is stolen, lost, or used or disclosed without authority. The CAS asserts that because the ransomware attack targeted its servers at the external or “container” level, the attack did not “individually impact” file folders and files of personal information held inside the encrypted containers. The CAS takes the position that the encryption event did not result in a theft, loss, or unauthorized use or disclosure of personal information within the meaning of section 308(2), and that the duty to notify does not apply.

In this decision, the adjudicator finds that the threat actor’s encryption of CAS servers at the container level affected the personal information in those servers, by making that personal information unavailable and inaccessible to authorized users. The ransomware attack resulted in both an unauthorized use and a loss of personal information within the meaning of section 308(2). As a result, the CAS had a duty to notify affected individuals “at the first reasonable opportunity” of the incident. After taking into account relevant circumstances, including the evidence of diligent efforts by the CAS to contain and to mitigate the risks of the privacy breach, the adjudicator finds that the notice requirement can be met in this case through the posting of a general notice on the CAS’s website, or another form of indirect public notice. The adjudicator orders the CAS to provide this notice within 30 days of the date of this decision.

PHIPA DECISION 255 Decision - PHIPA Health Information and Privacy Jenny Ryu

In July 2022, the respondent Simcoe Muskoka District Health Unit (SMDHU) was the subject of an email phishing attack. As a result of the attack, a threat actor gained access to one SMDHU email account containing approximately 20,000 emails, including about 1,000 emails containing personal health information. SMDHU reports that the threat actor’s access to the compromised email account was limited to one hour, and that its forensic analysis found no evidence that the threat actor viewed, downloaded, copied, sent, forwarded, or removed any emails while in the compromised account.
The IPC initiated a review of the matter under the Personal Health Information Protection Act, 2004 (PHIPA). Section 12(2) of PHIPA sets out a duty on health information custodians like SMDHU to notify individuals at the first reasonable opportunity if their personal health information is stolen, lost, or used or disclosed without authority. SMDHU asserts that there is no evidence to conclude, on a balance of probabilities, that any such privacy breach occurred, and on this basis takes the position that the duty to notify does not apply.
In this decision, the adjudicator concludes, on a balance of probabilities, that the threat actor’s undisturbed access to an SMDHU email account containing a considerable amount of personal health information resulted in both an unauthorized disclosure and an unauthorized use of personal health information. As a result, the duty to notify in section 12(2) applies. During the IPC review, SMDHU decided to send detailed letter notices to individuals whose personal health information may have been affected by the phishing attack. The adjudicator finds that through its direct notification of individuals during the review, SMDHU provided notice as required by section 12(2) of PHIPA, although it should have done so at the first reasonable opportunity. In the circumstances, she concludes the review without issuing an order.

PHIPA DECISION 253 Decision - PHIPA Health Information and Privacy Jenny Ryu

In December 2022, the respondent the Hospital for Sick Children (the hospital) was the subject of a ransomware attack. The attack resulted in the encryption of numerous hospital servers, including those containing personal health information. However, the hospital’s investigation did not find evidence of any access to or exfiltration of personal health information by the threat actor, or of any impact to the hospital’s primary medical records system.

The IPC initiated a review of the matter under the Personal Health Information Protection Act, 2004 (PHIPA). Section 12(2) of PHIPA sets out a duty on health information custodians like the hospital to notify individuals at the first reasonable opportunity if their personal health information is stolen, lost, or used or disclosed without authority. The hospital asserts that because the threat actor encrypted virtual servers at the “container” level, it did not “directly interact” with personal health information housed in the encrypted servers. The hospital takes the position that the attack did not result in a theft, loss, or unauthorized use or disclosure of personal health information within the meaning of section 12(2), and that the duty to notify does not apply.

In this decision, the adjudicator finds that the threat actor’s encryption of hospital servers at the container level affected the personal health information in those servers, by making that information unavailable and inaccessible to authorized users. The ransomware attack resulted in both an unauthorized use and a loss of personal health information within the meaning of section 12(2). As a result, the hospital had a duty under PHIPA to notify affected individuals “at the first reasonable opportunity” of the incident. In the immediate aftermath of the attack, and in the weeks following, the hospital posted updates on its website and on social media informing the public about the attack, and of the progress of its investigation and remediation efforts. While the hospital’s notice did not comply with section 12(2) because it did not include a statement about the right to complain to the IPC, the adjudicator finds no useful purpose in directing that notice of the right to complain be given now. She concludes the review without issuing an order.

MO-4540 Order Access to Information Orders Steven Faughnan

This order determines whether the Toronto District School Board (the board) conducted a reasonable search for records responsive to a request made under the Act. In this order, the adjudicator finds that the board conducted a reasonable search for responsive records in accordance with its obligations under section 17 and dismisses the appeal.

MO-4537 Order Access to Information Orders Alec Fadel

The appellant requested records relating to criminal investigations he was involved in from the police. The police decided to grant access to some of the records, but withheld information pursuant to the personal privacy exemption in section 38(b). In this order, the adjudicator upholds the police’s decision and dismisses the appeal.

MO-4538 Order Access to Information Orders Anna Kalinichenko

The city denied access to records relating to a trespass notice issued by it to the appellant. Responsive records were withheld pursuant to section 38(a) (discretion to refuse requester’s own information) read with law enforcement exemptions at section 8(1) of the Act. In this order, the adjudicator upholds the city’s decision to deny access to responsive records pursuant to section 38(a) read with section 8(1)(e) (endanger life or safety).

PHIPA DECISION 252 Decision - PHIPA Health Information and Privacy Stella Ball

The complainant asserted that a doctor had not conducted a reasonable search for his medical records. The complainant relied on an affidavit of documents from an existing court proceeding between himself and the doctor to identify the allegedly missing records and to argue that they should exist.
In this decision, the adjudicator concludes that the existing court proceeding between the complainant and the doctor could more appropriately and completely address the complaint, since it concerns the affidavit of documents. The adjudicator concludes there are no reasonable grounds to conduct a review of the complaint and she exercises her discretion not to proceed with a review.

MO-4539 Order Access to Information Orders Katherine Ball

The City of Ottawa received a request under the Act for access to records relating to the successful bid response to a specified RFP for healthcare procurement services. The city granted partial access to the records, withholding portions pursuant to various exemptions. The requester appealed the city’s decision and claimed a public interest in the disclosure of the withheld information.
In this order, the adjudicator finds that the third party information exemption in section 10(1) of the Act applies to the remaining information at issue. She finds that the public interest override in section 16 does not apply. She upholds the city’s decision and dismisses the appeal.

MO-4536 Order Access to Information Orders Justine Wai

The appellant submitted a request under the Act to the police for an audio/video statement made by her deceased brother to the police. The police denied the appellant access to the record, claiming the application of the personal privacy exemption. The appellant appealed the police’s decision, claiming the application of the compassionate grounds exception to the personal privacy exemption in section 14(4)(c) of the Act. In this decision, the adjudicator upholds the police’s decision, finding the record is exempt under the personal privacy exemption at section 38(b) and not subject to section 14(4)(c).

PHIPA DECISION 251 Decision - PHIPA Health Information and Privacy Chris Anzenberger

Asserting the correction rights in the Act, the mother of a child requested that the hospital make several corrections to her child’s medical record regarding a previous diagnosis and references to other matters regarding the child and his father. The hospital granted some corrections, but denied two corrections related to a specific diagnosis.

In this decision, the adjudicator finds that the references to the diagnosis are professional opinions or observations made in good faith by a hospital physician, and the section 55(9)(b) exception to the duty to correct therefore applies. He upholds the decision of the hospital and dismisses the complaint.

PHIPA DECISION 250 Decision - PHIPA Health Information and Privacy Jessica Kowalski

The complainant requested a copy of her entire file from the custodian. The complainant was dissatisfied with the completeness of the records she received and challenges the search for records. The adjudicator finds that the custodian has complied with her search obligations under PHIPA and dismisses the complaint.

PO-4526-F Order - Final Access to Information Orders Steven Faughnan

This final order determines whether the Workplace Safety and Insurance Board (the WSIB) conducted a reasonable search for responsive records. In the first interim order PO-4402-I, the adjudicator ordered the WSIB to conduct a further search for responsive records. In the second interim order PO-4424-I, the adjudicator again ordered the WSIB to conduct a further search for responsive records. In this final order, the adjudicator finds that the WSIB has now conducted a reasonable search for responsive records and dismisses the appeal.
