Latest IPC Decisions

Search Decisions below by keyword or visit the Advanced Decisions Search for more details.

Showing 15 of 546 results

Order Numbers Type Collection Adjudicators Date Published
PHIPA DECISION 143 Decision - PHIPA Health Information and Privacy Gillian Shaw Read moreExpand

The complainant sought access under the Personal Health Information Protection Act, 2004 to her chart, and that of her son, from the respondent medical centre, for the purpose of transferring the charts to their physician’s new practice. The complainant took issue with the medical centre’s fee for access, and made a complaint to the Information and Privacy Commissioner. During the adjudication of the complaint, the medical centre revised its fee to $40 for each of the complainant and her son, itemized as $30 for the electronic transfer of medical records and a $10 administration fee for providing a USB flash drive. The adjudicator upholds the custodian’s revised fee in each complaint and dismisses the complaints. No order is issued.

PHIPA DECISION 142 Decision - PHIPA Health Information and Privacy Gillian Shaw Read moreExpand

The appellant, on behalf of her brother, made an access request to UHN for a copy of security video footage relating to an incident involving her brother at a rehabilitation hospital. She did not seek the images of other patients or visitors. UHN issued a decision to release the footage, with images of all other patients, visitors, hospital staff and security personnel redacted. It also provided a fee estimate of $725. On appeal, the adjudicator makes findings on the appellant’s right of access pursuant to the Personal Health Information Protection Act and the Freedom of Information and Protection of Privacy Act. UHN is ordered to provide access to most of the information in the record, including images of staff and security personnel, and to issue a new fee estimate under PHIPA if it decides to charge a fee for access.

MC18-39 Privacy Complaint Report Privacy Reports John Gayle Read moreExpand

The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint from a parent (the complainant) in which he advised that a supply teacher employed by the Conseil scolaire catholique Providence (the Board) had inappropriately collected his children’s personal information by video recording them without his consent. The parent was concerned that the teacher’s actions breached his children’s privacy under the Municipal Freedom of Information and Protection of Privacy Act (the Act).

This report finds that the Board’s collection of the children’s personal information was not in accordance with section 28(2) of the Act and, therefore, breached their privacy. It also finds that the Board did not respond adequately to the breach because it did not notify them of the steps it has taken to address the breach. As a result, I recommend that, going forward, the Board take steps to ensure that adequate notification is provided to parties affected by a breach.

PHIPA DECISION 129 Decision - PHIPA Health Information and Privacy Jennifer James Read moreExpand

A father filed a complaint against a counselling centre’s decision to deny him access to records containing the personal health information (PHI) of his three children. In this decision, the adjudicator finds that the father does not have an independent right of access to his children’s PHI under Part V of PHIPA, given the children’s mother’s objection, and dismisses his complaint. However, the adjudicator finds that the father’s evidence raises the potential application of sections 41(1)(d)(i) (court order) and 43(1)(h) (other statute) under Part IV of PHIPA which may permit the custodian to disclose the records to the father without consent of the other parent. The adjudicator makes no order but suggests that the custodian turn its mind to the discretionary disclosure provisions under PHIPA.

MC17-35 Privacy Complaint Report Privacy Reports John Gayle Read moreExpand

The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint from an individual in which he advised that the County of Norfolk (the County), without notice to him, disclosed his personal information in response to two access requests made under the Municipal Freedom of Information and Protection of Privacy Act (the Act). This report finds that the County’s disclosure of the complainant’s information was not in accordance with section 32 of the Act.

PR17-23 Privacy Complaint Report Privacy Reports John Gayle Read moreExpand

The Ministry of Community and Social Services (the ministry) reported a privacy breach under the Freedom of Information and Protection of Privacy Act (the Act) to the Office of the Information and Privacy Commissioner of Ontario (IPC). The ministry advised that a Family Responsibility Office (FRO) employee inappropriately accessed the case files of multiple FRO clients and disclosed the personal information of some of them to an unauthorized individual. This report finds that the disclosure of information was not in accordance with section 42(1) of the Act. It also finds that, at the time of the breach, the ministry did not have reasonable measures in place to prevent unauthorized access to the records. However, in the light of the steps taken by the ministry to address its deficiencies in protecting personal information, no further recommendations are required.

PHIPA DECISION 123 Decision - PHIPA Health Information and Privacy Jennifer James Read moreExpand

The complainant requested the video recordings of events leading up to, and including, his restraint and placement in a seclusion room by staff at Waypoint Centre for Mental Health Care (the hospital). The hospital denied the complainant access to the responsive records under section 52(1)(f) of the Personal Health Information and Protection Act, 2004 (PHIPA), with reference to section 49(a) of the Freedom of Information and Protection of Privacy Act (FIPPA), in conjunction with various law enforcement exemptions in section 14(1) of FIPPA.
The adjudicator finds that the records are not “dedicated primarily to” the complainant’s personal health information (PHI). Accordingly, the complainant’s right of access under PHIPA is limited to his PHI that can reasonably be severed from the remaining portions of the records. The adjudicator finds that some portions of the records containing the complainant’s PHI qualify for exemption under section 52(1)(f) of PHIPA, with reference to sections 49(a) and 14(1)(k) (security of a centre of lawful detention) of FIPPA.
The hospital is ordered to grant the complainant access to the portions of the video containing his PHI that can reasonably be severed from the exempt information.

PHIPA DECISION 106 Decision - PHIPA Health Information and Privacy Jaime Cardy Read moreExpand

In this final decision, the adjudicator upholds the reasonableness of the search conducted by the hospital in response to PHIPA Decision 101. As the only remaining issue for determination in the complaint is now resolved, this complaint is dismissed.

PC18-18 Privacy Complaint Report Privacy Reports Lucy Costa Read moreExpand

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Ministry of Transportation contravened the Freedom of Information and Protection of Privacy Act when it disclosed the complainant’s personal information to the War Amputations of Canada. This report finds that the information at issue is “personal information” as defined in section 2(1) of the Act and that the personal information was disclosed in accordance with section 42(1)(c) of the Act.

MC17-48 Privacy Complaint Report Privacy Reports Alanna Maloney Read moreExpand

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Town of East Gwillimbury (the town) contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act) when it released a record with the complainant’s personal information to the public. A complaint was opened to review the town’s collection, use and disclosure of the information at issue. In this report, I find that the some of the information contained in the record at issue is personal information. I find that the town’s collection and use of that information was in accordance with the Act. However, I find that the disclosure of the personal information in the publicly available record was not in accordance with section 32 of the Act.
I recommend that the town redact all street numbers and street names contained in the publicly available memo, chart, agenda and the Special Council Meeting minutes.

MC17-32 Privacy Complaint Report Privacy Reports John Gayle Read moreExpand

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Halton Regional Police Services Board (the police)’s online application process for a police record check, which involves a third party company, collects and uses applicants’ personal information contrary to the Municipal Freedom of Information and Protection of Privacy Act (the Act).
In this Report, I conclude that the police’s retention and use of applicants’ information is, respectively, in accordance with sections 30(1) and 31 of the Act. I also conclude that the police have reasonable measures in place to protect the information, as required by section 3(1) of Regulation 823. However, I find that the police’s collection of the information and notice of the collection is not, respectively, in accordance with sections 28(2) and 29(2) of the Act. In response to this finding, the police have agreed to implement my recommendations to address this concern.

MC17-49 Privacy Complaint Report Privacy Reports Alanna Maloney Read moreExpand

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the City of Toronto contravened the Municipal Freedom of Information and Protection of Privacy Act when it disclosed four video records containing the complainant’s personal information in response to a Freedom of Information request. This report finds that the records at issue were used by the city as the basis for an investigation of the complainant’s conduct as a city employee and are excluded from the scope of the Act pursuant to section 52(3)3.

PR16-40 Privacy Complaint Report Privacy Reports Lucy Costa Read moreExpand

On November 9, 2016, the Ontario Lottery and Gaming Corporation (OLG) notified the Office of the Information and Privacy Commissioner/Ontario (the IPC) of a possible privacy breach under the Freedom of Information and Protection of Privacy Act (FIPPA or the Act). OLG advised that a hacker had managed to steal information about employees and patrons of Casino Rama Resort (CRR) and was threatening to make the information public unless he was paid a ransom. OLG could not confirm the amount or extent of information in possession of the hacker. OLG further stated that the hacker claimed to have 154 gigabytes of CRR data and had posted examples of the information online. On November 21, 2016, the hacker released 4.49 gigabytes of CRR data on the Internet reported to consist of more than 14,000 documents.

In this report, I conclude that CRR did not have reasonable security measures in place to prevent unauthorized access to records of personal information of CRR patrons and individuals registered for OLG’s self-exclusion program (OLG self-exclusion registrants); however, since the breach, CRR has taken steps to address the gaps in its systems and processes. Although I am generally satisfied with CRR’s response to the breach in this regard, this report makes additional recommendations to address some specific shortcomings.

The other pillar of the IPC’s investigation concerns the contract between OLG and the private-sector company responsible for operating CRR on behalf of OLG, CHC Casinos Canada Limited (CHC or the Operator). In this report, I conclude that OLG did not have reasonable contractual and oversight measures in place to ensure the privacy and security of the personal information of CRR patrons and OLG self-exclusion registrants. This report also makes recommendations to address these shortcomings.

PC17-15 Privacy Complaint Report Privacy Reports Alanna Maloney Read moreExpand

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Human Rights Tribunal of Ontario (the Tribunal) contravened the Freedom of Information and Protection of Privacy Act (the Act) when it disclosed personal information in a public decision. A complaint was opened to review the Tribunal’s use and disclosure of personal information. In this report, I find that the Tribunal’s decisions are not covered by the privacy rules in Part III of the Act because the information in those decisions is maintained for the purpose of creating a record available to the general public.

PC17-9 Privacy Complaint Report Privacy Reports Alanna Maloney Read moreExpand

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Human Rights Tribunal of Ontario (the Tribunal) contravened the Freedom of Information and Protection of Privacy Act (the Act) when it disclosed personal information in a public decision. A complaint was opened to review the Tribunal’s collection, use and disclosure of personal information. In this report, I find that the Tribunal’s decisions are not covered by the privacy rules in Part III of the Act because the information in those decisions is maintained for the purpose of creating a record available to the general public.
Although I find that the Tribunal’s decisions are outside the scope of Part III of the Act, I recommend that the Tribunal respect privacy data minimization practices and ensure that only the personal information that is necessary in order to achieve the Tribunal’s purposes be included in its decisions.

Help us improve our website. Was this page helpful?
When information is not found

Note:

  • You will not receive a direct reply. For further enquiries, please contact us at @email
  • Do not include any personal information, such as your name, social insurance number (SIN), home or business address, any case or files numbers or any personal health information.
  • For more information about this tool, please see our Privacy Policy.