Showing 15 of 546 results
| Order Numbers | Type | Collection | Adjudicators | Date Published | |
|---|---|---|---|---|---|
| MC11-73 | Privacy Complaint Report | Privacy Reports | Jeffrey Cutler | Read moreExpand | |
The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the York Region District School Board (the Board) contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act) when it disclosed the complainant’s son’s Ontario School Record (OSR) during a proceeding filed against the Board with the Human Rights Tribunal of Ontario (HRTO). The Privacy Complaint Report concludes that the Act prevails over the confidentiality provisions in section 266(2) and 266(10) of the Education Act. The Board’s disclosure of the personal information from the OSR to the HRTO and the Board’s legal counsel was in accordance with sections 51 and 32(d) of the Act, respectively. |
|||||
| MC13-60 | Privacy Complaint Report | Privacy Reports | Jeffrey Cutler | Read moreExpand | |
The complainant, whose residence is adjacent to the Monsignor Fraser College (the School) in Toronto, expressed concern with the use of video surveillance at the School, which is operated by the Toronto Catholic District School Board (the Board). The Information and Privacy Commissioner/Ontario (the IPC) finds that the Board’s collection of the personal information within the School property is in accordance with section 28(2) of the Municipal Freedom of Information and Protection of Privacy Act (the Act). However, the collection of personal information from outside the School’s property is not in accordance with section 28(2) of the Act. The IPC makes recommendations regarding the collection of personal information from outside the School’s property and revision of the Board’s notice and policy on video surveillance. |
|||||
| MO-3205-I | Order - Interim | Access to Information Orders | Diane Smith | Read moreExpand | |
Brantford Hydro Inc. (BHI) received a request under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) for access to its Board of Directors’ meeting minutes for the years 2010 to 2013. BHI located 33 sets of minutes and denied access to them pursuant to sections 6(1)(b) (closed meeting), 7(1) (advice or recommendations), 10(1) (third party information), 11 (economic or other interests), and 12 (solicitor-client privilege). |
|||||
| MC13-67 | Privacy Complaint Report | Privacy Reports | Jeffrey Cutler | Read moreExpand | |
The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the City of Vaughan (the City) contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act) when making the complainant’s personal information available on the Internet in relation to a minor variance application made under the Planning Act. In response, this office opened a privacy complaint file to determine if the disclosure of the complainant’s personal information was in compliance with the Act. The Privacy Complaint Report concludes that the City’s decision to disclose the complainant’s personal information via the Internet is not in contravention of the Act. However, the Report recommends that the City consider implementing privacy protective measures that obscures this type of information from search engines and automated agents. |
|||||
| MC13-46 | Privacy Complaint Report | Privacy Reports | Jeffrey Cutler | Read moreExpand | |
The complainant, whose child attended the St. Thomas Aquinas Catholic School in Oakville (the School), expressed concern with the use of video surveillance at the School, which is operated by the Halton Catholic District School Board (the Board). The Office of the Information and Privacy Commissioner/Ontario (the IPC) finds that the Board’s collection of the personal information is not in accordance with section 28(2) of the Municipal Freedom of Information and Protection of Privacy Act (the Act). The IPC recommends that the Board conduct an assessment of the video surveillance system at the School in a manner consistent with the Act, the Board’s internal policy and this Report. |
|||||
| HO-013 | Order - PHIPA | Health Information and Privacy | Brian Beamish | Read moreExpand | |
Rouge Valley Health System (the Hospital) reported two separate breaches of patient privacy involving allegations that Hospital employees used and/or disclosed the personal health information of mothers for the purposes of selling or marketing RESPs. This Order finds that personal health information was used and disclosed in contravention of the Act, and that the Hospital failed to comply with sections 12(1), and 10(1) and (2) of the Act. The Order requires the Hospital to: 1. In relation to all of the Hospital’s electronic information systems, implement the measures necessary to ensure that the Hospital is able to audit all instances where agents access personal health information on its electronic information systems, including the selection of patient names on the patient index of its Meditech system. 2. In relation to the Hospital’s Meditech system: a) Work with the Hospital’s Hosting Provider to review and amend the service level agreement between the Hospital and the Hosting Provider to clarify the responsibility for the creation, maintenance and archiving of user activity logs generated by the Hospital’s use of its Meditech system, and ensure that the user activity logs are available to the Hospital for audit purposes. b) Work with Meditech or another software provider to develop a solution that will limit the search capabilities and search functionalities of the Hospital’s Meditech system so that agents are unable to perform open-ended searches for personal health information about individuals, including newborns and/or their mothers, and can only perform searches based on the following criteria: health number, medical record number, encounter number, or exact first name, last name and date of birth. 3. Review and revise its Privacy Audits policy, the Pledge of Confidentiality policy and the Pledge of Confidentiality, and the Privacy Advisory in accordance with the comments and findings made in this Order, and take steps to ensure that it complies with the Privacy Audits policy. 4. Develop a Privacy Training Program policy, a Privacy Awareness Program policy, and a Privacy Breach Management policy in accordance with the comments and findings made in this Order. 5. Immediately review and revise its privacy training tools and materials in accordance with the comments and findings made in this Order. 6. Using the privacy training materials developed in accordance with Order provision 5: a) immediately conduct privacy training for all agents in clerical positions in the Hospital; and b) conduct privacy training for all other agents by June 16, 2015. 7. Provide this office with proof of compliance with all of the Order provisions by September 16, 2015. |
|||||
| HO-12 | Order - PHIPA | Health Information and Privacy | Nathalie Rioux | Read moreExpand | |
Through their agent and substitute decision-maker the complainants sought access to their records of personal health information from Dynamic Foot Care and Therapy Inc. This order determines that Dynamic Foot Care and Therapy Inc. is deemed to have refused the complainants’ request for access. Dynamic Foot Care and Therapy Inc. is ordered to provide a response to the complainants’ agent and substitute decision-maker regarding the complainants’ request for access to records of personal health information in accordance with the Personal Health Information Protection Act, 2004 and without recourse to a time extension. |
|||||
| PO-3356-R | Reconsideration Order | Privacy Reports | Ann Cavoukian | Read moreExpand | |
A Reconsideration of Order PO-3171 that relates to the personal information collection practices of the Liquor Control Board of Ontario (LCBO) relating to purchases made by clubs on behalf of their members pursuant to the LCBO’s Business Process and Program Guidelines – Spirit, Beer or Wine Clubs (Club Guidelines). Section 38(2) - LCBO’s personal information collection practices relating to sales made through clubs on behalf of their members is contrary to section 38(2) of the Act, except in limited circumstances. Section 59(b) The LCBO is ordered to cease its collection practice and to destroy its collections of personal information relating to sales made through clubs on behalf of their members . |
|||||
| MC11-84 | Privacy Complaint Report | Privacy Reports | Read moreExpand | ||
The Office of the Information and Privacy Commissioner/Ontario (the IPC) received a complaint alleging that the City of Kingston (the city) inappropriately disclosed personal information to a named individual and the Social Benefits Tribunal (SBT). In response, the IPC opened a privacy complaint file to determine if the disclosure of the complainant’s personal information was in compliance with the Municipal Freedom of Information and Protection of Privacy Act (the Act). This Privacy Complaint Report finds the disclosure of the complainant’s personal information to the named individual and the SBT was in accordance with the Act. |
|||||
| MC13-49 | Privacy Complaint Report | Privacy Reports | Lucy Costa | Read moreExpand | |
The complainant complained that the Guelph Police Service inappropriately used and disclosed the complainant’s personal information while conducting a Police Vulnerable Sector Check. In response the Office of the Information and Privacy Commissioner/Ontario opened a privacy complaint file to determine if the use and disclosure of the complainant’s personal information was in compliance with the Municipal Freedom of Information and Protection of Privacy Act. |
|||||
| PO-3171 | Order | Privacy Reports | Ann Cavoukian | Read moreExpand | |
This Order was issued in response to a privacy complaint filed against the LCBO, by the manager of a wine club, who was also a member of the wine club. The complainant objected to the collection of personal information about wine club members when the wine club places orders through the LCBO’s Private Ordering Department. The complainant submitted that the LCBO’s practice of collecting this information is in violation of the Freedom of Information and Protection of Privacy Act (the Act). In this Order, the Investigator finds that the information being collected by the LCBO qualifies as “personal information” under section 2(1) of the Act and that the collection of the personal information by the LCBO contravenes section 38(2) of the Act except in limited circumstances. The LCBO is ordered to cease its collection practice and to destroy any personal information previously collected relating to purchases by members of wine clubs. |
|||||
| MC11-26 | Privacy Complaint Report | Privacy Reports | Jeffrey Cutler | Read moreExpand | |
The Office of the Information and Privacy Commissioner/Ontario received a complaint alleging that the Local Services Board of Britt-Byng Inlet (the board) had improperly collected and disclosed the complainant’s personal information during a public meeting of the board. In response, the IPC opened a privacy complaint file to determine if the collection and disclosure of the complainant’s personal information was in compliance with the Municipal Freedom of Information and Protection of Privacy Act (the Act). The Privacy Complaint Report upholds the board’s decision to collect the complainant’s personal information, but concludes that the board was not in compliance with section 32 of the Act when it disclosed the complainant’s personal information at a public meeting of the board. |
|||||
| PR11-33 | Privacy Complaint Report | Privacy Reports | Jeffrey Cutler | Read moreExpand | |
The Office of the Information and Privacy Commissioner/Ontario (IPC) received a notice from the Ministry of Labour (the ministry) advising that it had disclosed personal information in response to an Ontario Labour Relations Board order. Two individuals filed complaints in response to the ministry’s disclosure of their personal information. In response, the IPC opened a privacy complaint file to assess if the collection, disclosure and transfer of personal information were in compliance with the Freedom of Information and Protection of Privacy Act (the Act). The Privacy Complaint Report upholds the ministry’s decision to disclose the records of personal information, but concludes that the ministry did not implement adequate measures to prevent unauthorized access to the records at issue as required under section 4 of Regulation 460, made pursuant to the Act. |
|||||
| NJ12-7 | Reviews/Registrations / Authorizations | Privacy Reports | Read moreExpand | ||
Investigation into the loss of two USB keys containing unencrypted personal information that were used by the Strike-off Project of Elections Ontario (EO). Findings: EO failed to put in place reasonable measures to protect the physical security, and the privacy and security of the personal information in its custody and control and, in particular, failed to ensure that the personal information stored on mobile electronic devices was encrypted. EO failed to take steps to ensure that existing policies were reflected in actual practice; failed to ensure that senior staff were accountable and responsible for privacy and security; failed to adequately train its staff; and, failed to respond adequately to the privacy breach by continuing to store unencrypted data on USB keys after having learned of the privacy breach. Recommendations: Retain the services of an independent third party to conduct a thorough and comprehensive audit of all of the personal information management practices at EO; Develop an overarching privacy policy; Establish Technology Services as the centre of responsibility and accountability at EO for implementation of strong measures to protect the privacy and security of personal information on all electronic devices and for ensuring that staff are fully trained and supported regarding the use of these devices; Appoint a Chief Privacy Officer; Develop a comprehensive, mandatory privacy training program for all staff; Develop an ongoing communications plan to ensure that all staff are made aware of and are reminded of EO’s privacy and security policies. In addition, the Report recommends that the government of Ontario ask the Auditor General of Ontario to conduct privacy audits of the information management practices of selected public sector agencies in the province; and conduct a review and modernization of the Election Act to ensure that the privacy and security of the personal information in the custody of EO is strongly protected and used prudently, as prescribed. • News Release: Commissioner Cavoukian’s investigation finds systemic failures at Elections Ontario – paving the way to the largest privacy breach in Ontario history |
|||||
| PC11-34 | Privacy Complaint Report | Privacy Reports | Jeffrey Cutler | Read moreExpand | |
The complainant complained that staff at the Ontario Provincial Police, Lancaster Branch had inappropriately disclosed to her landlord an occurrence report which included her personal information. The ministry responsible for the Ontario Provincial Police admitted that a privacy breach had occurred. The issue here is whether the ministry responded appropriately to this breach, and this Report finds that it did not. |
|||||