Decisions

Showing 15 of 421 results

File Numbers Type Collection Adjudicators Date Published
HR14-59 Order - PHIPA Health Information and Privacy Brian Beamish

Rouge Valley Health System (the Hospital) reported two separate breaches of patient privacy involving allegations that Hospital employees used and/or disclosed the personal health information of mothers for the purposes of selling or marketing RESPs. 

This Order finds that personal health information was used and disclosed in contravention of the Act, and that the Hospital failed to comply with sections 12(1), and 10(1) and (2) of the Act.  The Order requires the Hospital to:

1. In relation to all of the Hospital’s electronic information systems, implement the measures necessary to ensure that the Hospital is able to audit all instances where agents access personal health information on its electronic information systems, including the selection of patient names on the patient index of its Meditech system.

2. In relation to the Hospital’s Meditech system:

a) Work with the Hospital’s Hosting Provider to review and amend the service level agreement between the Hospital and the Hosting Provider to clarify the responsibility for the creation, maintenance and archiving of user activity logs generated by the Hospital’s use of its Meditech system, and ensure that the user activity logs are available to the Hospital for audit purposes.

b) Work with Meditech or another software provider to develop a solution that will limit the search capabilities and search functionalities of the Hospital’s Meditech system so that agents are unable to perform open-ended searches for personal health information about individuals, including newborns and/or their mothers, and can only perform searches based on the following criteria: health number, medical record number, encounter number, or exact first name, last name and date of birth.

3. Review and revise its Privacy Audits policy, the Pledge of Confidentiality policy and the Pledge of Confidentiality, and the Privacy Advisory in accordance with the comments and findings made in this Order, and take steps to ensure that it complies with the Privacy Audits policy.

4. Develop a Privacy Training Program policy, a Privacy Awareness Program policy, and a Privacy Breach Management policy in accordance with the comments and findings made in this Order.

5. Immediately review and revise its privacy training tools and materials in accordance with the comments and findings made in this Order.

6. Using the privacy training materials developed in accordance with Order provision 5:

a) immediately conduct privacy training for all agents in clerical positions in the Hospital; and

b) conduct privacy training for all other agents by June 16, 2015.

7. Provide this office with proof of compliance with all of the Order provisions by September 16, 2015.

HA13-58-2 Order - PHIPA Health Information and Privacy Nathalie Rioux

Through their agent and substitute decision-maker the complainants sought access to their records of personal health information from Dynamic Foot Care and Therapy Inc. This order determines that Dynamic Foot Care and Therapy Inc. is deemed to have refused the complainants’ request for access. Dynamic Foot Care and Therapy Inc. is ordered to provide a response to the complainants’ agent and substitute decision-maker regarding the complainants’ request for access to records of personal health information in accordance with the Personal Health Information Protection Act, 2004 and without recourse to a time extension.

PC12-47 Reconsideration Order Privacy Reports Ann Cavoukian

A Reconsideration of Order PO-3171 that relates to the personal information collection practices of the Liquor Control Board of Ontario (LCBO) relating to purchases made by clubs on behalf of their members pursuant to the LCBO’s Business Process and Program Guidelines – Spirit, Beer or Wine Clubs (Club Guidelines).

Section 2(1) definition of personal information – LCBO’s practice is to collect the personal information of club members.

Section 38(2) - LCBO’s personal information collection practices relating to sales made through clubs on behalf of their members are contrary to section 38(2) of the Act, except in limited circumstances.

Section 59(b) - The LCBO is ordered to cease its collection practice and to destroy its collections of personal information relating to sales made through clubs on behalf of their members.

MC11-84 Privacy Complaint Report Privacy Reports

The Office of the Information and Privacy Commissioner/Ontario (the IPC) received a complaint alleging that the City of Kingston (the city) inappropriately disclosed personal information to a named individual and the Social Benefits Tribunal (SBT). In response, the IPC opened a privacy complaint file to determine if the disclosure of the complainant’s personal information was in compliance with the Municipal Freedom of Information and Protection of Privacy Act (the Act). This Privacy Complaint Report finds the disclosure of the complainant’s personal information to the named individual and the SBT was in accordance with the Act.

MC13-49 Privacy Complaint Report Privacy Reports Lucy Costa

The complainant complained that the Guelph Police Service inappropriately used and disclosed the complainant’s personal information while conducting a Police Vulnerable Sector Check. In response the Office of the Information and Privacy Commissioner/Ontario opened a privacy complaint file to determine if the use and disclosure of the complainant’s personal information was in compliance with the Municipal Freedom of Information and Protection of Privacy Act.
This Privacy Complaint Report finds that the police’s use of the complainant’s personal information for the purposes of a PVSC was contrary to the Youth Criminal Justice Act and the Municipal Freedom of Information and Protection of Privacy Act.

PC12-47 Order Privacy Reports Ann Cavoukian

This Order was issued in response to a privacy complaint filed against the LCBO, by the manager of a wine club, who was also a member of the wine club. The complainant objected to the collection of personal information about wine club members when the wine club places orders through the LCBO’s Private Ordering Department. The complainant submitted that the LCBO’s practice of collecting this information is in violation of the Freedom of Information and Protection of Privacy Act (the Act).

In this Order, the Investigator finds that the information being collected by the LCBO qualifies as “personal information” under section 2(1) of the Act and that the collection of the personal information by the LCBO contravenes section 38(2) of the Act except in limited circumstances. The LCBO is ordered to cease its collection practice and to destroy any personal information previously collected relating to purchases by members of wine clubs.

MC11-26 Privacy Complaint Report Privacy Reports Jeffrey Cutler

The Office of the Information and Privacy Commissioner/Ontario received a complaint alleging that the Local Services Board of Britt-Byng Inlet (the board) had improperly collected and disclosed the complainant’s personal information during a public meeting of the board. In response, the IPC opened a privacy complaint file to determine if the collection and disclosure of the complainant’s personal information was in compliance with the Municipal Freedom of Information and Protection of Privacy Act (the Act).

The Privacy Complaint Report upholds the board’s decision to collect the complainant’s personal information, but concludes that the board was not in compliance with section 32 of the Act when it disclosed the complainant’s personal information at a public meeting of the board.

PR11-33 Privacy Complaint Report Privacy Reports Jeffrey Cutler

The Office of the Information and Privacy Commissioner/Ontario (IPC) received a notice from the Ministry of Labour (the ministry) advising that it had disclosed personal information in response to an Ontario Labour Relations Board order. Two individuals filed complaints in response to the ministry’s disclosure of their personal information. In response, the IPC opened a privacy complaint file to assess if the collection, disclosure and transfer of personal information were in compliance with the Freedom of Information and Protection of Privacy Act (the Act).

The Privacy Complaint Report upholds the ministry’s decision to disclose the records of personal information, but concludes that the ministry did not implement adequate measures to prevent unauthorized access to the records at issue as required under section 4 of Regulation 460, made pursuant to the Act.

NJ12-7 Reviews/Registrations / Authorizations Privacy Reports

Investigation into the loss of two USB keys containing unencrypted personal information that were used by the Strike-off Project of Elections Ontario (EO). 

Findings:

EO failed to put in place reasonable measures to protect the physical security, and the privacy and security of the personal information in its custody and control and, in particular, failed to ensure that the personal information stored on mobile electronic devices was encrypted.

EO failed to take steps to ensure that existing policies were reflected in actual practice; failed to ensure that senior staff were accountable and responsible for privacy and security; failed to adequately train its staff; and, failed to respond adequately to the privacy breach by continuing to store unencrypted data on USB keys after having learned of the privacy breach.

Recommendations:

Retain the services of an independent third party to conduct a thorough and comprehensive audit of all of the personal information management practices at EO;

Develop an overarching privacy policy;

Establish Technology Services as the centre of responsibility and accountability at EO for implementation of strong measures to protect the privacy and security of personal information on all electronic devices and for ensuring that staff are fully trained and supported regarding the use of these devices;

Appoint a Chief Privacy Officer;

Develop a comprehensive, mandatory privacy training program for all staff;

Develop an ongoing communications plan to ensure that all staff are made aware of and are reminded of EO’s privacy and security policies.

In addition, the Report recommends that the government of Ontario ask the Auditor General of Ontario to conduct privacy audits of the information management practices of selected public sector agencies in the province; and conduct a review and modernization of the Election Act to ensure that the privacy and security of the personal information in the custody of EO is strongly protected and used prudently, as prescribed.

• News Release: Commissioner Cavoukian’s investigation finds systemic failures at Elections Ontario – paving the way to the largest privacy breach in Ontario history

PC11-34 Privacy Complaint Report Privacy Reports Jeffrey Cutler

The complainant complained that staff at the Ontario Provincial Police, Lancaster Branch had inappropriately disclosed to her landlord an occurrence report which included her personal information. The ministry responsible for the Ontario Provincial Police admitted that a privacy breach had occurred. The issue here is whether the ministry responded appropriately to this breach, and this Report finds that it did not.

MC10-46 Privacy Complaint Report Privacy Reports Jeffrey Cutler

The Municipality forwarded an access request to Chatham-Kent Energy and Chatham-Kent Energy forwarded a copy of its response to the access request to the Municipality.

Section 2(1)(personal information) - information about the Complainant's utilities account qualifies as personal information.

Section 18(2)(access) - request was appropriately transferred by the Municipality to Chatham-Kent Energy in accordance with the Act.

Section 28(2)(collection) - the response to the access request was not collected by the Municipality within the meaning of the Act.

Recommendation:

The Municipality should fully delete all electronic copies of Chatham-Kent Energy's response to the access request and securely shred any paper copies in its possession.

MC10-55 Privacy Complaint Report Privacy Reports Jeffrey Cutler

Chatham-Kent Energy forwarded a copy of its response to an access request to its Chief Executive Officer and to the Municipality of Chatham-Kent.

Section 2(1)(personal information) - information about the Complainant's utilities account qualifies as personal information.

Section 32 (Disclosure) - Chatham-Kent Energy improperly disclosed the Complainant’s personal information to its Chief Executive Officer and to the Municipality of Chatham-Kent.

Recommendations:

1. Chatham-Kent Energy should develop guidelines for the processing of FOI requests that are in accordance with the Act.

2. Chatham-Kent Energy should ask the Municipality of Chatham-Kent to fully delete all electronic copies of the November 6, 2007 email and to securely shred any paper copies in its possession.

MC11-18, MC10-75 Privacy Complaint Report Privacy Reports

Use of complainant’s e-mail address by former City Councillor and TTC Chair to send e-mail advising that he would no longer be serving in those capacities.

Issues:

• Section 2(1) (personal information) – the complainant’s e-mail address qualifies as personal information.

• Custody or control (City of Toronto) – the e-mail record was in the City’s custody or control.

• Custody or control (TTC) – The e-mail record was in the TTC’s custody or control.

• Section 31 (use) – the City’s use of the record was not in accordance with the Act.

• Section 31 (use) – the TTC’s use of the record was not in accordance with the Act.

Recommendations:

1. The City should amend the Code of Conduct for Members of Local boards to clarify that correspondence should only be used in accordance with the Act. 

2. The City should strongly encourage all current members of Council to attend a training session on access and privacy.

3. The TTC should circulate a memorandum to all of its current board members addressing the importance of protecting the privacy of the personal information contained in correspondence received from members of the public.

PC10-39 Privacy Complaint Report Privacy Reports

• Collection of the date of birth of complainants by the Office of the Independent Police Review Director (OIPRD).

• Section 2(1) (personal information) - the date of birth of OIPRD complainants qualifies as personal information.

• Section 38(2) (collection) - the collection of the personal information was in accordance with the Act.

MC08-91, MC08-92 Privacy Complaint Report Privacy Reports Mark Ratner

• Practices respecting the complainants’ personal information.

• Section 2(1) (personal information) – the information contained in the complainants’ correspondence qualifies as personal information.

• Section 2(1) (personal information) – the information described in the memorandum in question does not qualify as personal information.

• Section 28(2) (collection) - the personal information in question was not “collected” under the Act.

• Section 29(2) (notice) - notice of collection was not required.

• Section 31 (use) - the personal information was used in accordance with the Act.

• Section 32 (disclosure) - the personal information was disclosed in accordance with the Act.
