INTRODUCTION

This report deals with two privacy investigations involving the Ministry of the Attorney General (the Ministry). Both stem from incidents involving the disclosure of personal information as a consequence of computer theft. In both instances the police were notified of the theft, but neither computer has been recovered. Both investigations remain ongoing.

BACKGROUND

Privacy Investigation #1 - PC-000026-1

On August 4, 2000, the Office of the Information and Privacy Commissioner (the IPC) received a letter from a Director from one Division of the Ministry regarding the theft of a portable computer containing litigation documents. The letter stated:

On Thursday August 3, 2000 a portable computer containing information related to litigation conducted by counsel from [the Ministry] was stolen. The computer was locked in the trunk of the lawyer's automobile and was removed while the vehicle was in an underground parking area. The police have been notified and I am advised that efforts are underway to recover this stolen property. As the data on the computer includes some personal information, [the Deputy Attorney General] requested that I notify you of this matter. Also, please be advised that office policies with respect to the security of portable computers are under review and all staff will be reminded of their obligation to secure personal information. ...

On the basis of this letter, the IPC initiated Privacy Investigation PC-000026-1, pursuant to the Freedom of Information and Protection of Privacy Act (the Act).

Privacy Investigation #2 - PC-010009-1

On February 21, 2001, the IPC received a letter from the Ministry's Assistant Deputy Attorney General, Criminal Law Division, which stated:

On February 14, 2001, a laptop belonging to an Assistant Crown Attorney was stolen from the locked trunk of his car in Durham Region. It appears to have been stolen when he stopped at a Shopper's Drug Mart on his way home from work.
I have been advised that there was personal information, and also information of a sensitive nature stored in the C drive of the computer. The computer was not password protected. There are inquiries being made regarding the extent to which the information was backed up so we can determine who ought to be notified of the incident. The Criminal Law Division is reviewing current practices regarding the transportation of files in an effort to enhance security measures. Crowns have recently been reminded not to leave laptops and files unattended. We will take immediate steps to ensure that all laptops in the Criminal Law Division are password protected in an effort to ensure that should such an unfortunate event occur in the future, the information stored on the computer would be inaccessible. ...

As a result, the IPC initiated Privacy Investigation PC-010009-1 under the Act.

RESULTS OF THE INVESTIGATION

The first two priorities when faced with a potential disclosure of personal information are: (1) to identify the scope of the potential disclosure and take steps to contain it; and (2) to identify those individuals whose personal information may have been disclosed and, barring exceptional circumstances, to notify those individuals accordingly.

Although the circumstances which led to Privacy Investigations #1 and #2 were very similar in nature, the approach taken by the Ministry in addressing these two priorities differed significantly.

Privacy Investigation #1 - PC-000026-1

The Ministry initially advised the IPC that the stolen computer contained a very large number of documents relating to a specific litigation matter. No details were provided. The Ministry informed the IPC that the lawyer whose laptop was stolen was of the view that the only personal information contained in the electronic records stored on the computer consisted of the names and home telephone numbers of certain public servants.
On August 9, 2000, the Director who authored the August 4, 2000 letter to the IPC sent an e-mail to her staff advising them of the stolen laptop and reminding them to "take laptops directly home from the office" and to "ensure that access to documents stored on the laptop is password protected."

On August 28, 2000, the Ministry's Freedom of Information and Privacy Co-ordinator (the Co-ordinator) provided the Director with a copy of the IPC Practices entitled "Privacy and Confidentiality When Working Outside the Office" and asked her to distribute it to the staff of the branch.

The IPC advised the Ministry that it required more information in order to determine whether the actions taken by the Ministry adequately addressed basic privacy concerns. Specifically, the IPC asked the Ministry to provide more information concerning: the type of records at issue; the scope and type of personal information at issue; and the identity of the individuals whose personal information was contained in the records. IPC staff offered to meet with the lawyer, but the Ministry declined.

The Ministry provided a general description of the types of records at issue, but no further details concerning the particulars of the case or the individuals involved. The Ministry subsequently explained that the records contained privileged information that could not be divulged to the IPC, but that some remedial steps had been taken by the Ministry to prevent similar incidents in future.

As an initial investigative step, the IPC decided to focus our efforts in the following two areas: ensuring that all public servants whose personal information was included in the records had been notified by the Ministry; and ensuring that a privacy expert from the Ministry personally reviewed the hard-copy version of each record contained on the stolen computer to confirm that no other personal information was contained in any of them.
The Ministry promptly confirmed that the notifications relating to the first item had been sent by the lawyer during the week of September 7, 2000.

As far as the second item was concerned, the Ministry took until December 22, 2000 to complete the review, almost 5 months after the theft of the computer had been reported. Further, although the review was apparently completed on December 22, 2000, the IPC was not advised of the results of the review until February 2, 2001. In response to persistent enquiries from the IPC, the Ministry finally confirmed that the review had been completed, and advised us for the first time at that point that additional personal information had been identified in the records. The Ministry informed the IPC that internal consultations were underway to address this situation.

On February 22, 2001, the Deputy Attorney General wrote to the Commissioner outlining a number of steps the Ministry had taken to prevent similar situations from arising in future, which are discussed later in this report. As far as the specific records at issue in Privacy Investigation #1 were concerned, the Ministry stated:

... during the week of September 2, 2000, the public servants whose personal information was included in t
PC-010009-1
Collection: Privacy Reports
Date:
Adjudicators: Ann Cavoukian
Decision Type: Privacy Complaint Report
Applicable Legislation: FIPPA; FIPPA - 42