Dernières décisions

A public hospital (the hospital) contacted the Information and Privacy Commissioner/Ontario (the IPC) to report two privacy breaches under the Personal Health Information Protection Act, 2004 (PHIPA or the Act). Specifically, and unrelated to each other, a clerk and a nurse had each accessed the personal health information of many patients without authorization. In light of the steps taken by the hospital to address both breaches, no formal review of this matter will be conducted under Part VI of the Act.

The complainant requested a reconsideration of PHIPA Decision 99, which dealt with a complaint made under the Personal Health Information Protection Act (the Act) about a physician. In that complaint, the complainant alleged that the physician did not conduct a reasonable search for records responsive to her access request and that the physician improperly refused to make requested corrections to her records of personal health information. In PHIPA Decision 99, the adjudicator upheld the physician’s search for records as reasonable and upheld the physician’s refusal to make the requested corrections to the records. In this reconsideration decision, the adjudicator determines that there are no grounds for reconsideration and the complainant’s request for reconsideration is dismissed. The adjudicator also dismisses the complainant’s allegation of a reasonable apprehension of bias.

This reconsideration decision addresses the complainant’s request for reconsideration of PHIPA Decision 170. In that decision, the adjudicator found that the respondent hospital was not required to correct a record of the complainant’s personal health information because the exception for good faith opinion or observation under section 55(9)(b) of the Personal Health Information Protection Act, 2004 applied. The adjudicator finds that the complainant has not established any ground for reconsideration under section 27.01 of the Code of Procedure for Matters under the Personal Health Information Protection Act, 2004 and denies the request.

The complainant, a teacher who was interviewed by a children’s aid society (CAS) as part of an investigation, requested the correction of the CAS record detailing his interview. The CAS, which had provided the complainant with a severed copy of the record of his interview, refused the correction request and advised the complainant that he could make a complaint about the refusal to the Information and Privacy Commissioner of Ontario under the Child, Youth and Family Services Act, 2017.

The adjudicator determines that there are no reasonable grounds to conduct a review of the subject-matter of the complaint and that a review is not warranted. She bases her determination on her finding that the complainant has no right to request that the children’s aid society correct the record under section 315(2) of the Act because he has no right of access to the record under section 312(1) of the Act; an individual’s right to request a correction under section 315(2) is limited to records to which the individual has a right of access under section 312(1). As a result, the adjudicator declines to conduct a review and she dismisses the complaint.

The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a privacy complaint from the parents of students of the Halton District School Board (the board), objecting to the board’s use of third party apps (“apps”), and the associated collection, use, and disclosure of students’ personal information. The complainant alleged that the board’s utilization of these apps contravened the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA or the Act). The complainants’ concerns included a failure to regulate the third party apps available to students via the board’s platform, a failure to track which apps had collected students’ personal information and what information they had collected, the posting of students’ personal information without knowledge or consent, and third party apps advertising to students. The complainants also stated that the board does not have reasonable measures in place to ensure that third party vendors protect the security of student personal information.

This report concludes that the board’s catalogue system regulating the apps that collect, use, and disclose students’ personal information is in partial compliance with the Act, but that the board’s notice of collection was deficient. This report concludes that personal information was used for advertising or marketing purposes, contrary to the provisions of the Act. This report recommends that the board review its usage agreements with vendors, and revise the agreements to expressly prohibit the use of personal information by vendors for advertising or marketing purposes and to ensure that vendors only use personal information for the board’s education-related purposes. This report further recommends that the board review which apps use personal information for marketing or advertising purposes, and take the steps needed to prevent vendors from using personal information for those purposes going forward.

This report also concludes that the board does not have reasonable contractual and oversight measures in place to ensure the privacy and security of the personal information of its students. This report recommends that the board revise its usage agreement to require vendors to notify the board when they have been compelled by law to disclose personal information. This report further recommends that the board revise its usage agreement to include both a requirement that vendors delete data for accounts no longer in use and a commitment by vendors to confirm, on the board’s request, that this deletion had occurred. Finally, this report recommends that the board’s usage agreement include both an audit requirement and a term stating that vendors’ obligations regarding personal information continue to apply, regardless of any changes to a vendor’s business name, structure, or ownership.

Under the Personal Health Information Protection Act, 2004 (PHIPA), the complainant made requests to a public hospital for deletions and other changes to her records of personal health information. The complainant alleges that the information she seeks to have removed relates to a doctor’s factually incorrect diagnosis of her. The hospital refused the requests, including on the basis the information at issue consists of professional opinions or observations made in good faith, and thus qualifies for the exception at section 55(9)(b) to the duty to correct in section 55(8) of PHIPA.

After considering the circumstances of the complaint, the adjudicator exercises her discretion not to conduct a review of the matter under PHIPA. Among other reasons, she finds that the hospital has responded adequately to the complaint in the circumstances, and that no useful purpose would be served by reviewing a complaint in which the complainant seeks deletions to her records and other remedies that are not available in PHIPA. She dismisses the complaint.

The adjudicator also addresses as a preliminary matter the complainant’s allegations that the IPC discriminated against her and failed to accommodate her disability in the IPC complaint process. She finds that in the absence of information from the complainant to support an accommodation request, it is reasonable to proceed with her consideration of the complaint.

An individual submitted a correction request under the Personal Health Information Protection Act to St. Thomas Elgin General Hospital, seeking correction to a consulting doctor’s report about him because he believed it to be inaccurate. The hospital denied the correction request, pursuant to the exception for good faith professional opinion or observation in section 55(9)(b) of PHIPA. The adjudicator finds that section 55(9)(b) applies and she upholds the hospital’s decision not to make the requested correction. No order is issued.

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Ministry of Transportation (the ministry) contravened the Freedom of Information and Protection of Privacy Act (the Act) when it disclosed the complainant’s personal information to a parking lot operator and a collection agency. This report finds that the information at issue is “personal information” as defined in section 2(1) of the Act and that the personal information was disclosed in accordance with sections 42(1)(c) and 43 of the Act.

The complainant made a request under the Act for records relating to her late mother’s admittance at the Southlake Regional Health Centre (the custodian). The custodian located records responsive to the request and granted the complainant complete access to them. The complainant filed a complaint to the IPC on the basis that additional records ought to exist. In this decision, the adjudicator upholds the custodian’s search and dismisses the complaint.

An adopted person made a request to the Children’s Aid Society of Ottawa (CASO) under the Child, Youth and Family Services Act, 2017 (the CYFSA or the Act), for access to all information about himself, including information about his birth parents. The CASO granted partial access to the requested records, having severed all identifying information about the requester’s birth parents. The requester filed a complaint with the Information and Privacy Commissioner/Ontario (the IPC) because he seeks access to his birth parents’ identifying information.

The adjudicator finds that the identifying information about the requester’s birth parents is excluded from the scope of Part X of the CYFSA under the exception at section 285(4)(a) as information that relates to an adoption. As a result of the application of the exception, Part X does not apply to the requested information and the requester does not have a right of access to his birth parents’ identifying information under that part. The complaint is dismissed.

This decision addresses both an individual complaint and an IPC-initiated investigation into a hospital’s practices around its agents’ use of personal health information for education purposes. In the individual complaint, a hospital patient alleged that a doctor had improperly accessed her health records while claiming an education purpose for the accesses. The patient’s allegations raised broader questions about whether the hospital had in place adequate information practices to govern this use of personal health information by its agents. The IPC opened the self-initiated investigation to address those systemic issues.

In this decision, the adjudicator finds there were a number of unauthorized accesses to the patient’s health records. These accesses were made in violation of the hospital’s policy on education use, which permits patients to refuse consent to this use, and the patient’s withdrawal of consent under the policy. The adjudicator finds these accesses were violations of the Personal Health Information Protection Act, 2004 (PHIPA). After considering the circumstances surrounding the accesses, she concludes they were largely the result of systemic deficiencies in the information practices around education use that the hospital had in place at the time. These were failures by the hospital to comply with its obligations under PHIPA, including its duty to take reasonable steps to protect personal health information in its custody or control.

The adjudicator then considers a number of changes the hospital has already made or has committed to making to its information practices in response to the breaches, as well as the hospital’s cooperation throughout the IPC process. In view of all the circumstances, she finds it unnecessary to issue orders against the hospital. However, she provides guidance to the hospital in the form of three key recommendations, as well as some additional recommendations, for further improvements to its information practices in relation to the use of personal health information for education purposes.

The complainant, a patient of a regional cancer centre within a public hospital, filed a complaint against the hospital about a cancer symptoms survey he completed at the cancer centre. He complained that the hospital collected his personal health information through the survey and then disclosed it to Cancer Care Ontario, without a valid consent. He also complained about the hospital’s privacy practices and privacy training in respect of how hospital staff registered him for his appointment and how a hospital volunteer assisted him with the survey, and regarding the placement of the survey kiosks. Finally, the complainant asked that his survey responses be removed from his health records with the hospital.
The hospital responded that it had the complainant’s implied consent to collect and use his personal health information in the survey, in accordance with the requirements of the Personal Health Information Protection Act, 2004. The hospital also responded that the Act permitted the hospital to use the services of Cancer Care Ontario (in its capacity as a health information network provider) to collect the complainant’s personal health information through the survey and use it, and to disclose personal health information to Cancer Care Ontario (in its capacity as a prescribed entity). In addition, the hospital confirmed that it provided additional training to its staff and volunteers, added language to the survey to highlight that it was voluntary, and determined that the privacy screen software it used for the kiosks was adequate. Finally, the hospital acknowledged the complainant’s concerns about the validity of his consent and advised him that while it could not remove his survey responses from his health records, it could take steps to preclude the use of his survey responses going forward.
The adjudicator determines that the hospital has responded adequately to the complaint and there are no reasonable grounds to conduct a review. As a result, she declines to conduct a review and she dismisses the complaint.

The complainant, a patient of a regional cancer centre within a public hospital, alleged that Cancer Care Ontario collected and used his personal health information, obtained through a cancer symptoms survey, without his valid consent and without legal authority. He also expressed concerns about the survey, including that it should have clearly stated that its completion was voluntary. Cancer Care Ontario responded that various sections of the Personal Health Information Protection Act, 2004 and its regulations authorize it to provide the survey to the hospital, collect personal health information from the hospital and store personal health information from the survey in a database. In some of these transactions, Cancer Care Ontario acts in its capacity as a health information network provider, while in others, it acts in its capacity as a prescribed entity. Cancer Care Ontario also took steps to address the complainant’s concerns, including updating the survey to make it clearer that completion of the survey was voluntary.
The adjudicator determines that Cancer Care Ontario has responded adequately to the complaint and there are no reasonable grounds to conduct a review. As a result, she declines to conduct a review and she dismisses the complaint.

The complainant, a teacher named in two reports made by a third party to the Children’s Aid Society of Toronto about a child in need of protection, sought access to “records of service” relating to himself. CAST refused the complainant’s access request on the basis that it did not provide a “service” to him within the meaning of section 312(1) of the Child, Youth and Family Services Act and, therefore, he has no right of access under the Act. The complainant sought a review of CAST’s decision by the IPC.

The adjudicator upholds CAST’s decision that the complainant has no right of access to the records under section 312(1) of the Act because the records do not relate “to the provision of a service” to him. The adjudicator dismisses the complaint.

The complainant submitted a correction request under section 55(1) of the Personal Health Information Protection Act (the Act) to the Appletree Medical Group (Appletree) with respect to information contained in a record relating to a walk-in visit at a clinic run by Appletree. Appletree denied the correction request under section 55(8) of the Act, on the basis that the complainant had not established that the record is incomplete or inaccurate for the purposes for which the Appletree uses the information. In this decision, the adjudicator finds that the complainant has not established that the record is incomplete or inaccurate for the purposes for which Appletree uses the information and she upholds Appletree’s refusal to correct the record. No order is issued.