Dernières décisions

• Information contained in a Report of the Integrity Commissioner for the City of Vaughan

• Section 2(1) (definition of personal information) - the Report contained personal information.

• Section 32 (disclosure) - the disclosure of the personal information was in accordance with the Act.

• E-mails sent to a list of recipients providing information about events.

• Section 2(1) (definition of personal information) - the e-mails contained some personal information.

• Section 38(2) (collection) - the records were not collected under the Act.

• Section 39(2) (notice) - the University was not required to provide Notice of Collection.

• Section 41(1)(b) - the use of the personal information was in accordance with the Act.

• Letters and public meeting documentation posted on City’s website.

• Section 2(1) (definition of personal information) - the information in the public meeting documentation, and in letters A and B, qualifies as personal information.

• Section 32 (disclosure) - the disclosure of the complainant’s identity in the public meeting documentation was in accordance with the Act.

• Section 32 (disclosure) - the disclosure of letter B to the external auditor and on the City’s website was in accordance with the Act.

• Unauthorized access to customer billing records

• Section 2(1) (definition of personal information) - the records in question contained personal information.

• Section 32 (disclosure) - the disclosure of the personal information was not in accordance with the Act.

• Section 3(1) of Regulation 823 (security) - there were not adequate security measures in place at the time of the breach.

Recommendations:

1. Hydro should implement measures to enhance security at the e-bill account creation stage.

2. Hydro should take measures to prevent, limit, and to detect the ability of employees to access lists of all Hydro customers.

3. Hydro should implement robust access controls.

4. Hydro should implement additional mechanisms to detect and limit unusual online account activities.

5. Hydro should repair the software coding that allowed for the unauthorized override of password protections.

6. Hydro should provide a quarterly report to the IPC regarding system enhancements designed to protect customer privacy.

• Posting of a lawn sign in front of a residence indicting that the residence had been the subject of a search warrant for drugs.

• Section 2(1) (definition of personal information) - the information in question was personal information.

• Section 32 (disclosure) - the disclosure of the personal information was not in accordance with the Act.

Recommendation:

• Cease the practice of posting lawn signs in front of homes indicating that those homes have been the subject of a search warrant for drugs.

Unshredded documents set aside for disposal found at courthouse.

The records are subject to the Act.

Section 65(5.2)/52(2.1) (records relating to a prosecution) – does not apply.

Section 2(1) (definition of personal information) – the records contain personal information

Section 37/27 (record available to the general public) – not applicable; the records are subject to the privacy provisions of the Acts.

Section 40(4)/30(4) (disposal of personal information) – some of the disposal methods were not in accordance with the Act.

Recommended that the City of Toronto:

1. Draft a comprehensive policy on records and information destruction.

2. Provide staff training on the policy.

3. Ensure that new staff orientation includes training on privacy protection and the secure destruction of records

4. Ensure that either secure bins or paper shredders are located in all Old City Hall Offices.

5. Ensure that a certificate of destruction is provided by service providers once destruction has taken place.

• Access and correction request relating to records retained by Police concerning the appellant

• 2(1) “personal information” – records contain personal information of appellant and others

• Sections 28(2) and 29(1) (collection) - complied with

• Section 30 (use and retention) - complied with

• Section 32 (disclosure) not complied with

• Section 31 (use) partly complied with

• Recommendation to develop a police reference check program that complies with O. Reg 265/98 and the Charter. Further recommendation to assess the complainant’s police reference check situation

• Complaint concerning Board's video surveillance of employee which captured image of employee's spouse. 

• Section 52(3) (labour relations and employment) applies to exclude the records in question from the application of the Act.

• No recommendations

• Use of list of student names and contact information to administer mailings on behalf of the Golden Key Society

• Section 2(1) definition of personal information - records contain personal information

• Section 41 use of personal information - the use was in accordance with section 41 of the Act

• No recommendations

• Transfer of an individual's Labour Market Re-entry file to a WSIB Service Provider

• Section 2(1) "personal information" - record contains personal information.

• Section 42(1) (disclosure of personal information) - the disclosure was in accordance with the Act.

• Section 43 (consistent purpose) – the disclosure might have been reasonably expected.

• No recommendations made

This Privacy Complaint Report deals with two similar, but unrelated, privacy complaints. Both privacy complaints involve the Toronto Police Service, (the TPS) and its practice of disclosing information in response to Police Reference Checks. In both cases, the complainant was concerned that the actions of the TPS were inappropriate, and constituted a breach of the provisions of the Municipal Freedom of Information and Protection of Privacy Act. The investigation concluded that the personal information was not disclosed in accordance with section 32 of the Act and provided recommendations for the TPS.

The Office of the Information and Privacy Commissioner/Ontario (the IPC) received complaints under the Freedom of Information and Protection of Privacy Act (the Act) concerning the Ministry of Health and Long-Term Care from three patients at the Oak Ridge site of the Penetanguishene Mental Health Centre (the Centre). Specifically, the complaints relate to inspections of the patients’ computers and related equipment and material and the consents that patients were asked to provide in this regard.

The complainants maintain that the consent they were asked to sign was too broad and was requested, in their view, in a coercive manner such that if consent was not given, access to their computers was revoked. They feel that the impounding and inspection of their computers and related equipment under these circumstances was an inappropriate collection of their personal information and contrary to the Act.

In addition, one complainant (PC-040019-1) is also of the view that "spyware" had been installed on his computer during the course of the computer inspections. The same complainant feels that the apparent purpose of the search - to locate pornographic material, including child pornography, and copyright violations - is a criminal matter and the Centre does not have the jurisdiction to investigate criminal offences. He adds this as another reason why the computer searches should not have taken place.

Another complainant (PC-040021-1) is concerned that his CDs, containing personal information, are being stored in the nursing management office and not in a lockbox in his room as is the case with other patients.

On December 3, 2004, the Office of the Information and Privacy Commissioner (the IPC) was notified by the Ministry of Finance (the Ministry) about a breach of the Freedom of Information and Protection of Privacy Act(the Act). The Ministry advised that the privacy breach occurred with its November 30, 2004 mail-out of the Ontario Child Care Supplement cheques, which are mailed out on a monthly basis. The Ministry advised that each of the approximately 27,000 cheques mailed out contained the recipient's name, address, amount paid and social insurance number (SIN), along with four additional digits directly following the SIN. The counter-foil (the cheque stub) contained the name and SIN of the recipient as well as the name, address, and the SIN, along with four additional digits, of another recipient. The Ministry advised that the cheques were printed at the iSERV data centre in Downsview and mailed out for the Ministry by the Shared Services Bureau (the SSB) of Management Board Secretariat (MBS).

That same day, the IPC also received a second telephone call in relation to the incident, this time from MBS. MBS confirmed that the cheques were printed by iSERV, a program area for which MBS is responsible, and that MBS was investigating the circumstances leading to the privacy breach. MBS stated that it was now double-checking the cheques printed by iSERV for other programs, prior to mailing them out.

Both the Ministry and MBS expressed their concerns over the privacy breach and assured us of their intention to co-operate fully with our investigation, which they have done.

The IPC initiated privacy investigations under the Act with MBS (PC-040077-1) and the Ministry (PC-040078-1). Both investigations are addressed in this report since the privacy breach involved both the Ministry and MBS.

Summary of Commissioner-Initiated Investigation Background Results of the Investigation The Disclosure Steps Taken by the Ministry and MBS upon Learning of the Disclosure Remedial Steps taken by MBS Additional Disclosure and Notification Conclusions Other Matters The Use of the SIN as a Unique Identifier The Need for An Independent, Comprehensive Audit Recommendations Privacy Complaint Report Privacy Complaint Nos. PC-040077-1 and PC-040078-1 Institutions: Management Board Secretariat (PC-040077-1) Ministry of Finance (PC-040078-1) Summary of Commissioner-Initiated Investigation: On December 3, 2004, the Office of the Information and Privacy Commissioner (the IPC) was notified by the Ministry of Finance (the Ministry) about a breach of the Freedom of Information and Protection of Privacy Act (the Act ). The Ministry advised that the privacy breach occurred with its November 30, 2004 mail-out of the Ontario Child Care Supplement cheques, which are mailed out on a monthly basis. The Ministry advised that each of the approximately 27,000 cheques mailed out contained the recipient's name, address, amount paid and social insurance number (SIN), along with four additional digits directly following the SIN. The counter-foil (the cheque stub) contained the name and SIN of the recipient as well as the name, address, and the SIN, along with four additional digits, of another recipient. The Ministry advised that the cheques were printed at the iSERV data centre in Downsview and mailed out for the Ministry by the Shared Services Bureau (the SSB) of Management Board Secretariat (MBS). That same day, the IPC also received a second telephone call in relation to the incident, this time from MBS. MBS confirmed that the cheques were printed by iSERV, a program area for which MBS is responsible, and that MBS was investigating the circumstances leading to the privacy breach. MBS stated that it was now double-checking the cheques printed by iSERV for other programs, prior to mailing them out. Both the Ministry and MBS expressed their concerns over the privacy breach and assured us of their intention to co-operate fully with our investigation, which they have done. The IPC initiated privacy investigations under the Act with MBS (PC-040077-1) and the Ministry (PC-040078-1). Both investigations are addressed in this report since the privacy breach involved both the Ministry and MBS. Background The Ontario government has a number of programs that involve mailing cheques to individuals. The cheques for some programs, such as the Ontario Child Care Supplement for Working Families (OCCS) Program and the Ontario Disability Support Program, are printed at the iSERV data centre in Downsview. However, the cheques for other programs may be printed at a limited number of government buildings. Regardless of the government program, the process for printing and mailing cheques follows a common chain of events that typically involve the Office of the Provincial Controller (OPC), SSB, and the iSERV data centre in Downsview. For the OCCS program, the Ministry of Finance first prepares an electronic program file. This file contains data that will ultimately be printed out on each cheque, such as the name, address and identifying number (which includes the social insurance number) of an OCCS recipient. Each cheque includes a stub with similar data that would typically be detached and retained by the recipient before he or she deposited or cashed the cheque at a bank or other financial institution. The Ministry electronically transmits the OCCS program file to a "holding" s

SUMMARY OF COMMISSIONER INITIATED COMPLAINT: The Office of the Information and Privacy Comissioner/Ontario (the IPC) was contacted by Management Board Secretariat (MBS) regarding a disclosure of personal information relating to the Ontario Student Award Program (OSAP) by the Ministry of Training, Colleges and Universities and a private collection agency. Subsequently, this Office was contacted by MBS regarding a second disclosure of personal information relating to the same program by another private collection agency. On the basis of this information, the IPC initiated two privacy complaints under the Freedom of Information and Protection of Privacy Act (the Act ). Background The first complaint involves the Student Support Branch of the Ministry of Training, Colleges and Universities (the Ministry), and both complaints involve the Collections Management Unit (CMU) of the Shared Services Bureau (SSB) of MBS. The Student Support Branch of the Ministry manages OSAP, a program of student financial assistance administered by the Ministry and composed of a variety of programs funded by the province of Ontario and the government of Canada. The CMU manages the collection of overdue non-tax debts owing to the government, by hiring private sector debt collection agencies to undertake the collection of unpaid debts on behalf of the Ontario government. When a debtor defaults on the repayment of an OSAP loan and the Ministry is unable to settle the account with the debtor, the Ministry refers the debt to the CMU at MBS for collection, and these accounts are then assigned by the CMU to private collection agencies. Particulars of the two incidents In the first complaint, PA-040033-1, a private collection agency retained by MBS received a request from a debtor for supporting information about her student loan. In response, the agency forwarded the request to the Ministry, which in turn sent a copy of a bulk report prepared by a bank to the agency. The agency then forwarded this report to the debtor. However, the report contained the personal information of thirty- eight other individuals in addition to that of the debtor. In the second instance, PA-040044-1, another private collection agency mailed information to a debtor regarding her student loan and inadvertently enclosed the personal information of another debtor in the envelope. In both instances, MBS was made aware of the incidents by the two recipients of the records. The personal information in the records at issue included the student debtors’ names, social insurance numbers (SIN) and details regarding the student loans. Actions taken in response to these incidents PC-040033-1 Management Board Secretariat MBS advised that it undertook the following steps to address this incident. On receipt of the telephone call from the debtor’s mother advising that her daughter had received a record from a collection agency retained by MBS containing the personal information of individuals other than her daughter, staff in the SSB alerted senior management in the CMU, and obtained the debtor’s written consent for the SSB to communicate with her mother on this issue. A client services officer in the CMU then contacted the mother, who confirmed that her daughter received a record containing the names, social insurance numbers and details of the loans relating to 38 other individuals. The record was sent to the daughter by a private collection agency retained by the CMU. This information was provided to her daughter as a result of a request for supporting information from the Ministry regarding the daughter’s outstanding OSAP loan. At MBS’ request, the mother faxed the record to the CMU, and advised that she would shred her copy. Subsequently, MBS arranged to pick up the record by courier and has since returned it to the Ministry. The CMU then contacted the collection agency, which confirmed that it sent the information at issue to the daughter. It also confirmed that it had originally received this record from the Ministry. The CMU also contacted the Student Support Branch of the Ministry, which confirmed that the record was sent to the collection agency by the Ministry. The Ministry indicated that the record is one of a series of quarterly statements prepared for the years 1996 and 1997 for a particular bank identifying individuals who have participated in the interest relief program. The record identifies 38 individuals including the recipient. It contains the individuals’ social insurance number, given name and surname, and other details of the loans relating to these individuals. MBS notes that it has established comprehensive contractual provisions in its contracts with the PCA [private collection agency] agents it retains in order to protect the personal information that is collected, used and disclosed in the course of debt collection... at the behest of the CMU all [staff at the collection agency] were reminded that when receiving back-up information about debtors from Ministries they must conduct a thorough review of all documents to ensure that only the personal information of the debtor is mailed out; the CMU, the MBS legal services branch, and the Access and Privacy Office of MBS [conducted] a comprehensive privacy training session for staff of all PCAs retained by the CMU.[...] A training session [was] conducted for staff in the [CMU]. Ministry of Training, Colleges and Universities The Ministry advised that it undertook the following steps to address this incident. Specifically it sent letters to all 38 individuals, advising them that as the result of a mailing error, their personal information (name, social insurance number and the principal and interest of their OSAP loan) was inadvertently sent to another individual. The director of Student Support Branch, who signed the letter, apologized for the breach, stated that the record had been returned without being copied, and provided the name and telephone number of the Senior Manager of Operations as a contact person to provide them with additional information. We also informed the individuals that the ministry has changed the process by which banks and collection agencies report on OSAP loans and we have enhanced internal measures to protect client privacy. The letters were sent by registered mail to the most recent address that the ministry could obtain for each of the individuals. However, many of these addresses are several years old. To date, 21 of the letters have been returned to the ministry. These letters are being kept in the files of the individuals concerned. The Ministry indicated that in light of this incident, it has reviewed its policies and procedures and made the following changes: The processes under which disclosure of personal information is made to private collection agencies, upon request for proof of an OSAP debt, has been enhanced. Before disclosure is made by a financial services clerk, the disclosure is re