Dernières décisions

The complainant, an employee of the hospital, complained about the hospital’s handling of information in her file in the hospital’s Occupational Health Services (OHS) department. The complainant’s OHS file contains identifying information about her, including medical documentation that she provided to address issues such as her capacity to work, entitlement to sick pay, and workplace accommodation needs. In this decision, the adjudicator finds that the complainant’s OHS file is maintained primarily for employment purposes, not for health care purposes, and is not a record of personal health information within the meaning of the Personal Health Information Protection Act, 2004 [section 4(4)]. As a result, PHIPA does not apply to the hospital’s handling of information in the OHS file. She dismisses the complaint.

The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a privacy complaint from the parent of a student of the Toronto District School Board (the board), objecting to the board’s use of Google’s G Suite for Education services. The complainant alleged that the board’s utilization of G Suite for Education contravened the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA or the Act). The complainant’s concerns included a failure to notify, and obtain the consent of, parents and children for the collection, use, and disclosure of students’ personal information; the use of personal information beyond the scope of what is permitted under the Act; the storage of personal information outside of Canada; inadequate security protections for the students’ personal information; and a lack of adequate deletion and retention practices for the personal information.

This report concludes that the board’s collection, uses, and disclosures of the students’ personal information were in compliance with the Act, but that the board’s notice of collection was deficient.

This report also concludes that the board has reasonable contractual and oversight measures in place to ensure the privacy and security of the personal information of its students. This report makes recommendations to strengthen the board’s oversight of those security measures.

The Office of the Information and Privacy Commissioner of Ontario received a complaint under the Personal Health Information Protection Act, 2004 (the Act) about a public hospital (the hospital)’s redaction of its employees’ names from an audit of a patient’s health records. This led to an investigation by this office into the hospital’s practices with respect to responding to access requests for these audits.

This decision concludes that the hospital’s practices were not in accordance with section 54(1) of the Act. However, in light of the steps taken by the hospital to amend these practices, this decision finds that a review of this matter is not warranted.

The office of the Information and Privacy Commissioner of Ontario received a complaint under the Personal Health Information Protection Act, 2004 (the Act) against a medical clinic (the Clinic). The complaint involved a second incident in which a physician working at the Clinic left a patient alone in a waiting room that had a computer screen displaying the physician’s schedule, which contained personal health information of 35 patients.

This decision finds that the Clinic failed to take reasonable steps to ensure the protection of the personal health information against unauthorized disclosure as required by section 12(1) of the Act. I also find that the Clinic did not notify the affected patients as is required by section 12(2) of the Act. However, in light of the steps taken by the Clinic to address the privacy breach, which included notifying the affected patients, I am satisfied with the Clinic’s response to the breach and it is unnecessary for this matter to proceed to adjudication to consider potential orders.

This decision deals with the issues of access to records of personal health information, and reasonable search. The access request, made to Hamilton Health Sciences, was for psychological testing data relating to the complainant. In this decision, the adjudicator finds that the records at issue are excluded from Part V of the Personal Health Information Protection Act by virtue of section 51(1)(c). The adjudicator also finds that the hospital’s search for records responsive to the request was reasonable.

The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint involving the Corporation of the Village of Newbury (Newbury). The complaint was about Newbury’s installation of a video surveillance system in a park. The complainant was concerned that Newbury’s operation of the surveillance system breached the privacy of individuals under the Municipal Freedom of Information and Protection of Privacy Act (the Act).

This report concludes that Newbury’s notice of collection is not in accordance with the Act. However, it finds that Newbury’s collection, use and disclosure of the personal information is in accordance with the Act. Further, it finds that there is a right of access to this information and that the Newbury has reasonable protection measures and proper retention periods in place.

A father filed a complaint to the IPC against a counselling centre’s decision to deny him access to records containing the personal health information (PHI) of his three children. In PHIPA Decision 129, the adjudicator found that the father does not have an independent right of access to his children’s PHI under Part V of PHIPA, given the children’s mother’s objection, and dismissed his complaint.

The complainant sought a reconsideration of PHIPA Decision 129. In this reconsideration decision, the adjudicator finds that the complainant’s evidence failed to establish grounds for reconsideration under the claimed grounds in sections 27.01(b) and (c) of Code of Procedure for Matters under the Personal Health Information Protection Act, 2004. Accordingly, the complainant’s reconsideration request is denied.

This investigation file was opened after a public hospital contacted the Office of the Information and Privacy Commissioner/Ontario to report a privacy breach under the Personal Health Information Protection Act, 2004. The hospital advised that a patient had made a complaint, which alleged the unauthorized use and disclosure of her personal health information by a named physician. In particular, this investigation related to concerns that a “quality audit” the physician was conducting resulted in referrals of motor vehicle accident patients to his wife, a personal injury lawyer.
This Decision concludes that the quality audit conducted by the physician was an unauthorized use under the Act, and that I am unable to determine whether the physician disclosed personal health information in contravention of the Act. It also concludes that the hospital’s previously vague policies, practices and procedures regarding quality audits, and the complete lack of privacy training for physicians, did not amount to taking reasonable steps to protect the personal health information within the meaning of section 12(1) of the Act. However, I also find that the hospital has since remedied these issues.
Lastly, I decide that this review will be concluded without proceeding to the adjudication stage and without an order being issued by this office.

The complainant requested reconsideration of PHIPA Decision 144, on the basis that it contains errors of fact and jurisdictional defects. In this decision, the adjudicator partially upholds the request for reconsideration, finding that she omitted to fully address an allegation that a doctor disclosed the complainant’s personal health information to two other doctors, when it was not reasonably necessary for the provision of health care to the complainant. The adjudicator reviews this allegation and dismisses it.

This reconsideration order dismisses the complainant’s request for reconsideration of PHIPA Decision 126. In that decision, the adjudicator found that the respondent is a health information custodian within the meaning of the Personal Health Information Protection Act, 2004 in relation to marriage counselling services he provided to the complainant and that he is not a health information custodian in relation to the co-parenting counselling services he provided to the complainant. The adjudicator also determined the respondent had conducted a reasonable search for records of the complainant’s personal health information. In this reconsideration decision, the adjudicator finds that the complainant has not established grounds for reconsideration under section 27.01 of the Code of Procedure for Matters under the Personal Health Information Protection Act, 2004 and denies the request.

The complainant sought access to her records of personal health information from Dr. Robert Samuel Crozier (the custodian). This decision determines that the custodian is deemed to have refused the complainant’s request for access. The custodian is ordered to provide a response to the complainant in response to her request for access to records of her personal health information in accordance with the Personal Health Information Protection Act.

The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint involving the City of Cambridge (the city). The complaint was about the city’s installation of a video surveillance system in its downtown core areas. The complainant was concerned that the city’s operation of the system breached the privacy of individuals under the Municipal Freedom of Information and Protection of Privacy Act (the Act).

This report finds that the city has not conducted an assessment of whether the video surveillance system is necessary to achieve its objectives and recommends that it do so, to ensure compliance with the Act.

In the event that the city’s assessment determines that the system is necessary and the collection of personal information is thus consistent with the Act, this report considers whether the city’s notice of collection and use and disclosure of the personal information is in accordance with the Act. It also considers whether the city provides a right of access to this information, as well as whether the city has reasonable privacy protection measures and retention periods in place.

This report finds that the city’s notice of collection and use and disclosure of the personal information is in accordance with the Act. It also finds that there is a right of access to this information and that the city has reasonable protection measures and proper retention periods in place.

This decision finds that The Ottawa Hospital failed to take reasonable steps to implement the complainant’s lock-box request from October 2016 to June 2019 and, as a result, certain hospital caregivers used the complainant’s personal health information without consent or other authority. Other allegations of unauthorized use are dismissed. With the introduction of a new electronic medical records system in June 2019, the hospital remedied the deficiencies in its procedures for implementation of consent directives. The adjudicator makes one recommendation, to improve the directions given to users of the hospital’s electronic medical records. The adjudicator dismisses allegations that unauthorized uses were deliberate and malicious violations of the complainant’s privacy, concluding that they resulted from systemic failures in the hospital’s practices.

The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a privacy complaint from the parent of a student of the York Region District School Board (the board) objecting to the board’s implementation of a cloud-based data management service (Edsby), under contract with Corefour Inc. (Corefour), to store and process information pertaining to the attendance of the board’s students. The complainant alleged that the board’s use of Edsby contravened the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA or the Act). The complainant’s concerns included the board’s failure to secure parental consent to the use of Edsby, the adequacy of its notice of collection, potential misuse of information by Edsby service providers, the adequacy and enforceability of the terms of the board’s contract with Corefour and the adequacy of the board’s oversight in relation to various Edsby security measures. The complainant also raised concerns relating to the Edsby Terms of Use and Privacy Policy and a specific security vulnerability that was exploited by the complainant.

This report concludes that the board’s collection, notice of collection, use and disclosure of the students’ personal information were in compliance with the Act. This report also concludes that the board has reasonable contractual measures in place to ensure the privacy and security of the personal information of its students.

However, this report concludes that the board has not demonstrated that it has reasonable oversight measures in place in relation to the performance of the board’s and Corefour’s contractual security obligations, in accordance with the requirements of the Act and its regulations. In particular, the board did not have reasonable measures in place to prevent the security vulnerability that was exploited. This report makes recommendations as to the steps the board should take to strengthen and document the board’s oversight of security measures. This report also make recommendations with respect to its contract with Corefour and the Edsby Terms of Use and Privacy Policy.

The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint involving the Municipality of Leamington (the municipality). The complaint was that the municipality had inappropriately disclosed an email containing personal information to third parties. The complainant was concerned that the disclosure breached his privacy under the Municipal Freedom of Information and Protection of Privacy Act (the Act).

This report finds that the municipality’s disclosure of the complainant’s information was not in accordance with section 32 of the Act.