Dernières décisions

The appellant made a request to the Ministry of the Solicitor General (the ministry) for access to high-level information about homicides involving intimate partners cleared by the Ontario Provincial Police (OPP) between 2015 and 2020. The ministry denied access to a chart containing the requested information prepared by the OPP on the basis of the mandatory personal privacy exemption in section 21(1) of the Act. The appellant raised the application of the public interest override in section 23. In this order, the adjudicator finds that disclosure of the information at issue would not constitute an unjustified invasion of personal privacy because it is desirable for subjecting the OPP to public scrutiny, and that the record is therefore not exempt under section 21(1). The adjudicator also finds that, even if the information were exempt, the public interest override would require its disclosure, and orders the ministry to disclose it to the appellant.

The London Police Services Board (the police) received a request under the Act for access to information about the appellant. The police issued a decision denying access in full to the responsive record under section 38(a) read with section 8(1)(g) of the Act. The appellant appealed the police’s access decision to the IPC and also raised reasonable search as an issue. In this order, the adjudicator upholds the police’s access decision, finds that the police conducted a reasonable search, and dismisses the appeal.

A complainant requested that a public hospital make his requested changes to certain hospital records concerning him, and to circulate those changes (or, in the alternative, a statement of his disagreement with the contents of the original records) to a list of individuals or groups within the hospital. The hospital refused his requests, including on the basis he had not established the duty to correct in section 55(8) of the Personal Health Information Protection Act, 2004 (PHIPA), and that the information at issue falls within the exception to the duty to correct for professional opinions or observations made in good faith (section 55(9)(b) of PHIPA). The hospital also refused to circulate his statement of disagreement to named hospital agents on the basis there is no duty in PHIPA to do so. In addition to his complaint to the IPC about the hospital’s decisions, the complainant challenged the constitutionality of the hospital’s actions in a Notice of Constitutional Question served on the IPC and on the Attorneys-General of Ontario and Canada.

In this decision, the adjudicator determines there are no reasonable grounds to review the complaint under PHIPA. She accordingly exercises her discretion under sections 57(3) and (4) not to conduct a review, and dismisses the complaint.

Un hôpital public a informé le Bureau du commissaire à l’information et à la protection de la vie privée (le « CIPVP ») d’une atteinte à la vie privée en contravention de la Loi de 2004 sur la protection des renseignements personnels sur la santé (la « Loi ») à la suite d’une cyberattaque. Le CIPVP a ouvert un dossier sur cette atteinte à la vie privée, et a reçu par la suite quatre plaintes de la part de personnes concernées. Au cours de la cyberattaque, l’auteur de menace a accédé à de nombreux systèmes de l’hôpital, se livrant à une attaque par rafale de mots de passe, ce qui a compromis un compte privilégié. L’hôpital a aussitôt désactivé les comptes touchés et rectifié le problème de pare-feu que l’auteur de menace avait exploité. Il a constaté que ce dernier avait exfiltré de grandes quantités de renseignements, sans pouvoir déterminer exactement de quelles données il s’agissait. L’hôpital a établi les types de renseignements personnels sur la santé qui avaient peut-être été exfiltrés, et estimé le nombre de patients touchés. Il a donné un avis public de l’atteinte à la vie privée et convenu de poursuivre sa surveillance du Web caché pendant deux ans pour déceler toute activité liée à cet incident.

L’hôpital a fourni au CIPVP ses nombreuses lignes directrices en place pour assurer la sécurité de l’information, lesquelles ont toutes été révisées après la cyberattaque. Ces lignes directrices portaient notamment sur la force des mots de passe, les limites imposées aux privilèges attribués à certains comptes et le pare-feu. L’hôpital a également fourni au CIPVP un protocole en cas d’atteinte à la vie privée attribuable aux incidents de cybersécurité mis en place après l’incident. Compte tenu des mesures que l’hôpital a prises pour rectifier la situation et des lignes directrices en vigueur, j’ai conclu qu’il n’est pas nécessaire de procéder à un examen de cette affaire en vertu de la partie VI de la Loi.

Un hôpital public a informé le Bureau du commissaire à l’information et à la protection de la vie privée (le « CIPVP ») d’une atteinte à la vie privée en contravention de la Loi de 2004 sur la protection des renseignements personnels sur la santé (la « Loi ») à la suite d’une cyberattaque. Le CIPVP a ouvert un dossier sur cette atteinte à la vie privée, et a reçu par la suite quatre plaintes de la part de personnes concernées. Au cours de la cyberattaque, l’auteur de menace a accédé à de nombreux systèmes de l’hôpital, se livrant à une attaque par rafale de mots de passe, ce qui a compromis un compte privilégié. L’hôpital a aussitôt désactivé les comptes touchés et rectifié le problème de pare-feu que l’auteur de menace avait exploité. Il a constaté que ce dernier avait exfiltré de grandes quantités de renseignements, sans pouvoir déterminer exactement de quelles données il s’agissait. L’hôpital a établi les types de renseignements personnels sur la santé qui avaient peut-être été exfiltrés, et estimé le nombre de patients touchés. Il a donné un avis public de l’atteinte à la vie privée et convenu de poursuivre sa surveillance du Web caché pendant deux ans pour déceler toute activité liée à cet incident.

L’hôpital a fourni au CIPVP ses nombreuses lignes directrices en place pour assurer la sécurité de l’information, lesquelles ont toutes été révisées après la cyberattaque. Ces lignes directrices portaient notamment sur la force des mots de passe, les limites imposées aux privilèges attribués à certains comptes et le pare-feu. L’hôpital a également fourni au CIPVP un protocole en cas d’atteinte à la vie privée attribuable aux incidents de cybersécurité mis en place après l’incident. Compte tenu des mesures que l’hôpital a prises pour rectifier la situation et des lignes directrices en vigueur, j’ai conclu qu’il n’est pas nécessaire de procéder à un examen de cette affaire en vertu de la partie VI de la Loi.

The complainant sought a review of a hospital’s decision to refuse her request, under the Personal Health Information Protection Act, to correct her records of personal health information that referred to her suffering from mental illness. The hospital refused the correction request under the section 55(9)(b) (professional opinions or observations made in good faith) exception to the duty to correct in section 55(8) of the Act.
In this decision, the adjudicator exercises her discretion, under sections 57(3) and 57(4)(a) of the Act, not to conduct a review of the complaint because there are no reasonable grounds to do so and the hospital has responded adequately to the complaint.

The complainant through her legal representative submitted an access request to Weechi-it-te-win Family Services (the service provider). This order determines that the service provider is deemed to have refused the complainant’s request for access. The service provider is ordered to provide a response to the complainant regarding their request for access to records of personal information in accordance with the Child, Youth and Family Services Act, 2017 and without a recourse to a time extension.

This complaint deals with an access decision made by the Kristus Darzs Latvian Home (the custodian) in response to a request made by an Estate Trustee for all records relating to her deceased father who had been a resident at the custodian’s facility. The custodian granted access to all records, with the exception of a number of emails for which it claimed the application of the exemption in section 52(1)(e)(iii) of the Personal Health Information Protection Act (the Act). In this decision, the adjudicator finds that the emails are “dedicated primarily” to the deceased’s personal health information within the meaning of section 52(3) of the Act. She also finds that these emails are exempt from disclosure under section 52(1)(e)(iii) of the Act Consequently, under section 61(1) of the Act, the adjudicator makes no order. The complaint is dismissed.

In this decision, the adjudicator orders Weechi-it-te win Family Services to produce the records at issue in the complaint to the Information and Privacy Commissioner of Ontario.

In this decision the adjudicator finds that the complainant has established that the clinic has a duty to correct his records of personal health information and orders the clinic to do so by striking out the incorrect statements that the clinic had “saved images for future reference.” The complainant established under section 55(8) that the records are inaccurate for the purposes for which the clinic uses the information because the images were not saved, thereby undermining the very purpose for which the clinic included the statements in the records – to document the availability of the images for future reference.

The complainant requested, under section 55(1) of the Personal Health Information Protection Act, 2004 (PHIPA), that her former family physician (the physician) make corrections to a record of her personal health information, a progress note. The physician denied the correction request stating that the conditions necessary to require a correction in PHIPA had not been met. He also relied on the exception to that duty which permits him to refuse to correct professional opinions or observations made in good faith. In this decision, the adjudicator upholds the physician’s refusal to correct the progress note, finding that the exception to the duty to correct, at section 55(9) of PHIPA, applies to the personal health information at issue. She dismisses the complaint.

Two health service provider organizations, one a health information custodian (the Custodian), and the other an organization contracted to deliver health care services on behalf of the Custodian (the Agent), both reported the same privacy breach under the Personal Health Information Protection Act, 2004 (the Act) to the Information and Privacy Commissioner of Ontario (IPC). The breach involved a phishing email attack that resulted in the unauthorized use of personal health information relating to the Custodian’s patients. However, in light of the steps taken by the Custodian and the Agent to address the breach, as well as the Agent’s commitment to providing the IPC with an update before or by March 31, 2024 to confirm that the outstanding recommendations arising from the independent cybersecurity risk assessment that it undertook have been implemented, no formal review of the two complaints will be conducted under Part VI of the Act.

A public hospital (the hospital) reported three separate privacy breaches under the Personal Health Information Protection Act, 2004 (the Act) to the Information and Privacy Commissioner of Ontario. Each breach involved unauthorized access to patients’ personal health information by an employee of the hospital. In light of the steps taken by the hospital to address the breaches, no formal review of this matter will be conducted under Part VI of the Act.

The complainant made a request under the Personal Health Information Protection Act to the custodian seeking copies of records containing her personal health information. In her complaint to the IPC, the complainant takes the position that the custodian deleted emails that would have been responsive to her request and asks the IPC to conduct an audit of the custodian’s computer so that the emails may be recovered and provided to her. The complainant raised the same allegation in a complaint to the College of Psychologists (the college), of which the custodian is a member.

In this decision, the adjudicator finds that no review of the complaint is warranted given that the college proceedings appropriately dealt with the subject matter of the complaint before the IPC. The adjudicator exercises her discretion under section 57(4)(b) of PHIPA not to review the complaint.

The complainant sought access under the Child, Youth and Family Services Act, 2017 (the Act) for his family’s entire case file with the York Region Children’s Aid Society (the society). The society granted access, in part, denying access to the name of an individual pursuant to the exemption at section 312(1)(d)(ii) of the Act (identification of an individual required by law to provide information to a service provider). The complainant filed a complaint with the Information and Privacy Commissioner of Ontario (IPC), asking the IPC to review the society’s decision to withhold the individual’s name.

In this decision, the adjudicator finds that the exemption at section 312(1)(d)(ii) applies to the name withheld from the record and upholds the society’s decision not to provide it to the complainant.