Dernières décisions

The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint involving the Human Rights Tribunal of Ontario (HRTO). The complaint was that the HRTO had inappropriately disclosed personal information in a Case Assessment Direction (CAD). The complainant believed that the disclosure had breached his privacy under the Freedom of Information and Protection of Privacy Act (the Act).
This report finds that a CAD is an HRTO decision and that, in accordance with section 37 of the Act, the provisions for the protection of individual privacy found in Part III of the Act do not apply to it.

Under the Personal Health Information Protection Act (the Act), Bellwood Health Services Inc. (Bellwood) received a request from a former client for access to records relating to his treatment. Bellwood provided the requester, now the complainant, a complete copy of what it describes as his “official health record.” In addition to the official health record, the complainant sought access to his counsellor’s handwritten notes. Bellwood provided the complainant with a copy of the counsellor’s notebook, in which other clients’ personal health information had been withheld. Bellwood advised that the counsellor’s handwritten “loose working notes” had been shredded and therefore it was unable to provide the complainant with access to those notes. The complainant sought verification that Bellwood had provided him with access to all of his personal health information from the counsellor’s notebook. He also took issue with Bellwood’s destruction of the counsellor’s loose notes, which occurred after he submitted his request for access to them.

In this decision, the adjudicator finds that the counsellor’s notebook is a record of the complainant’s personal health information, but that it is not dedicated primarily to the complainant’s personal health information. His right of access is therefore limited to his personal health information in the record that can reasonably be severed from the remainder of the record. Upon review of the record, the adjudicator finds that there are small portions of the complainant’s personal health information to which he has not yet been provided access. She orders Bellwood to provide the complainant with access to those portions of the record.

The adjudicator also accepts Bellwood’s position that the counsellor’s loose notes would have contained the complainant’s personal health information; however, given that those records have been destroyed such that access is now impossible, she finds that no useful purpose would be served by determining the extent of the complainant’s right of access to those loose notes.

Finally, the adjudicator considers Bellwood’s handling and retention of the counsellor’s loose notes, and determines that it has acted in accordance with its obligations under section 13 of the Act.

The complainant made a number of requests to the custodian for records relating to her two children, who received services from the custodian. She later requested information about herself as well as about her children. The custodian issued several decisions, after which it maintained it had located and granted full access to all records responsive to the complainant’s requests. The complainant challenged the reasonableness of the custodian’s searches, including by identifying other records that she believed ought to exist. The adjudicator finds that the custodian conducted a reasonable search in accordance with its obligations under the Personal Health Information Protection Act, 2004. She dismisses the complaint.

In this decision, the adjudicator determines that Quinte Health Care (the hospital) breached the Personal Health Information Protection Act, 2004 in permitting staff fulfilling a designated role to access personal health information not reasonably necessary to the role. The inadequacies of the hospital’s processes and policies in defining the access to patient information appropriate to this role resulted in unauthorized accesses to the complainant’s personal health information. This decision also finds that an investigation of allegations of breaches of the complainant’s privacy was conducted in a manner contrary to the hospital’s privacy policies, resulting in other unauthorized accesses. The adjudicator concludes, taking into account a second investigation, that the hospital’s response to the privacy breach was adequate. The hospital has taken steps to remedy the deficiencies in its processes and policies and no orders are necessary.

The complainant, an employee of the hospital, complained about the hospital’s handling of information in her file in the hospital’s Occupational Health Services (OHS) department. The complainant’s OHS file contains identifying information about her, including medical documentation that she provided to address issues such as her capacity to work, entitlement to sick pay, and workplace accommodation needs. In this decision, the adjudicator finds that the complainant’s OHS file is maintained primarily for employment purposes, not for health care purposes, and is not a record of personal health information within the meaning of the Personal Health Information Protection Act, 2004 [section 4(4)]. As a result, PHIPA does not apply to the hospital’s handling of information in the OHS file. She dismisses the complaint.

The hospital reported three privacy breaches to the Information and Privacy Commissioner of Ontario (IPC). Despite efforts at the intake and investigation stages of the IPC’s process to obtain complete and clear information about the breaches, the IPC was not satisfied with the response of the hospital and commenced a review into the circumstances. After a review, the adjudicator concluded that the hospital failed in its duty to notify the affected patients of unauthorized uses of their personal health information, as required by the Personal Health Information Protection Act, 2004. Given the passage of time and the relatively benign circumstances of the privacy breaches, no useful purpose would be served by ordering notification at this time.

The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a privacy complaint from the parent of a student of the Toronto District School Board (the board), objecting to the board’s use of Google’s G Suite for Education services. The complainant alleged that the board’s utilization of G Suite for Education contravened the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA or the Act). The complainant’s concerns included a failure to notify, and obtain the consent of, parents and children for the collection, use, and disclosure of students’ personal information; the use of personal information beyond the scope of what is permitted under the Act; the storage of personal information outside of Canada; inadequate security protections for the students’ personal information; and a lack of adequate deletion and retention practices for the personal information.

This report concludes that the board’s collection, uses, and disclosures of the students’ personal information were in compliance with the Act, but that the board’s notice of collection was deficient.

This report also concludes that the board has reasonable contractual and oversight measures in place to ensure the privacy and security of the personal information of its students. This report makes recommendations to strengthen the board’s oversight of those security measures.

The Office of the Information and Privacy Commissioner of Ontario received a complaint under the Personal Health Information Protection Act, 2004 (the Act) about a public hospital (the hospital)’s redaction of its employees’ names from an audit of a patient’s health records. This led to an investigation by this office into the hospital’s practices with respect to responding to access requests for these audits.

This decision concludes that the hospital’s practices were not in accordance with section 54(1) of the Act. However, in light of the steps taken by the hospital to amend these practices, this decision finds that a review of this matter is not warranted.

The office of the Information and Privacy Commissioner of Ontario received a complaint under the Personal Health Information Protection Act, 2004 (the Act) against a medical clinic (the Clinic). The complaint involved a second incident in which a physician working at the Clinic left a patient alone in a waiting room that had a computer screen displaying the physician’s schedule, which contained personal health information of 35 patients.

This decision finds that the Clinic failed to take reasonable steps to ensure the protection of the personal health information against unauthorized disclosure as required by section 12(1) of the Act. I also find that the Clinic did not notify the affected patients as is required by section 12(2) of the Act. However, in light of the steps taken by the Clinic to address the privacy breach, which included notifying the affected patients, I am satisfied with the Clinic’s response to the breach and it is unnecessary for this matter to proceed to adjudication to consider potential orders.

This decision deals with the issues of access to records of personal health information, and reasonable search. The access request, made to Hamilton Health Sciences, was for psychological testing data relating to the complainant. In this decision, the adjudicator finds that the records at issue are excluded from Part V of the Personal Health Information Protection Act by virtue of section 51(1)(c). The adjudicator also finds that the hospital’s search for records responsive to the request was reasonable.

The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint involving the Corporation of the Village of Newbury (Newbury). The complaint was about Newbury’s installation of a video surveillance system in a park. The complainant was concerned that Newbury’s operation of the surveillance system breached the privacy of individuals under the Municipal Freedom of Information and Protection of Privacy Act (the Act).

This report concludes that Newbury’s notice of collection is not in accordance with the Act. However, it finds that Newbury’s collection, use and disclosure of the personal information is in accordance with the Act. Further, it finds that there is a right of access to this information and that the Newbury has reasonable protection measures and proper retention periods in place.

A father filed a complaint to the IPC against a counselling centre’s decision to deny him access to records containing the personal health information (PHI) of his three children. In PHIPA Decision 129, the adjudicator found that the father does not have an independent right of access to his children’s PHI under Part V of PHIPA, given the children’s mother’s objection, and dismissed his complaint.

The complainant sought a reconsideration of PHIPA Decision 129. In this reconsideration decision, the adjudicator finds that the complainant’s evidence failed to establish grounds for reconsideration under the claimed grounds in sections 27.01(b) and (c) of Code of Procedure for Matters under the Personal Health Information Protection Act, 2004. Accordingly, the complainant’s reconsideration request is denied.

The complainant requested reconsideration of PHIPA Decision 144, on the basis that it contains errors of fact and jurisdictional defects. In this decision, the adjudicator partially upholds the request for reconsideration, finding that she omitted to fully address an allegation that a doctor disclosed the complainant’s personal health information to two other doctors, when it was not reasonably necessary for the provision of health care to the complainant. The adjudicator reviews this allegation and dismisses it.

This investigation file was opened after a public hospital contacted the Office of the Information and Privacy Commissioner/Ontario to report a privacy breach under the Personal Health Information Protection Act, 2004. The hospital advised that a patient had made a complaint, which alleged the unauthorized use and disclosure of her personal health information by a named physician. In particular, this investigation related to concerns that a “quality audit” the physician was conducting resulted in referrals of motor vehicle accident patients to his wife, a personal injury lawyer.
This Decision concludes that the quality audit conducted by the physician was an unauthorized use under the Act, and that I am unable to determine whether the physician disclosed personal health information in contravention of the Act. It also concludes that the hospital’s previously vague policies, practices and procedures regarding quality audits, and the complete lack of privacy training for physicians, did not amount to taking reasonable steps to protect the personal health information within the meaning of section 12(1) of the Act. However, I also find that the hospital has since remedied these issues.
Lastly, I decide that this review will be concluded without proceeding to the adjudication stage and without an order being issued by this office.

This reconsideration order dismisses the complainant’s request for reconsideration of PHIPA Decision 126. In that decision, the adjudicator found that the respondent is a health information custodian within the meaning of the Personal Health Information Protection Act, 2004 in relation to marriage counselling services he provided to the complainant and that he is not a health information custodian in relation to the co-parenting counselling services he provided to the complainant. The adjudicator also determined the respondent had conducted a reasonable search for records of the complainant’s personal health information. In this reconsideration decision, the adjudicator finds that the complainant has not established grounds for reconsideration under section 27.01 of the Code of Procedure for Matters under the Personal Health Information Protection Act, 2004 and denies the request.