The Office of the Information and Privacy Commissioner received a privacy complaint about the disclosure of a certified copy of a death registration for a deceased individual (the deceased) by the Ministry of Public and Business Service Delivery (the ministry) to an applicant who is not the deceased’s next of kin or extended next of kin. The complainant, who is the deceased’s mother and next of kin, believed that the disclosure was unauthorized and, therefore, a privacy breach under the Freedom of Information and Protection of Privacy Act (the Act).
In this report, I find that the information at issue is “personal information” within the meaning of section 2(1) of the Act and that the ministry’s disclosure of this information was not in accordance with section 42(1) of the Act. I also find that the ministry did not have reasonable measures in place to prevent unauthorized access to the personal information in accordance with section 4(1) of Regulation 460 made under the Act. As a result, I recommend that the ministry take reasonable steps to be satisfied as to the identity of an applicant before granting them access to a certified copy of a death registration. Further, as I found that the ministry did not respond adequately to the breach with respect to containment, I recommend that the ministry consider pursuing other means to retrieve the deceased’s certified copy of a death registration.