The Toronto Police Services Board (the police or the TPS) was notified that a TPS employee may have inappropriately accessed the complainants’ personal information from a police database. The TPS investigated and found that the TPS employee accessed and disclosed the complainants’ personal information to another TPS employee in violation of the Municipal Freedom of Information and Protection of Privacy Act (the Act).
In this report, I find that the TPS employee conducted database searches of the complainants’ personal information without authorization, and verbally disclosed their personal information to another TPS employee contrary to the Act. I conclude that the TPS does not have reasonable measures in place to protect personal information in its database, as required by section 3(1) of Regulation 823 to the Act. I recommend improvements to the TPS verification and auditing protocols. I also recommend improvements to its privacy guidance documents, and privacy training program. In addition, I recommend notifying additional parties whose privacy was breached and who the TPS identified during this investigation.