PC-040078-1

Collection: Privacy Reports
Date:
Decision Type: Privacy Complaint Report
Applicable Legislation: FIPPA; FIPPA - 42

Contents

- Summary of Commissioner-Initiated Investigation
- Background
- Results of the Investigation
- The Disclosure
- Steps Taken by the Ministry and MBS upon Learning of the Disclosure
- Remedial Steps taken by MBS
- Additional Disclosure and Notification
- Conclusions
- Other Matters
- The Use of the SIN as a Unique Identifier
- The Need for An Independent, Comprehensive Audit
- Recommendations

Privacy Complaint Report

Privacy Complaint Nos. PC-040077-1 and PC-040078-1

Institutions:
Management Board Secretariat (PC-040077-1)
Ministry of Finance (PC-040078-1)

Summary of Commissioner-Initiated Investigation:

On December 3, 2004, the Office of the Information and Privacy Commissioner (the IPC) was notified by the Ministry of Finance (the Ministry) about a breach of the Freedom of Information and Protection of Privacy Act (the Act). The Ministry advised that the privacy breach occurred with its November 30, 2004 mail-out of the Ontario Child Care Supplement cheques, which are mailed out on a monthly basis.

The Ministry advised that each of the approximately 27,000 cheques mailed out contained the recipient's name, address, amount paid and social insurance number (SIN), along with four additional digits directly following the SIN. The counter-foil (the cheque stub) contained the name and SIN of the recipient as well as the name, address, and the SIN, along with four additional digits, of another recipient. The Ministry advised that the cheques were printed at the iSERV data centre in Downsview and mailed out for the Ministry by the Shared Services Bureau (the SSB) of Management Board Secretariat (MBS).

That same day, the IPC also received a second telephone call in relation to the incident, this time from MBS. MBS confirmed that the cheques were printed by iSERV, a program area for which MBS is responsible, and that MBS was investigating the circumstances leading to the privacy breach. MBS stated that it was now double-checking the cheques printed by iSERV for other programs, prior to mailing them out.

Both the Ministry and MBS expressed their concerns over the privacy breach and assured us of their intention to co-operate fully with our investigation, which they have done.

The IPC initiated privacy investigations under the Act with MBS (PC-040077-1) and the Ministry (PC-040078-1). Both investigations are addressed in this report since the privacy breach involved both the Ministry and MBS.

Background

The Ontario government has a number of programs that involve mailing cheques to individuals. The cheques for some programs, such as the Ontario Child Care Supplement for Working Families (OCCS) Program and the Ontario Disability Support Program, are printed at the iSERV data centre in Downsview. However, the cheques for other programs may be printed at a limited number of government buildings.

Regardless of the government program, the process for printing and mailing cheques follows a common chain of events that typically involve the Office of the Provincial Controller (OPC), SSB, and the iSERV data centre in Downsview.

For the OCCS program, the Ministry of Finance first prepares an electronic program file. This file contains data that will ultimately be printed out on each cheque, such as the name, address and identifying number (which includes the social insurance number) of an OCCS recipient. Each cheque includes a stub with similar data that would typically be detached and retained by the recipient before he or she deposited or cashed the cheque at a bank or other financial institution.

The Ministry electronically transmits the OCCS program file to a "holding" s