On December 3, 2004, the Office of the Information and Privacy Commissioner (the IPC) was notified by the Ministry of Finance (the Ministry) about a breach of the Freedom of Information and Protection of Privacy Act(the Act). The Ministry advised that the privacy breach occurred with its November 30, 2004 mail-out of the Ontario Child Care Supplement cheques, which are mailed out on a monthly basis. The Ministry advised that each of the approximately 27,000 cheques mailed out contained the recipient's name, address, amount paid and social insurance number (SIN), along with four additional digits directly following the SIN. The counter-foil (the cheque stub) contained the name and SIN of the recipient as well as the name, address, and the SIN, along with four additional digits, of another recipient. The Ministry advised that the cheques were printed at the iSERV data centre in Downsview and mailed out for the Ministry by the Shared Services Bureau (the SSB) of Management Board Secretariat (MBS).
That same day, the IPC also received a second telephone call in relation to the incident, this time from MBS. MBS confirmed that the cheques were printed by iSERV, a program area for which MBS is responsible, and that MBS was investigating the circumstances leading to the privacy breach. MBS stated that it was now double-checking the cheques printed by iSERV for other programs, prior to mailing them out.
Both the Ministry and MBS expressed their concerns over the privacy breach and assured us of their intention to co-operate fully with our investigation, which they have done.
The IPC initiated privacy investigations under the Act with MBS (PC-040077-1) and the Ministry (PC-040078-1). Both investigations are addressed in this report since the privacy breach involved both the Ministry and MBS.