Decisions

A father filed a complaint against a counselling centre’s decision to deny him access to records containing the personal health information (PHI) of his three children. In this decision, the adjudicator finds that the father does not have an independent right of access to his children’s PHI under Part V of PHIPA, given the children’s mother’s objection, and dismisses his complaint. However, the adjudicator finds that the father’s evidence raises the potential application of sections 41(1)(d)(i) (court order) and 43(1)(h) (other statute) under Part IV of PHIPA which may permit the custodian to disclose the records to the father without consent of the other parent. The adjudicator makes no order but suggests that the custodian turn its mind to the discretionary disclosure provisions under PHIPA.

The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint from an individual in which he advised that the County of Norfolk (the County), without notice to him, disclosed his personal information in response to two access requests made under the Municipal Freedom of Information and Protection of Privacy Act (the Act). This report finds that the County’s disclosure of the complainant’s information was not in accordance with section 32 of the Act.

The Ministry of Community and Social Services (the ministry) reported a privacy breach under the Freedom of Information and Protection of Privacy Act (the Act) to the Office of the Information and Privacy Commissioner of Ontario (IPC). The ministry advised that a Family Responsibility Office (FRO) employee inappropriately accessed the case files of multiple FRO clients and disclosed the personal information of some of them to an unauthorized individual. This report finds that the disclosure of information was not in accordance with section 42(1) of the Act. It also finds that, at the time of the breach, the ministry did not have reasonable measures in place to prevent unauthorized access to the records. However, in the light of the steps taken by the ministry to address its deficiencies in protecting personal information, no further recommendations are required.

The complainant requested the video recordings of events leading up to, and including, his restraint and placement in a seclusion room by staff at Waypoint Centre for Mental Health Care (the hospital). The hospital denied the complainant access to the responsive records under section 52(1)(f) of the Personal Health Information and Protection Act, 2004 (PHIPA), with reference to section 49(a) of the Freedom of Information and Protection of Privacy Act (FIPPA), in conjunction with various law enforcement exemptions in section 14(1) of FIPPA.
The adjudicator finds that the records are not “dedicated primarily to” the complainant’s personal health information (PHI). Accordingly, the complainant’s right of access under PHIPA is limited to his PHI that can reasonably be severed from the remaining portions of the records. The adjudicator finds that some portions of the records containing the complainant’s PHI qualify for exemption under section 52(1)(f) of PHIPA, with reference to sections 49(a) and 14(1)(k) (security of a centre of lawful detention) of FIPPA.
The hospital is ordered to grant the complainant access to the portions of the video containing his PHI that can reasonably be severed from the exempt information.

In this final decision, the adjudicator upholds the reasonableness of the search conducted by the hospital in response to PHIPA Decision 101. As the only remaining issue for determination in the complaint is now resolved, this complaint is dismissed.

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Ministry of Transportation contravened the Freedom of Information and Protection of Privacy Act when it disclosed the complainant’s personal information to the War Amputations of Canada. This report finds that the information at issue is “personal information” as defined in section 2(1) of the Act and that the personal information was disclosed in accordance with section 42(1)(c) of the Act.

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Town of East Gwillimbury (the town) contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act) when it released a record with the complainant’s personal information to the public. A complaint was opened to review the town’s collection, use and disclosure of the information at issue. In this report, I find that the some of the information contained in the record at issue is personal information. I find that the town’s collection and use of that information was in accordance with the Act. However, I find that the disclosure of the personal information in the publicly available record was not in accordance with section 32 of the Act.
I recommend that the town redact all street numbers and street names contained in the publicly available memo, chart, agenda and the Special Council Meeting minutes.

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Halton Regional Police Services Board (the police)’s online application process for a police record check, which involves a third party company, collects and uses applicants’ personal information contrary to the Municipal Freedom of Information and Protection of Privacy Act (the Act).
In this Report, I conclude that the police’s retention and use of applicants’ information is, respectively, in accordance with sections 30(1) and 31 of the Act. I also conclude that the police have reasonable measures in place to protect the information, as required by section 3(1) of Regulation 823. However, I find that the police’s collection of the information and notice of the collection is not, respectively, in accordance with sections 28(2) and 29(2) of the Act. In response to this finding, the police have agreed to implement my recommendations to address this concern.

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the City of Toronto contravened the Municipal Freedom of Information and Protection of Privacy Act when it disclosed four video records containing the complainant’s personal information in response to a Freedom of Information request. This report finds that the records at issue were used by the city as the basis for an investigation of the complainant’s conduct as a city employee and are excluded from the scope of the Act pursuant to section 52(3)3.

On November 9, 2016, the Ontario Lottery and Gaming Corporation (OLG) notified the Office of the Information and Privacy Commissioner/Ontario (the IPC) of a possible privacy breach under the Freedom of Information and Protection of Privacy Act (FIPPA or the Act). OLG advised that a hacker had managed to steal information about employees and patrons of Casino Rama Resort (CRR) and was threatening to make the information public unless he was paid a ransom. OLG could not confirm the amount or extent of information in possession of the hacker. OLG further stated that the hacker claimed to have 154 gigabytes of CRR data and had posted examples of the information online. On November 21, 2016, the hacker released 4.49 gigabytes of CRR data on the Internet reported to consist of more than 14,000 documents.

In this report, I conclude that CRR did not have reasonable security measures in place to prevent unauthorized access to records of personal information of CRR patrons and individuals registered for OLG’s self-exclusion program (OLG self-exclusion registrants); however, since the breach, CRR has taken steps to address the gaps in its systems and processes. Although I am generally satisfied with CRR’s response to the breach in this regard, this report makes additional recommendations to address some specific shortcomings.

The other pillar of the IPC’s investigation concerns the contract between OLG and the private-sector company responsible for operating CRR on behalf of OLG, CHC Casinos Canada Limited (CHC or the Operator). In this report, I conclude that OLG did not have reasonable contractual and oversight measures in place to ensure the privacy and security of the personal information of CRR patrons and OLG self-exclusion registrants. This report also makes recommendations to address these shortcomings.

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Human Rights Tribunal of Ontario (the Tribunal) contravened the Freedom of Information and Protection of Privacy Act (the Act) when it disclosed personal information in a public decision. A complaint was opened to review the Tribunal’s use and disclosure of personal information. In this report, I find that the Tribunal’s decisions are not covered by the privacy rules in Part III of the Act because the information in those decisions is maintained for the purpose of creating a record available to the general public.

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Human Rights Tribunal of Ontario (the Tribunal) contravened the Freedom of Information and Protection of Privacy Act (the Act) when it disclosed personal information in a public decision. A complaint was opened to review the Tribunal’s collection, use and disclosure of personal information. In this report, I find that the Tribunal’s decisions are not covered by the privacy rules in Part III of the Act because the information in those decisions is maintained for the purpose of creating a record available to the general public.
Although I find that the Tribunal’s decisions are outside the scope of Part III of the Act, I recommend that the Tribunal respect privacy data minimization practices and ensure that only the personal information that is necessary in order to achieve the Tribunal’s purposes be included in its decisions.

On May 25, 2016, the Office of the Information and Privacy Commissioner/Ontario received an appeal under the Municipal Freedom of Information and Protection of Privacy Act (the Act) in relation to an access decision issued by the Township of McGarry (the Township). During the processing of the appeal, the lawyer for the Township wrote to the affected parties in order to notify them of the access request and to obtain consent to disclose the information related to them that had been identified as responsive to the access request.
In correspondence to the affected parties, the Township’s lawyer disclosed the name of the individual who sought access to the requested information. This Report finds that the information disclosed was personal information and that the disclosure was not in accordance with section 32 of the Act.
This Report also finds that the Mayor is the “head” of the Township, and that the head has not complied with section 3(1) of Ontario Regulation 832. Specifically, the head has not ensured that the Township has defined, documented and put in place reasonable measures to prevent and respond to unauthorized use or disclosure of records containing or revealing the identity of a requester.

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Hamilton-Wentworth District School Board (the Board) contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act) when it disclosed a student’s personal information to a photography vendor. I conclude that the collection and use of students’ photographs for administrative purposes is in accordance with sections 28(2) and 31 of the Act, respectively. As well, I find that the Board’s notice of collection complies with section 29(2) of the Act and that the Board’s Service Agreement with the vendor included adequate provisions with respect to the protection of the students’ personal information. Furthermore, while I conclude that the Board’s disclosure of students’ personal information to the vendor for administrative and limited marketing purposes was in accordance with section 32 of the Act, I find that the disclosure for the vendor’s Pictures2Protect Program was not.

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Toronto District School Board (the Board) contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act) when it disclosed a student’s personal information to a photography vendor who in turn contacted the student’s parents to advertise their services. I conclude that the collection and use of students’ photographs for administrative purposes is in accordance with sections 28(2) and 31 of the Act, respectively and that the Board’s disclosure of students’ personal information to the vendor for administrative and limited marketing purposes was in accordance with section 32 of the Act. I also conclude that the notice of collection of student photographs does not comply with section 29(2) of the Act; nor did the Board’s Service Agreement with the vendor include adequate provisions with respect to the protection of students’ personal information.