Dernières décisions

• Use of list of student names and contact information to administer mailings on behalf of the Golden Key Society

• Section 2(1) definition of personal information - records contain personal information

• Section 41 use of personal information - the use was in accordance with section 41 of the Act

• No recommendations

• Transfer of an individual's Labour Market Re-entry file to a WSIB Service Provider

• Section 2(1) "personal information" - record contains personal information.

• Section 42(1) (disclosure of personal information) - the disclosure was in accordance with the Act.

• Section 43 (consistent purpose) – the disclosure might have been reasonably expected.

• No recommendations made

This Privacy Complaint Report deals with two similar, but unrelated, privacy complaints. Both privacy complaints involve the Toronto Police Service, (the TPS) and its practice of disclosing information in response to Police Reference Checks. In both cases, the complainant was concerned that the actions of the TPS were inappropriate, and constituted a breach of the provisions of the Municipal Freedom of Information and Protection of Privacy Act. The investigation concluded that the personal information was not disclosed in accordance with section 32 of the Act and provided recommendations for the TPS.

The Office of the Information and Privacy Commissioner/Ontario (the IPC) received complaints under the Freedom of Information and Protection of Privacy Act (the Act) concerning the Ministry of Health and Long-Term Care from three patients at the Oak Ridge site of the Penetanguishene Mental Health Centre (the Centre). Specifically, the complaints relate to inspections of the patients’ computers and related equipment and material and the consents that patients were asked to provide in this regard.

The complainants maintain that the consent they were asked to sign was too broad and was requested, in their view, in a coercive manner such that if consent was not given, access to their computers was revoked. They feel that the impounding and inspection of their computers and related equipment under these circumstances was an inappropriate collection of their personal information and contrary to the Act.

In addition, one complainant (PC-040019-1) is also of the view that "spyware" had been installed on his computer during the course of the computer inspections. The same complainant feels that the apparent purpose of the search - to locate pornographic material, including child pornography, and copyright violations - is a criminal matter and the Centre does not have the jurisdiction to investigate criminal offences. He adds this as another reason why the computer searches should not have taken place.

Another complainant (PC-040021-1) is concerned that his CDs, containing personal information, are being stored in the nursing management office and not in a lockbox in his room as is the case with other patients.

On December 3, 2004, the Office of the Information and Privacy Commissioner (the IPC) was notified by the Ministry of Finance (the Ministry) about a breach of the Freedom of Information and Protection of Privacy Act(the Act). The Ministry advised that the privacy breach occurred with its November 30, 2004 mail-out of the Ontario Child Care Supplement cheques, which are mailed out on a monthly basis. The Ministry advised that each of the approximately 27,000 cheques mailed out contained the recipient's name, address, amount paid and social insurance number (SIN), along with four additional digits directly following the SIN. The counter-foil (the cheque stub) contained the name and SIN of the recipient as well as the name, address, and the SIN, along with four additional digits, of another recipient. The Ministry advised that the cheques were printed at the iSERV data centre in Downsview and mailed out for the Ministry by the Shared Services Bureau (the SSB) of Management Board Secretariat (MBS).

That same day, the IPC also received a second telephone call in relation to the incident, this time from MBS. MBS confirmed that the cheques were printed by iSERV, a program area for which MBS is responsible, and that MBS was investigating the circumstances leading to the privacy breach. MBS stated that it was now double-checking the cheques printed by iSERV for other programs, prior to mailing them out.

Both the Ministry and MBS expressed their concerns over the privacy breach and assured us of their intention to co-operate fully with our investigation, which they have done.

The IPC initiated privacy investigations under the Act with MBS (PC-040077-1) and the Ministry (PC-040078-1). Both investigations are addressed in this report since the privacy breach involved both the Ministry and MBS.

Summary of Commissioner-Initiated Investigation Background Results of the Investigation The Disclosure Steps Taken by the Ministry and MBS upon Learning of the Disclosure Remedial Steps taken by MBS Additional Disclosure and Notification Conclusions Other Matters The Use of the SIN as a Unique Identifier The Need for An Independent, Comprehensive Audit Recommendations Privacy Complaint Report Privacy Complaint Nos. PC-040077-1 and PC-040078-1 Institutions: Management Board Secretariat (PC-040077-1) Ministry of Finance (PC-040078-1) Summary of Commissioner-Initiated Investigation: On December 3, 2004, the Office of the Information and Privacy Commissioner (the IPC) was notified by the Ministry of Finance (the Ministry) about a breach of the Freedom of Information and Protection of Privacy Act (the Act ). The Ministry advised that the privacy breach occurred with its November 30, 2004 mail-out of the Ontario Child Care Supplement cheques, which are mailed out on a monthly basis. The Ministry advised that each of the approximately 27,000 cheques mailed out contained the recipient's name, address, amount paid and social insurance number (SIN), along with four additional digits directly following the SIN. The counter-foil (the cheque stub) contained the name and SIN of the recipient as well as the name, address, and the SIN, along with four additional digits, of another recipient. The Ministry advised that the cheques were printed at the iSERV data centre in Downsview and mailed out for the Ministry by the Shared Services Bureau (the SSB) of Management Board Secretariat (MBS). That same day, the IPC also received a second telephone call in relation to the incident, this time from MBS. MBS confirmed that the cheques were printed by iSERV, a program area for which MBS is responsible, and that MBS was investigating the circumstances leading to the privacy breach. MBS stated that it was now double-checking the cheques printed by iSERV for other programs, prior to mailing them out. Both the Ministry and MBS expressed their concerns over the privacy breach and assured us of their intention to co-operate fully with our investigation, which they have done. The IPC initiated privacy investigations under the Act with MBS (PC-040077-1) and the Ministry (PC-040078-1). Both investigations are addressed in this report since the privacy breach involved both the Ministry and MBS. Background The Ontario government has a number of programs that involve mailing cheques to individuals. The cheques for some programs, such as the Ontario Child Care Supplement for Working Families (OCCS) Program and the Ontario Disability Support Program, are printed at the iSERV data centre in Downsview. However, the cheques for other programs may be printed at a limited number of government buildings. Regardless of the government program, the process for printing and mailing cheques follows a common chain of events that typically involve the Office of the Provincial Controller (OPC), SSB, and the iSERV data centre in Downsview. For the OCCS program, the Ministry of Finance first prepares an electronic program file. This file contains data that will ultimately be printed out on each cheque, such as the name, address and identifying number (which includes the social insurance number) of an OCCS recipient. Each cheque includes a stub with similar data that would typically be detached and retained by the recipient before he or she deposited or cashed the cheque at a bank or other financial institution. The Ministry electronically transmits the OCCS program file to a "holding" s

SUMMARY OF COMMISSIONER INITIATED COMPLAINT: The Office of the Information and Privacy Comissioner/Ontario (the IPC) was contacted by Management Board Secretariat (MBS) regarding a disclosure of personal information relating to the Ontario Student Award Program (OSAP) by the Ministry of Training, Colleges and Universities and a private collection agency. Subsequently, this Office was contacted by MBS regarding a second disclosure of personal information relating to the same program by another private collection agency. On the basis of this information, the IPC initiated two privacy complaints under the Freedom of Information and Protection of Privacy Act (the Act ). Background The first complaint involves the Student Support Branch of the Ministry of Training, Colleges and Universities (the Ministry), and both complaints involve the Collections Management Unit (CMU) of the Shared Services Bureau (SSB) of MBS. The Student Support Branch of the Ministry manages OSAP, a program of student financial assistance administered by the Ministry and composed of a variety of programs funded by the province of Ontario and the government of Canada. The CMU manages the collection of overdue non-tax debts owing to the government, by hiring private sector debt collection agencies to undertake the collection of unpaid debts on behalf of the Ontario government. When a debtor defaults on the repayment of an OSAP loan and the Ministry is unable to settle the account with the debtor, the Ministry refers the debt to the CMU at MBS for collection, and these accounts are then assigned by the CMU to private collection agencies. Particulars of the two incidents In the first complaint, PA-040033-1, a private collection agency retained by MBS received a request from a debtor for supporting information about her student loan. In response, the agency forwarded the request to the Ministry, which in turn sent a copy of a bulk report prepared by a bank to the agency. The agency then forwarded this report to the debtor. However, the report contained the personal information of thirty- eight other individuals in addition to that of the debtor. In the second instance, PA-040044-1, another private collection agency mailed information to a debtor regarding her student loan and inadvertently enclosed the personal information of another debtor in the envelope. In both instances, MBS was made aware of the incidents by the two recipients of the records. The personal information in the records at issue included the student debtors’ names, social insurance numbers (SIN) and details regarding the student loans. Actions taken in response to these incidents PC-040033-1 Management Board Secretariat MBS advised that it undertook the following steps to address this incident. On receipt of the telephone call from the debtor’s mother advising that her daughter had received a record from a collection agency retained by MBS containing the personal information of individuals other than her daughter, staff in the SSB alerted senior management in the CMU, and obtained the debtor’s written consent for the SSB to communicate with her mother on this issue. A client services officer in the CMU then contacted the mother, who confirmed that her daughter received a record containing the names, social insurance numbers and details of the loans relating to 38 other individuals. The record was sent to the daughter by a private collection agency retained by the CMU. This information was provided to her daughter as a result of a request for supporting information from the Ministry regarding the daughter’s outstanding OSAP loan. At MBS’ request, the mother faxed the record to the CMU, and advised that she would shred her copy. Subsequently, MBS arranged to pick up the record by courier and has since returned it to the Ministry. The CMU then contacted the collection agency, which confirmed that it sent the information at issue to the daughter. It also confirmed that it had originally received this record from the Ministry. The CMU also contacted the Student Support Branch of the Ministry, which confirmed that the record was sent to the collection agency by the Ministry. The Ministry indicated that the record is one of a series of quarterly statements prepared for the years 1996 and 1997 for a particular bank identifying individuals who have participated in the interest relief program. The record identifies 38 individuals including the recipient. It contains the individuals’ social insurance number, given name and surname, and other details of the loans relating to these individuals. MBS notes that it has established comprehensive contractual provisions in its contracts with the PCA [private collection agency] agents it retains in order to protect the personal information that is collected, used and disclosed in the course of debt collection... at the behest of the CMU all [staff at the collection agency] were reminded that when receiving back-up information about debtors from Ministries they must conduct a thorough review of all documents to ensure that only the personal information of the debtor is mailed out; the CMU, the MBS legal services branch, and the Access and Privacy Office of MBS [conducted] a comprehensive privacy training session for staff of all PCAs retained by the CMU.[...] A training session [was] conducted for staff in the [CMU]. Ministry of Training, Colleges and Universities The Ministry advised that it undertook the following steps to address this incident. Specifically it sent letters to all 38 individuals, advising them that as the result of a mailing error, their personal information (name, social insurance number and the principal and interest of their OSAP loan) was inadvertently sent to another individual. The director of Student Support Branch, who signed the letter, apologized for the breach, stated that the record had been returned without being copied, and provided the name and telephone number of the Senior Manager of Operations as a contact person to provide them with additional information. We also informed the individuals that the ministry has changed the process by which banks and collection agencies report on OSAP loans and we have enhanced internal measures to protect client privacy. The letters were sent by registered mail to the most recent address that the ministry could obtain for each of the individuals. However, many of these addresses are several years old. To date, 21 of the letters have been returned to the ministry. These letters are being kept in the files of the individuals concerned. The Ministry indicated that in light of this incident, it has reviewed its policies and procedures and made the following changes: The processes under which disclosure of personal information is made to private collection agencies, upon request for proof of an OSAP debt, has been enhanced. Before disclosure is made by a financial services clerk, the disclosure is re

The Information and Privacy Commissioner/Ontario received two related complaints under the
Municipal Freedom of Information and Protection of Privacy Act (the Act). The complainants are the same in both cases and are parents whose son had been a student with the Toronto District School Board (the TDSB).

After their son had ceased as a student with the TDSB, the complainants applied to enrol their son in a school within the Toronto Catholic District School Board (the TCDSB). While the request for admission was being considered, the receiving school’s Vice-Principal contacted his counterpart at the son’s former school to obtain information in order to verify the son’s academic status and to assess whether the receiving school could meet his program needs. This contact was made by telephone.

The bases for the complaints are that a) the TCDSB should not have sought information about the son from the TDSB without the written consent of the parents and b) the TDSB should not have provided information about the son to the TCDSB without the parents’ written consent. The complainants maintain that these actions were contrary to the privacy provisions of the
Act.

Decisions in Privacy Complaint Nos. MC-030029-1 and MC-030029-2 have not been published

Decisions in Privacy Complaint Nos. MC-030028-1 and MC-030043-1 have not been published

An article appeared in a Toronto newspaper about a web site that provides school bus schedule information. Although designed to help with school bus scheduling in York Region, the article suggested it was “giving out kids’ info” and “stirred up fears about children’s safety”. As a result of privacy concerns and the related safety issues raised by the article, the IPC initiated a privacy investigation under the Act with respect to the information being disclosed on this web site. The investigation found that the web site and related phone system disclosed personal information, and that these disclosures are not authorized by section 32 of the Act. In addition, these disclosures have the potential to seriously threaten the safety of students. The IPC recommended both be dismantled.

An article appeared in a Toronto newspaper about a web site that provides school bus schedule information. Although designed to help with school bus scheduling in York Region, the article suggested it was “giving out kids’ info” and “stirred up fears about children’s safety”. As a result of privacy concerns and related safety issues raised by the article, the IPC initiated a privacy investigation under the Act with respect to the information being disclosed on this web site. The investigation found that the web site and related phone system disclose personal information, and that these disclosures are not authorized by section 32 of the Act. In addition, these disclosures have the potential to seriously threaten the safety of students. The IPC recommended both be dismantled.

The appellant wrote to the Leamington Police Services Board (the Police) seeking access under the
Municipal Freedom of Information and Protection of Privacy Act (the Act) to records relating to criminal charges brought against him. The Police failed to respond to the request within the 30 day period required by the Act, and the appellant appealed this “deemed refusal” to this office. During the mediation stage of the deemed refusal appeal, the Police wrote to the requester advising that they were providing partial access to the requested records, and enclosing an index of records. The Police claimed the application of the exemptions at sections 8 (law enforcement) and 14 (personal privacy) as the basis for withholding records in whole or in part. In particular, the Police cited sections 8(1)(g) and 8(2)(a), as well as sections 14(1)(f), 14(3)(a) and 14(3)(b). As a result of this decision, the deemed refusal appeal was closed.

The Office of the Public Guardian and Trustee (OPGT) notified the Office of the Information and Privacy Commissioner/Ontario (the IPC) of an incident involving misdirected faxes. Specifically, the Toronto Community Housing Corporation (TCHC) received a fax sent by the OPGT, and others, intended for the Ministry of Community and Social Services, now the Ministry of Community, Family and Children's Services (the Ministry).

The OPGT advised that it had faxed a special needs application to the Ministry's Ontario Disability Support Program (the ODSP). The fax was sent to the number provided by the ODSP Special Needs office. However, the next day, the TCHC telephoned the OPGT to advise that it had received this faxed document and as well as a number of similar documents intended for the ODSP.

In total, there were five faxes sent by various sources during the course of the day that were intended for the ODSP but which were received by TCHC instead. As mentioned above, one of these faxes was sent by the OPGT. The remainder consisted of a fax sent by a Ministry employee from a different location; faxes sent by two ODSP clients; and a fax sent by a private company. The following is a brief description of each of these faxes:

1. Fax sent by the OPGT consisted of a special needs application form and included an ODSP client's name, date of birth, OPGT file number, and the need for replacement glasses (1 page).

2. Fax sent by a Ministry employee consisted of a cover page with an ODSP client's name on it (1 page), a financial statement of entitlements for the client (2 pages), and a memo advising of re-admittance of the client to a mental health centre (1 page).

3. Fax sent by an ODSP client consisted of the client's earnings statement, description of her current medication, and timelines for back-to-work possibilities (2 pages).

4. Fax sent by another ODSP client consisted of his name, his wife's name and a reassessment decision regarding the status of his disability (1 page).

5. Fax sent by a private company pertained to the amount of rent paid by two ODSP clients, and contained the address and date of birth of one of the clients (2 pages).

As a result, three privacy complaints were initiated by the IPC involving the OPGT, the Ministry and the TCHC.

...

The Office of the Public Guardian and Trustee (OPGT) notified the Office of the Information and Privacy Commissioner/Ontario (the IPC) of an incident involving misdirected faxes. Specifically, the Toronto Community Housing Corporation (TCHC) received a fax sent by the OPGT, and others, intended for the Ministry of Community and Social Services, now the Ministry of Community, Family and Children's Services (the Ministry).

The OPGT advised that it had faxed a special needs application to the Ministry's Ontario Disability Support Program (the ODSP). The fax was sent to the number provided by the ODSP Special Needs office. However, the next day, the TCHC telephoned the OPGT to advise that it had received this faxed document and as well as a number of similar documents intended for the ODSP.

In total, there were five faxes sent by various sources during the course of the day that were intended for the ODSP but which were received by TCHC instead. As mentioned above, one of these faxes was sent by the OPGT. The remainder consisted of a fax sent by a Ministry employee from a different location; faxes sent by two ODSP clients; and a fax sent by a private company. The following is a brief description of each of these faxes:

1. Fax sent by the OPGT consisted of a special needs application form and included an ODSP client's name, date of birth, OPGT file number, and the need for replacement glasses (1 page).

2. Fax sent by a Ministry employee consisted of a cover page with an ODSP client's name on it (1 page), a financial statement of entitlements for the client (2 pages), and a memo advising of re-admittance of the client to a mental health centre (1 page).

3. Fax sent by an ODSP client consisted of the client's earnings statement, description of her current medication, and timelines for back-to-work possibilities (2 pages).

4. Fax sent by another ODSP client consisted of his name, his wife's name and a reassessment decision regarding the status of his disability (1 page).

5. Fax sent by a private company pertained to the amount of rent paid by two ODSP clients, and contained the address and date of birth of one of the clients (2 pages).

As a result, three privacy complaints were initiated by the IPC involving the OPGT, the Ministry and the TCHC.