THIRTY YEARS OF ACCESS AND PRIVACY SERVICE 2017 ANNUAL REPORT June 14, 2018
The Honourable Dave Levac Speaker of the Legislative Assembly of Ontario
Dear Speaker,
I have the honour to present the 2017 Annual Report of the Information and Privacy Commissioner of Ontario to the Legislative Assembly.
This report covers the period from January 1 to December 31, 2017.
Please note that additional reporting from 2017, including the full array of statistics, analysis and supporting documents, may be found within our online Annual Report section at www.ipc.on.ca.
Sincerely yours,
Brian Beamish Commissioner TABLE OF CONTENTS
COMMISSIONER’S MESSAGE 1 ABOUT US 9 OUR WORK 10 ACCESS TO INFORMATION 14 MUNICIPAL LEGISLATION 15 DELETION OF EMAILS 15 PROMOTING UNDERSTANDING OF ACCESS ISSUES 16 SIGNIFICANT ACCESS DECISIONS 16 MEDIATED APPEALS 19 JUDICIAL REVIEWS 20 PROTECTION OF PRIVACY 22 DATA PRIVACY DAY 23 CHILD, YOUTH AND FAMILIES SERVICES ACT, 2017 24 IPC’S DE-IDENTIFICATION PUBLICATION WINS AT INTERNATIONAL CONFERENCE 24 PRIVACY IN EDUCATION 24 POLICE SERVICES ACT 25 ANTI-RACISM ACT 25 BIG DATA 25 OPEN GOVERNMENT AND PRIVACY 26 PRIVACY INVESTIGATIONS 26 CONSULTATIONS 30 HEALTH 32 NEW CODE OF PROCEDURE FOR MATTERS UNDER PHIPA 34 THREE-YEAR REVIEWS OF PRESCRIBED HEALTH ENTITIES AND PERSONS 34 SIGNIFICANT PHIPA DECISIONS 35 30 YEARS OF ACCESS AND PRIVACY SERVICE 40 GUIDANCE AND FACT SHEETS 44 COMMISSIONER’S RECOMMENDATIONS 46 STATISTICS 50 FINANCIAL SUMMARY IBC What has not changed in all of these years ... is our unwaveringWhat has pursuit not changed of in all of these years ... is privacyour protection unwavering pursuit within of privacy protection within a a moremore open, open, transparenttransparent and and accountableaccountable Ontario. Ontario.
Thirty Years of Access and Privacy Service
COMMISSIONER’S MESSAGE
4 1 2017 WAS A MILESTONE YEAR FOR THE OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER (IPC), ONE IN WHICH MY OFFICE PROUDLY CEL- EBRATED 30 YEARS OF ACCESS AND PRIVACY SERVICE TO ONTARIANS. For more than three decades, protecting and advanc- ing access to information and personal privacy rights has been at the forefront of our work.
Much has changed since we first opened our doors in 1987. In 1988, the Freedom of Informa- tion and Protection of Privacy Act (FIPPA) came into force, followed by its municipal counterpart, MFIPPA, in 1991. The IPC has seen its mandate expand a number of times since then. In 2004, the Personal Health Information Protection Act (PHIPA) ushered in a new era of health privacy rights for Ontarians, and has since become the gold standard against which other health privacy statutes are measured. The IPC’s mandate grew yet again in 2006 when universities were brought under FIPPA, and again in 2012 when hospitals followed suit. Soon, our mandate will undergo another historic expansion when, for the first time ever, children’s aid societies and other child and family service providers will become subject to the IPC’s oversight.
What has not changed in all of these years, how- ever, is our unwavering dedication to privacy protection while pursuing a more open, trans- parent and accountable Ontario. Each expansion of our mandate has brought greater access to information, more government transparency and increased privacy rights for Ontarians.
Included in this annual report is a special anni- versary retrospective, highlighting our 30-year legacy—from our extensive advocacy work to the major milestones and many successes we have
4 1 achieved as an oversight agency. The last three missioner) v. University of Calgary. In this decision, decades have been productive and rewarding the court ruled that Alberta’s IPC did not have the for the IPC and 2017 unfolded in very much the power to compel the production of records over same vein. which solicitor-client privilege is claimed. This ruling raises serious concerns for Canada’s Privacy Day and Big Data IPCs, who require this power to independently review appeals of access decisions and properly 2017 began on a high note with our signature fulfil our respective mandates as the nation’s Privacy Day event, this year focusing on the access and privacy regulators. theme of Government and Big Data. We welcomed privacy and big data experts who engaged in This SCC decision was the impetus for passing a a lively discussion about the various privacy joint resolution, in which we called on govern- challenges that governments face in the era of ments to amend access and privacy laws to ensure big data. I used this special occasion to call on the that IPCs across Canada are expressly authorized Ontario government to modernize our access and to compel the production of records over which privacy laws to ensure that public institutions solicitor-client privilege is claimed. This is critical harness data analytics in a privacy-protective if we are to safeguard the independent review of manner. FIPPA and MFIPPA were designed such claims and verify that institutions are prop- almost 30 years ago, prior to the emergence of big erly applying this exemption. data analytics as tools to identify trends, detect patterns and gather other valuable findings from Student Privacy the massive amount of information available to government institutions. With more organiza- My office collaborated with our federal counter- tions relying on data to develop evidence-based parts on another important front in 2017. This programs and policies, the need for legislative time we partnered with the Office of the Privacy reform in this area has never been greater. My Commissioner of Canada in a joint research effort office will continue to work closely with institu- to evaluate online educational services. Our work tions to ensure that the great promise of big data was part of a larger, annual initiative coordinated respects and protects their privacy rights. by the Global Privacy Enforcement Network, made up of over 60 privacy enforcement author- Joint Resolution on Solicitor-Client ities around the world who work to strengthen Privilege privacy protections in an increasingly data-rich landscape. In 2017, I represented the IPC at the annual fed- eral, provincial and territorial meeting of Infor- As part of this privacy initiative, our offices eval- mation and Privacy Commissioners in Iqaluit, uated a number of online educational services to Nunavut. At the top of the agenda was a discussion determine what personal information is collected, about the Supreme Court of Canada’s (SCC) 2016 how it is used and disclosed, and what control decision in Alberta (Information and Privacy Com- users have over their personal information.
2 3 Our review included best practices for protecting Global Privacy Award for IPC student privacy and recommended that educators De-identification Guidelines carefully examine privacy policies and terms of service to understand how students’ information In 2017, our De-identification Guidelines for Struc- may be collected, used, and disclosed. We also tured Data won the inaugural International Con- urged educators to consult with school officials ference of Data Protection and Privacy Commis- before selecting online educational services to sioners’ (ICDPPC) award for excellence in research. ensure they comply with Ontario privacy laws. The ICDDPC awards attracted 90 entries from data protection and privacy authorities around the world and were announced at the 39th ICDPPC Prescribed Health Entities and Registries conference in Hong Kong.
Every three years, my office reviews the priva- Our guidelines are the first of their kind in Canada cy-related practices and procedures of prescribed to use plain language to explain sophisticated entities and registries in the health sector. In de-identification concepts for the process of 2017, the IPC conducted this review to determine removing personal information from a record or whether they continue to meet the requirements data set. I was honoured to accept this award on under PHIPA. behalf of the IPC and it was especially gratifying to have our efforts recognized on the global stage. As part of this year-long process, each of the four The IPC’s Crossing the Line: The Indiscriminate prescribed entities* and six prescribed registries** Disclosure of Attempted Suicide Information to US submitted detailed written reports and sworn affi- Border Officials via CPIC was also recognized as a davits to my office, attesting that their respective finalist in the dispute resolution, enforcement and information practices and procedures are consis- compliance category. This report, and the subse- tent with Ontario’s health privacy law. quent court resolution, was the result of working Based on our comprehensive reviews, my office collaboratively with the Toronto Police Service was pleased to confirm that all prescribed entities and privacy, mental health, and human rights and registries continue to have in place practices stakeholders to develop privacy-protective mea- and procedures that protect the health privacy of sures that bring greater clarity and discipline to police disclosure practices. Ontarians, and sufficiently maintain the confi- dentiality of their information. An Ontario-Based Philadelphia Model for * Cancer Care Ontario, Canadian Institute for Sexual Assault Research Health Information, Institute for Clinical Eval- uative Sciences, Pediatric Oncology Group of In 2017, my office engaged with the Kingston Ontario ** Cardiac Care Network of Ontario, INS- and Ottawa police, the Ottawa Rape Crisis Centre, CYTE, Cancer Care Ontario, Children’s Hospital and other policing and violence against women of Eastern Ontario, Ontario Institute for Cancer stakeholders on how to implement the US-based Research, Hamilton Health Sciences Corporation. Philadelphia Model. This is a model where police
2 3 The Privacy Protective Roadmap Understanding Exemptions in FIPPA and MFIPPA Issues and solutions in the context of a collaborative service delivery development: The Situation Table
The success of our webinar series has helped us to overcome geographical barriers to delivering our mandate on behalf of all Ontarians, regardless of where they live or work.
and women’s advocates regularly review closed ing access, privacy, and health privacy issues facing sexual assault files to identify any investigative our public and health care sector stakeholders. shortcomings related to, for example, biases or Our popular Reaching Out to Ontario series is a key stereotypes. The centrepiece of our collaborative element of our outreach program, with visits this work was the development of a model Memo- past year to Thunder Bay and Windsor. These randum of Understanding (MOU) and confiden- events featured a range of topics including the tiality agreement, designed to set the terms for privacy risks of big data; the benefits of open con- the review of sexual assault cases by police and tracting; how institutions can protect against ran- external reviewers. Our Kingston-based model somware attacks; recent developments in access to MOU and confidentiality agreement will help to information laws; and the technical, physical and ensure a privacy-protective framework is in place administrative safeguards that health care pro- for other police services considering the use of the Philadelphia Model. viders should implement to protect their patients’ information.
Outreach and Stakeholder Engagement My office continued to fulfil our commitment to increased engagement with audiences across the So much of what we do at the IPC involves educat- province through our interactive webinar series. ing public and health sector institutions—and the One of the webinars we hosted this year focused people they serve—about their access and privacy on how the IPC interprets FIPPA and MFIPPA rights and obligations. In 2017, IPC staff delivered exemptions. This webinar exceeded all expecta- more than 100 presentations on leading and emerg- tions, attracting more than 600 registrants who
4 5 Understanding Exemptions in FIPPA and MFIPPA The Impact of Records and Information Management on Access and Privacy
watched the live presentation and participated in providing a strong level of accountability for the the Q&A session that followed. The webinar series veracity of their 2017 statistical submissions. has helped us to overcome geographical barriers to engaging with all Ontarians, regardless of where Policy Consultations with Government they live or work. Much of the work at the IPC centres on provid- Annual Statistical Report Attestations of ing advice on proposed legislation, programs FIPPA Compliance and practices to ensure that they comply with Ontario’s access and privacy laws. In 2017 alone, Every year, public institutions must submit an I provided my comments on four bills, including annual statistical report to the IPC – this responsi- Bill 68, Modernizing Ontario’s Municipal Legislation bility forms an important part of their work and Act, 2017; Bill 84, the Medical Assistance in Dying is required by law. One of my 2016 Annual Report Statute Law Amendment Act, 2017; Bill 89, the Sup- recommendations was that all deputy ministers porting Children, Youth and Families Act; and Bill sign and submit an annual attestation to my 160, the Strengthening Quality and Accountability for office, indicating that their respective ministries Patients Act, 2017. A common thread across all of are in compliance with the statistical reporting my submissions was to urge the Ontario govern- requirements set out in FIPPA and that their ment to advance the basic tenets of open govern- statistics are accurate. ment and privacy protection and to ensure that This year my office received attestations from these bills guard against the erosion of Ontarians’ the deputy ministers of Ontario’s 30 ministries, access to information and privacy rights.
4 5 Throughout 2017 my office consulted extensively our Tribunal Services staff responded to this dra- with the Ministry of Children and Youth Services, matic increase in workload. the Ontario Child Advocate and the child welfare sector to support the implementation of the Child, Final Thoughts Youth and Family Services Act (CYFSA). When Part X of this law comes into force, on January 1, 2020, As I reflect on the IPC’s 30-year history, I would the IPC will mark an historic expansion of its like to thank our staff—past and present—for their responsibilities. For the first time, Ontarians will professionalism in meeting the many pressures have the right to access their personal information and demands we have faced as an organization. held by children’s aid societies and other service Our work would not be possible without their providers and file privacy complaints against them dedication to protecting and advancing Ontarians’ with my office. My staff and I look forward to our access and privacy rights. Their ongoing commit- expanded oversight and believe it will usher in an ment to excellence has helped to make the IPC one era of greater public accountability in Ontario. of the most respected oversight agencies in the country. I feel confident that in the years ahead Mandatory Health Privacy Breach my office will continue to build on the progress we Reporting made over the last 30 years.
PHIPA underwent a number of significant amendments in 2017, one of which requires that health care providers, such as hospitals, medical offices and others who deal with patient infor- mation, report certain health privacy breaches to my office. To help health care organizations Brian Beamish and professionals understand and meet their Commissioner new mandatory reporting requirements, the IPC published privacy breach reporting guidelines that outline reporting criteria and explain when and in what circumstances these bodies must notify the IPC of a breach. I was pleased to see this amend- ment come into effect on October 1, and believe it will better protect patient privacy and improve accountability and transparency across Ontar- io’s health care system. Our front-line staff was certainly put to the test by the resulting increase in reports. The number of breaches reported to our office more than doubled for the last three months of 2017, compared to the same period in 2016. I was once again impressed by the agility with which
6 7 Ontarians will have the right to access their personal information held by children’s aid societies and other service providers and file privacy complaints against them with my office.
6 7 OUR VALUES
RESPECT | We treat all people with respect and dignity, and value diversity and inclusiveness. INTEGRITY | We take accountability for our actions and embrace transparency to empower public scrutiny. FAIRNESS | We make decisions that are impartial and independent, based on the law, using fair and transparent procedures. COLLABORATION | We work constructively with our colleagues and stakeholders to give advice that is practical and effective. EXCELLENCE | We strive to achieve the highest professional standards in quality of work and delivery of services in a timely and efficient manner.
OUR STRATEGIC GOALS
Uphold the public’s right to know and right to privacy Encourage open, accountable and transparent public institutions Promote privacy protective programs and practices Ensure an efficient and effective organization with engaged and knowledgeable staff Empower the public to exercise its access and privacy rights
8 For three decades, protecting and advancing access to information and personal privacy rights has been at the forefront of our work.
ABOUT US
Established in 1987, the Office of the Information and Privacy Commissioner of Ontario (IPC) provides independent oversight of the province’s access and privacy laws.
The Freedom of Information and Protection of Privacy Act (FIPPA) applies to over 300 provincial institutions such as ministries, provincial agencies, boards and commissions, as well as community colleges, universities, local health integration networks, and hospitals.
The Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) applies to over 1,200 municipal institutions such as municipalities, police services boards, school boards, conservation authorities, boards of health, and transit commissions.
The Personal Health Information Protection Act (PHIPA) covers individuals and organizations in Ontario that are involved in the delivery of health care services, including hospitals, pharmacies, laboratories, and Ontario’s Ministry of Health and Long-Term Care, as well as health care providers such as doctors, dentists, and nurses.
9 Our Work
Commissioner and made 103 presentations to our front-line response to privacy stakeholder and public audiences. breaches. The Commissioner is appointed by In 2017, our Registrar received: the Legislative Assembly of Ontario and is independent of the gov- Tribunal • 1,392 access appeals ernment of the day. His mandate Intake • 629 health complaints includes resolving access to infor- mation appeals and privacy com- The Registrar receives all access • 268 privacy complaints plaints, educating the public about appeals and privacy complaints, We closed 246 privacy and 538 access and privacy issues, reviewing including health privacy com- health complaints at intake in 2017. information practices and com- plaints, and directs them to the menting on proposed legislation, appropriate department. Intake Investigation and Mediation programs, and practices. can screen out or resolve appeals Our team of investigators gather In 2017, the IPC was mentioned or complaints at an early stage. information and resolve privacy more than 100 times in the media Our intake analysts also serve as complaints, including health
10 11 TRIBUNAL SERVICES privacy complaints, while our team gative report. Our PHIPA inves- of mediators work to resolve or tigators also issued four decisions, OVERVIEW narrow the issues in access appeals closing breach investigations. with a view to a mutually agree- • 1,392 ACCESS APPEALS Adjudication able solution. While our decisions RECEIVED attract the most attention, the When a resolution cannot be majority of access appeals and found through mediation, access • 686 ACCESS APPEALS privacy complaints are resolved appeals and health complaints are SETTLED AT THE through mediation. forwarded to an adjudicator who MEDIATION STAGE In 2017, 686 access to information will decide whether to conduct a appeals were fully resolved at the formal inquiry. The adjudicator • 1,414 ACCESS APPEALS mediation stage. Ten privacy com- collects and reviews evidence and CLOSED plaints moved to Mediation and arguments and issues a final and Investigation and six were closed. binding decision. A court review of • 268 PRIVACY One was resolved through media- IPC decisions is available in some COMPLAINTS RECEIVED tion and five resulted in an investi- limited circumstances. • 273 PRIVACY COMPLAINTS CLOSED
• 629 HEALTH COMPLAINTS RECEIVED
• 617 HEALTH COMPLAINTS CLOSED
• 140 PROVINCIAL ORDERS ISSUED
• 135 MUNICIPAL ORDERS ISSUED
• 26 PHIPA DECISIONS ISSUED
10 11 In 2017, our adjudicators closed IPC’s decisions and in other court analysts to examine and review 140 provincial access to informa- cases regarding access to informa- their access and privacy practices. tion appeals through orders, 135 tion and privacy issues. They also examine and provide municipal appeals through orders and 22 PHIPA decisions. In 2017, our Legal Services Depart- comments on any proposed legis- ment made more than 32 presenta- lation that may affect the rights of tions and represented the Commis- Ontarians. Legal sioner in six court hearings. Legal Services also represented the IPC as Our legal department works in close In 2017, our Policy Department an intervener in a case before the collaboration with and provides released nine guidance documents, Supreme Court of Canada. legal advice and support to the fact sheets and reports, and pro- Commissioner and other depart- ments. Our lawyers frequently Policy vided consultations and advice to provide advice and comments with a variety of public sector organi- respect to proposed legislation, pro- Our policy analysts research, ana- zations and made more than 21 grams and technologies in the gov- lyze, and provide advice on current, presentations where they provided ernment and health sectors. They evolving and emerging access and also represent the Commissioner in privacy issues. Public organiza- information and insight on privacy judicial reviews and appeals of the tions will frequently ask our policy and access issues.
12 13 Health Policy Communications from the public through our public enquiry lines each year. Our health policy team researches Communications promotes the work of the IPC and engages in privacy issues relating to personal Corporate Services and public information campaigns and health information and provides outreach initiatives to inform and Technology guidance through education, con- empower both the public and public From overseeing organizational servants about matters of access sultation, and comment on health operations such as human resources and privacy. Our communications policy and legislation. They also and monitoring expenditures to team also manages the IPC website, conduct reviews of the information providing technical support, our social media channels, media rela- Corporate Services and Technology practices of prescribed entities and tions, and public events. department provides the day-to- persons on a tri-annual basis. In 2017, Communications fielded day operational support and infra- In 2017, Health Policy issued eight more than 76 media calls, devel- structure needed for the Commis- sioner and IPC staff to do their jobs publications, helped develop amend- oped two webinars, and oversaw three major events that attracted effectively and efficiently. ments to health privacy legislation, over 800 people, in person and via and consulted with and presented to webcast. Communications responds numerous organizations. to thousands of calls and emails
12 13 The IPC has long been a
championThe IPC for has increased long been a transparencychampion as for a increasedmeans transparency as a means to to supportsupport accountability accountability and and civic engagement.civic engagement.
Increasing Transparency
ACCESS TO INFORMATION
14 15 OPENNESS AND TRANSPARENCY ARE ESSENTIAL TO MAINTAINING THE PUB- LIC’S TRUST AND CONFIDENCE IN GOV- ERNMENT INSTITUTIONS. The IPC has long been a champion for increased transparency as a means to support accountability and civic engage- ment. Over the past year, the IPC has engaged in activities on a number of fronts to support the pub- lic’s right to know.
Municipal Legislation
Open meetings about government activities are essential to democracy, shining a light on policy development and promoting accountability for public spending. This year the IPC spoke out about changes to Ontario’s Municipal Act and the City of Toronto Act, which expands the criteria a municipality or local board can use to close all or part of a meeting to the public. In its submission to the legislative commit- tee related to Bill 68, the IPC questioned the need to broaden the exceptions to the open meeting require- ment and emphasized the impact of closed-door meet- ings on the public’s right to access information. The government made the legislative changes to the closed meeting rules despite the IPC’s concerns.
Deletion of Emails
In 2017, the gas plants matter came before the courts and in early 2018 one individual was found guilty of criminal offences related to the deliberate destruction of documents. Our office investigated allegations political staff inappropriately deleted emails about the gas plant cancellations when they originally surfaced back in 2013. At that time, we found that the deletions were in violation of the Archives and Recordkeeping Act and recommended amendments to Ontario’s access and privacy laws to address the responsibility of insti- tutions to ensure key decisions are documented. In light of the recent conviction and a resolution passed
14 15 6,000 TOP 10 MUNICIPAL INSTITUTIONS
5,000 Requests Received Requests Completed 4,000 Within 30 Days Over 90 Days
3,000
2,000
1,000
0
Toronto City of Niagara York Durham Peel Hamilton Halton Waterloo Ottawa Police Toronto Regional Regional Regional Regional Police Regional Regional Police Service Police Police Police Police Service Police Police Service Service Service Service Service
by all of Canada’s information their understanding of this topic. lous and Vexatious Requests, and commissioners, the IPC continues Participants had the opportunity Reasonable Search, which address to call on the government to create to hear from a panel of IPC experts the issues of managing excessive a legislated duty for public entities and ask questions. requests and how institutions and in Ontario to document matters requessters can ensure adequate Records and information man- related to their deliberations, searches for records. actions, and decisions. agement (RIM) practices can have far-reaching impacts, helping or hindering an institution’s ability to Significant Access Promoting respond to access requests from the public. In 2017, our office released Decisions Understanding of an educational video for institu- Access Issues tions, to help them understand the Our Tribunal Services team issued relationship between effective RIM a number of decisions this year, A basic principle of Ontario’s practices and their ability to meet providing guidance on the appli- access and privacy laws is that their responsibilities under Ontar- cation of FIPPA and MFIPPA, the public has a right of access to io’s access laws. including: government-held information, and exemptions from this right Over the past year, our office MO-3471 – A request was made for of access should be limited and published a number of guidance access to communications sent or specific. This year, our office materials on access-related topics received by staff of a city council- hosted a webinar for freedom of to increase understanding among lor concerning that councillor’s information coordinators and institutions and the public. These Twitter account. Our office upheld other frontline staff to enhance included fact sheets on Frivo- the City of Toronto’s decision to
16 12,000 TOP 10 PROVINCIAL INSTITUTIONS
10,000 Requests Received Requests Completed 8,000 Within 30 Days Over 90 Days
6,000
4,000
2,000
0
Ministry of Ministry of Ministry of Ministry of Landlord Ministry of Ministry of Ministry of Ministry of Workplace the Community Community Labour and Tenant the Attorney Government Transportation Health and Safety and Environment Safety and and Social Board General and Long-Term Insurance and Climate Correctional Services Consumer Care Board Change Services Services
deny access to the records. The related to the progress of the Dar- system of access was available to adjudicator determined that the lington Nuclear Generating Sta- allow anyone to obtain the records. records were personal, political tion refurbishment. The ministry PO-3691 – A requester made records relating to the councillor’s decided not to release the records numerous requests to the Public activities as an elected represen- on the basis they contained com- tative and were not under the Guardian and Trustee (PGT) for mercial and third-party informa- control of the city. records relating to the estates tion and that release would result in of named deceased individuals MO-3476 – A requester sought harm. Our office found that there (including 40 requests within a information about police street was insufficient evidence to estab- nine-week period and 116 total checks and racial data from the Peel lish the harms to the ministry or requests). When the PGT limited Regional Police. The police denied the third party’s economic or other the number of requests the indi- access to six records, claiming they interests, and ordered their release. vidual could make at one time, the contained advice and recommen- requester appealed to our office. MO-3514 – An individual dations. The IPC partially upheld The IPC found that the number of their decision, denying access to requested access to a motor vehi- requests established a pattern of one record but ordering the release cle collision report related to a car conduct that interfered with the of the others based on a compel- accident they were involved in. The operations of the institution, and ling public interest—the accurate police denied access to the report on that the requests were frivolous and reporting of race data as it related to the grounds that the information vexatious. Our office limited the street checks of individuals. contained in the record was already number of requests the individual PO-3717 – A request was made to publicly available. The IPC upheld could make to five at any given the Ministry of Energy for reports the decision, finding that a regular point in time.
17 A key element of the IPC’s mandate is to resolve access to information appeals under Ontario’s access and privacy laws.
18 Mediated Appeals is not subject to mandatory • Police denied a request by an exemptions. individual for her own report A key element of the IPC’s man- relating to a recent sexual • An individual requested the date is to resolve access to infor- assault on the grounds it was minutes and audio record- mation appeals under Ontario’s part of a continuing investi- access and privacy laws. This is ing of a town meeting held gation. Through mediation, frequently achieved through the in closed session. The town the individual requesting the mediation process, where parties denied access to all records, report was able to explain her have an opportunity to explain citing the closed meeting reasons for the request. The their respective positions, clarify exemption. During mediation, documentation was required issues, and discuss potential settle- to alert a foreign embassy ment options. of her sexual assault claim APPEALS OPENED IN 2017 against an individual who Our office resolves a large was currently traveling to volume of access to information PERSONAL ��0 his home country. With the appeals through mediation. ��� INFORMATION Here are some highlights from assistance of a mediator and the past year: additional information about GENERAL the circumstances related to • A police service received a 1�0�� 1�1�� RECORDS the request, the police agreed request from an individual to provide partial access to the for records relating to a 2017 2016 report within hours. security breach involving her credit card. The police • An individual requested denied access to some of APPEALS CLOSED IN 2017 statistical records related to the records on the grounds faculty members at a univer- they contained the personal sity and received a costly fee ��1 ��� information of another PERSONAL estimate to locate and prepare individual. The mediator INFORMATION the records. During media- obtained consent from tion, the university detailed the other individual to the technical difficulties they disclose their information, GENERAL were encountering trying to RECORDS which resulted in the police 1�02� 1�0�� extract the records from an granting full access to a outdated database. During the police report. Following 2017 2016 discussion it was determined clarification of other issues that if the request was nar- during mediation, the police the town agreed to transcribe rowed slightly, it would sig- also granted access to statis- the audio recording of the nificantly speed up the search. tical information previously meeting. The town then exer- The requester amended the withheld. These efforts also cised its discretion to provide resulted in the police changing request and the university partial access to both the aspects of their policy regard- issued a revised fee estimate ing the disclosure of statistical minutes and the transcript, of about half the original cost. information. Going forward, as well as documents consid- The requester received the they will routinely disclose ered by the council during the records and was satisfied with statistical information that meeting. the result.
19 Judicial Reviews Ministry of Health and their medical specialties, is not “per- Long-Term Care—Access sonal information.” The Ontario Court of Appeal will hear appeals to Physicians’ OHIP Billing OUR LEGAL DEPARTMENT from this decision in June 2018. Information REPRESENTS THE COMMISSIONER IN The record at issue in this appeal, Ryerson University and JUDICIAL REVIEWS AND created in response to a request by Third-Party Information APPEALS OF THE IPC’S a journalist, sets out the total dollar DECISIONS. amounts paid annually to the top The university received a request 100 OHIP billers, their names and under FIPPA for an agreement their medical specialties, for the between it and a bank relating to Treasury Board Secretariat years 2008 to 2012. The ministry the issuance of university-branded and Third-Party Records disclosed the dollar amounts and credit cards. The university granted most of the specialties, but with- partial access to the agreement, The Treasury Board Secretariat held the physicians’ names and withholding some information, received a request for access to a some of the specialties under the citing the third-party information personal privacy exemption in copy of a benchmarking report exemption. Both the requester and FIPPA. One of the parties to the prepared by a third party. After the bank appealed the university’s appeal also raised the third-party decision, with the requester argu- consulting with the third party, information exemption in FIPPA. ing that none of the agreement is the Treasury Board granted partial The appellant claimed that the exempt and the bank arguing that access to the report, with portions public interest override applied. In the entire agreement is exempt withheld, citing the third-party Order PO-3617, the adjudicator under that same section of FIPPA. exemption. The requester appealed found that the record does not In Order PO-3598, the adjudicator the Treasury Board’s decision to contain personal information, found that none of the information our office. In Order PO-3663, the and as a consequence, the personal in the agreement was “supplied” to privacy exemption does not apply. adjudicator found that the infor- the university, therefore the exemp- The adjudicator also found that mation at issue was not exempt the third-party exemption did not tion for third-party information did under the third-party records apply, and that there was a compel- not apply. She ordered the univer- exemption because disclosure could ling public interest in the disclosure sity to disclose the agreement in its not reasonably be expected to result of the record. The IPC ordered the entirety to the requester. in any of the commercial or com- ministry to disclose the record in its The bank, as the affected third petitive harms alleged. She ordered entirety to the journalist. party, sought a judicial review of disclosure of the information. The Ontario’s Divisional Court dis- this order in the Divisional Court. affected party sought a judicial missed three applications by doctors’ The Court dismissed the applica- review before the Ontario Divi- groups to quash the order, ruling tion stating that the decision of the sional Court. The Court dismissed that it was reasonable. The Court adjudicator fell within a reasonable the application for judicial review agreed that the names of the doctors, range of outcomes given the terms stating that, in its view, the adjudi- in conjunction with the amounts of the legislation and the facts cator’s decision was reasonable. they receive in OHIP payments and before her.
20 21 IPC INTERVENE� IN OT�ER Ministry of the Attorney Algoma Public Health APPLICATION OR APPEAL IN 2017� 1 General and Office of and a Report Relating to Allegations of Wrongdoing the Children’s Lawyer for RE�UESTER�COMPLAINANT� � Ontario—Application of MO-3295—Algoma Public Health (APH) received a request for access FIPPA to the “final report of [the] 2015 KPMG Forensic Review.” The New Judicial Review PO-3520—The Ministry of the applications � IPC interventions report related to whether a con- in 2017: 6 Attorney General received a request flict of interest existed regarding for information related to services the appointment of APH’s former interim CFO, and whether any IPC INTERVENE� IN OSC�� 1 provided to the requester’s two funds were subsequently misap- children by the Office of the Chil- IPC OR�ER UP�EL� propriated or lost by APH. While �AN��OR LEAVE TO APPEAL dren’s Lawyer for Ontario (OCL) APH determined that an exemp- �ISMISSE��� 2 in custody and access proceedings. tion for personal privacy under MFIPPA applied, it granted access The ministry advised that the OCL to the report under the public ABAN�ONE� OR SETTLE� OR took the position that FIPPA does interest override. An affected party �ISMISSE� FOR �ELA� � IPC OR�ER STAN�S� � not apply to litigation files where appealed APH’s decision, claiming it provides services to children. As disclosure would expose her to civil liability. The affected party also a result, the ministry claimed that claimed that the public interest Judicial Reviews � IPC interventions records related to these files were override did not apply in the cir- Closed and�or Heard not in its custody or under its con- cumstances. The IPC decided that in 2017: 7 the personal privacy exemption trol and denied the request. applied to the record, but agreed IPC INTERVENTON� 2 In Order PO-3520, the adjudica- with APH that there was a compel- ling public interest in disclosure tor found that records of the OCL of the record. Accordingly, the IPC AFFECTE� PART�� 2 covered by the request were in the ordered AHP to disclose the record custody or control of the ministry to the requester. and ordered the ministry to issue The affected party sought a judicial an access decision to the requester, review of the order and the asso- RE�UESTER � COMPLAINANT� � which could be made by the OCL. ciated reconsideration order and both orders were quashed by the The OCL filed an application for Divisional Court. The appeal was sent back to the Commissioner for a judicial review, which was dis- new hearing. missed by the Ontario Divisional INSTITUTION� 2 The IPC was granted leave to appeal Court. The Ontario Court of Appeal the Divisional Court’s decision to the heard the OCL’s appeal in late 2017 Ongoing Judicial Reviews Ontario Court of Appeal. The appeal � IPC interventions as of but has not yet issued its decision. is expected to be heard in fall 2018. December 31, 2017: 12
20 21 The IPC remains steadfast in its commitmentThe IPC remains to protectsteadfast in its commitment to protectthe privacy the privacy of of allall Ontarians.Ontarians.
PRIVACY
22 23 IN 2017, IPC’S WORK SPANNED A RANGE OF TOPICS RELATED TO PRIVACY PROTEC- TION IN ONTARIO.
Data Privacy Day
The IPC began 2017 by hosting a public event to mark International Privacy Day. Given that big data is changing the landscape of how Ontario institutions develop public policy and design government pro- grams the topic for 2017 was Government and Big Data.
Four expert panelists and close to 150 attendees engaged in lively discussions that focused on issues such as the benefits and risks of big data, measures to protect privacy, the potential for biased data sets and identifying solutions to the challenges governments face in a big data world.
Participation in the event extended beyond the venue with more than 700 devices tuned in to watch the live webcast. The event also reached more than 22,000 Twitter accounts and more than 800 LinkedIn accounts.
International Privacy Day offered an appropriate occasion to release our new fact sheet, Big Data and Your Privacy, to raise awareness of the public’s right to privacy protection in the big data landscape.
There are tremendous opportunities available to gov- ernment to develop evidence-based programs and pol- icies using big data. To support this, the IPC has called on Ontario to modernize access and privacy laws to ensure that government institutions use data linking and big data analytics in a privacy-protective manner.
The IPC remains steadfast in its commitment to pro- tect the privacy of all Ontarians. We will continue to work closely with government institutions to ensure that their use of big data respects and protects individ- ual privacy rights.
22 23 ing with the Ministry of Children use or disclosure cannot violate the Child, Youth and and Youth Services, the Ontario privacy of individuals. Families Services Act, Child Advocate, the child welfare Our guidelines are the first of sector and other sectors to prepare 2017 their kind in Canada to use plain for implementation. language to explain sophisticated Throughout 2017, we consulted This legislation represents a great de-identification concepts, with and collaborated extensively with step forward for Ontario’s child and the benefit of being useful to a very the Ministry of Children and Youth youth sector and will usher in an era wide audience. Services to support the develop- of greater public accountability in ment of the new Child, Youth and Ontario. Family Services Act, 2017 (CYFSA), Privacy in Education and its regulations. IPC’s De-identification The IPC recognizes that, more Under Part X of the CYFSA, and for than ever, educators and students the first time, Ontarians will have Publication Wins benefit from privacy education and the right to access their personal at International digital literacy skills. information held by child, youth, and family service providers, Conference In May 2017, we worked with the including children’s aid societies. Office of the Privacy Commissioner In September, our De-identifica- They will also be able to file pri- of Canada to review free online tion Guidelines for Structured Data vacy complaints if these service educational tools and services used won the inaugural International providers do not follow the rules in Ontario classrooms. The review Conference of Data Protection and for collection, use and disclosure was part of a larger international Privacy Commissioners’ (ICDPPC) of personal information contained “sweep” effort coordinated by the award for excellence in research. in the act. Our office has been Global Privacy Enforcement Net- The ICDPPC awards attracted 90 designated as the oversight body in work (GPEN). entries, in a variety of categories, relation to Part X of the act, bring- In October, we published our from data protection and privacy ing child, youth, and family service GPEN Sweep Report summarizing authorities around the world providers within our jurisdiction. our findings and outlining best and the winning entries were practices for ensuring student pri- In March 2017, Commissioner announced at the 39th ICDPPC vacy and compliance with Ontario Beamish appeared before the Stand- conference in Hong Kong. privacy laws when using online ser- ing Committee on Justice Policy “De-identification” is the general vices. We advised educators to con- to provide the IPC’s comments term for the process of remov- sult school officials before choosing and recommendations to help ing personal information from a an online educational service and strengthen the privacy protections record or data set. De-identification recommended that school board in the CYFSA. protects the privacy of individuals officials carefully examine privacy The majority of the CYFSA was because once a data set is de-identi- policies and terms of service before proclaimed on April 30, 2018, with fied, it no longer contains personal approving their use in the class- Part X scheduled to come into effect information. If a data set does not room. We also recommended that in January 2020. Our office is work- contain personal information, its educators provide students with
24 ongoing guidance on how to config- Police Services Act systemic racism and advance racial ure and use the educational services equality. The government also has the authority to mandate public in privacy-enhancing ways. For On November 2, the government sector organizations to collect example, we learned that students introduced Bill 175, the Safer defined race-related information to Ontario Act, the largest transforma- could use pseudonyms instead of support the purposes of the act. their real identities when using tion in policing and public safety The ARA requires the development some online tools. in Ontario in over 25 years. The bill included a new Police Services Act, of data standards governing the In November, the IPC jointly spon- which gives the Minister of Com- management of personal infor- sored a workshop with the Ontario munity Safety and Correctional mation, and that the government consult with the IPC on these Association of School Business Services broad powers to collect and share personal information standards to ensure robust privacy Officials at the annual “Bring IT protections are in place. to enhance evidence-based deci- Together” conference on educa- sion-making. Our office worked The IPC is the oversight body for tional technologies. The workshop, with the ministry to ensure that the privacy requirements under Privacy in the Networked Class- measures to support a privacy the ARA. Under this act, we have room, brought together teachers, protective approach to data collec- the authority to order an organi- school board administrators and tion and integration were included zation to change or discontinue IT staff to examine the uses and in the legislation. Our office also its personal information handling impacts of technology in schools. helped to ensure that improved practices if the practices contravene the ARA or the data standards. Renowned Canadian scholars transparency was at the heart of This order-making power is key to shared new research on the benefits the bill. For example, we helped protecting the privacy of affected the ministry develop rules under and risks posed by networked class- individuals. We can also make com- the new Policing Oversight Act that room technologies and the use of ments or recommendations on the require the publication of SIU educational software in classrooms. privacy implications of any matter investigation reports that conclude related to the ARA. The IPC joined our fellow federal, police should not face criminal provincial and territorial privacy charges in connection with the death or serious injury of a member regulators to encourage the Council Big Data of the public. The bill received of Ministers of Education to take Royal Assent on March 8, 2018. Government institutions are steps to ensure that future genera- increasingly relying on the analysis tions of Canadians develop strong of big data to shape and improve the digital and privacy skills. These Anti-Racism Act programs and services they provide skills are the key to ensuring that to the public. While big data may In June, Ontario passed the young people are well equipped to benefit individuals, it also raises a Anti-Racism Act, 2017 (ARA). number of privacy, fairness, and exercise their privacy rights and Under this legislation, the govern- ethical concerns about how insti- responsibilities as digital citizens, ment is responsible for developing tutions use advanced technologies and to succeed in a networked and and maintaining an anti-racism to process personal information. data-driven world. strategy that aims to eliminate Institutions should understand and
25 address these concerns to prevent and Protecting Privacy. This guide may result in recommendations to unexpected, invasive, inaccurate, outlines methods for designing, ensure compliance with Ontario’s or discriminatory uses of personal implementing, and monitoring access and privacy laws. information. open government programs to sup- port transparency while addressing In May, the IPC released its Big Data Privacy Complaint PI16-3 Guidelines to inform institutions of potential privacy risks. the key issues to consider and best Ministry of Community practices to follow when they Safety and Correctional conduct big data projects. These PRIVACY COMPLAINTS Services guidelines offer practical advice OPENED IN 2017 to ensure that personal informa- The IPC opened a Commission- tion is appropriately collected, er-initiated privacy complaint linked, analyzed, and used when under FIPPA, against the making automated decisions MUNICIPAL 1�� 1�� Ministry of Community Safety about individuals. Institutions with the legal authority to and Correctional Services. conduct big data projects should The complaint related to the PROVINCIAL follow the best practices devel- 110 11� collection and destruction of oped in these guidelines. personal information captured 2017 2016 in a recording made by a police The IPC will continue to work officer on his personal cell on issues related to big data phone during a traffic stop. The and plans to release additional PRIVACY COMPLAINTS guidance documents aimed at CLOSED IN 2017 IPC was unable to make a find- specific sectors of government ing as to whether the record and at providing further infor- at issue contained personal mation on some of the best information because the device MUNICIPAL practices identified in the Big 1�� 1�� that contained the recording Data Guidelines. had been discarded. We con- cluded that, in the particular PROVINCIAL circumstances, collection of the 11� 10� Open Government personal information would and Privacy 2017 2016 have been authorized under the act. Our report included In our view, proactively address- the recommendation that the OPP ing privacy risks from the outset is amend its personal device policy key to carrying out open govern- Privacy Investigations ment initiatives that enhance public to require staff to copy any opera- services without compromising pri- Our privacy investigations look at tional information obtained on a vacy. To assist institutions in putting whether government institutions personal device to an authorized open government into practice, this are protecting the personal infor- OPP system or device within a rea- year we published Open Government mation they collect and retain, and sonable time.
26 PRIVACY COMPLAINTS CLOSED BY TYPE OF RESOLUTION OUTCOME OF ISSUES� IN PRIVACY COMPLAINTS
Resolved - Finding not Resolved 178 (65.2�) necessary 169 (90.9�) Screened out 56 (20.5�) Complied in full 7 (3.8�)
Withdrawn 30 (11.0�) Act does not apply 8 (4.3�) Abandoned 4 (1.5�) Not complied 1 (0.5�) Report 5 (1.8�) Order issued 1 (0.5�)
*The number of issues does not equal the number of complaints closed, as some complaints may involve more than one issue. Abandoned, withdrawn and screened out complaint files are not included.
200 NUMBER OF PRIVACY COMPLAINTS OPENED 2008-2017 Municipal Provincial
150
100 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017
ISSUES� IN PRIVACY COMPLAINTS
Disclosure (72.0%) General privacy issue (12.4%) Security (5.4%) Collection (3.8%) Access (2.7%) Use (2.2%) Consent (0.5%) Notice of collection (0.5%) Retention (0.5%)
�The number of issues does not equal the number of complaints closed, as some complaints may involve more than one issue. Abandoned, withdrawn and screened out complaint files are not included
134 23 10 7 5 4 1 1 1
27 Privacy Complaint MC16-7 information requested, as well as however, opportunities to improve noting the legislative authority the existing privacy practices. Ottawa Police Services under which the information The IPC identified concerns and is sought. through discussions with the IPC’s Two Correctional Services Canada policy unit related to signage, (CSC) employees filed complaints security, training, auditing, and alleging that the Ottawa Police Privacy Complaint MI17-2 retention of surveillance data, the Service inappropriately disclosed police addressed the concerns, Greater Sudbury Police personal information pertaining adopted our recommendations, and Services to criminal charges against them committed to comply with current to their employer. CSC manages The IPC opened a Commission- privacy best practices. correctional institutions and er-initiated privacy complaint supervises offenders under condi- against the Greater Sudbury Police tional release in the community. Services after a journalist con- Privacy Complaints The investigation report concluded tacted the IPC about the Lion’s Eye Resolved at Intake that the CSC is not an institution in the Sky Surveillance Program. or a law enforcement agency, and The IPC’s Intake team, headed by The aim of the investigation was the police’s disclosure of personal the Registrar, serves as the IPC’s to ensure that the expansion of information to CSC was not con- front-line response to privacy the surveillance program was in sistent with the requirements of breaches. The vast majority of keeping with the act and current MFIPPA. Our report noted that privacy complaints we receive privacy best practices. such requests for personal infor- are resolved at Intake, and do not mation should be made in writing We found the surveillance program require investigation and media- to ensure a detailed record of the complied with the act. There were, tion. These are some public-sector
28 privacy complaints that were city’s response and the application A Township resolved at Intake in 2017: of MFIPPA with the complainant, who was satisfied and agreed to An individual submitted a com- A Municipality withdraw the complaint. plaint alleging that a town in An individual submitted a com- central Ontario had posted her A School Board plaint alleging that a city inappro- Tax Arrears Extension Agreement priately disclosed information An individual submitted a com- online as part of the town’s council regarding his application to con- plaint concerning the disclosure meeting agenda, in contravention struct a front yard parking pad. of her personal information by a of the privacy provisions of the As part of the approval process, a school board to an individual who MFIPPA. The town acknowledged number of neighbours within a made a request for his own infor- that it had improperly disclosed the certain radius of the complainant’s mation. The complainant believed home were notified of the appli- that even though her name had complainant’s personal informa- cation. The city advised that the been redacted from the record tion on its website. The town imme- local municipal code requires disclosed to the requester, other diately removed the document public polling. Polling provides an information in the record could from its website and apologized opportunity for individuals who identify her. Following discussions to the complainant. The town also own or live in residences within the with the IPC, the school board made commitments to developing polling area to determine whether acknowledged its error, and issued formal privacy policies and pro- their properties and neighborhood a letter of apology to the com- viding privacy training to its staff. may be affected. The city submit- plainant. The school board also ted that disclosure of the property expanded its training regarding The complainant and the IPC were address was authorized under access and privacy. The IPC was satisfied with the steps taken by the MFIPPA. The IPC reviewed the satisfied with the board’s response. town and the file was resolved.
29 Anti-Racism Directorate, Cabinet Office Metrolinx
• Bill 114, Anti-Racism Act, 2017 • Disclosure of PRESTO Card information to law enforcement City of Brampton Ministry of the Attorney General • Access and Privacy Guide for Council • Katelynn Sampson Inquest Recommendations Durham District School Board • Bill 175, Safer Ontario Act, 2018—Policing Over- • Workforce Census sight Act, 2018, and Ontario Policing Discipline Tribunal Act, 2018 Durham Regional Police Service Ministry of Children and Youth Services • Body Worn Camera Pilot Project • Child, Youth and Family Services Act, 2017— Global Privacy Enforcement Network (GPEN) Amendments and Regulations • GPEN “Sweep”—International Study of User • Child Welfare Identity-Based Data Collection Controls (Online Educational Services in Ontario Initiative schools) • Youth Justice Services Identity-Based Data Collec- Independent Electricity System Operator tion Initiative
• Data Strategy Advisory Council Terms of Ministry of Community Safety and Correctional Reference Services
Kingston Police Service, Ottawa Police Service and the • Bill 175, Safer Ontario Act, 2018—Police Services Ottawa Rape Crisis Centre Act, 2018, Missing Persons Act, 2018, and amend- ments to the Coroners Act • Philadelphia model-related privacy guidance for external sexual assault and domestic violence case • Bill 195, Correctional Services Transformation review committees Act, 2018
30 31 In keeping with the IPC’s commitment to outreach, engagement and collaboration, we actively participated in a number of consultations in 2017.
CONSULTATIONS
Ministry of Energy Municipality of Middlesex Centre
• Green Button Implementation and Regulatory • Video Surveillance Policies and Procedures Proposal Niagara Regional Police Service Ministry of the Environment and Climate Change • Crime Mapping Tool • Drive Clean Program – Remote Emissions Testing Region of Peel Ministry of Finance • Video surveillance systems at municipal facilities • Statistics Transformation Town of Parry Sound • Bill 174, Ontario Cannabis Retail Corporation Act, • Water/Wastewater Warranty Protection Plan 2017 University of Toronto and Toronto District School Ministry of Government and Consumer Services Board • Guide for Interaction with the Office of the Infor- • Data sharing agreement for research project on mation and Privacy Commissioner of Ontario student achievement
• Bill 59, Putting Consumers First Act (Consumer Various School Boards in the Province Protection Statute Law Amendment), 2017—Door- to-Door Solicitation Restrictions and Compliance • School bus camera surveillance systems Requirements
Ministry of Municipal Affairs
• Bill 68, Modernizing Ontario’s Municipal Legisla- tion Act, 2017
Ministry of Transportation
• Highway 407 East Project
30 31 Our office urges the government to complete this Our office urges the work governmentin a timely to completemanner this so thatwork the inprivacy a timely mannerrights soof Ontariansthat are the protected privacy rights and of Ontarians are protected and they arethey given are given the the tools tools toto exerciseexercise their their legal legal rights. rights.
Amendments to the Personal Health Information Protection Act (PHIPA)
HEALTH
32 33 THIS YEAR SAW A NUMBER OF AMEND- MENTS TO ONTARIO’S HEALTH PRIVACY LAW. These changes allow for increased protection of patient privacy and improved accountability and transparency in our health care system. These amend- ments also help to ensure that personal health infor- mation (PHI) remains secure and confidential.
On October 1, 2017, it became mandatory for health information custodians (HICs) to report certain privacy breaches to our office. This new reporting requirement enhances the IPC’s ability to address key concerns and gives health care providers the oppor- tunity to benefit from our advice and assistance in responding to a breach. To help them meet this new requirement, we published the guidance document, Reporting a Privacy Breach to the Commissioner. This document explains the reporting criteria and summa- rizes circumstances under which a custodian should notify our office of a privacy breach.
Since mandatory reporting came into effect, we have seen a dramatic increase in the number of reported breaches. From 2016 to 2017, the number of reported breaches more than doubled in the months October to December, from 58 to 125. The number of cases involving snooping into medical records remained steady at 24 per cent for both years. The number of cases involving general unauthorized collection, use, and disclosure and stolen PHI grew from 15 per cent to 18 per cent. Misdirected or lost PHI, which has always been the majority of reported breaches, also grew from 28 per cent to 37 per cent.
This year we also issued Annual Reporting of Privacy Breach Statistics to the Commissioner to help custodians prepare for reporting their privacy breach statistics to our office. HICs began to track their privacy breach statistics as of January 1, 2018, and starting in March 2019, they will be required to provide an annual report on the number of privacy breaches that occurred during the previous calendar year. These statistics will be collected through our statistics submission website, which will launch in early 2019.
32 33 In our last annual report, we urged this right back in 2012. Our office Code of Procedure only applied to the government to move forward urges the government to complete access and correction complaints. with the proclamation of amend- this work in a timely manner so We also published five PHIPA Prac- ments to PHIPA relating to the that the privacy rights of Ontarians tice Directions that provide additional shared provincial electronic health are protected and they are given the record (EHR). As Ontario’s health tools to exercise their legal rights. guidance to parties about exercising sector transitions from paper and their rights and complying with their stand-alone electronic medical obligations under PHIPA. records to a shared provincial EHR, New Code of these amendments will provide an effective governance framework to Procedure for Matters Three-Year Reviews protect the privacy of individuals. under PHIPA of Prescribed Health Among other things, these amend- ments would provide individuals A new Code of Procedure for PHIPA Entities and Persons with the ability to withhold and came into force in March, taking withdraw their consent to the immediate effect on all IPC files Under PHIPA, health informa- collection, use and disclosure of under Ontario’s health privacy leg- tion custodians can disclose PHI, their PHI from the provincial EHR islation. This new code was borne without consent, to prescribed system for health care purposes. out of an internal review of our entities for the purpose of analysis The government committed to PHIPA processes. The revised code or compiling statistical informa- implementing the regulations nec- now represents a single comprehen- tion needed to plan and manage the essary to provide individuals with sive protocol for all matters arising health care system. Similarly, they a broad range of options to exercise under PHIPA where the previous can disclose PHI, without consent,
SUMMARY OF PHIPA COMPLAINTS
-4% -9% +38% +68% ACCESS/CORRECTION SELF-REPORTED INDIVIDUAL OPENED IPC INITIATED OPENED OPENED BREACH OPENED 2017 155 2017 105 2017 322 2017 47 2016 161 2016 115 2016 233 2016 28
+21% -9% +64% +119% ACCESS/CORRECTION SELF-REPORTED INDIVIDUAL CLOSED IPC INITIATED CLOSED CLOSED BREACH CLOSED 2017 164 2017 102 2017 305 2017 46 2016 135 2016 112 2016 186 2016 21
34 to prescribed persons that compile Prescribed Persons Critical Care Information or maintain registries of personal System. • Cardiac Care Network of health information for the pur- Ontario in respect of its reg- We found that all of the above poses of enabling or improving the istry of cardiac and vascular prescribed entities and persons provision of health care. services continue to meet the requirements of PHIPA. Reports, affidavits and Every three years we review the • INSCYTE Corporation in approval letters for each of these information practices and proce- respect of CytoBase reviews are publicly available. dures of these prescribed entities and persons. • Cancer Care Ontario in respect of the Ontario Cancer Screen- Significant PHIPA In 2017, we reviewed: ing Registry Decisions Prescribed Entities • Children’s Hospital of East- • Cancer Care Ontario ern Ontario in respect of the The following are some noteworthy Better Outcomes Registry and PHIPA decisions published in • Canadian Institute for Health Network 2017. Information • Ontario Institute for Cancer • Institute for Clinical Evalua- Research in respect of the Decision 49 tive Sciences Ontario Tumour Bank A doctor received an email from an • Pediatric Oncology Group of • Hamilton Health Sciences individual containing an image of Ontario. Corporation in respect of the a computer screen in the doctor’s
150 TYPES OF PHIPA COMPLAINT FILES OPENED IN 2017
120 1. Public hospital: 146 11. Physiotherapist: 5 21. Private hospital: 2 2. Community or mental health centre, program or service: 116 12. Agent: 5 22. Psychiatric facility: 2 3. Clinic: 99 13. Optometrist: 4 23. Ambulance services: 1 4. Independent health facility: 51 14. Social worker: 4 24. Charitable home for the aged: 1 90 5. Doctor : 46 15. Laboratory: 3 25. Home for special care: 1 6. Community care access centre: 38 16. Psychologist: 3 26. Midwife: 1 7. Pharmacy: 33 17. Board of Health: 3 27. Ministry of Health: 1 8. Other: 28 18. Chiropractor: 2 28. Nursing home: 1 60 9. Other health care professional: 16 19. Masseur: 2 29. Other prescribed person: 1 10. Long-term care facility: 12 20. Occupational therapist: 2
30
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
35 examination room that showed the cians, clarifying who has responsi- travel claims were filed. Our office personal health information of a bility for patient records. decided that the collection and number of patients. The doctor and use of OHIP numbers at the time of application for supplementary the doctor’s lawyer asked the indi- Decision 52 vidual to delete the image but he health insurance plans contravened PHIPA. However, the practice of refused. The IPC conducted a review An individual sought access to all collecting, using, and disclosing of the incident and found that the the electronic data about himself, in individual was in contravention its native, industry-standard elec- OHIP numbers for the purpose of PHIPA by using the PHI of tronic format. The hospital did not of processing emergency medical individuals without authorization. provide the requested information travel claims was allowed. The Decision 49 ordered the individual and noted that some of the raw data insurance company discontinued to securely dispose of the personal was not available to the hospital its practice of collecting OHIP information of other individuals itself. Our office found that the numbers on both paper and elec- in the image and provide an affida- requester only has a right of access tronic applications and deleted any vit confirming compliance to our to underlying raw data that the hos- numbers it had collected from its administrative system. office. The IPC filed this order with pital can extract through custom the Superior Court and is bringing a queries and that the hospital is contempt motion to enforce it. entitled to reasonable cost recovery Decision 62 in providing access. Our office also found that, due to the significant Two complaints alleged that a Decision 50 staff time and resources that would physician accessed records of PHI be required to extract a certain type of two related individuals at a A medical clinic contacted the IPC of data, it was not reasonably avail- community health centre without with concerns about the manage- able to the hospital itself, and so was authorization. In response, the ment of personal health informa- not subject to the right of access. centre implemented a number of tion by the service provider hosting measures to safeguard the privacy their electronic medical records Decision 56 and security of information in its (EMR). The clinic found that the custody or control. The centre also service provider had transferred The Ministry of Health and Long- entered into an agreement with a hundreds of patient records to Term Care (MOHLTC) advised our corporation, in which the physician a physician who was leaving the office that OHIP numbers were is a shareholder, clarifying respon- clinic. The doctor claimed that compromised by criminal activity sibility for PHI in the electronic those patient records belonged involving the filing of fraudulent medical records used by physicians to him. After investigating, our claims with an insurance company. practicing at the centre. While office decided not to conduct a Upon investigation, we discovered the centre did not comply with its review under PHIPA given that that the insurance company was obligations under PHIPA at the both parties consented to a court collecting and using OHIP numbers time of these events, the IPC did not order providing the physician with as part of its application process issue an order because the centre access to PHI in the EMR, and for for purchasing supplementary had already made these changes. the delivery of original patient health insurance plans. It was also Further, while the physician’s records to him. The clinic has since collecting, using, and disclosing the access to the individuals’ PHI was amended its agreement with physi- numbers when emergency medical unauthorized, there was no evi-
36 ACCESS�CORRECTION COMPLAINTS CLOSED BY ISSUE
Not personal in�ormation 1 No written re�uest 2 SUMMARY OF PHIPA COMPLAINTS OPENED Status as representative 1 Fee and �ee waiver 2 Expedited access 1 Exemptions with other issues 2 Act does not apply 5 Failure to provide access 6 Exemptions only 6
Sel�-reported breach Fee 322 42 Reasonable IPC-initiated 47 search 17
Access/Correction Other Collection/Use/ 155 Deemed re�usal 18 Disclosure 41 105 Correction 20
dence to suggest that the physician number of steps to contain another person’s health card, but disclosed the PHI in contravention the breach, notify the affected a person who provides a provin- of PHIPA. individuals and/or their sub- cially funded health resource to stitute decision makers and a person who has a health card prevent a future occurrence, may require the production of PHIPA Cases Closed including circulation of an all- the health card.” The financial Through Early Resolution staff memo and introduction institution acknowledged it is of an e-learning module on not permitted to require OHIP Our office strives to resolve PHIPA obligations. Five of cards as a form of identifica- PHIPA cases at the intake stage, the employees no longer work tion, and deleted information or through mediation, without the at the home and the home it collected from these cards. need for adjudication. Below are reported two staff members to • We received a complaint some of the cases closed through their regulatory college. Our against a hospital stating that early resolution in 2017. office was satisfied with the its lobby did not provide a city’s response to the breach. • A long-term care home, owned private area for triage, allow- and operated by a munici- • An individual alleged that ing other patients to over- pality, reported that six of its a financial institution was hear discussions about their employees used their personal requiring individuals to pro- personal health information. cellphones to take and/or vide a copy of their OHIP card In response to the complaint, receive pictures of a number in order to obtain a credit card. the hospital introduced par- of residents and then circu- This is contrary to PHIPA, titioned stations to allow for late them to other employees which states, “No person private conversations between via Snapchat. The city took a shall require the production of patients and hospital staff.
37 Hospital staff also underwent ted the image to other staff fully accessing the PHI of additional privacy awareness members and persons outside five individuals. She was the training focused on protect- of the hospital. Additionally, fourth person ever convicted ing privacy and confidenti- unknown persons accessed of an offence under PHIPA. ality when conversing with the image, using a physician’s As part of her guilty plea, she patients. login credentials, after the admitted to accessing the PHI physician failed to log out of of 139 individuals without • A hospital reported that the electronic system. The authorization. This is the high- records of PHI were found hospital took steps to identify est fine to date for a health scattered near a recycling the employees and external privacy breach in Canada. In bin on its premises. It was persons who were, or may have delivering her sentence, the determined that five patients’ been, involved and obtained Justice of the Peace stated, records were disposed of in an sworn declarations that the “Overall, the victim impact unsecure manner by a staff image was deleted from their statements reveal a lack of trust trainee. The hospital success- phones. The hospital also took and a sense of reluctance to share fully notified the affected disciplinary action ranging information with future health patients, retrained the trainee from verbal reprimands up care providers. I believe this is regarding its privacy policy, to one-month unpaid suspen- a truly significant factor, given used the incident as an sions. Following a review of its that we all must believe that example to remind residents policies, the hospital com- when we go to the doctor for our and staff of proper disposal mitted to additional training physical illnesses and our mental methods for PHI, and ensured programs and implementing health illnesses, that we will be that the records found near a privacy warning for all its able to trust our own health care the recycling container were computer systems. practitioners and their team and properly destroyed. that what we tell them will be respected and held in confidence • We received a report from a Prosecutions under PHIPA so we receive the treatment and hospital that six employees care we deserve.” took photos using personal • A Master of Social Work cell phones of a patient’s x-ray student was ordered to pay • An administrative support image. Some of these employ- a $20,000 fine and a $5,000 clerk in the emergency ees either showed or transmit- victim surcharge for will- department of a GTA hospital
38 accessed the health records of the exclusion as it applies to facil- that the proposed changes gov- 44 individuals without autho- ities, because there is no evidence erning health care services do not rization, printing out the PHI of harm in other jurisdictions include provisions that the IPC of 28 of these individuals. where medical assistance in dying considers necessary to protect the The Justice of the Peace noted is legal and provider information is privacy of Ontarians. Of particular that this was a serious breach available. In our view, if a specific concern was the exclusion of the of public trust in the health request for information posed a Patient Ombudsman’s investigative care system. The clerk pled risk of harm, existing exemptions records from FIPPA, which will guilty and was ordered to pay under FIPPA and MFIPPA would have significant consequences. an $8,000 fine and a $2,000 prevent the release of information victim surcharge. that created such a risk. In addition, Because of this exclusion, patients excluding this information may will not be able to access their own limit access to medical assistance in records of personal information Bill 84, Medical Assistance dying, and potentially prevent the in Dying Statute Law held by the Patient Ombudsman release of statistical information in an investigation. Moreover, important to public debate and Amendment Act existing privacy protections will analysis. The bill ultimately became no longer apply to Ombudsman This year, our office voiced objec- law in June 2017 despite the IPC’s investigations and individuals will tions to amendments to FIPPA concerns. In response, our office not be able to access information and MFIPPA contained in Bill called on health institutions in 84, the Medical Assistance in Dying Ontario to set their own standards used by the Ombudsman to form Statute Law Amendment Act. These of transparency, and voluntarily important recommendations. amendments exclude information disclose whether they provide these In addition to recommending related to medical assistance in services to patients. removal of this exclusion, the dying from access laws, if the infor- mation relates to identifiable indi- Commissioner made 11 other viduals and facilities. This means Bill 160, Strengthening recommendations, including that individuals do not have a right Quality and Accountability restrictions on the collection, use, to information that identifies for Patients Act and disclosure of PHI, confidenti- hospitals, pharmacies, long-term ality requirements, and protection care homes or hospices that provide In his submission on this bill, the of PHI in documents relating to the this service. Our office objected to Commissioner expressed concern prosecution of offences.
39 30 YEARS OF ACCESS AND PRIVACY SERVICE
1994 of Quebec independence on Ontario- Quebec relations. The IPC calls on the government to extend FIPPA and MFIPPA to a wider set of public organizations 1998 such as hospitals, universities, The IPC is successful in having access and social services agencies to and privacy added to the Ontario Civics make them more accountable to curriculum and placed in the “Specific the public. Expectations” of what students will learn by the end of the course. 1995 Publication of Privacy-Enhancing 1999 The Freedom of Information and Technologies: The Path to Anonymity. The Reaching Out to Ontario (ROTO) Protection of Privacy Act (FIPPA) passes This groundbreaking paper looks at event series is launched, and a small third reading on June 25, 1987, and how technology can be used to protect receives royal assent a few days later on privacy. IPC team visits London, St. Thomas and June 29, 1987. Chatham to meet with stakeholders to discuss access and privacy issues. The first Information and Privacy 1996 Commissioner of Ontario is Justice The IPC website is launched. The IPC develops teachers’ guides on Sidney B. Linden. access and privacy for grades five and Order P-1190 — Assistant ten and launches its “Ask an Expert” Commissioner Tom Mitchinson finds program, in which IPC speakers visit 1988 there is a compelling public interest in The Freedom of Information and the disclosure of records concerning Grade 5 classes. Protection of Privacy Act (FIPPA) comes nuclear safety. into force. 2000
1997 The Commissioner tables a special 1991 Dr. Ann Cavoukian succeeds Tom report: Province of Ontario Savings The Municipal Freedom of Information Wright as Information and Privacy Office—A Special Report to the Legislative and Protection of Privacy Act (MFIPPA) Commissioner. Assembly of Ontario on the Disclosure comes into force. Order P-1398 – The IPC determines of Personal Information, based on Tom Wright succeeds Justice Sidney that there is a compelling public an IPC investigation into a privacy B. Linden as Information and Privacy interest in disclosure of Ministry of breach involving account holders of the Commissioner of Ontario. Finance records relating to the impact Province of Ontario Savings Office.
40 2004 In MO-2225, the IPC directs the City of the Juries Act and Criminal Code and Ottawa and the Ottawa Police to stop proposes a fundamental shift in the The Personal Health Information collecting extensive personal information way prospective jurors are screened. Protection Act (PHIPA) comes into force. from individuals selling used goods Order PO-2826 to second-hand stores and to destroy 2005 personal information already collected. 2011
The first PHIPA Order is issued on The IPC publishes guidance for October 31, 2005: HO-001 2008 hospitals to prepare them for becoming The IPC releases Privacy and Video institutions under FIPPA: MO-1947 – The Commissioner orders Surveillance in Mass Transit Systems: A disclosure of information about lawsuits Applying PHIPA and FIPPA to Personal Special Investigation Report, which finds filed against the City of Toronto, Health Information: Guidance for Hospitals that the Toronto Transit Commission’s including the number of claims and the use of video surveillance complies with total amounts paid to settle claims. Freedom of Information at Ontario Ontario privacy law. The IPC makes a Hospitals: Frequently Asked Questions number of specific recommendations 2006 on how the TTC can enhance privacy. 2012 Ontario universities become subject As of January 1, hospitals are subject to the Freedom of Information and 2009 to the Freedom of Information and Protection of Privacy Act (FIPPA). Following an extensive investigation, Protection of Privacy Act. Ontario is the the Commissioner orders Crown The Divisional Court affirms that the last province to bring hospitals under attorneys to cease collecting any Commissioner has the authority to access legislation. personal information of potential investigate and report on privacy jurors beyond what is necessary under The IPC publishes A Policy is Not complaints made by the public Enough: It Must be Reflected in about government institutions. Concrete Practices, demonstrating The IPC celebrates the first “Right how to develop an appropriate to Know Week,” featuring a public privacy policy and embed it in the panel discussion on access issues. practices of an organization.
2007 2013
For the first time in its 20-year The IPC releases a Special Report: history, the IPC invokes the power Deleting Accountability: Records to order an institution to cease the Management Practices of Political collection of personal information. Staff, which details the findings of
41 30 YEARS OF ACCESS AND PRIVACY SERVICE
the IPC’s investigation into the improper In Order HO-013, Acting Commissioner current and emerging access to deletion of emails concerning the Beamish finds that Rouge Valley information and privacy issues. cancellation of gas plants by the Chief Health System violated PHIPA when After extensive consultation with the of Staff to the former Minister of Energy. two employees accessed and sold new IPC, Ontario’s Minister of Community mothers’ personal health information for Safety and Correctional Services financial gain. The Commissioner orders 2014 (MCSCS) introduces the Police Record the hospital to implement changes to its Brian Beamish is appointed acting Checks Reform Act in the Legislature, electronic information systems, revise Information and Privacy Commissioner establishing a new provincial standard its privacy and audit policies and deliver of Ontario. that clarifies, limits and controls privacy training to all staff. the scope of police record check The Supreme Court of Canada upholds disclosures to employers, volunteer IPC Order PO-2811, in which the 2015 agencies, and other third parties. IPC orders disclosure of statistical Appointment of Brian Beamish to five- information relating to the sex offender year term as Information and Privacy registry to a media requester. 2016 Commissioner of Ontario. To promote awareness of the Crossing the Line: The Indiscriminate Introduction of Bill 119 to amend the Disclosure of Attempted Suicide importance of sharing information with Personal Health Information Protection Information to U.S. Border Officials via a children’s aid society when there are Act (PHIPA). CPIC is released. The report calls on reasons to believe a child may be at risk, police to restrict the disclosure of The IPC celebrates International the IPC publishes the guide Yes, You Can suicide-related information to U.S. Data Privacy Day with an event to together with the Office of the Provincial agencies via the Canadian Police commemorate the tenth anniversary Advocate for Children and Youth. Information Centre (CPIC) database. of PHIPA. Order MO-3281 finds that an email sent
The IPC launches the Is It by a City of Oshawa councillor from the Worth It? campaign, warning councillor’s personal email account is health information custodians in the custody and control of the city, of the dangers and risks because it was created in the course of of unauthorized access to city business. As a result, the IPC orders information, or ‘snooping’. the city to issue an access decision.
As part of its Reaching Out to The IPC publishes Instant Messaging and Ontario (ROTO) program, the Personal Email Accounts: Meeting Your Commissioner and his team Access and Privacy Obligations, to make visit St. Catharines, Ottawa public servants aware that records and Sault Ste. Marie to discuss relating to the conduct of government
42 business are subject to provincial Court of Appeal will hear an appeal access legislation, even if they are from this decision in June 2018. created, sent, or received through The IPC publishes Open instant messaging tools or personal Government: Key Concepts and email accounts. Benefits and Open Government: Bill 119, the Health Information Key Implementation Considerations Protection Act, 2016, amends the for institutions considering Open Personal Health Information Protection Government programs. The Act (PHIPA) to better protect patient papers highlight the importance of privacy and improve accountability enhancing access to government- and transparency across Ontario’s held information, and provides Bill 89, the Supporting Children, Youth and health sector. advice on implementation. Families Act In PO-3617 (June 2016), the IPC orders The IPC launches a series of webinars De-identification Guidelines for Structured the Ministry of Health and Long-Term on access and privacy, with the first Data wins the inaugural International Care to release the names of OHIP’s top devoted to the topic of situation tables. Conference of Data Protection and billers to the Toronto Star. The ministry Privacy Commissioners’ award for had previously disclosed payment excellence in research. amounts and the specialties of some 2017 physicians in response to the Star’s In January, the IPC holds its annual Amendments to PHIPA came into force, requiring health information custodians request, but withheld the names of Privacy Day event. The theme is under PHIPA to report certain health the physicians as an invasion of their Government and Big Data and privacy breaches to the IPC. personal privacy. The IPC decides that features privacy and big data experts the information is of a business or offering solutions to privacy risks that professional nature, and not personal, governments face in an increasingly big and orders the ministry to disclose the data world. information. In June 2017, Ontario’s Divisional Court dismissed an application The IPC makes presentations to to quash the order, ruling that it was legislative committees on three bills: reasonable. The court agreed that the Bill 68, Modernizing Ontario’s Municipal names of the doctors, in conjunction Legislation Act, 2017 with the amounts they receive in OHIP payments and their medical specialties, Bill 84, the Medical Assistance in Dying is not “personal information.” The Ontario Statute Law Amendment Act, 2017
43 January May institutions should do when they receive this type of request, what a Big Data and Your Privacy Rights Big Data Guidelines requester can do if an institution The information presented in this These guidelines inform govern- claims their request is frivolous or fact sheet helps members of the ment institutions of the key issues vexatious and the IPC’s role in an public understand the meaning of to consider and best practices to appeal. “big data,” and how it can have an follow when conducting big data impact on an individual’s privacy. projects involving personal infor- Reporting a Privacy Breach to the mation. Commissioner: Guidelines for the Health Sector March July These guidelines summarize the Open Government and Protecting seven categories described in the Privacy Guidance on the Use of Automated Licence Plate Recognition Systems PHIPA regulation where custodi- The purpose of this paper is to (ALPR) by Police Services ans are required to report breaches help institutions understand that to the Commissioner. privacy is not a barrier to Open This document outlines the key Government, and that proactively obligations of police services under IPC 2017 GPEN Sweep Report: addressing privacy risks is critical MFIPPA and FIPPA in their use Online Educational Services to its success. of ALPR systems and provides guidance, including best practices, This year’s GPEN (Global Privacy April on using these systems in a priva- Enforcement Network) Sweep cy-protective manner. theme was “user control over Reasonable Search personal information.” The IPC This fact sheet explains the mean- August worked with the Office of the ing of “reasonable search,” how Privacy Commissioner of Canada institutions can comply with their Frivolous and Vexatious Requests to design and carry out a review of search obligations, how requesters can support institutions’ efforts This fact sheet explains the online educational services. This to find responsive records, and the meaning of a “frivolous or vexa- sweep report summarizes the find- role of the IPC in an appeal. tious request.” It describes what ings of our review.
44 45 GUIDANCE AND FACT SHEETS
November an-reported files under the Personal Submission to the Standing Commit- Health Information Protection Act. tee on Bill 89, Supporting Children, Youth and Families Act, 2017 Joint Federal Provincial Territo- PHIPA Practice Direction #1: Clari- rial Letter to Council of Ministers fying Access Requests of Education on the Importance of April Privacy Education PHIPA Practice Direction #2: Responding to a Request for Access to Comments of the Information and The goal of the joint letter to the Personal Health Information Council of Ministers of Education Privacy Commissioner of Ontario on PHIPA Practice Direction #3: was to encourage them to make the Proposed Open Meeting Amend- Publicly Released Decisions under the privacy education a greater priority ments in Bill 68, Modernizing Ontar- Personal Health Information Protec- io’s Municipal Legislation Act, 2017 by including it as a clear and con- tion Act, 2004 crete component in digital literacy curricula across the country. PHIPA Practice Direction #4: November Access/Correction Complaint Form Annual Reporting of Privacy Breach Comments of the Information and Statistics to the Commissioner— PHIPA Practice Direction #5: Privacy Commissioner of Ontario on Requirements for the Health Sector Collection, Use, and Disclosure Com- plaint Form Bill 160, Strengthening Quality and This document outlines the infor- Accountability for Patients Act, 2017 mation the IPC will require from health information custodians in 2017 IPC Submissions their annual reporting of breach statistics as of March 2019. and Comments on Legislation Updated Publications March Code of Procedure for Matters under the Personal Health Information Submission to the Standing Commit- Protection Act, 2004 tee on Bill 84, Medical Assistance This code applies to complaints, in Dying Statute Law Amendment IPC-initiated files, and custodi- Act, 2017
44 45 Updating our access and privacy laws is long
overdueUpdating and ournecessary access and ifprivacy they lawsare is tolong remain overdue and necessary if they are to relevantremain and relevant in line and inwith line thewith information the information age. age.
COMMISSIONER’S RECOMMENDATIONS
46 47 Expand Commissioner’s Oversight to Political Parties
POLITICAL PARTIES HOLD A LOT OF POWER IN OUR SYSTEM OF GOVERNMENT; THEY ALSO HOLD A LOT OF SENSITIVE PERSONAL INFORMATION ABOUT INDIVIDUALS. And yet, our political parties are not covered by privacy laws at either the provincial or federal level.
Recent events have illuminated the sensitive and granular nature of the personal information avail- able to political parties for their own purposes. We know that digital tools are now available to amass large amounts of personal information from diverse sources, analyze it in ways previously unforeseen and use insights gained to target individuals in specific and unique ways.
These increasingly sophisticated big data practises, frequently undertaken without voters’ knowledge or consent, raise new privacy and ethical concerns. Espe- cially given that such practices aim to influence the outcome of democratic elections, the need for greater transparency is clear.
Personal information held by political parties can also be vulnerable to privacy breaches. This includes unin- tentional breaches—for example, human error can lead to personal information being disclosed inappro- priately. It also includes cybersecurity threats, which may increase with the growing use of big data practises by political parties. Because political parties operate outside of privacy laws, there is little recourse for those impacted by a privacy breach.
To address the privacy, ethical and security risks associated with how political parties are collecting and using our personal information, I recommend that Ontario’s political parties be subject to privacy regula- tion and oversight.
46 47 for big data and data integration. aspects of our lives, communities Enact Legislation that Such a framework should support must recognize the corresponding Provides a Strong, a centralized, rather than decen- privacy concerns. Smart city proj- tralized, model of data integration. ects can involve the collection and Government-Wide Big This will help to avoid the repli- linking of large amounts of data Data Framework cation of multiple government that can generate highly personal databases that contain sensitive, information, and enable privacy I have long argued that advance- linked personal information. A gov- invasive profiling or surveillance. ments in technology and the ernment-wide big data framework These and other risks must be ever-expanding use of personal must contain additional controls addressed head on and project information are outpacing Ontar- to protect privacy, including leaders must understand their io’s public-sector access and privacy requirements for de-identification, legal obligations under Ontario’s laws. These laws were drafted 30 mandatory breach notification privacy laws. years ago and are poised for a legis- and reporting, and effective and I recommend that communities lative fix to bring them in line with independent oversight, with strong carry out thorough privacy impact modern technology and informa- investigative, audit, and review assessments (PIA) to identify and tion-sharing practices. My call to powers for the IPC. address the privacy risks before review and renew the acts stands— they launch smart city programs. Any future government framework we must modernize them if we are Transparency and community that enables big data projects must to continue to protect and promote engagement will also be critical to the access and privacy rights of the adopt this modern approach to help community members under- people we serve. privacy protection. stand how the proposed technology might affect them. Conducting a Public institutions increasingly Ensure Smart City PIA and engaging the community use big data to shape and improve early on will build public account- government policies, programs Initiatives are Privacy ability and trust. My office will and services, and gain new insights remain engaged in this area and about issues affecting the public Protective is ready to provide guidance and they serve. However, the current Across Ontario, there is growing support to ensure that smart city legislative regime effectively interest in “smart city” initia- initiatives comply with Ontario’s requires institutions to act as “silos” tives, as evidenced by large-scale privacy laws. of personal information. announcements such as Toronto’s In light of these legislative short- Quayside Project involving Alpha- Amend Ontario’s comings, Ontario needs a new or bet’s Sidewalk Labs and Waterfront modified framework, one that Toronto, and the Canada-wide Access Laws to Affirm supports sophisticated big data Smart Cities Challenge. IPC’s Power to Compel projects, streamlines and allows Many of these initiatives rely on for greater data integration while the use of data and connected tech- the Production of protecting personal privacy. To this nologies to identify and address Records end, I once again call on the Ontario the needs of communities. While I government to update our access acknowledge that smart cities have My office’s ability to determine and privacy laws to include a consis- the potential to improve many whether an institution has prop- tent, privacy-protective framework
48 erly claimed exemptions in the records to the IPC does not consti- delphia Model. Under this model, context of an access to informa- tute a waiver of this privilege. police and women’s advocates reg- tion appeal is often dependent on ularly review closed sexual assault our ability to examine the records files to identify any investigative at issue, including records over An Ontario-Based shortcomings that may be the result which solicitor-client privilege has Philadelphia Model of biases or stereotypes. The result been claimed. of our work was the development of a model Memorandum of Under- In 2016, the Supreme Court of Early in 2017 media reports standing (MOU) and confidenti- Canada considered whether the indicated that, on average, Cana- dian police services dismissed ality agreement, designed to set wording of the Alberta Freedom the terms for the review of sexual of Information and Protection of one out of every five sex-assault allegations on the basis that they assault cases by police and external Privacy Act was clear enough to reviewers. I strongly encourage empower the Alberta Informa- were “unfounded” (i.e. that no crime occurred or was attempted). police services across the province tion and Privacy Commissioner who adopt the use of the Philadel- to compel production of records “Unfounded” rates varied widely, including in Ontario. These phia Model to ensure a privacy-pro- claimed to be subject to solicitor-cli- tective framework is in place by ent privilege. The court found that reports prompted renewed calls for more effective and account- using the MOU and confidentiality the wording of Alberta’s legislation able sexual assault and domestic agreement developed through these was not sufficiently clear. In light violence investigations. Advocates consultations. of this decision, some institutions in Ontario working to end violence have questioned the IPC’s authority My office will continue to advocate against women pointed to a US to compel the production of records for the adoption of these recom- model—the Philadelphia Model—as over which solicitor-client privilege mendations on an active and ongo- a key part of the solution. Under is claimed. ing basis. Updating our access and that model, police and agencies privacy laws is long overdue and The federal government has intro- with expertise in combatting necessary if they are to remain rel- duced amendments to the Access violence against women regularly evant and in line with the informa- to Information Act and the Privacy review closed sexual assault files to tion age. The IPC is ready to work Act that would clarify the powers identify investigative shortcom- with institutions and assist wher- of the federal Information Com- ings associated with, for example, ever we can—together, we can help missioner and the federal privacy misinformation about complain- to ensure that Ontarians’ access and commissioner to examine records ants. After the City of Philadelphia privacy rights are strongly pro- subject to a claim of solicitor-cli- adopted the model in 2000, the tected well into the future. ent privilege. “unfounded” rate dropped to 4 per cent compared to the US national Once again, I am calling on the average of 7 per cent. Ontario government to follow the federal government’s lead and In 2017, my office engaged with amend FIPPA and MFIPPA to the Kingston and Ottawa police, clarify and affirm the IPC’s power the Ottawa Rape Crisis Centre, and to compel records, including those other policing and violence against subject to a claim of solicitor-cli- women stakeholders on how to ent privilege, and that providing implement the US-based Phila-
49 STATISTICS
YEAR AT A GLANCE
PROVINCIAL MUNICIPAL
PERSONAL PERSONAL GENERAL RECORDS TOTAL GENERAL RECORDS TOTAL INFORMATION INFORMATION -12% +8% +1% -2% -8% -5% REQUESTS REQUESTS TOTAL REQUESTS REQUESTS REQUESTS TOTAL REQUESTS 2017 7,220 2017 16,605 2017 23,825 2017 18,301 2017 17,681 2017 35,982 2016 8,294 2016 15,319 2016 23,613 2016 18,743 2016 19,231 2016 37,974
-15% -19% -18% -7% -1% -3% APPEALS OPENED APPEALS OPENED TOTAL APPEALS APPEALS OPENED APPEALS OPENED TOTAL APPEALS OPENED OPENED 2017 154 2017 450 2017 604 2017 194 2017 594 2017 788 2016 181 2016 555 2016 736 2016 209 2016 603 2016 812 +14% -3% +1% -1% +1% +1% APPEALS CLOSED APPEALS CLOSED TOTAL APPEALS APPEALS CLOSED APPEALS CLOSED TOTAL APPEALS CLOSED CLOSED 2017 196 2017 489 2017 685 2017 195 2017 534 2017 729 2016 172 2016 505 2016 677 2016 193 2016 530 2016 723 -71% -34% -8% -1% AVERAGE COST AVERAGE COST AVERAGE COST AVERAGE COST 2017 $ 4.02 2017 $25.53 2017 $ 9.92 2017 $24.50 2016 $13.86 2016 $38.60 2016 $10.75 2016 $24.66
SUMMARY OF PHIPA COMPLAINTS PRIVACY COMPLAINTS
-4% -9% +38% +68% PROVINCIAL MUNICIPAL ACCESS/CORRECTION SELF-REPORTED INDIVIDUAL OPENED IPC INITIATED OPENED OPENED BREACH OPENED 2017 155 2017 105 2017 322 2017 47 -7% -1% OPENED OPENED 2016 161 2016 115 2016 233 2016 28 2017 110 2017 158 2016 118 2016 159 +21% -9% +64% +119% ACCESS/CORRECTION SELF-REPORTED INDIVIDUAL CLOSED IPC INITIATED CLOSED CLOSED BREACH CLOSED +10% +4% 2017 164 2017 102 2017 305 2017 46 CLOSED CLOSED 2016 135 2016 112 2016 186 2016 21 2017 114 2017 159 2016 103 2016 153
50 OVERALL REQUESTS
OUTCOME OF REQUESTS: MUNICIPAL OUTCOME OF REQUESTS: PROVINCIAL
All information disclosed 6,034 All information disclosed 8,813
Information disclosed in part 19,254 Information disclosed in part 9,369 No information disclosed 1,500 No information disclosed 3,499 No responsive records exist 6,366 No responsive records exist 2,339 Request withdrawn, abandoned Request withdrawn, abandoned or non-�urisdictional 2,693 or non-�urisdictional 2,182
30,000
TOTAL
25,000 -2.8% REQUESTS 2017 59,807 2016 61,587 20,000 GENERAL RECORDS REQUESTS GENERAL RECORDS COMPLETED 34,286 34,550 15,000 BY SOURCE -0.7% REQUESTS 1. Individual�Public: 26,340 2017 34,286 2. Individual by agent: 13,408 2016 34,550 3. Business: 17,763 10,000 4. Academic�Researcher: 244 5. Association�Group : 878 PERSONAL 6. Media: 1,416 7. Government (all levels): 1,153 INFORMATION 8. Other: 657 5,000 -5% REQUESTS 2017 25,521
PERSONAL INFORMATION 25,521 27,037 2016 27,037 0 1 2 3 4 5 6 7 8 2017 2016 51 STATISTICS
NUMBER OF MUNICIPAL APPEALS OPENED 2008-2017
Personal Information General Records 1,000
800
20� 1�� 600 210 �0� ��� 2�� 21� 2�� �7� 400 1�� 222 2�� ��� 1�� ��2 �0� �1� ��� 2�0 �0� 200
0 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017
NUMBER OF PROVINCIAL APPEALS OPENED 2008-2017
Personal Information General Records 800
700
1�1 600 17� 1�� ��� 500 1�� 1�� ��� 1�� 1�� �01 ��� 400 1�� ��� ��0 121 �21 ��7 300 1�� �2� 2�1 200
100
0 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017
52 APPEALS PROCESSED� IN INTAKE BY DISPOSITION
Proceed to mediation (72.7%) Resolved (11.5%) Withdrawn (6.2%) Screened out without subs (5.3%) Screened out with subs (3.0%) Abandoned (0.7%) Order issued (0.5%)
* “Processed” refers to those files that completed the Intake stage between January 1, 2017 and December 31, 2017 and includes files that are still open in the Mediation and Adjudication stages
1,013 161 87 74 42 9 7
APPEALS PROCESSED� IN MEDIATION BY DISPOSITION
Settled (62.9%) No issues mediated (19.6%) Partially mediated (17.0%) Abandoned (0.5%) Withdrawn (0.1%)
* “Processed” refers to those files that completed the Mediation stage between January 1, 2017 and December 31, 2017 and includes files that are still open in the Adjudication stage
686 214 185 5 1
53 STATISTICS
1,200
TYPES OF APPELLANTS IN APPEALS OPENED 1,000
800
600
400
200
0 Individual Business Media Association� Government Academic� Union Politician 1,014 258 57 Group 16 Researcher 3 2 (72.8%) (18.5%) (4.1%) 34 (1.1%) 8 (0.2%) (0.1%) (2.4%) (0.6%)
NUMBER OF APPEALS CLOSED BY ORDER, NUMBER OF APPEALS CLOSED OTHER THAN BY ORDER, BY ORDER OUTCOME BY OUTCOME
Withdrawn 130 Head�s decision partially upheld 83 Screened out Head�s decision 116 not upheld 35 Abandoned 35
�ediated in �ull 854 Head�s decision upheld 152
Other 5 Dismissed without In�uiry/Review/Order 4
54 ISSUES IN APPEALS OPENED
Exemptions only (39.4%)
Third party (13.2%)
Exemptions with other issues (9.1%)
Reasonable search (8.3%)
Deemed refusal (8.0%)
Act does not apply (5.7%)
Frivolous or vexatious (4.2%)
Other (4.0%)
Interim decision (2.9%)
Custody or control (1.7%)
Time extension (1.7%)
Fee (0.6%)
Correction (0.6%)
Fee and fee waiver (0.4%)
Failure to disclose (0.2%)
Fee waiver (0.1%)
Forward (0.1%)
549 184 127 115 112 79 58 55 40 23 23 9 8 5 3 1 1
2 OUTCOME OF APPEALS BY STAGE Ad�udication Intake 342 �24.2�� 380 �26.9�� CLOSED 3
1
4 �ediation 692 �48.9�� 5 6
1. �ediated in �ull� 854 �60.4�� 2. Order issued� 275 �19.4�� 3. Withdrawn� 130 �9.2�� 4. Screened out� 116 �8.2�� 5. Abandoned� 35 �2.5�� 6. Dismissed without In�uiry/ Review/Order� 4 �0.3�� 55 STATISTICS
AVG COST OF MUNICIPAL AVG COST OF PROVINCIAL REQUESTS REQUESTS
PERSONAL PERSONAL GENERAL RECORDS GENERAL RECORDS INFORMATION INFORMATION $9.92 $24.50 $4.02 $25.53
30 50 25 40 20 30 15 20 10 10 5 0 2013 2014 2015 2016 2017 2013 2014 2015 2016 2017
General Records General Records Personal Information Personal Information
TOTAL FEES COLLECTED AND WAIVED
MUNICIPAL PROVINCIAL TOTAL $173,078.59 $103,862.45 $276,941.04 TOTAL APPLICATION FEES TOTAL APPLICATION FEES TOTAL APPLICATION FEES COLLECTED COLLECTED COLLECTED
$436,405.71 $400,480.33 $836,886.04 TOTAL ADDITIONAL FEES TOTAL ADDITIONAL FEES TOTAL ADDITIONAL FEES COLLECTED COLLECTED COLLECTED $609,484.30 $504,342.78 $1,113,827.08 TOTAL TOTAL TOTAL $47,570.83 $13,850.59 $61,421.42 TOTAL FEES WAIVED TOTAL FEES WAIVED TOTAL FEES WAIVED
56 FINANCIAL STATEMENT
2017-2018 2016-2017 2016-2017 Estimates Estimates Actual $ $ $ SALARIES AND WAGES 13,404,400 10,444,100 10,447,365 EMPLOYEE BENEFITS 3,083,600 2,401,900 2,078,290 TRANSPORTATION AND COMMUNICATIONS 286,700 337,500 165,348 SERVICES 3,123,900 1,960,300 2,353,714 SUPPLIES AND EQUIPMENT 489,000 336,000 247,038
TOTAL 20,387,600 15,479,800 15,291,755
Note: The IPC’s fiscal year begins April 1 and ends March 31. The financial statement of the IPC is audited on an annual basis by the Office of the Auditor General of Ontario.
2017 APPEALS FEES DEPOSIT (Calendar year)
GENERAL INFO. PERSONAL INFO. TOTAL
$18,660 $2,972 $21,632
See further financial information, including IPC Public Sector Salary Disclosure, at www.ipc.on.ca. 2017 ANNUAL REPORT
Office of the Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400 Toronto, Ontario M4W 1A8 Canada www.ipc.on.ca