THIRTY YEARS OF ACCESS AND PRIVACY SERVICE
2017 ANNUAL REPORT
June 14, 2018
The Honourable Dave Levac Speaker of the Legislative Assembly of Ontario
Dear Speaker,
I have the honour to present the 2017 Annual Report of the Information and Privacy Commissioner of Ontario to the Legislative Assembly.
This report covers the period from January 1 to December 31, 2017.
Please note that additional reporting from 2017, including the full array of statistics, analysis and supporting documents, may be found within our online Annual Report section at www.ipc.on.ca.
Sincerely yours,
Brian Beamish
Commissioner
TABLE OF CONTENTS
COMMISSIONER’S MESSAGE
ABOUT US
OUR WORK
ACCESS TO INFORMATION
MUNICIPAL LEGISLATION
DELETION OF EMAILS
PROMOTING UNDERSTANDING OF ACCESS ISSUES
SIGNIFICANT ACCESS DECISIONS
MEDIATED APPEALS
JUDICIAL REVIEWS
PROTECTION OF PRIVACY
DATA PRIVACY DAY
CHILD, YOUTH AND FAMILIES SERVICES ACT, 2017
IPC’S DE-IDENTIFICATION PUBLICATION WINS AT INTERNATIONAL CONFERENCE
PRIVACY IN EDUCATION
POLICE SERVICES ACT
ANTI-RACISM ACT
BIG DATA
OPEN GOVERNMENT AND PRIVACY
PRIVACY INVESTIGATIONS
CONSULTATIONS
HEALTH
NEW CODE OF PROCEDURE FOR MATTERS UNDER PHIPA
THREE-YEAR REVIEWS OF PRESCRIBED HEALTH ENTITIES AND PERSONS
SIGNIFICANT PHIPA DECISIONS
30 YEARS OF ACCESS AND PRIVACY SERVICE
GUIDANCE AND FACT SHEETS
COMMISSIONER’S RECOMMENDATIONS
STATISTICS
FINANCIAL SUMMARY
What has not changed in all of these years ... is our unwavering pursuit of privacy protection within a more open, transparent and accountable Ontario.
Thirty Years of Access and Privacy Service
COMMISSIONER’S MESSAGE
2017 WAS A MILESTONE YEAR FOR THE OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER (IPC), ONE IN WHICH MY OFFICE PROUDLY CELEBRATED 30 YEARS OF ACCESS AND PRIVACY SERVICE TO ONTARIANS. For more than three decades, protecting and advancing access to information and personal privacy rights has been at the forefront of our work.
Much has changed since we first opened our doors in 1987. In 1988, the Freedom of Information and Protection of Privacy Act (FIPPA) came into force, followed by its municipal counterpart, MFIPPA, in 1991. The IPC has seen its mandate expand a number of times since then. In 2004, the Personal Health Information Protection Act (PHIPA) ushered in a new era of health privacy rights for Ontarians, and has since become the gold standard against which other health privacy statutes are measured. The IPC’s mandate grew yet again in 2006 when universities were brought under FIPPA, and again in 2012 when hospitals followed suit. Soon, our mandate will undergo another historic expansion when, for the first time ever, children’s aid societies and other child and family service providers will become subject to the IPC’s oversight.
What has not changed in all of these years, however, is our unwavering dedication to privacy protection while pursuing a more open, transparent and accountable Ontario. Each expansion of our mandate has brought greater access to information, more government transparency and increased privacy rights for Ontarians.
Included in this annual report is a special anniversary retrospective, highlighting our 30-year legacy—from our extensive advocacy work to the major milestones and many successes we have achieved as an oversight agency. The last three decades have been productive and rewarding for the IPC and 2017 unfolded in very much the same vein.
Privacy Day and Big Data
2017 began on a high note with our signature Privacy Day event, this year focusing on the theme of Government and Big Data. We welcomed privacy and big data experts who engaged in a lively discussion about the various privacy challenges that governments face in the era of big data. I used this special occasion to call on the Ontario government to modernize our access and privacy laws to ensure that public institutions harness data analytics in a privacy-protective manner. FIPPA and MFIPPA were designed almost 30 years ago, prior to the emergence of big data analytics as tools to identify trends, detect patterns and gather other valuable findings from the massive amount of information available to government institutions. With more organizations relying on data to develop evidence-based programs and policies, the need for legislative reform in this area has never been greater. My office will continue to work closely with institutions to ensure that the great promise of big data respects and protects their privacy rights.
Joint Resolution on Solicitor-Client Privilege
In 2017, I represented the IPC at the annual federal, provincial and territorial meeting of Information and Privacy Commissioners in Iqaluit, Nunavut. At the top of the agenda was a discussion about the Supreme Court of Canada’s (SCC) 2016 decision in Alberta (Information and Privacy Commissioner) v. University of Calgary. In this decision, the court ruled that Alberta’s IPC did not have the power to compel the production of records over which solicitor-client privilege is claimed. This ruling raises serious concerns for Canada’s IPCs, who require this power to independently review appeals of access decisions and properly fulfil our respective mandates as the nation’s access and privacy regulators.
This SCC decision was the impetus for passing a joint resolution, in which we called on governments to amend access and privacy laws to ensure that IPCs across Canada are expressly authorized to compel the production of records over which solicitor-client privilege is claimed. This is critical if we are to safeguard the independent review of such claims and verify that institutions are properly applying this exemption.
Student Privacy
My office collaborated with our federal counterparts on another important front in 2017. This time we partnered with the Office of the Privacy Commissioner of Canada in a joint research effort to evaluate online educational services. Our work was part of a larger, annual initiative coordinated by the Global Privacy Enforcement Network, made up of over 60 privacy enforcement authorities around the world who work to strengthen privacy protections in an increasingly data-rich landscape.
As part of this privacy initiative, our offices evaluated a number of online educational services to determine what personal information is collected, how it is used and disclosed, and what control users have over their personal information.
Our review included best practices for protecting student privacy and recommended that educators carefully examine privacy policies and terms of service to understand how students’ information may be collected, used, and disclosed. We also urged educators to consult with school officials before selecting online educational services to ensure they comply with Ontario privacy laws.
Prescribed Health Entities and Registries
Every three years, my office reviews the privacy-related practices and procedures of prescribed entities and registries in the health sector. In 2017, the IPC conducted this review to determine whether they continue to meet the requirements under PHIPA.
As part of this year-long process, each of the four prescribed entities* and six prescribed registries** submitted detailed written reports and sworn affidavits to my office, attesting that their respective information practices and procedures are consistent with Ontario’s health privacy law.
Based on our comprehensive reviews, my office was pleased to confirm that all prescribed entities and registries continue to have in place practices and procedures that protect the health privacy of Ontarians, and sufficiently maintain the confidentiality of their information.
* Cancer Care Ontario, Canadian Institute for Health Information, Institute for Clinical Evaluative Sciences, Pediatric Oncology Group of Ontario
** Cardiac Care Network of Ontario, INSCYTE, Cancer Care Ontario, Children’s Hospital of Eastern Ontario, Ontario Institute for Cancer Research, Hamilton Health Sciences Corporation.
Global Privacy Award for IPC De-identification Guidelines
In 2017, our De-identification Guidelines for Structured Data won the inaugural International Conference of Data Protection and Privacy Commissioners’ (ICDPPC) award for excellence in research. The ICDPPC awards attracted 90 entries from data protection and privacy authorities around the world and were announced at the 39th ICDPPC conference in Hong Kong.
Our guidelines are the first of their kind in Canada to use plain language to explain sophisticated de-identification concepts for the process of removing personal information from a record or data set. I was honoured to accept this award on behalf of the IPC and it was especially gratifying to have our efforts recognized on the global stage. The IPC’s Crossing the Line: The Indiscriminate Disclosure of Attempted Suicide Information to US Border Officials via CPIC was also recognized as a finalist in the dispute resolution, enforcement and compliance category. This report, and the subsequent court resolution, was the result of working collaboratively with the Toronto Police Service and privacy, mental health, and human rights stakeholders to develop privacy-protective measures that bring greater clarity and discipline to police disclosure practices.
An Ontario-Based Philadelphia Model for Sexual Assault Research
In 2017, my office engaged with the Kingston and Ottawa police, the Ottawa Rape Crisis Centre, and other policing and violence against women stakeholders on how to implement the US-based Philadelphia Model. This is a model where police and women’s advocates regularly review closed sexual assault files to identify any investigative shortcomings related to, for example, biases or stereotypes. The centrepiece of our collaborative work was the development of a model Memorandum of Understanding (MOU) and confidentiality agreement, designed to set the terms for the review of sexual assault cases by police and external reviewers. Our Kingston-based model MOU and confidentiality agreement will help to ensure a privacy-protective framework is in place for other police services considering the use of the Philadelphia Model.
Outreach and Stakeholder Engagement
So much of what we do at the IPC involves educating public and health sector institutions—and the people they serve—about their access and privacy rights and obligations. In 2017, IPC staff delivered more than 100 presentations on leading and emerging access, privacy, and health privacy issues facing our public and health care sector stakeholders. Our popular Reaching Out to Ontario series is a key element of our outreach program, with visits this past year to Thunder Bay and Windsor. These events featured a range of topics including the privacy risks of big data; the benefits of open contracting; how institutions can protect against ransomware attacks; recent developments in access to information laws; and the technical, physical and administrative safeguards that health care providers should implement to protect their patients’ information.
My office continued to fulfil our commitment to increased engagement with audiences across the province through our interactive webinar series. One of the webinars we hosted this year focused on how the IPC interprets FIPPA and MFIPPA exemptions. This webinar exceeded all expectations, attracting more than 600 registrants who watched the live presentation and participated in the Q&A session that followed. The webinar series has helped us to overcome geographical barriers to engaging with all Ontarians, regardless of where they live or work.
[Images: The Privacy Protective Roadmap; Understanding Exemptions in FIPPA and MFIPPA; Issues and solutions in the context of a collaborative service delivery development: The Situation Table; The Impact of Records and Information Management on Access and Privacy]
The success of our webinar series has helped us to overcome geographical barriers to delivering our mandate on behalf of all Ontarians, regardless of where they live or work.
Annual Statistical Report Attestations of FIPPA Compliance
Every year, public institutions must submit an annual statistical report to the IPC – this responsibility forms an important part of their work and is required by law. One of my 2016 Annual Report recommendations was that all deputy ministers sign and submit an annual attestation to my office, indicating that their respective ministries are in compliance with the statistical reporting requirements set out in FIPPA and that their statistics are accurate.
This year my office received attestations from the deputy ministers of Ontario’s 30 ministries, providing a strong level of accountability for the veracity of their 2017 statistical submissions.
Policy Consultations with Government
Much of the work at the IPC centres on providing advice on proposed legislation, programs and practices to ensure that they comply with Ontario’s access and privacy laws. In 2017 alone, I provided my comments on four bills, including Bill 68, Modernizing Ontario’s Municipal Legislation Act, 2017; Bill 84, the Medical Assistance in Dying Statute Law Amendment Act, 2017; Bill 89, the Supporting Children, Youth and Families Act; and Bill 160, the Strengthening Quality and Accountability for Patients Act, 2017. A common thread across all of my submissions was to urge the Ontario government to advance the basic tenets of open government and privacy protection and to ensure that these bills guard against the erosion of Ontarians’ access to information and privacy rights.
Throughout 2017 my office consulted extensively with the Ministry of Children and Youth Services, the Ontario Child Advocate and the child welfare sector to support the implementation of the Child, Youth and Family Services Act (CYFSA). When Part X of this law comes into force, on January 1, 2020, the IPC will mark an historic expansion of its responsibilities. For the first time, Ontarians will have the right to access their personal information held by children’s aid societies and other service providers and file privacy complaints against them with my office. My staff and I look forward to our expanded oversight and believe it will usher in an era of greater public accountability in Ontario.
Mandatory Health Privacy Breach Reporting
PHIPA underwent a number of significant amendments in 2017, one of which requires that health care providers, such as hospitals, medical offices and others who deal with patient information, report certain health privacy breaches to my office. To help health care organizations and professionals understand and meet their new mandatory reporting requirements, the IPC published privacy breach reporting guidelines that outline reporting criteria and explain when and in what circumstances these bodies must notify the IPC of a breach. I was pleased to see this amendment come into effect on October 1, and believe it will better protect patient privacy and improve accountability and transparency across Ontario’s health care system. Our front-line staff was certainly put to the test by the resulting increase in reports. The number of breaches reported to our office more than doubled for the last three months of 2017, compared to the same period in 2016. I was once again impressed by the agility with which our Tribunal Services staff responded to this dramatic increase in workload.
Final Thoughts
As I reflect on the IPC’s 30-year history, I would like to thank our staff—past and present—for their professionalism in meeting the many pressures and demands we have faced as an organization. Our work would not be possible without their dedication to protecting and advancing Ontarians’ access and privacy rights. Their ongoing commitment to excellence has helped to make the IPC one of the most respected oversight agencies in the country. I feel confident that in the years ahead my office will continue to build on the progress we made over the last 30 years.
Brian Beamish
Commissioner
Ontarians will have the right to access their personal information held by children’s aid societies and other service providers and file privacy complaints against them with my office.
OUR VALUES
RESPECT | We treat all people with respect and dignity, and value diversity and inclusiveness.
INTEGRITY | We take accountability for our actions and embrace transparency to empower public scrutiny.
FAIRNESS | We make decisions that are impartial and independent, based on the law, using fair and transparent procedures.
COLLABORATION | We work constructively with our colleagues and stakeholders to give advice that is practical and effective.
EXCELLENCE | We strive to achieve the highest professional standards in quality of work and delivery of services in a timely and efficient manner.
OUR STRATEGIC GOALS
• Uphold the public’s right to know and right to privacy
• Encourage open, accountable and transparent public institutions
• Promote privacy protective programs and practices
• Ensure an efficient and effective organization with engaged and knowledgeable staff
• Empower the public to exercise its access and privacy rights
For three decades, protecting and advancing access to information and personal privacy rights has been at the forefront of our work.
ABOUT US
Established in 1987, the Office of the Information and Privacy Commissioner of Ontario (IPC) provides independent oversight of the province’s access and privacy laws.
The Freedom of Information and Protection of Privacy Act (FIPPA) applies to over 300 provincial institutions such as ministries, provincial agencies, boards and commissions, as well as community colleges, universities, local health integration networks, and hospitals.
The Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) applies to over 1,200 municipal institutions such as municipalities, police services boards, school boards, conservation authorities, boards of health, and transit commissions.
The Personal Health Information Protection Act (PHIPA) covers individuals and organizations in Ontario that are involved in the delivery of health care services, including hospitals, pharmacies, laboratories, and Ontario’s Ministry of Health and Long-Term Care, as well as health care providers such as doctors, dentists, and nurses.
Our Work
Commissioner
The Commissioner is appointed by the Legislative Assembly of Ontario and is independent of the government of the day. His mandate includes resolving access to information appeals and privacy complaints, educating the public about access and privacy issues, reviewing information practices and commenting on proposed legislation, programs, and practices.
In 2017, the IPC was mentioned more than 100 times in the media and made 103 presentations to stakeholder and public audiences.
Tribunal
Intake
The Registrar receives all access appeals and privacy complaints, including health privacy complaints, and directs them to the appropriate department. Intake can screen out or resolve appeals or complaints at an early stage. Our intake analysts also serve as our front-line response to privacy breaches.
In 2017, our Registrar received:
• 1,392 access appeals
• 629 health complaints
• 268 privacy complaints
We closed 246 privacy and 538 health complaints at intake in 2017.
Investigation and Mediation
Our team of investigators gather information and resolve privacy complaints, including health privacy complaints, while our team of mediators work to resolve or narrow the issues in access appeals with a view to a mutually agreeable solution. While our decisions attract the most attention, the majority of access appeals and privacy complaints are resolved through mediation.
In 2017, 686 access to information appeals were fully resolved at the mediation stage. Ten privacy complaints moved to Mediation and Investigation and six were closed. One was resolved through mediation and five resulted in an investigative report. Our PHIPA investigators also issued four decisions, closing breach investigations.
Adjudication
When a resolution cannot be found through mediation, access appeals and health complaints are forwarded to an adjudicator who will decide whether to conduct a formal inquiry. The adjudicator collects and reviews evidence and arguments and issues a final and binding decision. A court review of IPC decisions is available in some limited circumstances.
In 2017, our adjudicators closed 140 provincial access to information appeals through orders, 135 municipal appeals through orders and 22 PHIPA decisions.
TRIBUNAL SERVICES OVERVIEW
• 1,392 ACCESS APPEALS RECEIVED
• 686 ACCESS APPEALS SETTLED AT THE MEDIATION STAGE
• 1,414 ACCESS APPEALS CLOSED
• 268 PRIVACY COMPLAINTS RECEIVED
• 273 PRIVACY COMPLAINTS CLOSED
• 629 HEALTH COMPLAINTS RECEIVED
• 617 HEALTH COMPLAINTS CLOSED
• 140 PROVINCIAL ORDERS ISSUED
• 135 MUNICIPAL ORDERS ISSUED
• 26 PHIPA DECISIONS ISSUED
Legal
Our legal department works in close collaboration with and provides legal advice and support to the Commissioner and other departments. Our lawyers frequently provide advice and comments with respect to proposed legislation, programs and technologies in the government and health sectors. They also represent the Commissioner in judicial reviews and appeals of the IPC’s decisions and in other court cases regarding access to information and privacy issues.
In 2017, our Legal Services Department made more than 32 presentations and represented the Commissioner in six court hearings. Legal Services also represented the IPC as an intervener in a case before the Supreme Court of Canada.
Policy
Our policy analysts research, analyze, and provide advice on current, evolving and emerging access and privacy issues. Public organizations will frequently ask our policy analysts to examine and review their access and privacy practices. They also examine and provide comments on any proposed legislation that may affect the rights of Ontarians.
In 2017, our Policy Department released nine guidance documents, fact sheets and reports, and provided consultations and advice to a variety of public sector organizations and made more than 21 presentations where they provided information and insight on privacy and access issues.
Health Policy
Our health policy team researches privacy issues relating to personal health information and provides guidance through education, consultation, and comment on health policy and legislation. They also conduct reviews of the information practices of prescribed entities and persons on a tri-annual basis.
In 2017, Health Policy issued eight publications, helped develop amendments to health privacy legislation, and consulted with and presented to numerous organizations.
Communications
Communications promotes the work of the IPC and engages in public information campaigns and outreach initiatives to inform and empower both the public and public servants about matters of access and privacy. Our communications team also manages the IPC website, social media channels, media relations, and public events.
In 2017, Communications fielded more than 76 media calls, developed two webinars, and oversaw three major events that attracted over 800 people, in person and via webcast. Communications responds to thousands of calls and emails from the public through our public enquiry lines each year.
Corporate Services and Technology
From overseeing organizational operations such as human resources and monitoring expenditures to providing technical support, our Corporate Services and Technology department provides the day-to-day operational support and infrastructure needed for the Commissioner and IPC staff to do their jobs effectively and efficiently.
The IPC has long been a champion for increased transparency as a means to support accountability and civic engagement.
Increasing Transparency
ACCESS TO INFORMATION
OPENNESS AND TRANSPARENCY ARE ESSENTIAL TO MAINTAINING THE PUBLIC’S TRUST AND CONFIDENCE IN GOVERNMENT INSTITUTIONS. The IPC has long been a champion for increased transparency as a means to support accountability and civic engagement. Over the past year, the IPC has engaged in activities on a number of fronts to support the public’s right to know.
Municipal Legislation
Open meetings about government activities are essential to democracy, shining a light on policy development and promoting accountability for public spending. This year the IPC spoke out about changes to Ontario’s Municipal Act and the City of Toronto Act, which expand the criteria a municipality or local board can use to close all or part of a meeting to the public. In its submission to the legislative committee related to Bill 68, the IPC questioned the need to broaden the exceptions to the open meeting requirement and emphasized the impact of closed-door meetings on the public’s right to access information. The government made the legislative changes to the closed meeting rules despite the IPC’s concerns.
Deletion of Emails
In 2017, the gas plants matter came before the courts and in early 2018 one individual was found guilty of criminal offences related to the deliberate destruction of documents. Our office investigated allegations that political staff inappropriately deleted emails about the gas plant cancellations when they originally surfaced back in 2013. At that time, we found that the deletions were in violation of the Archives and Recordkeeping Act and recommended amendments to Ontario’s access and privacy laws to address the responsibility of institutions to ensure key decisions are documented. In light of the recent conviction and a resolution passed by all of Canada’s information commissioners, the IPC continues to call on the government to create a legislated duty for public entities in Ontario to document matters related to their deliberations, actions, and decisions.
[Chart: TOP 10 MUNICIPAL INSTITUTIONS. Legend: Requests Received, Requests Completed, Within 30 Days, Over 90 Days. Institutions: Toronto Police Service, City of Toronto, Niagara Regional Police Service, York Regional Police Service, Durham Regional Police Service, Peel Regional Police Service, Hamilton Police Service, Halton Regional Police Service, Waterloo Regional Police Service, Ottawa Police Service.]
Promoting Understanding of Access Issues
A basic principle of Ontario’s access and privacy laws is that the public has a right of access to government-held information, and exemptions from this right of access should be limited and specific. This year, our office hosted a webinar for freedom of information coordinators and other frontline staff to enhance their understanding of this topic. Participants had the opportunity to hear from a panel of IPC experts and ask questions.
Records and information management (RIM) practices can have far-reaching impacts, helping or hindering an institution’s ability to respond to access requests from the public. In 2017, our office released an educational video for institutions, to help them understand the relationship between effective RIM practices and their ability to meet their responsibilities under Ontario’s access laws.
Over the past year, our office published a number of guidance materials on access-related topics to increase understanding among institutions and the public. These included fact sheets on Frivolous and Vexatious Requests, and Reasonable Search, which address the issues of managing excessive requests and how institutions and requesters can ensure adequate searches for records.
[Chart: TOP 10 PROVINCIAL INSTITUTIONS. Legend: Requests Received, Requests Completed, Within 30 Days, Over 90 Days. Institutions: Ministry of the Environment and Climate Change, Ministry of Community Safety and Correctional Services, Ministry of Community and Social Services, Ministry of Labour, Landlord and Tenant Board, Ministry of the Attorney General, Ministry of Government and Consumer Services, Ministry of Transportation, Ministry of Health and Long-Term Care, Workplace Safety and Insurance Board.]
Significant Access Decisions
Our Tribunal Services team issued a number of decisions this year, providing guidance on the application of FIPPA and MFIPPA, including:
MO-3471 – A request was made for access to communications sent or received by staff of a city councillor concerning that councillor’s Twitter account. Our office upheld the City of Toronto’s decision to deny access to the records. The adjudicator determined that the records were personal, political records relating to the councillor’s activities as an elected representative and were not under the control of the city.
MO-3476 – A requester sought information about police street checks and racial data from the Peel Regional Police. The police denied access to six records, claiming they contained advice and recommendations. The IPC partially upheld their decision, denying access to one record but ordering the release of the others based on a compelling public interest—the accurate reporting of race data as it related to the street checks of individuals.
PO-3717 – A request was made to the Ministry of Energy for reports related to the progress of the Darlington Nuclear Generating Station refurbishment. The ministry decided not to release the records on the basis they contained commercial and third-party information and that release would result in harm. Our office found that there was insufficient evidence to establish the harms to the ministry or the third party’s economic or other interests, and ordered their release.
MO-3514 – An individual requested access to a motor vehicle collision report related to a car accident they were involved in. The police denied access to the report on the grounds that the information contained in the record was already publicly available. The IPC upheld the decision, finding that a regular system of access was available to allow anyone to obtain the records.
PO-3691 – A requester made numerous requests to the Public Guardian and Trustee (PGT) for records relating to the estates of named deceased individuals (including 40 requests within a nine-week period and 116 total requests). When the PGT limited the number of requests the individual could make at one time, the requester appealed to our office. The IPC found that the number of requests established a pattern of conduct that interfered with the operations of the institution, and that the requests were frivolous and vexatious. Our office limited the number of requests the individual could make to five at any given point in time.
A key element of the IPC’s mandate is to resolve access to information appeals under Ontario’s access and privacy laws.
Mediated Appeals
A key element of the IPC’s mandate is to resolve access to information appeals under Ontario’s access and privacy laws. This is frequently achieved through the mediation process, where parties have an opportunity to explain their respective positions, clarify issues, and discuss potential settlement options.
Our office resolves a large volume of access to information appeals through mediation. Here are some highlights from the past year:
• A police service received a request from an individual for records relating to a security breach involving her credit card. The police denied access to some of the records on the grounds they contained the personal information of another individual. The mediator obtained consent from the other individual to disclose their information, which resulted in the police granting full access to a police report. Following clarification of other issues during mediation, the police also granted access to statistical information previously withheld. These efforts also resulted in the police changing aspects of their policy regarding the disclosure of statistical information. Going forward, they will routinely disclose statistical information that is not subject to mandatory exemptions.
• An individual requested the minutes and audio recording of a town meeting held in closed session. The town denied access to all records, citing the closed meeting exemption. During mediation, the town agreed to transcribe the audio recording of the meeting. The town then exercised its discretion to provide partial access to both the minutes and the transcript, as well as documents considered by the council during the meeting.
• Police denied a request by an individual for her own report relating to a recent sexual assault on the grounds it was part of a continuing investigation. Through mediation, the individual requesting the report was able to explain her reasons for the request. The documentation was required to alert a foreign embassy of her sexual assault claim against an individual who was currently traveling to his home country. With the assistance of a mediator and additional information about the circumstances related to the request, the police agreed to provide partial access to the report within hours.
• An individual requested statistical records related to faculty members at a university and received a costly fee estimate to locate and prepare the records. During mediation, the university detailed the technical difficulties they were encountering trying to extract the records from an outdated database. During the discussion it was determined that if the request was narrowed slightly, it would significantly speed up the search. The requester amended the request and the university issued a revised fee estimate of about half the original cost. The requester received the records and was satisfied with the result.
[Charts: APPEALS OPENED IN 2017 and APPEALS CLOSED IN 2017, by Personal Information and General Records, 2017 and 2016.]
Judicial Reviews
OUR LEGAL DEPARTMENT REPRESENTS THE COMMISSIONER IN JUDICIAL REVIEWS AND APPEALS OF THE IPC’S DECISIONS.
Treasury Board Secretariat and Third-Party Records
The Treasury Board Secretariat received a request for access to a copy of a benchmarking report prepared by a third party. After consulting with the third party, the Treasury Board granted partial access to the report, with portions withheld, citing the third-party exemption. The requester appealed the Treasury Board’s decision to our office. In Order PO-3663, the adjudicator found that the information at issue was not exempt under the third-party records exemption because disclosure could not reasonably be expected to result in any of the commercial or competitive harms alleged. She ordered disclosure of the information. The affected party sought a judicial review before the Ontario Divisional Court. The Court dismissed the application for judicial review stating that, in its view, the adjudicator’s decision was reasonable.
Ministry of Health and Long-Term Care—Access to Physicians’ OHIP Billing Information
The record at issue in this appeal, created in response to a request by a journalist, sets out the total dollar amounts paid annually to the top 100 OHIP billers, their names and their medical specialties, for the years 2008 to 2012. The ministry disclosed the dollar amounts and most of the specialties, but withheld the physicians’ names and some of the specialties under the personal privacy exemption in FIPPA. One of the parties to the appeal also raised the third-party information exemption in FIPPA. The appellant claimed that the public interest override applied. In Order PO-3617, the adjudicator found that the record does not contain personal information, and as a consequence, the personal privacy exemption does not apply. The adjudicator also found that the third-party exemption did not apply, and that there was a compelling public interest in the disclosure of the record. The IPC ordered the ministry to disclose the record in its entirety to the journalist.
Ontario’s Divisional Court dismissed three applications by doctors’ groups to quash the order, ruling that it was reasonable. The Court agreed that the names of the doctors, in conjunction with the amounts they receive in OHIP payments and their medical specialties, is not “personal information.” The Ontario Court of Appeal will hear appeals from this decision in June 2018.
Ryerson University and Third-Party Information
The university received a request under FIPPA for an agreement between it and a bank relating to the issuance of university-branded credit cards. The university granted partial access to the agreement, withholding some information, citing the third-party information exemption. Both the requester and the bank appealed the university’s decision, with the requester arguing that none of the agreement is exempt and the bank arguing that the entire agreement is exempt under that same section of FIPPA.
In Order PO-3598, the adjudicator found that none of the information in the agreement was “supplied” to the university, therefore the exemption for third-party information did not apply. She ordered the university to disclose the agreement in its entirety to the requester.
The bank, as the affected third party, sought a judicial review of this order in the Divisional Court. The Court dismissed the application stating that the decision of the adjudicator fell within a reasonable range of outcomes given the terms of the legislation and the facts before her.
Ministry of the Attorney General and Office of the Children’s Lawyer for Ontario—Application of FIPPA
PO-3520—The Ministry of the Attorney General received a request for information related to services provided to the requester’s two children by the Office of the Children’s Lawyer for Ontario (OCL) in custody and access proceedings. The ministry advised that the OCL took the position that FIPPA does not apply to litigation files where it provides services to children. As a result, the ministry claimed that records related to these files were not in its custody or under its control and denied the request.
In Order PO-3520, the adjudicator found that records of the OCL covered by the request were in the custody or control of the ministry and ordered the ministry to issue an access decision to the requester, which could be made by the OCL.
The OCL filed an application for a judicial review, which was dismissed by the Ontario Divisional Court. The Ontario Court of Appeal heard the OCL’s appeal in late 2017 but has not yet issued its decision.
Algoma Public Health and a Report Relating to Allegations of Wrongdoing
MO-3295—Algoma Public Health (APH) received a request for access to the “final report of [the] 2015 KPMG Forensic Review.” The report related to whether a conflict of interest existed regarding the appointment of APH’s former interim CFO, and whether any funds were subsequently misappropriated or lost by APH. While APH determined that an exemption for personal privacy under MFIPPA applied, it granted access to the report under the public interest override. An affected party appealed APH’s decision, claiming disclosure would expose her to civil liability. The affected party also claimed that the public interest override did not apply in the circumstances. The IPC decided that the personal privacy exemption applied to the record, but agreed with APH that there was a compelling public interest in disclosure of the record. Accordingly, the IPC ordered APH to disclose the record to the requester.
The affected party sought a judicial review of the order and the associated reconsideration order and both orders were quashed by the Divisional Court. The appeal was sent back to the Commissioner for a new hearing.
The IPC was granted leave to appeal the Divisional Court’s decision to the Ontario Court of Appeal. The appeal is expected to be heard in fall 2018.
[Charts: New judicial review applications / IPC interventions in 2017: 6. Judicial reviews / IPC interventions closed and/or heard in 2017: 7. Ongoing judicial reviews / IPC interventions as of December 31, 2017: 12.]
PRIVACY
IN 2017, IPC’S WORK SPANNED A RANGE OF TOPICS RELATED TO PRIVACY PROTECTION IN ONTARIO.
Data Privacy Day
The IPC began 2017 by hosting a public event to mark International Privacy Day. Given that big data is changing the landscape of how Ontario institutions develop public policy and design government programs, the topic for 2017 was Government and Big Data.
Four expert panelists and close to 150 attendees engaged in lively discussions that focused on issues such as the benefits and risks of big data, measures to protect privacy, the potential for biased data sets and identifying solutions to the challenges governments face in a big data world.
Participation in the event extended beyond the venue with more than 700 devices tuned in to watch the live webcast. The event also reached more than 22,000 Twitter accounts and more than 800 LinkedIn accounts.
International Privacy Day offered an appropriate occasion to release our new fact sheet, Big Data and Your Privacy, to raise awareness of the public’s right to privacy protection in the big data landscape.
There are tremendous opportunities available to government to develop evidence-based programs and policies using big data. To support this, the IPC has called on Ontario to modernize access and privacy laws to ensure that government institutions use data linking and big data analytics in a privacy-protective manner.
The IPC remains steadfast in its commitment to protect the privacy of all Ontarians. We will continue to work closely with government institutions to ensure that their use of big data respects and protects individual privacy rights.
Child, Youth and Family Services Act, 2017
Throughout 2017, we consulted and collaborated extensively with the Ministry of Children and Youth Services to support the development of the new Child, Youth and Family Services Act, 2017 (CYFSA), and its regulations.
Under Part X of the CYFSA, and for the first time, Ontarians will have the right to access their personal information held by child, youth, and family service providers, including children’s aid societies. They will also be able to file privacy complaints if these service providers do not follow the rules for collection, use and disclosure of personal information contained in the act. Our office has been designated as the oversight body in relation to Part X of the act, bringing child, youth, and family service providers within our jurisdiction.
In March 2017, Commissioner Beamish appeared before the Standing Committee on Justice Policy to provide the IPC’s comments and recommendations to help strengthen the privacy protections in the CYFSA.
The majority of the CYFSA was proclaimed on April 30, 2018, with Part X scheduled to come into effect in January 2020. Our office is working with the Ministry of Children and Youth Services, the Ontario Child Advocate, the child welfare sector and other sectors to prepare for implementation.
This legislation represents a great step forward for Ontario’s child and youth sector and will usher in an era of greater public accountability in Ontario.
IPC’s De-identification Publication Wins at International Conference
In September, our De-identification Guidelines for Structured Data won the inaugural International Conference of Data Protection and Privacy Commissioners’ (ICDPPC) award for excellence in research. The ICDPPC awards attracted 90 entries, in a variety of categories, from data protection and privacy authorities around the world and the winning entries were announced at the 39th ICDPPC conference in Hong Kong.
“De-identification” is the general term for the process of removing personal information from a record or data set. De-identification protects the privacy of individuals because once a data set is de-identified, it no longer contains personal information. If a data set does not contain personal information, its use or disclosure cannot violate the privacy of individuals.
Our guidelines are the first of their kind in Canada to use plain language to explain sophisticated de-identification concepts, with the benefit of being useful to a very wide audience.
Privacy in Education
The IPC recognizes that, more than ever, educators and students benefit from privacy education and digital literacy skills.
In May 2017, we worked with the Office of the Privacy Commissioner of Canada to review free online educational tools and services used in Ontario classrooms. The review was part of a larger international “sweep” effort coordinated by the Global Privacy Enforcement Network (GPEN).
In October, we published our GPEN Sweep Report summarizing our findings and outlining best practices for ensuring student privacy and compliance with Ontario privacy laws when using online services. We advised educators to consult school officials before choosing an online educational service and recommended that school board officials carefully examine privacy policies and terms of service before approving their use in the classroom. We also recommended that educators provide students with ongoing guidance on how to configure and use the educational services in privacy-enhancing ways. For example, we learned that students could use pseudonyms instead of their real identities when using some online tools.
In November, the IPC jointly sponsored a workshop with the Ontario Association of School Business Officials at the annual “Bring IT Together” conference on educational technologies. The workshop, Privacy in the Networked Classroom, brought together teachers, school board administrators and IT staff to examine the uses and impacts of technology in schools. Renowned Canadian scholars shared new research on the benefits and risks posed by networked classroom technologies and the use of educational software in classrooms.
The IPC joined our fellow federal, provincial and territorial privacy regulators to encourage the Council of Ministers of Education to take steps to ensure that future generations of Canadians develop strong digital and privacy skills. These skills are the key to ensuring that young people are well equipped to exercise their privacy rights and responsibilities as digital citizens, and to succeed in a networked and data-driven world.
Police Services Act
On November 2, the government introduced Bill 175, the Safer Ontario Act, the largest transformation in policing and public safety in Ontario in over 25 years. The bill included a new Police Services Act, which gives the Minister of Community Safety and Correctional Services broad powers to collect and share personal information to enhance evidence-based decision-making. Our office worked with the ministry to ensure that measures to support a privacy protective approach to data collection and integration were included in the legislation. Our office also helped to ensure that improved transparency was at the heart of the bill. For example, we helped the ministry develop rules under the new Policing Oversight Act that require the publication of SIU investigation reports that conclude police should not face criminal charges in connection with the death or serious injury of a member of the public. The bill received Royal Assent on March 8, 2018.
Anti-Racism Act
In June, Ontario passed the Anti-Racism Act, 2017 (ARA). Under this legislation, the government is responsible for developing and maintaining an anti-racism strategy that aims to eliminate systemic racism and advance racial equality. The government also has the authority to mandate public sector organizations to collect defined race-related information to support the purposes of the act.
The ARA requires the development of data standards governing the management of personal information, and that the government consult with the IPC on these standards to ensure robust privacy protections are in place.
The IPC is the oversight body for the privacy requirements under the ARA. Under this act, we have the authority to order an organization to change or discontinue its personal information handling practices if the practices contravene the ARA or the data standards. This order-making power is key to protecting the privacy of affected individuals. We can also make comments or recommendations on the privacy implications of any matter related to the ARA.
Big Data
Government institutions are increasingly relying on the analysis of big data to shape and improve the programs and services they provide to the public. While big data may benefit individuals, it also raises a number of privacy, fairness, and ethical concerns about how institutions use advanced technologies to process personal information. Institutions should understand and address these concerns to prevent unexpected, invasive, inaccurate, or discriminatory uses of personal information.
In May, the IPC released its Big Data Guidelines to inform institutions of the key issues to consider and best practices to follow when they conduct big data projects. These guidelines offer practical advice to ensure that personal information is appropriately collected, linked, analyzed, and used when making automated decisions about individuals. Institutions with the legal authority to conduct big data projects should follow the best practices developed in these guidelines.
The IPC will continue to work on issues related to big data and plans to release additional guidance documents aimed at specific sectors of government and at providing further information on some of the best practices identified in the Big Data Guidelines.
Open Government and Privacy
In our view, proactively addressing privacy risks from the outset is key to carrying out open government initiatives that enhance public services without compromising privacy. To assist institutions in putting open government into practice, this year we published Open Government and Protecting Privacy. This guide outlines methods for designing, implementing, and monitoring open government programs to support transparency while addressing potential privacy risks.
Privacy Investigations
Our privacy investigations look at whether government institutions are protecting the personal information they collect and retain, and may result in recommendations to ensure compliance with Ontario’s access and privacy laws.
[Charts: Privacy complaints opened in 2017 and privacy complaints closed in 2017, municipal and provincial, 2017 and 2016]
Privacy Complaint PI16-3
Ministry of Community Safety and Correctional Services
The IPC opened a Commissioner-initiated privacy complaint under FIPPA, against the Ministry of Community Safety and Correctional Services. The complaint related to the collection and destruction of personal information captured in a recording made by a police officer on his personal cell phone during a traffic stop. The IPC was unable to make a finding as to whether the record at issue contained personal information because the device that contained the recording had been discarded. We concluded that, in the particular circumstances, collection of the personal information would have been authorized under the act. Our report included the recommendation that the OPP amend its personal device policy to require staff to copy any operational information obtained on a personal device to an authorized OPP system or device within a reasonable time.
PRIVACY COMPLAINTS CLOSED BY TYPE OF RESOLUTION
Resolved: 178 (65.2%)
Screened out: 56 (20.5%)
Withdrawn: 30 (11.0%)
Abandoned: 4 (1.5%)
Report: 5 (1.8%)
OUTCOME OF ISSUES IN PRIVACY COMPLAINTS*
Resolved - Finding not necessary: 169 (90.9%)
Complied in full: 7 (3.8%)
Act does not apply: 8 (4.3%)
Not complied: 1 (0.5%)
Order issued: 1 (0.5%)
*The number of issues does not equal the number of complaints closed, as some complaints may involve more than one issue. Abandoned, withdrawn and screened out complaint files are not included.
[Chart: Number of privacy complaints opened, 2008-2017, municipal and provincial]
ISSUES IN PRIVACY COMPLAINTS
Disclosure (72.0%) General privacy issue (12.4%) Security (5.4%) Collection (3.8%) Access (2.7%) Use (2.2%) Consent (0.5%) Notice of collection (0.5%) Retention (0.5%)