MR09-35
File #: MR09-35
Institution/HIC: Toronto Hydro Corporation
Summary: Unauthorized access to customer billing records
Section 2(1) (definition of personal information) - the records in question contained personal information.
Section 32 (disclosure) - the disclosure of the personal information was not in accordance with the Act.
Section 3(1) of Regulation 823 (security) - there were not adequate security measures in place at the time of the breach.
Recommendations:
1. Hydro should implement measures to enhance security at the e-bill account creation stage.
2. Hydro should take measures to prevent, limit, and to detect the ability of employees to access lists of all Hydro customers.
3. Hydro should implement robust access controls.
4. Hydro should implement additional mechanisms to detect and limit unusual online account activities.
5. Hydro should repair the software coding that allowed for the unauthorized override of password protections.
6. Hydro should provide a quarterly report to the IPC regarding system enhancements designed to protect customer privacy.
Legislation: MFIPPA; Regulation 823 s.3(1); 2(1) personal information; Section 32
Subject Index: Personal Information (Definition)
Signed by: Mark Ratner
Published: Mar 01, 2010
Type: Privacy Complaint Report
Orders and Reports Considered: PO-1880
© Copyright 2013
Information and Privacy Commissioner of Ontario. All Rights Reserved.