IPC - Office of the Information and Privacy Commissioner/Ontario | What's New http://www.ipc.on.ca en-us Peterborough Hospital PHIPA Lawsuit http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=339 <P style="TEXT-ALIGN: justify"><SPAN style="FONT-FAMILY: 'Arial', 'sans-serif'; FONT-SIZE: 12pt"><FONT style="FONT-SIZE: 10pt">The </FONT><A href="http://www.thestar.com/news/gta/2014/09/03/peterborough_lawsuit_to_set_precedent_for_ontario_patient_privacy_rights.html"><FONT style="FONT-SIZE: 10pt" color=#0000ff>Toronto Star</FONT></A><FONT style="FONT-SIZE: 10pt"> has reported on a lawsuit&nbsp;involving a&nbsp;Peterborough hospital that could have wide-ranging implications for patient privacy in all of Ontario’s hospitals. At issue, is whether </FONT></SPAN><SPAN style="FONT-FAMILY: 'Arial', 'sans-serif'; FONT-SIZE: 12pt"><FONT style="FONT-SIZE: 10pt">patients whose privacy has been breached can sue a hospital directly. The hospital in Peterborough has argued that the Superior Court has no jurisdiction to hear the lawsuit because under Ontario’s <I>Personal Health Information Protection Act</I>, (<I>PHIPA</I>) personal health information privacy violations are solely the domain of the Information and Privacy Commissioner of Ontario. However, Acting Commissioner, Brian Beamish has stated that his office does not have exclusive jurisdiction over matters of patient privacy and that <I>PHIPA</I> does not prevent the courts from hearing cases related to the improper handling of personal health information.</FONT> </SPAN></P> Wed, 03 Sep 2014 00:00:00 GMT TCDSB releases documents after extensive FOI battle http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=337 Documents pertaining to Toronto Mayor Ford’s football coaching role with the Toronto Catholic District School Board (TCDSB) were released Wednesday after a <A href="http://www.thestar.com/news/city_hall/toronto2014election/2014/08/28/rob_ford_threatened_teacher_made_players_roll_in_goose_scat_documents_show.html">lengthy freedom of information battle</A>. The TCDSB has initially declined the request for information. The IPC had ruled the documents should be released after the Toronto Star filed an appeal. Mayor Ford registered an appeal of this decision; however, after not presenting any arguments, the file was closed and the information was released. Fri, 29 Aug 2014 00:00:00 GMT Rouge Valley informs more patients of potential breach http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=338 This week, Rouge Valley Health System sent out <A href="http://www.thestar.com/news/gta/2014/08/27/rouge_valley_hospital_privacy_breach_affects_6000_more_patients.html">notices to additional patients </A>that their personal health information may have been misused by two former employees. As part of the investigation into the breach, it was discovered that the two employees may have accessed health information of patients from Ajax and Pickering campus before being terminated. The IPC is continuing to investigate this breach and will release a full report of our findings this fall. Fri, 29 Aug 2014 00:00:00 GMT IPC Launching Web Analytics Platform on September 15 http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=335 <P>On September 15, we will be implementing a privacy-protective web analytics platform called <A href="http://piwik.org/" target=_blank>Piwik</A>. This program will be hosted on our website and will be used to record non-identifiable information about your site visit. The data collected will be stored on the IPC web server and will not be shared with Piwik. We will also take this opportunity to update our <A href="/site_documents/2014-Proposed_Priv_Pol.htm" target=_blank>Privacy Policy</A>.</P> <P><STRONG>Why is the IPC Doing This?</STRONG></P> <P>By using a web analytics program the IPC can gain valuable insight into who is visiting our website, how often they visit, which content they view and how our website is being used. The results will also assist us in planning for a new website, expected to launch in early 2016. </P> <P><STRONG>What Data is the IPC Collecting?</STRONG><BR> <BR> The non-identifiable data that the Piwik software collects about your visit includes:</P> <UL type=disc> <LI>The operating system you are using. <LI>The type of device, model, and operating system you are using. <LI>Your browser type, plugins, and version. <LI>Pages you viewed on our site. <LI>The length of time you spent on our site. <LI>Which website referred you to the IPC website. <LI>The language of your browser. <LI>Your country (determined by Internet Protocol (IP) address). </LI> </UL> <P>The new analytics platform will not collect any identifiable information about you. </P> <P><STRONG>How Will the IPC Protect My Privacy?</STRONG></P> <P>The Piwik platform is one of the most privacy-protective analytics solutions available. Many government agencies trust Piwik (in Europe, Asia, North America, Africa) for providing self-hosted web analytics. In March 2011, the Independent Center for Privacy Protection in Germany (ULD) recommended Piwik as privacy-compliant web analytics software. In January 2014, the Center for Data Privacy Protection in France (CNIL) recommended Piwik as the only tool that can easily ensure full compliance with privacy regulations. The Centre for Democracy and Technology in the United States uses and recommends the platform.</P> <P>To protect your privacy, we have configured Piwik in the following manner:</P> <UL type=disc> <LI>We have configured the software to operate without using cookies. <LI>We will only retain the first two octets of your IP address. <LI>We have kept the default setting of the software to respect the DoNotTrack option in browsers. <LI>We will provide you with the option to opt-out of web analytics.&nbsp;This will set a cookie for Piwik to recognize your preference. <LI>All data collected will be deleted within one month and only aggregate data will be retained. </LI> </UL> <P>We will not share or disclose any information that we collect about our site visitors, except to report malicious attacks or as required by law.</P> <P><STRONG>Can I give feedback on this?</STRONG></P> <P>Absolutely, your feedback is always welcome! You are also invited to provide us with general feedback about our website. Please feel free to email us at <A href="mailto:info@ipc.on.ca">info@ipc.on.ca</A>.</P> Wed, 27 Aug 2014 00:00:00 GMT Statement from Brian Beamish, Acting Commissioner on the Rouge Valley Health System Privacy Breach http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=336 <P>Our investigation into the incidents involving two staff members at Rouge Valley Health System misusing and disclosing patient information for the purposes of selling Registered Education Savings Plans is ongoing. We have met with senior hospital staff and we continue to gather information about these incidents. </P> <P>The Rouge Valley Health System (RVHS) has two hospital facilities - Rouge Valley Centenary Hospital and Rouge Valley Ajax and Pickering.&nbsp;The two hospitals share an electronic information system to which the two employees who have been identified as responsible for the breach had access. Initially, the hospital reported that the employees had used and/or disclosed information relating to patients at the Centenary site, only.&nbsp;However, we have learned that the two employees may have also used and/or disclosed the personal health information of patients who had given birth at the Ajax and Pickering site.&nbsp;</P> <P>As a consequence, the RVHS has decided to notify any patients who gave birth to a child at the Rouge Valley Ajax and Pickering site in the period from July 2009 to April 2014 as they may have been affected by the privacy breach. The number of potentially affected patients from the Ajax and Pickering site who will receive letters of notification totals 6,150. <BR> <BR> We are reviewing the hospital’s policies and procedures and information systems to ensure that it is complying with all of its responsibilities under the <EM>Personal Health Information Protection Act</EM>. We are continuing to look at the steps taken to ensure that this does not occur again in the future. </P> <P>We also have received a number of calls from members of the public and read reports in the media of the possibility that this may be occurring in other hospitals in Ontario. No others are under investigation as of yet, however, we have reached out to the hospitals mentioned by callers and in the media as part of our investigation and we will be looking into the possibility that this may be occurring in these other hospitals. We will also be following up with individuals who contact us to complain about the possibility that their information might have been inappropriately used or disclosed.</P> <P>At the present time, we have no evidence to suggest that the employees involved in this incident at the Rouge Valley Health System had access to records relating to patients of other hospitals under a shared electronic health record.&nbsp; However, in our investigation we are also looking into this possibility.<BR> <BR> Our office plans to release the findings of this investigation in a report this fall.</P> Wed, 27 Aug 2014 00:00:00 GMT Police record checks under scrutiny in Ontario http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=333 <P>Acting Commissioner Brian Beamish was <A href="http://www.cbc.ca/news/canada/sudbury/police-record-checks-under-scrutiny-in-ontario-1.2726935" target=_blank>interviewed by the CBC </A>regarding the disclosure of non-conviction information through police record checks and the recent revisions by the Ontario Association of Chiefs of Police to their voluntary LEARN Guideline for Police Record Checks which aims to limit the practice. Mr. Beamish called it a step in the right direction and would further like to see the reporting of non-conviction information eliminated from police records altogether. He further adds that there is a need to have some kind of provincial standard that police forces can guide their actions by – such as the force of law.</P> <P><A href="http://www.cbc.ca/news/canada/sudbury/police-record-checks-under-scrutiny-in-ontario-1.2726935" target=_blank>Read the full story.</A></P> Tue, 05 Aug 2014 00:00:00 GMT OACP Update Guidelines for Police Record Checks http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=331 <P>Recently the Ontario Association of Chiefs of Police (OACP) updated their <A href="http://www.oacp.on.ca/news-events/resource-documents/learn-guidelines-police-reference-checks">LEARN Guideline for Police Record Checks</A>. We applaud the OACP for taking this important step, which has the potential to have a positive effect on the lives of thousands of law-abiding Ontarians. </P> <P>While the guidelines are voluntary, this is an important step to ensuring a proper and consistent approach to how information is disclosed when police record checks are conducted. We strongly encourage all of Ontario’s 57 police forces to adopt the OACP’s guidance on limiting the disclosure of non-conviction and non-criminal records to a limited class of exceptional circumstances. </P> <P>Similar to the recommendations of our recent <A href="http://www.ipc.on.ca/English/Resources/Reports-And-Submissions/Reports-And-Submissions-Summary/?id=1391">Crossing the Line</A> investigation into the disclosure of attempted suicide to US boarder officials through the CPIC database, the OACP recommends police forces to keep mental health police contacts confidential unless exceptional circumstances are present. </P> <P>The position of the IPC has long been that non-conviction and non-criminal information should only be disclosed during the course of a police records check only in exceptional circumstances, consistent with focused, objective public safety-related criteria. </P> Wed, 30 Jul 2014 00:00:00 GMT Police Encounters with People in Crisis http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=332 <P>Retired Supreme Court of Canada Justice Frank Iacobucci is to be congratulated for the care and attention he has given to the vital issues associated with lethal encounters between police and people in crisis <A href="http://www.torontopolice.on.ca/publications/files/reports/police_encounters_with_people_in_crisis_2014.pdf">in his recent report and its innovative recommendations</A>. Toronto Police Service Chief William Blair should also be commended for committing to act on the recommendations and not let it gather dust. </P> <P>Privacy is an important theme that runs throughout the report, especially as it relates to personal health information and the use of body warn cameras by police. The IPC is committed to giving these issues the attention they deserve and working collaboratively with the Toronto Police Service to improve outcomes for people in crisis. Recently, Acting Commissioner Brian Beamish <A href="http://www.thestar.com/news/gta/sammyyatim/2014/07/26/innovative_recommendations_for_toronto_police_dealing_with_the_mentally_ill.html">provided his thoughts to the Toronto Star</A>.</P> Wed, 30 Jul 2014 00:00:00 GMT Six recruiting tips for Canadian small business owners http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=329 <P><STRONG><A href="http://www.theglobeandmail.com/report-on-business/small-business/sb-managing/human-resources/recruiting-in-the-age-of-social-media-best-practices-for-canadian-small-businesses/article19812302/" target=_blank>Six recruiting tips for Canadian small business owners</A></STRONG><BR> David Goodis And Jessa Chupik<BR> Contributed to The Globe and Mail<BR> July 29, 2104</P> <P><A href="http://www.theglobeandmail.com/report-on-business/small-business/sb-managing/human-resources/nine-tips-for-using-social-media-to-make-the-right-hire/article19000449/" target=_blank>A recent article</A> in the <EM>Globe and Mail</EM> provided an American perspective on how small businesses can use social media to supplement a candidate’s job application. The article’s recommendations include browsing the candidate’s online photos, evaluating the candidate’s online content for proper grammar and spelling, and examining their Facebook friends.</P> <P>While tempting, engaging in these practices may expose a business to significant legal risks. Obtaining a candidate’s personal information, without consent, may be a violation of Canadian privacy laws, even if the information is publicly available online.</P> <P>Small business owners or employees performing these searches also run the risk of collecting information about the wrong person. In addition to potentially breaching privacy laws, this may lead small business owners or entrepreneurs to make decisions about candidates based on erroneous information.</P> <P>Invariably, when searching social media, recruiters will obtain information about people other than the candidate, such as their Facebook friends, increasing the risk of a privacy law breach.</P> <P>Human rights laws may also be violated, particularly where it can be shown that an online search revealed information such as a candidate’s race, religion or sexual orientation.</P> <P>To assist small business owners, we have developed a list of best practices that can be used when recruiting in Canada:</P> <P><STRONG>1.</STRONG> <STRONG>Be transparent.</STRONG> If you’re considering performing a social media search, tell the candidate up front about the specific types of searches you wish to conduct.</P> <P><STRONG>2.</STRONG> <STRONG>Get consent.</STRONG> Ask the candidate for written consent to search their public profiles. This consent can even be requested on the job application form. Avoid conducting a reconnaissance search for photos or usernames without written consent.</P> <P><STRONG>3.</STRONG> <STRONG>Verify results.</STRONG> Ask the candidate to verify or explain any damaging results that you find.</P> <P><STRONG>4.</STRONG> <STRONG>Limit collection.</STRONG> Reserve searches for your shortlist candidates, rather than conducting searches on the initial pool of applicants.</P> <P><STRONG>5.</STRONG> <STRONG>Consider alternatives</STRONG>:<BR> &#183; Speak to the candidate: Ask them if there is anything that your business should be aware of prior to proceeding with the recruitment process.<BR> &#183; Reference checks: Ask the candidate for a comprehensive list of referees with official titles, company email addresses and office phone numbers. You can also ask the candidate for consent to contact individuals other than those included in their list of referees. Reference calls, when done strategically, will allow you to verify information provided by the candidate during the recruitment process.<BR> &#183; Be creative: Instead of using social media to evaluate whether a candidate is a team player, consider including a networking breakfast, for example, in your recruitment process. Develop an evaluation tool to assess how the candidate interacted with the team members and clients in attendance. This real life test provides a more informative indication of social skills than information you can glean online.</P> <P><STRONG>6.</STRONG> <STRONG>Ask for help.</STRONG> Consult your province’s or territory’s privacy commissioner’s office for guidance. Most offices provide educational workshops and helpful privacy-protective best practices for hiring that are specific to the legislation in your province or territory.</P> <P><EM>David Goodis is the director of Legal Services and General Counsel for the Information and Privacy Commissioner of Ontario. Jessa Chupik is the strategic lead, recruitment and employment equity, at Ryerson University.</EM></P> Tue, 29 Jul 2014 00:00:00 GMT Public Sector and MPP Accountability and Transparency Act, 2014 http://www.ipc.on.ca/english/About-Us/Whats-New/Whats-New-Summary/?id=328 Today, Hon. Deb Matthews, Deputy Premier of Ontario, and President of the Treasury Board reintroduced legislation to make the Ontario government more open, accountable, transparent and accessible. <EM>Public Sector and MPP Accountability and Transparency Act, 2014 </EM>is partly based on recommendations from the Information and Privacy Commissioner’s report <EM>Deleting Accountability: Records Management Practices of Political Staff </EM>which was released in June of 2013. Since that time, the IPC has worked closely with the Minister of Government Services to bring forward the proposed amendments to the <EM>Freedom of Information and Protection of Privacy Act </EM>and the <EM>Municipal Freedom of Information and Protection of Privacy Act </EM>that are contained within this legislation. If passed, this bill will greatly improve government record retention and protect important records from wilful destruction. Tue, 08 Jul 2014 00:00:00 GMT