Latest IPC Decisions


Order Numbers Type Collection Adjudicators Date Published
MR21-00114 Privacy Complaint Report Privacy Reports

The Toronto Transit Commission (TTC) was the victim of a cyberattack. A threat actor gained access to its systems via a phishing attack, used malware to encrypt these systems, and exfiltrated data. The TTC notified the IPC, its employees, and the public of this privacy breach. It was later able to restore nearly all of its systems from backups and hired experts to determine the information that had been exfiltrated, and how the attack occurred. They found that the TTC’s failure to install a patch for a known security vulnerability contributed to the attack.

In this report, I conclude that the TTC did not have reasonable security measures in place to prevent unauthorized access to the personal information on its systems. However, the TTC put additional security measures in place following the attack. It also implemented detailed revised guidance on scanning for vulnerabilities and installing patches. These set out timelines and state who is responsible for these tasks. Based on the measures that the TTC has taken since the breach, I am generally satisfied with their response to the breach, though I recommend that they implement guidance on using encryption as a default.

PI21-00001 Privacy Complaint Report Privacy Reports Patricia Kosseim

The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a complaint about McMaster University’s (McMaster or the university) use of Respondus exam proctoring software under the Freedom of Information and Protection of Privacy Act (FIPPA or the Act). The software comprises two programs. Respondus LockDown Browser limits what users can access on their computers and Respondus Monitor analyzes audio and video of students during the exam to scan for possible cheating. The complainant did not want the IPC to provide their name and complaint to the university, so the IPC opened this Commissioner-initiated complaint to address the university’s use of this exam proctoring software.

This report concludes that conducting exams and appointing examiners is a lawfully authorized activity of the university. Proctoring exams online to ensure their integrity is an appropriate component of conducting certain types of exams and is therefore also a lawfully authorized activity. On the question of whether the collection of personal information through the use of Respondus exam proctoring software is necessary to proctor exams, I find that Respondus LockDown Browser collects little personal information, and only collects and uses what it needs to function. Respondus Monitor collects more sensitive personal information, including biometric information, and uses artificial intelligence (AI) technology, which carries heightened concerns. Because the personal information collected by Respondus Monitor on behalf of the university is necessary for that tool to fulfill its function of exam proctoring, it is authorized under section 38(2) of the Act. However, the university has not provided adequate notice for its collection of personal information as required by section 39(2) of the Act and the use of students’ personal information through Respondus Monitor is not in compliance with section 41(1). Moreover, the current contractual arrangement between the university and Respondus is contrary to section 41(1) of the Act in so far as it does not adequately protect all of the personal information collected and allows Respondus to use personal information for system improvement purposes without the consent of students.

In this report, I make a number of recommendations for the university to bring itself into compliance with the Act. Given the heightened risks associated with AI technologies, I also recommend that the university adopt additional guardrails around its use of Respondus Monitor and incorporate these stronger protections into its ongoing use of the software and any future agreement with Respondus.

Note: By November 1, 2024, McMaster had implemented the recommendations outlined in this report to the IPC’s satisfaction, and the file was closed.

PI22-00007 Privacy Complaint Report Privacy Reports Jennifer Olijnyk

The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a privacy complaint from a children’s aid society about the Ontario Provincial Police (OPP) disclosing personal information contrary to the Freedom of Information and Protection of Privacy Act (FIPPA or the Act). The children’s aid society stated that the OPP had implemented new reporting system software (Child Protection Agency Notification Plug-in) and since that time, had sent several occurrence reports in which a youth was listed as a witness or victim of a serious crime, but where there was no indication of a child protection concern. The children’s aid society stated that the OPP should not send reports absent a child protection concern, and that to do so was a breach of the youth’s privacy. The IPC opened a Commissioner-initiated privacy complaint file against the Ministry of the Solicitor General (the ministry), the ministry responsible for the OPP, regarding the use of the reporting system noted above.

In this report, I find that the guidance the ministry provided for use of the Child Protection Agency Notification Plug-in is contrary to section 125 of the Child, Youth, and Family Services Act (CYFSA) and section 42 of FIPPA. Section 125 of the CYFSA sets out a number of harms or risks to children and imposes a duty to report in cases where an individual, including an OPP officer, has reasonable grounds to suspect one or more of those harms or risks. The guidance provided by the ministry requires officers to send a report to a children’s aid society in all cases where a youth is listed as a victim or witness to a serious crime. Mandating these disclosures, rather than having the officer use their judgment as to whether a duty to report exists under section 125 of the CYFSA, allows for the possibility that the OPP may disclose personal information to a children’s aid society when there is no duty to report, which would be contrary to the Act. I recommend that the ministry change its guidance to reflect that officers are to send reports to a children’s aid society when the officer judges they have a duty to report, and to remove guidance stating that such reports are mandatory when a youth is listed as a victim or a witness.

PC20-00017 Privacy Complaint Report Privacy Reports John Gayle

The Office of the Information and Privacy Commissioner received a privacy complaint about the disclosure of a certified copy of a death registration for a deceased individual (the deceased) by the Ministry of Public and Business Service Delivery (the ministry) to an applicant who is not the deceased’s next of kin or extended next of kin. The complainant, who is the deceased’s mother and next of kin, believed that the disclosure was unauthorized and, therefore, a privacy breach under the Freedom of Information and Protection of Privacy Act (the Act).

In this report, I find that the information at issue is “personal information” within the meaning of section 2(1) of the Act and that the ministry’s disclosure of this information was not in accordance with section 42(1) of the Act. I also find that the ministry did not have reasonable measures in place to prevent unauthorized access to the personal information in accordance with section 4(1) of Regulation 460 made under the Act. As a result, I recommend that the ministry take reasonable steps to be satisfied as to the identity of an applicant before granting them access to a certified copy of a death registration. Further, as I found that the ministry did not respond adequately to the breach with respect to containment, I recommend that the ministry consider pursuing other means to retrieve the deceased’s certified copy of a death registration.

MC19-00058 and MC19-00059 Privacy Complaint Report Privacy Reports Jennifer Olijnyk

The Toronto Police Services Board (the police or the TPS) was notified that a TPS employee may have inappropriately accessed the complainants’ personal information from a police database. The TPS investigated and found that the TPS employee accessed and disclosed the complainants’ personal information to another TPS employee in violation of the Municipal Freedom of Information and Protection of Privacy Act (the Act).

In this report, I find that the TPS employee conducted database searches of the complainants’ personal information without authorization, and verbally disclosed their personal information to another TPS employee contrary to the Act. I conclude that the TPS does not have reasonable measures in place to protect personal information in its database, as required by section 3(1) of Regulation 823 to the Act. I recommend improvements to the TPS verification and auditing protocols. I also recommend improvements to its privacy guidance documents, and privacy training program. In addition, I recommend notifying additional parties whose privacy was breached and who the TPS identified during this investigation.

MC19-00104 Privacy Complaint Report Privacy Reports John Gayle

The Office of the Information and Privacy Commissioner received a privacy complaint about the Toronto Police Service (the police)’s disclosure of information relating to an individual’s arrest and drug-related charges to their employer, the Correctional Service of Canada. The complainant believed that the disclosure breached their privacy under the Municipal Freedom of Information and Protection of Privacy Act (the Act).

This report finds that the information at issue is “personal information” within the meaning of section 2(1) of the Act. It also finds that the police’s disclosure of this information was not in accordance with section 32 of the Act.

MC20-00002 Privacy Complaint Report Privacy Reports Alanna Maloney

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the City of Toronto contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act) when it posted the complainant’s Committee of Adjustment application, which included her personal information, on the internet. In this report, I find that the City’s Committee of Adjustment applications are a public record, pursuant to section 27 of the Act, and are therefore not subject to the privacy rules under Part II of the Act.

Although I find that the City’s Committee of Adjustment applications are outside the scope of the Act, I recommend that the City pursue its intended review of its Committee of Adjustment application forms with the view of implementing data minimization principles. The City should also proceed with developing criteria to determine when it is appropriate to remove personal information from its forms.

PI21-00003 Privacy Complaint Report Privacy Reports John Gayle

The Office of the Information and Privacy Commissioner of Ontario received three related privacy complaints about the University of Guelph (the university). The complaints concerned the university’s collection of information relating to the COVID-19 vaccination status of students who wished to live on residence for the 2021–2022 academic year. The complainants believed that the collection breached the students’ privacy under the Freedom of Information and Protection of Privacy Act (the Act).

This report finds that the information at issue is “personal information” as defined in section 2(1) of the Act. It also finds that the collection of the personal information and the notice of collection were in accordance with sections 38(2) and 39(2) of the Act, respectively.

MC18-17 Privacy Complaint Report Privacy Reports Jennifer Olijnyk

The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a privacy complaint from the parents of students of the Halton District School Board (the board), objecting to the board’s use of third party apps (“apps”), and the associated collection, use, and disclosure of students’ personal information. The complainants alleged that the board’s utilization of these apps contravened the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA or the Act). The complainants’ concerns included a failure to regulate the third party apps available to students via the board’s platform, a failure to track which apps had collected students’ personal information and what information they had collected, the posting of students’ personal information without knowledge or consent, and third party apps advertising to students. The complainants also stated that the board does not have reasonable measures in place to ensure that third party vendors protect the security of student personal information.

This report concludes that the board’s catalogue system regulating the apps that collect, use, and disclose students’ personal information is in partial compliance with the Act, but that the board’s notice of collection was deficient. This report concludes that personal information was used for advertising or marketing purposes, contrary to the provisions of the Act. This report recommends that the board review its usage agreements with vendors, and revise the agreements to expressly prohibit the use of personal information by vendors for advertising or marketing purposes and to ensure that vendors only use personal information for the board’s education-related purposes. This report further recommends that the board review which apps use personal information for marketing or advertising purposes, and take the steps needed to prevent vendors from using personal information for those purposes going forward.

This report also concludes that the board does not have reasonable contractual and oversight measures in place to ensure the privacy and security of the personal information of its students. This report recommends that the board revise its usage agreement to require vendors to notify the board when they have been compelled by law to disclose personal information. This report further recommends that the board revise its usage agreement to include both a requirement that vendors delete data for accounts no longer in use and a commitment by vendors to confirm, on the board’s request, that this deletion had occurred. Finally, this report recommends that the board’s usage agreement include both an audit requirement and a term stating that vendors’ obligations regarding personal information continue to apply, regardless of any changes to a vendor’s business name, structure, or ownership.

PC19-00003 Privacy Complaint Report Privacy Reports Jennifer Olijnyk

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Ministry of Transportation (the ministry) contravened the Freedom of Information and Protection of Privacy Act (the Act) when it disclosed the complainant’s personal information to a parking lot operator and a collection agency. This report finds that the information at issue is “personal information” as defined in section 2(1) of the Act and that the personal information was disclosed in accordance with sections 42(1)(c) and 43 of the Act.

PC18-00074 Privacy Complaint Report Privacy Reports Jennifer Olijnyk

The complainant alleged that a staff member of the Ontario Provincial Police (the OPP) had inappropriately accessed and disclosed an OPP incident report that contained her personal information. The ministry responsible for the OPP admitted that the complainant’s personal information had been accessed in violation of the Freedom of Information and Protection of Privacy Act (the Act).

In this report, I find that the complainant’s incident report was accessed by an OPP sergeant without authorization on at least two occasions. In the absence of sufficient evidence, I do not find that the incident report was subsequently disclosed to the complainant’s spouse, but I do conclude that the incident report number was disclosed by an unknown OPP employee contrary to the Act. I conclude that the ministry does not have reasonable measures in place to protect personal information in its database, as required by section 4(1) of Regulation 460. I recommend improvements to the privacy policies and procedures, privacy training, and auditing of accesses to personal information. I also recommend that the ministry disclose the disciplinary measures imposed on the sergeant as a result of the inappropriate accesses.

MC18-6 Privacy Complaint Report Privacy Reports Jennifer Olijnyk

The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint alleging that the Township of Tay (the township) contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act) when it published council meeting minutes with the complainants' personal information online and made a hard copy of those minutes available to the public. The IPC opened a privacy complaint to review the township’s disclosure of the information at issue. During the early stages of the complaint, the township removed the complainants’ names and address from the version of the meeting minutes available online.

This report finds that some of the information contained in the meeting minutes is personal information. This report also finds that the township’s disclosure of the personal information in the meeting minutes was not in accordance with section 32 of the Act.

PR20-00027 Privacy Complaint Report Privacy Reports Lucy Costa

This investigation file was opened after the Ministry of the Solicitor General (the ministry) contacted the Office of the Information and Privacy Commissioner of Ontario (the IPC) to report a privacy breach under the Freedom of Information and Protection of Privacy Act. The breach related to the ministry’s look-up tool web portal for COVID-19 status information (the Portal). Specifically, the ministry advised that an audit of the Portal had determined that a number of police services had conducted broad ranging community searches rather than performing a more specific search of individuals tested for COVID-19.

This report concludes that the ministry did not have adequate measures in place to protect the personal information contained in the Portal. It also finds that the ministry did not respond adequately to the breaches.

PC18-12 Privacy Complaint Report Privacy Reports John Gayle

The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint involving the Human Rights Tribunal of Ontario (HRTO). The complaint was that the HRTO had inappropriately disclosed personal information in a Case Assessment Direction (CAD). The complainant believed that the disclosure had breached his privacy under the Freedom of Information and Protection of Privacy Act (the Act).

This report finds that a CAD is an HRTO decision and that, in accordance with section 37 of the Act, the provisions for the protection of individual privacy found in Part III of the Act do not apply to it.
