Showing 15 of 104 results
| Order Numbers | Type | Collection | Adjudicators | Date Published | |
|---|---|---|---|---|---|
| MC17-52 | Privacy Complaint Report | Privacy Reports | Jennifer Olijnyk | Read moreExpand | |
The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a privacy complaint from the parent of a student of the Toronto District School Board (the board), objecting to the board’s use of Google’s G Suite for Education services. The complainant alleged that the board’s utilization of G Suite for Education contravened the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA or the Act). The complainant’s concerns included a failure to notify, and obtain the consent of, parents and children for the collection, use, and disclosure of students’ personal information; the use of personal information beyond the scope of what is permitted under the Act; the storage of personal information outside of Canada; inadequate security protections for the students’ personal information; and a lack of adequate deletion and retention practices for the personal information. This report concludes that the board’s collection, uses, and disclosures of the students’ personal information were in compliance with the Act, but that the board’s notice of collection was deficient. This report also concludes that the board has reasonable contractual and oversight measures in place to ensure the privacy and security of the personal information of its students. This report makes recommendations to strengthen the board’s oversight of those security measures. |
|||||
| MI18-1 | Privacy Complaint Report | Privacy Reports | John Gayle | Read moreExpand | |
The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint involving the Corporation of the Village of Newbury (Newbury). The complaint was about Newbury’s installation of a video surveillance system in a park. The complainant was concerned that Newbury’s operation of the surveillance system breached the privacy of individuals under the Municipal Freedom of Information and Protection of Privacy Act (the Act). This report concludes that Newbury’s notice of collection is not in accordance with the Act. However, it finds that Newbury’s collection, use and disclosure of the personal information is in accordance with the Act. Further, it finds that there is a right of access to this information and that the Newbury has reasonable protection measures and proper retention periods in place. |
|||||
| MI18-5 | Privacy Complaint Report | Privacy Reports | John Gayle | Read moreExpand | |
The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint involving the City of Cambridge (the city). The complaint was about the city’s installation of a video surveillance system in its downtown core areas. The complainant was concerned that the city’s operation of the system breached the privacy of individuals under the Municipal Freedom of Information and Protection of Privacy Act (the Act). This report finds that the city has not conducted an assessment of whether the video surveillance system is necessary to achieve its objectives and recommends that it do so, to ensure compliance with the Act. In the event that the city’s assessment determines that the system is necessary and the collection of personal information is thus consistent with the Act, this report considers whether the city’s notice of collection and use and disclosure of the personal information is in accordance with the Act. It also considers whether the city provides a right of access to this information, as well as whether the city has reasonable privacy protection measures and retention periods in place. This report finds that the city’s notice of collection and use and disclosure of the personal information is in accordance with the Act. It also finds that there is a right of access to this information and that the city has reasonable protection measures and proper retention periods in place. |
|||||
| MC18-48 | Privacy Complaint Report | Privacy Reports | Lucy Costa | Read moreExpand | |
The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a privacy complaint from the parent of a student of the York Region District School Board (the board) objecting to the board’s implementation of a cloud-based data management service (Edsby), under contract with Corefour Inc. (Corefour), to store and process information pertaining to the attendance of the board’s students. The complainant alleged that the board’s use of Edsby contravened the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA or the Act). The complainant’s concerns included the board’s failure to secure parental consent to the use of Edsby, the adequacy of its notice of collection, potential misuse of information by Edsby service providers, the adequacy and enforceability of the terms of the board’s contract with Corefour and the adequacy of the board’s oversight in relation to various Edsby security measures. The complainant also raised concerns relating to the Edsby Terms of Use and Privacy Policy and a specific security vulnerability that was exploited by the complainant. This report concludes that the board’s collection, notice of collection, use and disclosure of the students’ personal information were in compliance with the Act. This report also concludes that the board has reasonable contractual measures in place to ensure the privacy and security of the personal information of its students. However, this report concludes that the board has not demonstrated that it has reasonable oversight measures in place in relation to the performance of the board’s and Corefour’s contractual security obligations, in accordance with the requirements of the Act and its regulations. In particular, the board did not have reasonable measures in place to prevent the security vulnerability that was exploited. This report makes recommendations as to the steps the board should take to strengthen and document the board’s oversight of security measures. This report also make recommendations with respect to its contract with Corefour and the Edsby Terms of Use and Privacy Policy. |
|||||
| MC18-23 | Privacy Complaint Report | Privacy Reports | John Gayle | Read moreExpand | |
The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint involving the Municipality of Leamington (the municipality). The complaint was that the municipality had inappropriately disclosed an email containing personal information to third parties. The complainant was concerned that the disclosure breached his privacy under the Municipal Freedom of Information and Protection of Privacy Act (the Act). This report finds that the municipality’s disclosure of the complainant’s information was not in accordance with section 32 of the Act. |
|||||
| MC18-39 | Privacy Complaint Report | Privacy Reports | John Gayle | Read moreExpand | |
The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint from a parent (the complainant) in which he advised that a supply teacher employed by the Conseil scolaire catholique Providence (the Board) had inappropriately collected his children’s personal information by video recording them without his consent. The parent was concerned that the teacher’s actions breached his children’s privacy under the Municipal Freedom of Information and Protection of Privacy Act (the Act). This report finds that the Board’s collection of the children’s personal information was not in accordance with section 28(2) of the Act and, therefore, breached their privacy. It also finds that the Board did not respond adequately to the breach because it did not notify them of the steps it has taken to address the breach. As a result, I recommend that, going forward, the Board take steps to ensure that adequate notification is provided to parties affected by a breach. |
|||||
| MC17-35 | Privacy Complaint Report | Privacy Reports | John Gayle | Read moreExpand | |
The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint from an individual in which he advised that the County of Norfolk (the County), without notice to him, disclosed his personal information in response to two access requests made under the Municipal Freedom of Information and Protection of Privacy Act (the Act). This report finds that the County’s disclosure of the complainant’s information was not in accordance with section 32 of the Act. |
|||||
| PR17-23 | Privacy Complaint Report | Privacy Reports | John Gayle | Read moreExpand | |
The Ministry of Community and Social Services (the ministry) reported a privacy breach under the Freedom of Information and Protection of Privacy Act (the Act) to the Office of the Information and Privacy Commissioner of Ontario (IPC). The ministry advised that a Family Responsibility Office (FRO) employee inappropriately accessed the case files of multiple FRO clients and disclosed the personal information of some of them to an unauthorized individual. This report finds that the disclosure of information was not in accordance with section 42(1) of the Act. It also finds that, at the time of the breach, the ministry did not have reasonable measures in place to prevent unauthorized access to the records. However, in the light of the steps taken by the ministry to address its deficiencies in protecting personal information, no further recommendations are required. |
|||||
| PC18-18 | Privacy Complaint Report | Privacy Reports | Lucy Costa | Read moreExpand | |
The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Ministry of Transportation contravened the Freedom of Information and Protection of Privacy Act when it disclosed the complainant’s personal information to the War Amputations of Canada. This report finds that the information at issue is “personal information” as defined in section 2(1) of the Act and that the personal information was disclosed in accordance with section 42(1)(c) of the Act. |
|||||
| MC17-48 | Privacy Complaint Report | Privacy Reports | Alanna Maloney | Read moreExpand | |
The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Town of East Gwillimbury (the town) contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act) when it released a record with the complainant’s personal information to the public. A complaint was opened to review the town’s collection, use and disclosure of the information at issue. In this report, I find that the some of the information contained in the record at issue is personal information. I find that the town’s collection and use of that information was in accordance with the Act. However, I find that the disclosure of the personal information in the publicly available record was not in accordance with section 32 of the Act. |
|||||
| MC17-32 | Privacy Complaint Report | Privacy Reports | John Gayle | Read moreExpand | |
The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Halton Regional Police Services Board (the police)’s online application process for a police record check, which involves a third party company, collects and uses applicants’ personal information contrary to the Municipal Freedom of Information and Protection of Privacy Act (the Act). |
|||||
| MC17-49 | Privacy Complaint Report | Privacy Reports | Alanna Maloney | Read moreExpand | |
The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the City of Toronto contravened the Municipal Freedom of Information and Protection of Privacy Act when it disclosed four video records containing the complainant’s personal information in response to a Freedom of Information request. This report finds that the records at issue were used by the city as the basis for an investigation of the complainant’s conduct as a city employee and are excluded from the scope of the Act pursuant to section 52(3)3. |
|||||
| PR16-40 | Privacy Complaint Report | Privacy Reports | Lucy Costa | Read moreExpand | |
On November 9, 2016, the Ontario Lottery and Gaming Corporation (OLG) notified the Office of the Information and Privacy Commissioner/Ontario (the IPC) of a possible privacy breach under the Freedom of Information and Protection of Privacy Act (FIPPA or the Act). OLG advised that a hacker had managed to steal information about employees and patrons of Casino Rama Resort (CRR) and was threatening to make the information public unless he was paid a ransom. OLG could not confirm the amount or extent of information in possession of the hacker. OLG further stated that the hacker claimed to have 154 gigabytes of CRR data and had posted examples of the information online. On November 21, 2016, the hacker released 4.49 gigabytes of CRR data on the Internet reported to consist of more than 14,000 documents. In this report, I conclude that CRR did not have reasonable security measures in place to prevent unauthorized access to records of personal information of CRR patrons and individuals registered for OLG’s self-exclusion program (OLG self-exclusion registrants); however, since the breach, CRR has taken steps to address the gaps in its systems and processes. Although I am generally satisfied with CRR’s response to the breach in this regard, this report makes additional recommendations to address some specific shortcomings. The other pillar of the IPC’s investigation concerns the contract between OLG and the private-sector company responsible for operating CRR on behalf of OLG, CHC Casinos Canada Limited (CHC or the Operator). In this report, I conclude that OLG did not have reasonable contractual and oversight measures in place to ensure the privacy and security of the personal information of CRR patrons and OLG self-exclusion registrants. This report also makes recommendations to address these shortcomings. |
|||||
| PC17-15 | Privacy Complaint Report | Privacy Reports | Alanna Maloney | Read moreExpand | |
The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Human Rights Tribunal of Ontario (the Tribunal) contravened the Freedom of Information and Protection of Privacy Act (the Act) when it disclosed personal information in a public decision. A complaint was opened to review the Tribunal’s use and disclosure of personal information. In this report, I find that the Tribunal’s decisions are not covered by the privacy rules in Part III of the Act because the information in those decisions is maintained for the purpose of creating a record available to the general public. |
|||||
| PC17-9 | Privacy Complaint Report | Privacy Reports | Alanna Maloney | Read moreExpand | |
The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Human Rights Tribunal of Ontario (the Tribunal) contravened the Freedom of Information and Protection of Privacy Act (the Act) when it disclosed personal information in a public decision. A complaint was opened to review the Tribunal’s collection, use and disclosure of personal information. In this report, I find that the Tribunal’s decisions are not covered by the privacy rules in Part III of the Act because the information in those decisions is maintained for the purpose of creating a record available to the general public. |
|||||