Showing 15 of 448 results
| Decision Number | Type | Collection | Adjudicator | Published | |
|---|---|---|---|---|---|
| MO-4545 | Order | Access to Information Orders | Katherine Ball | Read moreExpand | |
The Toronto Transit Commission (the TTC) received a multi-part request under the Act for records relating to its investigation into the requester’s complaint and to information about transit fare enforcement and revenue. The TTC granted partial access to responsive records, withholding portions on the basis of the exemptions in sections 14(1) (personal privacy) and 38(b) (discretion to refuse requester’s own information) of the Act. The TTC denied access to the investigation file claiming the exclusion in section 52(3)3 (employment or labour relations). In addition, the TTC stated that other requested records did not exist. The requester appealed the TTC’s decision to pursue access to the withheld information and records and stated that additional records ought to exist. |
|||||
| MO-4544 | Order | Access to Information Orders | Anna Kalinichenko | Read moreExpand | |
The township received a request under the Act, in part, for a report that was discussed at a closed session of the township council. The township relied on section 6(1)(b) of the Act to deny access to the report on the basis that it revealed the substance of deliberations of the closed session. In this order, the adjudicator upholds the township’s decision. |
|||||
| MO-4543 | Order | Access to Information Orders | Marian Sami | Read moreExpand | |
The City of Kawartha Lakes (the city) received a request under the Act for all city expenses over $1,000 over three and a half years. The city determined that it had reasonable grounds to consider the request as frivolous or vexatious under section 4(1)(b) of the Act. In this order, the adjudicator upholds the city’s decision, and dismisses the appeal. |
|||||
| PHIPA DECISION 256 | Decision - PHIPA | Health Information and Privacy | Justine Wai | Read moreExpand | |
An individual asked the appointed guardian of her late doctor’s medical records (the custodian) for access to her complete medical records. While the custodian originally claimed he found the individual’s medical records, he later said he did not find any. In this interim decision, the adjudicator finds the custodian did not conduct a reasonable search for the individual’s medical records and orders him to conduct another search. |
|||||
| PO-4527 | Order | Access to Information Orders | Jessica Kowalski | Read moreExpand | |
The appellant sought access from the WSIB to records relating to his claims. The WSIB granted partial access, withholding information from one of 17 responsive records because it contains another individual’s personal information. The appellant challenges the WSIB’s claim that the withheld information is exempt and claims that the WSIB narrowed the scope of his request, resulting in a restricted search for responsive records. The adjudicator finds that the WSIB’s clarification of the request and its search for responsive records were reasonable and that the withheld information at issue is exempt under the discretionary personal privacy exemption in section 49(b). She dismisses the appeal. |
|||||
| MO-4541 | Order | Access to Information Orders | Meganne Cameron | Read moreExpand | |
The appellant sought access to records related to investigations conducted by the Thunder Bay Police Services Board (the board). The board withheld some of the responsive records pursuant to the law enforcement and personal privacy exemptions, and the labour relations exclusion, in the Municipal Freedom of Information and Protection of Privacy Act (the Act). The appellant appealed the access decision to this office, and also challenged the reasonableness of the board’s search. |
|||||
| MO-4542 | Order | Access to Information Orders | Steven Faughnan | Read moreExpand | |
The appellant made a request under the Act to the Halton Regional Police Services Board (the police) for records revealing inquiries made about him by all police services across Canada on several identified law enforcement databases. The police took the position that they do not have custody or control over the information sought by the appellant. In this order, the adjudicator finds that while the police do not have custody or control over records relating to whether officers or employees of other police services made inquiries about the appellant on the identified databases, they have custody or control over records, if they exist, regarding whether their own officers or employees accessed those databases in relation to the appellant. The adjudicator orders the police to conduct a search for records relating to inquiries made about the appellant on the identified databases by their own officers or employees and to issue a decision on access to the appellant. |
|||||
| PHIPA DECISION 254 | Decision - PHIPA | Health Information and Privacy | Jenny Ryu | Read moreExpand | |
In June 2021, the respondent Kingston, Frontenac and Lennox & Addington Public Health (KFL&A) was the subject of a ransomware attack. The attack resulted in the encryption of multiple KFL&A servers, including those containing personal health information. |
|||||
| CYFSA Decision 19 | Decision | Child, Youth, and Family Information and Privacy | Jenny Ryu | Read moreExpand | |
In February 2022, the respondent Halton Children’s Aid Society (CAS) was the subject of a ransomware attack. While the CAS’s investigation did not find any evidence that the threat actor had accessed or exfiltrated any data stored in the CAS’s environment, it found that the threat actor had encrypted several CAS servers, including those containing personal information. The IPC initiated a review of the matter under Part X of the Child, Youth and Family Services Act, 2017 (CYFSA). Section 308(2) of the CYFSA sets out a duty on service providers like the CAS to notify individuals at the first reasonable opportunity if their personal information is stolen, lost, or used or disclosed without authority. The CAS asserts that because the ransomware attack targeted its servers at the external or “container” level, the attack did not “individually impact” file folders and files of personal information held inside the encrypted containers. The CAS takes the position that the encryption event did not result in a theft, loss, or unauthorized use or disclosure of personal information within the meaning of section 308(2), and that the duty to notify does not apply. In this decision, the adjudicator finds that the threat actor’s encryption of CAS servers at the container level affected the personal information in those servers, by making that personal information unavailable and inaccessible to authorized users. The ransomware attack resulted in both an unauthorized use and a loss of personal information within the meaning of section 308(2). As a result, the CAS had a duty to notify affected individuals “at the first reasonable opportunity” of the incident. After taking into account relevant circumstances, including the evidence of diligent efforts by the CAS to contain and to mitigate the risks of the privacy breach, the adjudicator finds that the notice requirement can be met in this case through the posting of a general notice on the CAS’s website, or another form of indirect public notice. The adjudicator orders the CAS to provide this notice within 30 days of the date of this decision. |
|||||
| PHIPA DECISION 255 | Decision - PHIPA | Health Information and Privacy | Jenny Ryu | Read moreExpand | |
In July 2022, the respondent Simcoe Muskoka District Health Unit (SMDHU) was the subject of an email phishing attack. As a result of the attack, a threat actor gained access to one SMDHU email account containing approximately 20,000 emails, including about 1,000 emails containing personal health information. SMDHU reports that the threat actor’s access to the compromised email account was limited to one hour, and that its forensic analysis found no evidence that the threat actor viewed, downloaded, copied, sent, forwarded, or removed any emails while in the compromised account. |
|||||
| PHIPA DECISION 253 | Decision - PHIPA | Health Information and Privacy | Jenny Ryu | Read moreExpand | |
In December 2022, the respondent the Hospital for Sick Children (the hospital) was the subject of a ransomware attack. The attack resulted in the encryption of numerous hospital servers, including those containing personal health information. However, the hospital’s investigation did not find evidence of any access to or exfiltration of personal health information by the threat actor, or of any impact to the hospital’s primary medical records system. The IPC initiated a review of the matter under the Personal Health Information Protection Act, 2004 (PHIPA). Section 12(2) of PHIPA sets out a duty on health information custodians like the hospital to notify individuals at the first reasonable opportunity if their personal health information is stolen, lost, or used or disclosed without authority. The hospital asserts that because the threat actor encrypted virtual servers at the “container” level, it did not “directly interact” with personal health information housed in the encrypted servers. The hospital takes the position that the attack did not result in a theft, loss, or unauthorized use or disclosure of personal health information within the meaning of section 12(2), and that the duty to notify does not apply. In this decision, the adjudicator finds that the threat actor’s encryption of hospital servers at the container level affected the personal health information in those servers, by making that information unavailable and inaccessible to authorized users. The ransomware attack resulted in both an unauthorized use and a loss of personal health information within the meaning of section 12(2). As a result, the hospital had a duty under PHIPA to notify affected individuals “at the first reasonable opportunity” of the incident. In the immediate aftermath of the attack, and in the weeks following, the hospital posted updates on its website and on social media informing the public about the attack, and of the progress of its investigation and remediation efforts. While the hospital’s notice did not comply with section 12(2) because it did not include a statement about the right to complain to the IPC, the adjudicator finds no useful purpose in directing that notice of the right to complain be given now. She concludes the review without issuing an order. |
|||||
| MO-4540 | Order | Access to Information Orders | Steven Faughnan | Read moreExpand | |
This order determines whether the Toronto District School Board (the board) conducted a reasonable search for records responsive to a request made under the Act. In this order, the adjudicator finds that the board conducted a reasonable search for responsive records in accordance with its obligations under section 17 and dismisses the appeal. |
|||||
| MO-4538 | Order | Access to Information Orders | Anna Kalinichenko | Read moreExpand | |
The city denied access to records relating to a trespass notice issued by it to the appellant. Responsive records were withheld pursuant to section 38(a) (discretion to refuse requester’s own information) read with law enforcement exemptions at section 8(1) of the Act. In this order, the adjudicator upholds the city’s decision to deny access to responsive records pursuant to section 38(a) read with section 8(1)(e) (endanger life or safety). |
|||||
| PHIPA DECISION 252 | Decision - PHIPA | Health Information and Privacy | Stella Ball | Read moreExpand | |
The complainant asserted that a doctor had not conducted a reasonable search for his medical records. The complainant relied on an affidavit of documents from an existing court proceeding between himself and the doctor to identify the allegedly missing records and to argue that they should exist. |
|||||
| MO-4539 | Order | Access to Information Orders | Katherine Ball | Read moreExpand | |
The City of Ottawa received a request under the Act for access to records relating to the successful bid response to a specified RFP for healthcare procurement services. The city granted partial access to the records, withholding portions pursuant to various exemptions. The requester appealed the city’s decision and claimed a public interest in the disclosure of the withheld information. |
|||||