Latest decisions

Showing 15 of 740 results

Order Numbers | Type | Collection | Adjudicators | Date Published
PHIPA DECISION 284 | Decision - PHIPA | Health Information and Privacy | Francisco Woo

Five hospitals and a health care clinic (collectively, the custodians) reported a privacy breach under the Personal Health Information Protection Act, 2004 (the Act) involving a ransomware attack against their network operated by a shared IT service provider. The threat actor exfiltrated electronic records containing personal health information of hundreds of thousands of patients and encrypted many network servers. After discovering the attack, the service provider shut down its network and engaged security and forensic experts. The threat actor published the stolen files. The custodians issued public releases about the incident and notified patients whose personal health information was stolen.
The threat actor launched its attack by leveraging the network’s administrative accounts. A forensic investigation could not determine how these accounts were compromised.
To remediate the incident, the service provider implemented additional safeguards to reinforce the security of its systems, including increased detection measures, traffic restrictions and multi-factor authentication.
In this decision, the investigator finds that the data exfiltration was an unauthorized use and disclosure of personal health information. He also finds that the hostile encryption of the servers resulted in an unauthorized use and loss of personal health information of the custodians’ patients and, therefore, the custodians were required to notify the affected patients as required by section 12(2) of the Act. The investigator finds that, although the custodians did not notify as required, there is no useful purpose in ordering additional notification in this case.
In light of the measures taken to contain, investigate and remediate the incident, the investigator finds that the custodians have responded adequately to the breach and concludes that a review of this matter under Part VI of the Act is not warranted.

PX24-00001 | Privacy Complaint Report | Privacy Reports | John Gayle

The Office of the Information and Privacy Commissioner of Ontario (IPC) received complaints from students at the University of Waterloo (the university) regarding “smart” snack vending machines installed on campus by a third-party service provider. The complaints alleged that the machines appeared to use facial recognition technology that was collecting facial images without consent or proper notice.

In this report, I find that the machines used cameras and face detection technology to capture identifiable facial images amounting to a collection of personal information within the meaning of section 38(1) of the Freedom of Information and Protection of Privacy Act (FIPPA). Further, I find that this collection did not comply with section 38(2) of FIPPA and, therefore, was a privacy breach. I also find that affected individuals were not given notice of the collection, as required under section 39(2) of FIPPA.

Although the university had reasonable contractual safeguards in place with the third-party service provider, it was unaware that personal information was being collected through the machines’ face detection technology. This oversight was due to shortcomings in the university’s procurement process for the vending machines, which failed to apply the necessary level of due diligence by conducting a privacy impact assessment, or requiring prospective service providers to do so, in order to identify and assess the privacy implications of the technology.

In this report, I recommend that the university take adequate steps in the procurement process to ensure it evaluates third-party service providers and any technology to be used, and fulfills its obligations to protect personal information under its control in accordance with section 4(1) of Regulation 460 under FIPPA.

PO-4662 | Order | Access to Information Orders | Anna Kalinichenko

An individual asked the Ministry of Economic Development, Job Creation and Trade for records about the Government of Ontario’s investment in a facility to manufacture N95 respirators. The ministry partially disclosed to the individual the two responsive records it located, a conditional grant agreement and a letter of offer. It withheld some information in the records under the mandatory third party information exemption.

In this order, the adjudicator finds that the withheld information is not exempt because it was a product of negotiations between the ministry and an affected party. The adjudicator orders the ministry to disclose the withheld information to the individual.

MO-4661 | Order | Access to Information Orders | Alline Haddad

An individual asked the Toronto Police Services Board for records about facial recognition technology. The police granted partial access to the requested records. To date, the police have not released the records they agreed to release in their decision letter, despite the appellant paying for the records. The decision-maker finds that the police failed to disclose records in their decision, as required under section 19 of the Act, and orders the police to release those records by June 19, 2025.

MO-4660 | Order | Access to Information Orders | Anda Wang

An individual made a request for records relating to the backyard water drainage system of a specified address. The Town of LaSalle located and granted partial access to records.

The individual appealed the town’s decision on the basis of his belief that additional records should exist.

In this order, the adjudicator finds that the town conducted a reasonable search for records responsive to the request and dismisses the appeal.

PHIPA DECISION 282 | Decision - PHIPA | Health Information and Privacy | Jennifer Olijnyk

This decision disposes of the outstanding issue of the reasonableness of a search conducted by the Queensway Carleton Hospital (the hospital) for correspondence, messages or documentation relating to a patient’s hospital stay.
In PHIPA Decision 275, the adjudicator did not uphold the hospital’s search for responsive records and ordered it to conduct further searches, including for email records between doctors specified in the request.
In this decision, the adjudicator finds the hospital’s further searches conducted in accordance with PHIPA Decision 275 to be reasonable. She upholds the hospital’s search for records responsive to the complainant’s request and dismisses the complaint.

PO-4660 | Order | Access to Information Orders | Anda Wang

An individual submitted a request to the Ministry of Children, Community and Social Services under the Freedom of Information and Protection of Privacy Act for general information relating to arrears owed to the Family Responsibility Office (FRO).

The ministry issued a fee estimate and declined to grant a fee waiver. The individual appealed the ministry’s fee estimate and fee waiver decisions, seeking a fee waiver on the basis of financial hardship and that dissemination of the records would benefit public health or safety.

In this order, the adjudicator upholds the ministry’s fee estimate and fee waiver decisions. The appeal is dismissed.

MO-4659 | Order | Access to Information Orders | Colin Bhattacharjee

The appellant is a union that asked the Municipality of Chatham-Kent for the names and email addresses of two employees who had forwarded to senior management a union email urging employees not to come to work on a particular day.
The municipality refused to give the appellant this information because it claimed that it is in labour relations or employment records that are excluded from the Municipal Freedom of Information and Protection of Privacy Act by section 52(3)3.
In this order, the adjudicator concludes that the emails containing the names and email addresses of the two employees are excluded from the Act by section 52(3)3. He dismisses the appeal.

PHIPA DECISION 283 | Decision - PHIPA | Health Information and Privacy | Jennifer Olijnyk

An individual submitted a request for reconsideration of PHIPA Decision 275, where the adjudicator ordered the hospital to conduct a further search, which was to include searching for emails between identified doctors. The individual stated that there was a reasonable basis to order the hospital to conduct additional searches of the entirety of the patient’s legal health record, rather than the locations that the hospital had identified as containing communications between doctors.
In this reconsideration decision, the adjudicator finds that the complainant has not established grounds for reconsideration under section 27.01 of the Code of Procedure for Matters under the Personal Health Information Protection Act, 2004 and denies the request.

PO-4661 | Order | Access to Information Orders | Asma Mayat

The appellant asked Tribunals Ontario for records related to vaccine passports, vaccine mandates and exemption grounds. The requester filed an appeal with the IPC because the tribunal did not issue an access decision within the prescribed time limit. The decision-maker agrees that the tribunal is deemed to have refused the access request under section 29(4) of the Act and orders the tribunal to issue a final access decision by June 20, 2025.

PHIPA DECISION 281 | Decision - PHIPA | Health Information and Privacy

An individual made a complaint under the Personal Health Information Protection Act (the Act) about the use of their personal health information by Sunnybrook Health Sciences Centre (the hospital) and the Sunnybrook Foundation (the foundation) for the purpose of fundraising activities. The complaint relates to the personal health information that the hospital provided to the foundation, as well as the content of the fundraising letter sent to the complainant by the foundation. In this decision, the adjudicator finds that the foundation is the hospital’s agent and that the provision of personal health information to it for the purpose of fundraising activities is a “use” of that personal health information.

The adjudicator also finds that the collection, use and disclosure of personal health information for the purpose of fundraising activities is exclusively covered under section 32 of the Act and section 10 of its associated Regulation, and that the permitted uses in sections 37(1)(c) and (d) do not apply to fundraising.

The adjudicator finds that the hospital’s use of personal health information for fundraising purposes was generally permitted under the implied consent provision of section 32(1)(b) of the Act and section 10 of the Regulation, but that the fundraising letter the foundation sent to the complainant contained more personal health information than was permitted under the Regulation.

PO-4659 | Order | Access to Information Orders | Chris Anzenberger

The ministry received a request under the Freedom of Information and Protection of Privacy Act for a report on the Ontario government’s approach to caring for individuals with specified medical conditions. The ministry located the report but withheld it under section 13(1) of the Act because it contained advice or recommendations to the government.
In this order, the adjudicator finds that the report does not qualify for exemption under section 13(1) because it falls within the section 13(2)(f) exception for records about the performance or efficiency of a government program. He orders the ministry to disclose the record.

MO-4658-R | Reconsideration Order | Access to Information Orders | Jessica Kowalski

This reconsideration order corrects two errors in the description of MPAC’s commercial revenue in Order MO-4626, and corrects the omission of a statutory reference in two other paragraphs. The corrections are made pursuant to section 15.01(c) of the IPC’s Code of Procedure, which permits reconsideration where there is a clerical error, accidental error or omission, or other similar error.

PO-4658 | Order | Access to Information Orders | Jennifer Olijnyk

A student made a request to the University of Waterloo under the Freedom of Information and Protection of Privacy Act for records relating to his own vaccine accommodation request, as well as general information for religion-based accommodation requests. The university withheld some of the responsive records citing the discretion to refuse a requester’s own information (section 49(a)), read with the exemption for advice or recommendations (section 13) and the exemption for solicitor-client privileged information (section 19).

In this order, the adjudicator partially upholds the university’s decision, finding that some of the records are wholly exempt under section 49(a), read with section 13, and others are partially exempt under section 49(a), read with sections 13 and 19. She orders the university to disclose the non-exempt information.

MO-4657 | Order | Access to Information Orders | Lan An

An individual made a request under the Municipal Freedom of Information and Protection of Privacy Act for access to witness statements for a specified incident. The police denied access in full to a video recording of a witness statement because its disclosure would constitute an unjustified invasion of another individual’s personal privacy (section 38(b)).

In this order, the adjudicator upholds the police’s decision. She finds that the police properly withheld another individual’s personal information under section 38(b) and that the public interest override does not apply to permit its disclosure. The adjudicator also finds that the police’s search was reasonable.
