Showing 15 of 740 results
Order Numbers | Type | Collection | Adjudicators | Date Published | |
---|---|---|---|---|---|
PHIPA DECISION 284 | Decision - PHIPA | Health Information and Privacy | Francisco Woo | | |
Five hospitals and a health care clinic (collectively, the custodians) reported a privacy breach under the Personal Health Information Protection Act, 2004 (the Act) involving a ransomware attack against their network operated by a shared IT service provider. The threat actor exfiltrated electronic records containing personal health information of hundreds of thousands of patients and encrypted many network servers. After discovering the attack, the service provider shut down its network and engaged security and forensic experts. The threat actor published the stolen files. The custodians issued public releases about the incident and notified patients whose personal health information was stolen. |
PX24-00001 | Privacy Complaint Report | Privacy Reports | John Gayle | | |
The Office of the Information and Privacy Commissioner of Ontario (IPC) received complaints from students at the University of Waterloo (the university) regarding “smart” snack vending machines installed on campus by a third-party service provider. The complaints alleged that the machines appeared to use facial recognition technology that was collecting facial images without consent or proper notice. In this report, I find that the machines used cameras and face detection technology to capture identifiable facial images amounting to a collection of personal information within the meaning of section 38(1) of the Freedom of Information and Protection of Privacy Act (FIPPA). Further, I find that this collection did not comply with section 38(2) of FIPPA and, therefore, was a privacy breach. I also find that affected individuals were not given notice of the collection, as required under section 39(2) of FIPPA. Although the university had reasonable contractual safeguards in place with the third-party service provider, it was unaware that personal information was being collected through the machines’ face detection technology. This oversight was due to shortcomings in the university’s procurement process for the vending machines which failed to apply the necessary level of due diligence by conducting a privacy impact assessment, or requiring prospective service providers to do so, in order to identify and assess the privacy implications of the technology. In this report, I recommend that the university take adequate steps in the procurement process to ensure it evaluates third-party service providers and any technology to be used, and fulfills its obligations to protect personal information under its control in accordance with section 4(1) of Regulation 460 under FIPPA. |
PO-4662 | Order | Access to Information Orders | Anna Kalinichenko | | |
An individual asked the Ministry of Economic Development, Job Creation and Trade for records about the Government of Ontario’s investment in a facility to manufacture N95 respirators. The ministry partially disclosed to the individual the two responsive records it located, a conditional grant agreement and a letter of offer. It withheld some information in the records under the mandatory third party information exemption. In this order, the adjudicator finds that the withheld information is not exempt because it was a product of negotiations between the ministry and an affected party. The adjudicator orders the ministry to disclose the withheld information to the individual. |
MO-4661 | Order | Access to Information Orders | Alline Haddad | | |
An individual asked the Toronto Police Services Board for records about facial recognition technology. The police granted partial access to the requested records. To date, the police have not released the records they agreed to release in their decision letter, despite the appellant paying for the records. The decision-maker finds that the police failed to disclose records in their decision, as required under section 19 of the Act, and orders the police to release those records by June 19, 2025. |
MO-4660 | Order | Access to Information Orders | Anda Wang | | |
An individual made a request for records relating to the backyard water drainage system of a specified address. The Town of LaSalle located and granted partial access to records. The individual appealed the town’s decision on the basis of his belief that additional records should exist. In this order, the adjudicator finds that the town conducted a reasonable search for records responsive to the request and dismisses the appeal. |
PHIPA DECISION 282 | Decision - PHIPA | Health Information and Privacy | Jennifer Olijnyk | | |
This decision disposes of the outstanding issue of the reasonableness of a search conducted by the Queensway Carleton Hospital (the hospital) for correspondence, messages or documentation relating to a patient’s hospital stay. |
PO-4660 | Order | Access to Information Orders | Anda Wang | | |
An individual submitted a request to the Ministry of Children, Community and Social Services under the Freedom of Information and Protection of Privacy Act for general information relating to arrears owed to the Family Responsibility Office (FRO). The ministry issued a fee estimate and declined to grant a fee waiver. The individual appealed the ministry’s fee estimate and fee waiver decisions, seeking a fee waiver on the basis of financial hardship and that dissemination of the records would benefit public health or safety. In this order, the adjudicator upholds the ministry’s fee estimate and fee waiver decisions. The appeal is dismissed. |
MO-4659 | Order | Access to Information Orders | Colin Bhattacharjee | | |
The appellant is a union that asked the Municipality of Chatham-Kent for the names and email addresses of two employees who had forwarded to senior management a union email urging employees not to come to work on a particular day. |
PHIPA DECISION 283 | Decision - PHIPA | Health Information and Privacy | Jennifer Olijnyk | | |
An individual submitted a request for reconsideration of PHIPA Decision 275, where the adjudicator ordered the hospital to conduct a further search, which was to include searching for emails between identified doctors. The individual stated that there was a reasonable basis to order the hospital to conduct additional searches of the entirety of the patient’s legal health record, rather than the locations that the hospital had identified as containing communications between doctors. |
PO-4661 | Order | Access to Information Orders | Asma Mayat | | |
The appellant asked Tribunals Ontario for records related to vaccine passports, vaccine mandates and exemption grounds. The requester filed an appeal with the IPC because the tribunal did not issue an access decision within the prescribed time limit. The decision-maker agrees that the tribunal is deemed to have refused the access request under section 29(4) of the Act and orders the tribunal to issue a final access decision by June 20, 2025. |
PHIPA DECISION 281 | Decision - PHIPA | Health Information and Privacy | | | |
An individual made a complaint under the Personal Health Information Protection Act (the Act) about the use of their personal health information by Sunnybrook Health Sciences Centre (the hospital) and the Sunnybrook Foundation (the foundation) for the purpose of fundraising activities. The complaint relates to the personal health information that the hospital provided to the foundation, as well as the content of the fundraising letter sent to the complainant by the foundation. In this decision, the adjudicator finds that the foundation is the hospital’s agent and that the provision of personal health information to it for the purpose of fundraising activities is a “use” of that personal health information. The adjudicator also finds that the collection, use and disclosure of personal health information for the purpose of fundraising activities is exclusively covered under section 32 of the Act and section 10 of its associated Regulation, and that the permitted uses in sections 37(1)(c) and (d) do not apply to fundraising. The adjudicator finds that the hospital’s use of personal health information for fundraising purposes was generally permitted under the implied consent provision of section 32(1)(b) of the Act and section 10 of the Regulation, but that the fundraising letter the foundation sent to the complainant contained more personal health information than was permitted under the Regulation. |
PO-4659 | Order | Access to Information Orders | Chris Anzenberger | | |
The ministry received a request under the Freedom of Information and Protection of Privacy Act for a report on the Ontario government’s approach to caring for individuals with specified medical conditions. The ministry located the report but withheld it under section 13(1) of the Act because it contained advice or recommendations to the government. |
MO-4658-R | Reconsideration Order | Access to Information Orders | Jessica Kowalski | | |
This reconsideration order corrects two errors in the description of MPAC’s commercial revenue in Order MO-4626, and corrects the omission of a statutory reference in two other paragraphs. The corrections are made pursuant to section 15.01(c) of the IPC’s Code of Procedure, which permits reconsideration where there is a clerical error, accidental error or omission, or other similar error. |
PO-4658 | Order | Access to Information Orders | Jennifer Olijnyk | | |
A student made a request to the University of Waterloo under the Freedom of Information and Protection of Privacy Act for records relating to his own vaccine accommodation request, as well as general information for religion-based accommodation requests. The university withheld some of the responsive records citing the discretion to refuse a requester’s own information (section 49(a)), read with the exemption for advice or recommendations (section 13) and the exemption for solicitor-client privileged information (section 19). In this order, the adjudicator partially upholds the university’s decision, finding that some of the records are wholly exempt under section 49(a), read with section 13, and others are partially exempt under section 49(a), read with sections 13 and 19. She orders the university to disclose the non-exempt information. |
MO-4657 | Order | Access to Information Orders | Lan An | | |
An individual made a request under the Municipal Freedom of Information and Protection of Privacy Act for access to witness statements for a specified incident. The police denied access in full to a video recording of a witness statement because its disclosure would constitute an unjustified invasion of another individual’s personal privacy (section 38(b)). In this order, the adjudicator upholds the police’s decision. She finds that the police properly withheld another individual’s personal information under section 38(b) and that the public interest override does not apply to permit its disclosure. The adjudicator also finds that the police’s search was reasonable. |