Showing 15 of 104 results
Order Numbers | Type | Collection | Adjudicators | Date Published | |
---|---|---|---|---|---|
MR21-00114 | Privacy Complaint Report | Privacy Reports | | | |
The Toronto Transit Commission (TTC) was the victim of a cyberattack. A threat actor gained access to its systems via a phishing attack, used malware to encrypt these systems, and exfiltrated data. The TTC notified the IPC, its employees, and the public of this privacy breach. It was later able to restore nearly all of its systems from backups and hired experts to determine the information that had been exfiltrated, and how the attack occurred. They found that the TTC’s failure to install a patch for a known security vulnerability contributed to the attack. In this report, I conclude that the TTC did not have reasonable security measures in place to prevent unauthorized access to the personal information on its systems. However, the TTC put additional security measures in place following the attack. It also implemented detailed revised guidance on scanning for vulnerabilities and installing patches. These set out timelines and state who is responsible for these tasks. Based on the measures that the TTC has taken since the breach, I am generally satisfied with their response to the breach, though I recommend that they implement guidance on using encryption as a default. |
|||||
PI21-00001 | Privacy Complaint Report | Privacy Reports | Patricia Kosseim | | |
The Office of the Information and Privacy Commissioner of Ontario (the “IPC”) received a complaint about McMaster University’s (“McMaster” or the “university”) use of the Respondus exam proctoring software, under the Freedom of Information and Protection of Privacy Act (“FIPPA” or the “Act”). This software consists of two applications. The Respondus LockDown Browser application restricts users’ access to the content of their computer, and the Respondus Monitor application analyzes students’ audio and video data during exams to determine whether cheating is occurring. The complainant did not want the IPC to share their name and complaint with the university; the Commissioner therefore opened a complaint file regarding the university’s use of this exam proctoring software. This report concludes that conducting exams and appointing examiners are activities of the university that are authorized by law. Proctoring online exams to ensure their integrity is an appropriate component of conducting certain types of exams, and is also an activity authorized by law. As to whether it is necessary to collect personal information through the Respondus exam proctoring software in order to proctor exams, I find that the Respondus LockDown Browser application collects little personal information, and that it collects and uses only what is necessary for it to function. The Respondus Monitor application collects more sensitive data, including biometric data, and uses artificial intelligence (AI) technology, which is of greater concern. 
Because the personal information collected by Respondus Monitor on behalf of the university is necessary for the operation of this tool for the purpose of exam proctoring, this collection is authorized under section 38(2) of the Act. However, the university did not give adequate notice of the collection of personal information, as required by section 39(2) of the Act, and the use of students’ personal information through the Respondus Monitor application is not in accordance with section 41(1). In addition, the current contract between the university and Respondus is contrary to section 41(1) of the Act because it does not adequately protect all of the personal information collected and it allows Respondus to use this information, without students’ consent, for system improvement purposes. In this report, I make a number of recommendations to the university to bring it into compliance with the Act. Given the heightened risks associated with AI technologies, I also recommend that the university put additional guardrails in place to govern its use of the Respondus Monitor application, and that it make the use of this software and any future contract with Respondus subject to these stronger protective measures on an ongoing basis. Note: As of November 1, 2024, McMaster had implemented the recommendations made in this report to the IPC’s satisfaction, and the file has been closed. |
|||||
PI22-00007 | Privacy Complaint Report | Privacy Reports | Jennifer Olijnyk | | |
The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a privacy complaint from a children’s aid society about the Ontario Provincial Police (OPP) disclosing personal information contrary to the Freedom of Information and Protection of Privacy Act (FIPPA or the Act). The children’s aid society stated that the OPP had implemented new reporting system software (Child Protection Agency Notification Plug-in) and since that time, had sent several occurrence reports in which a youth was listed as a witness or victim of a serious crime, but where there was no indication of a child protection concern. The children’s aid society stated that the OPP should not send reports absent a child protection concern, and that to do so was a breach of the youth’s privacy. The IPC opened a Commissioner-initiated privacy complaint file against the Ministry of the Solicitor General (the ministry), the ministry responsible for the OPP, regarding the use of the reporting system noted above. In this report, I find that the guidance the ministry provided for use of the Child Protection Agency Notification Plug-in is contrary to section 125 of the Child, Youth, and Family Services Act (CYFSA) and section 42 of FIPPA. Section 125 of the CYFSA sets out a number of harms or risks to children and imposes a duty to report in cases where an individual, including an OPP officer, has reasonable grounds to suspect one or more of those harms or risks. The guidance provided by the ministry requires officers to send a report to a children’s aid society in all cases where a youth is listed as a victim or witness to a serious crime. Mandating these disclosures, rather than having the officer use their judgment as to whether a duty to report exists under section 125 of the CYFSA, allows for the possibility that the OPP may disclose personal information to a children’s aid society when there is no duty to report, which would be contrary to the Act. 
I recommend that the ministry change its guidance to reflect that officers are to send reports to a children’s aid society when the officer judges they have a duty to report, and to remove guidance stating that such reports are mandatory when a youth is listed as a victim or a witness. |
|||||
PC20-00017 | Privacy Complaint Report | Privacy Reports | John Gayle | | |
The Office of the Information and Privacy Commissioner received a privacy complaint about the disclosure of a certified copy of a death registration for a deceased individual (the deceased) by the Ministry of Public and Business Service Delivery (the ministry) to an applicant who is not the deceased’s next of kin or extended next of kin. The complainant, who is the deceased’s mother and next of kin, believed that the disclosure was unauthorized and, therefore, a privacy breach under the Freedom of Information and Protection of Privacy Act (the Act). In this report, I find that the information at issue is “personal information” within the meaning of section 2(1) of the Act and that the ministry’s disclosure of this information was not in accordance with section 42(1) of the Act. I also find that the ministry did not have reasonable measures in place to prevent unauthorized access to the personal information in accordance with section 4(1) of Regulation 460 made under the Act. As a result, I recommend that the ministry take reasonable steps to be satisfied as to the identity of an applicant before granting them access to a certified copy of a death registration. Further, as I found that the ministry did not respond adequately to the breach with respect to containment, I recommend that the ministry consider pursuing other means to retrieve the deceased’s certified copy of a death registration. |
|||||
MC19-00058 and MC19-00059 | Privacy Complaint Report | Privacy Reports | Jennifer Olijnyk | | |
The Toronto Police Services Board (the police or the TPS) was notified that a TPS employee may have inappropriately accessed the complainants’ personal information from a police database. The TPS investigated and found that the TPS employee accessed and disclosed the complainants’ personal information to another TPS employee in violation of the Municipal Freedom of Information and Protection of Privacy Act (the Act). In this report, I find that the TPS employee conducted database searches of the complainants’ personal information without authorization, and verbally disclosed their personal information to another TPS employee contrary to the Act. I conclude that the TPS does not have reasonable measures in place to protect personal information in its database, as required by section 3(1) of Regulation 823 to the Act. I recommend improvements to the TPS verification and auditing protocols. I also recommend improvements to its privacy guidance documents, and privacy training program. In addition, I recommend notifying additional parties whose privacy was breached and who the TPS identified during this investigation. |
|||||
MC19-00104 | Privacy Complaint Report | Privacy Reports | John Gayle | | |
The Office of the Information and Privacy Commissioner received a privacy complaint about the Toronto Police Service (the police)’s disclosure of information relating to an individual’s arrest and drug-related charges to their employer, the Correctional Service of Canada. The complainant believed that the disclosure breached their privacy under the Municipal Freedom of Information and Protection of Privacy Act (the Act). This report finds that the information at issue is “personal information” within the meaning of section 2(1) of the Act. It also finds that the police’s disclosure of this information was not in accordance with section 32 of the Act. |
|||||
MC20-00002 | Privacy Complaint Report | Privacy Reports | Alanna Maloney | | |
The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the City of Toronto contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act) when it posted the complainant’s Committee of Adjustment application, which included her personal information, on the internet. In this report, I find that the City’s Committee of Adjustment applications are a public record, pursuant to section 27 of the Act, and are therefore not subject to the privacy rules under Part II of the Act. Although I find that the City’s Committee of Adjustment applications are outside the scope of the Act, I recommend that the City pursue its intended review of its Committee of Adjustment application forms with the view of implementing data minimization principles. The City should also proceed with developing criteria to determine when it is appropriate to remove personal information from its forms. |
|||||
PI21-00003 | Privacy Complaint Report | Privacy Reports | John Gayle | | |
The Office of the Information and Privacy Commissioner of Ontario received three related privacy complaints about the University of Guelph (the university). The complaints concerned the university’s collection of information relating to the COVID-19 vaccination status of students who wished to live on residence for the 2021–2022 academic year. The complainants believed that the collection breached the students’ privacy under the Freedom of Information and Protection of Privacy Act (the Act). This report finds that the information at issue is “personal information” as defined in section 2(1) of the Act. It also finds that the collection of the personal information and the notice of collection were in accordance with sections 38(2) and 39(2) of the Act, respectively. |
|||||
MC18-17 | Privacy Complaint Report | Privacy Reports | Jennifer Olijnyk | | |
The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a privacy complaint from the parents of students of the Halton District School Board (the board), objecting to the board’s use of third party apps (“apps”), and the associated collection, use, and disclosure of students’ personal information. The complainant alleged that the board’s utilization of these apps contravened the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA or the Act). The complainants’ concerns included a failure to regulate the third party apps available to students via the board’s platform, a failure to track which apps had collected students’ personal information and what information they had collected, the posting of students’ personal information without knowledge or consent, and third party apps advertising to students. The complainants also stated that the board does not have reasonable measures in place to ensure that third party vendors protect the security of student personal information. This report concludes that the board’s catalogue system regulating the apps that collect, use, and disclose students’ personal information is in partial compliance with the Act, but that the board’s notice of collection was deficient. This report concludes that personal information was used for advertising or marketing purposes, contrary to the provisions of the Act. This report recommends that the board review its usage agreements with vendors, and revise the agreements to expressly prohibit the use of personal information by vendors for advertising or marketing purposes and to ensure that vendors only use personal information for the board’s education-related purposes. This report further recommends that the board review which apps use personal information for marketing or advertising purposes, and take the steps needed to prevent vendors from using personal information for those purposes going forward. 
This report also concludes that the board does not have reasonable contractual and oversight measures in place to ensure the privacy and security of the personal information of its students. This report recommends that the board revise its usage agreement to require vendors to notify the board when they have been compelled by law to disclose personal information. This report further recommends that the board revise its usage agreement to include both a requirement that vendors delete data for accounts no longer in use and a commitment by vendors to confirm, on the board’s request, that this deletion had occurred. Finally, this report recommends that the board’s usage agreement include both an audit requirement and a term stating that vendors’ obligations regarding personal information continue to apply, regardless of any changes to a vendor’s business name, structure, or ownership. |
|||||
PC19-00003 | Privacy Complaint Report | Privacy Reports | Jennifer Olijnyk | | |
The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Ministry of Transportation (the ministry) contravened the Freedom of Information and Protection of Privacy Act (the Act) when it disclosed the complainant’s personal information to a parking lot operator and a collection agency. This report finds that the information at issue is “personal information” as defined in section 2(1) of the Act and that the personal information was disclosed in accordance with sections 42(1)(c) and 43 of the Act. |
|||||
PC18-00074 | Privacy Complaint Report | Privacy Reports | Jennifer Olijnyk | | |
The complainant alleged that a staff member of the Ontario Provincial Police (the OPP) had inappropriately accessed and disclosed an OPP incident report that contained her personal information. The ministry responsible for the OPP admitted that the complainant’s personal information had been accessed in violation of the Freedom of Information and Protection of Privacy Act (the Act). In this report, I find that the complainant’s incident report was accessed by an OPP sergeant without authorization on at least two occasions. In the absence of sufficient evidence, I do not find that the incident report was subsequently disclosed to the complainant’s spouse, but I do conclude that the incident report number was disclosed by an unknown OPP employee contrary to the Act. I conclude that the ministry does not have reasonable measures in place to protect personal information in its database, as required by section 4(1) of Regulation 460. I recommend improvements to the privacy policies and procedures, privacy training, and auditing of accesses to personal information. I also recommend that the ministry disclose the disciplinary measures imposed on the sergeant as a result of the inappropriate accesses. |
|||||
MC18-6 | Privacy Complaint Report | Privacy Reports | Jennifer Olijnyk | | |
The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint alleging that the Township of Tay (the township) contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act) when it published council meeting minutes with the complainants’ personal information online and made a hard copy of those minutes available to the public. The IPC opened a privacy complaint to review the township’s disclosure of the information at issue. During the early stages of the complaint, the township removed the complainants’ names and address from the version of the meeting minutes available online. This report finds that some of the information contained in the meeting minutes is personal information. This report also finds that the township’s disclosure of the personal information in the meeting minutes was not in accordance with section 32 of the Act. |
|||||
PR20-00027 | Privacy Complaint Report | Privacy Reports | Lucy Costa | | |
This investigation file was opened after the Ministry of the Solicitor General (the ministry) contacted the Office of the Information and Privacy Commissioner of Ontario (the IPC) to report a privacy breach under the Freedom of Information and Protection of Privacy Act. The breach related to the ministry’s look-up tool web portal for COVID-19 status information (the Portal). Specifically, the ministry advised that an audit of the Portal had determined that a number of police services had conducted broad ranging community searches rather than performing a more specific search of individuals tested for COVID-19. This report concludes that the ministry did not have adequate measures in place to protect the personal information contained in the Portal. It also finds that the ministry did not respond adequately to the breaches. |
|||||
PC18-12 | Privacy Complaint Report | Privacy Reports | John Gayle | | |
The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint involving the Human Rights Tribunal of Ontario (HRTO). The complaint was that the HRTO had inappropriately disclosed personal information in a Case Assessment Direction (CAD). The complainant believed that the disclosure had breached his privacy under the Freedom of Information and Protection of Privacy Act (the Act). |