PRIVACY COMPLAINT REPORT

 

 

PRIVACY COMPLAINT NO. MC-060024-1

 

 

The Corporation of the City of Oshawa

 

 

 

 

 

 

 

 

PRIVACY COMPLAINT REPORT

 

 

 

PRIVACY COMPLAINT NO.                   MC-060024-1

 

 

 

INVESTIGATOR:                                       Mark Ratner

 

 

 

INSTITUTION:                                            The Corporation of the City of Oshawa

 

 

 

SUMMARY OF COMMISSIONER INITIATED COMPLAINT:

 

In April 2006, the Office of the Information and Privacy Commissioner/Ontario (IPC) received a letter from a not-for-profit hockey organization located in the City of Oshawa (the City).  The author of the letter, (the source of the complaint) who was a volunteer and officer of the organization, objected to the City’s collection of personal information about the organization’s participants when processing permit applications pertaining to the use of ice-time at municipal arenas.  The IPC initiated a privacy complaint investigation to determine whether the City’s actions constituted a contravention of the provisions of the Municipal Freedom of Information and Protection of Privacy Act (the Act).

 

Background

 

In the summer of 2005, the City adopted a new Ice Allocation Policy (the Policy) governing the way in which organizations apply for ice time at City-owned and operated facilities, as well as facilities owned by third parties with a user agreement for community access.  The Policy established mandatory application requirements that all organizations were required to fulfill in order to obtain permits for ice time.

 

One of the requirements introduced was that all organizations were now instructed to provide the following information about each participant:

 

• full name,
• address, and
• year of birth.

 

The City advised organizations that failing to provide the requested information would result in the denial of the permit application.

 

In addition, as part of the Policy, the City stated that all organizations were required to include a waiver on each registration form stating:

 

By signing below, I hereby provide authorization to [name of organization] to release the name, address and year of birth of the registrant identified on this registration form to the City of Oshawa. This information is being collected pursuant to the Municipal Freedom of Information and Protection of Privacy Act and under the authority of the Municipal Act for the sole purpose of verifying participation numbers and the allocation of ice time in the community.

 

The City has stated that it requires organizations to provide this information in order to identify and verify the residency status of both participants and members.  Youth groups, as well as groups that are comprised primarily of City residents, are provided with preferential status in terms of the allocation of ice time.  In addition, the fee charged for ice time differs depending on the age of the participants.

 

The City stated that City staff routinely use surnames and addresses to search online databases in order to determine the accuracy of membership rosters.  The other information collected is used to determine the facilities required for a given group.

 

In response to this privacy complaint, the City stated that it would be willing to modify the way in which it collects information relating to participants.  These proposed modifications will be discussed below.

 

DISCUSSION:

 

The following issues were identified as arising from the investigation:

 

Is the information “personal information” as defined in section 2(1) of the Act?

 

As stated above, the City has requested that organizations provide full names, addresses, and year of birth for all participants.

 

Section 2(1) of the Act states, in part:

 

“personal information” means recorded information about an identifiable individual, including,

 

(a)                information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,

…

(d)                the address, telephone number, fingerprints or blood type of the individual,

…

 

(h)             the individual’s name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual; [emphasis added]

… .

 

Based on the above definition, I am satisfied that the information in question clearly qualifies as “personal information” under the Act.  The City does not dispute this conclusion.

 

Was the collection of the “personal information” in accordance with sections 28(2) and 29(1) of the Act?

 

The circumstances under which an institution may collect personal information are set out in section 28(2) (which deals with any collection of personal information) and section 29(1) (which deals only with indirect collections of personal information).

 

In this case, the City is not collecting personal information directly from participants, but rather is collecting information indirectly through the provision of member information by the organizations.  The collection is therefore considered to be “indirect” and I must separately address whether the City’s actions are in accordance with both section 28(2) and section 29(1) of the Act.  I will consider the application of each section below.

 

Section 28(2)

 

Collections of personal information are dealt with generally at section 28(2) of the Act, which states:

 

No person shall collect personal information on behalf of an institution unless the collection is expressly authorized by statute, used for the purposes of law enforcement or necessary to the proper administration of a lawfully authorized activity.

 

This provision limits permissible collections of personal information to the three circumstances set out above.  In order for an institution to demonstrate that a given collection of personal information is permissible, it must show that the collection is in accordance with one of the three branches of section 28(2).

 

In this instance, based on the information provided by the City, the branch that is most likely to apply is the branch that permits the collection of personal information where it is necessary to the proper administration of a lawfully authorized activity.

 

To support its position that the collection of personal information is lawfully authorized, the City has cited Part XII of the Municipal Act, which provides, among other things, that municipalities are authorized to charge fees for the use of municipal facilities on a cost-recovery basis.  The City has stated:

 

In order to implement a residency-based policy, the City must receive information about the residency “status” of organizations and their participants. The City also needs the ability to verify the residency information provided, to ensure the integrity of the ice allocation system, and prevent fraud or inadvertent misinformation being used as a basis for ice allocation. In this respect, the City requires a number of pieces of information, to be used solely for the purpose of establishing and verifying residency requirements.

 

In recognition of the fact that its ice facilities are subsidized by municipal ratepayers, the City has implemented a residency-based policy governing the use of City ice.  By collecting this personal information, the City has stated that it has the ability to verify that organizations are meeting the residency requirements.

 

As stated above, the City periodically uses the personal information provided to validate residency by the registrant within the municipality by searching online directories.  The City stated that other municipalities in the province of Ontario have also adopted similar validation systems.

 

I have considered the information provided by the City and I am satisfied that the City’s collection of personal information is necessary to the proper administration of a lawfully authorized activity.  The City has provided information that demonstrates that it is authorized under the Municipal Act to charge fees on municipal owned and operated facilities, including ice-rinks.  The City has developed a policy giving preference to municipal residents regarding the use of ice time.  I accept that it is therefore legitimate and necessary for the City to collect and verify residency information in order to reduce the risk of abuse of the permit application system.

 

While the process in place does not provide complete assurances that organizations are adhering to residency requirements, the fact that the process requires the provision of residency information entails that the City is providing itself with some tools that may be used to confirm the accuracy of information provided.

 

Accordingly, I am satisfied that the City’s collection of this personal information is in accordance with section 28(2) of the Act.

 

Section 29(1)

 

Section 29(1) of the Act deals with the circumstances under which an institution may indirectly collect personal information.  This provision establishes a basic prohibition on the indirect collection of personal information, but states that personal information may be collected indirectly where at least one of the statutory exceptions applies to make the indirect collection in question permissible.

 

In this case, the City has taken the position that its collection of personal information through the permit process is in accordance with section 29(1)(a) of the Act.

 

Section 29(1)(a) of the Act states:

 

An institution shall collect personal information only directly from the individual to whom the information relates unless,

 

(a)        the individual authorizes another manner of collection … .

 

Effectively, this provision entails that an indirect collection of personal information may take place where the individual in question has provided his or her consent to the collection.

 

In support of this position, the City has stated:

 

It is the City’s position that this collection of personal information is collected with consent, either direct consent or implied. Consent can be implied by the participants or their parent/guardian providing the detailed information after being made aware of the City’s collection and use of the information, and the officer to whom inquiries may be made.

 

I note that the precise manner in which participants are informed that information will be disclosed to the City is under review. Currently, (as stated above) the City requests that all organizations provide a Notice of Collection on each registration form informing participants that information will be provided to the City.

 

As a result of this investigation, the City has proposed to amend the way in which Notice is provided to participants.  I will address this proposal below.

 

With respect to the current process, and the determination of whether the City’s indirect collection is permissible under the Act, I am mindful of the fact that I have already concluded that the City has demonstrated that its collection of this information is “necessary to the proper administration of a lawfully authorized activity”.

 

I also note that the statement that organizations are required to include on registration forms states that the signatory “provide[s] authorization to [name of organization] to release the name, address and year of birth of the registrant identified on this registration form to the City of Oshawa”.

 

In my view, an individual reading the form would understand that the act of completing the form would mean that the City will be provided with the personal information contained on the form. The person filling out the form would then have the option of either completing the form (thereby authorizing the City’s indirect collection) or refusing to complete the form. Because notice is provided, the individual would understand that refusing to complete the registration form may result in their being unable to participate in the activity.

 

As the current system provides for individual choice through this notice, and because of the fact that organizations obtain the authorization of registrants to release of personal information, I am satisfied that participants that have properly completed the registration process have provided their authorization to “another manner of collection” in accordance with section 29(1)(a) of the Act.

 

Was notice of collection provided in accordance with section 29(2) of the Act?

 

Section 29(2) of the Act states that where personal information is collected on behalf of an institution, the individuals who are subject to the collection must be provided with notice of the legal authority for the collection, the principal purpose for which the information will be used, and the contact information of a person who may answer questions about the collection of information.

 

In this instance, the City has attempted to comply with this statutory requirement with the Notice that is excerpted above, which is provided by the organization to its members.

 

I have reviewed the Notice, a copy of which has been provided to the IPC, and note that it satisfies only one out of the three section 29(2) criteria.

 

The Notice states that the information is being collected “pursuant to the Municipal Freedom of Information and Protection of Privacy Act and under the authority of the Municipal Act … .” Previous Privacy Complaint Reports issued by the IPC [see, for example, I96-002] have stated that in order for a Notice of Collection to satisfy the requirement to provide the legal authority for the collection, a specific section or sections of the statute, or by-law in question must be cited.

 

In this case, the current form only generally makes reference to being “under the authority of the Municipal Act,” but does not make reference to a particular section or sections of that Act. Accordingly, I am not satisfied that the first criterion is met in this instance.

 

With respect to the second criterion, the Notice states that the information is being collected “… for the sole purpose of verifying participation numbers and the allocation of ice time in the community”.  This statement satisfies the requirement that the Notice include a statement regarding the principal purpose for which the information will be used.

 

With respect to the third criterion, the Notice does not contain the contact information of someone who is available to answer participants’ questions regarding the collection of personal information.

 

In light of the above, I am of the view that the statutory requirements established by section 29(2) of the Act are not currently being met.

 

Is the City’s retention of personal information in accordance with the General Regulation to the Act?

 

Ontario Regulation 823 (the General Regulation), made pursuant to the Act establishes rules that relate to security and retention of records (including records of personal information) in the custody of an institution.  With respect to security of records, section 3(1) of the General Regulation states:

 

Every head shall ensure that reasonable measures to prevent unauthorized access to the records in his or her institution are defined, documented and put in place, taking into account the nature of the records to be protected.

 

Section 5 of the General Regulation states:

 

Personal information that has been used by an institution shall be retained by the institution for the shorter of one year after use or the period set out in a by-law or resolution made by the institution or made by another institution affecting the institution, unless the individual to whom the information relates consents to its earlier disposal.

 

With respect to security and retention of permit application information, the City has described its current practices as follows:

 

• Permit application information is currently collected and retained in either paper or electronic format.
• Electronic permit application information is only accessible on a need-to-know basis by staff.
• Hard copy files are kept in a locked office.
• When use of the data is complete, paper documents are shredded and electronic files are deleted.

 

Based on the above information, it would appear that the personal information is currently retained for less than one year.  However, the City has recognized this and addressed it in their proposals set out below.

 

Therefore, based on all of the above, it is my view that the City’s practices with respect to retention and security of permit application information are in accordance with the general principles enunciated in the General Regulation, and are therefore in accordance with the Act.

 

As a result of this privacy complaint, the City has proposed revisions to its policies relating to security and retention of permit application information. Consequently, these further revisions will be addressed below.

 

PROPOSALS MADE BY THE CITY:

 

During the course of this privacy investigation, the City has stated that, subject to the results of this investigation, it may be willing to modify the way in which it processes permit applications for ice time.

 

Reducing the scope of information collected

 

One suggestion put forward by the City is to reduce the scope of information collected pertaining to each participant.  The City has stated that it would likely be able to verify the residency status of participants with the following information:

 

• Surname (of participant or a parent/guardian filling out the form on behalf of a minor)
• Year of birth
• Address (Street name and municipality only)
• Postal Code
• Telephone number (optional if address is provided)

 

In my view, this proposed reduction in the information collected would represent a positive development, as it would reduce the scope of personal information collected by the City.

 

Modifying the Notice of Collection

 

In recognition of the fact that the current notice in use may not satisfy the statutory requirements pertaining to Notices under the Act, the City has expressed that it would be willing to amend its Notice of Collection to state the following:

 

The personal information is being collected by the City of Oshawa for the sole purposes of allocating ice time to organizations and individuals in accordance with the City’s Ice Allocation Policy, City of Oshawa Bylaw 13-2003, General Fees and Charges and pursuant to section 11(2) of Municipal Act, 2001 as amended. All information shall be kept in strict confidence and not used for any other purpose. Once collected, the information will be used only for this allocation purpose, retained and disposed of in accordance with the City’s Records Retention By-law and provincial law.  By providing this information during registration, participants or their parents/guardians are authorizing the disclosure of personal information to the City, specifically the following information about the participant:

 

•         Surname

•         Parent/guardian’s surname if different

•         Year of birth

•         Parts of their address: street name, city/town, postal code

•         Telephone number of participant or of their parent/guardian

 

Any questions may be directed to: Sandra Kranc, City Clerk, 5^th Floor, Rundle Tower 50 Centre Street South Oshawa ON L1H 3Z7 tel 905-436-5639 fax: 905-436-5697 email: infoservices@oshawa.ca

 

In addition, the City has stated that it would provide the above form of Notice to organizations to distribute to potential participants, prior to registration and has stated that:

 

[t]he City would require the organization to post or distribute this Notice prominently at each registration session, whether online, or in person. The City would further require that if registration is taken over the phone, that the organization ensure the participant (or parent/guardian as applicable) is aware of the notice before registration is finalized.

 

In my view, the proposed revised Notice of Collection, as well as the proposed means of distribution contains improvements over the system currently in place.  The proposed revised Notice of Collection also addresses the deficiencies that I noted in my analysis of the current Notice on page 6 of this Report.

 

Retention and Security of permit application information

 

In order to enhance the security of permit application information kept on file, the City has stated that it intends on securing all hard copy permit application files in a lockable filing cabinet in a controlled-access area that is locked on a nightly basis.  (Currently files are kept in a locked office).

 

In my view, this change of procedure would represent a positive improvement as it would further enhance the protection of personal information contained in permit application files.

 

With respect to retention periods, the City has indicated that it intends on extending the retention period to two years.  In doing so, the City has stated that the retention period would become consistent with the City’s Retention by-law as well as the provisions of the General Regulation to the Act.  In my view, this change would also represent an improvement as it would establish a clear timetable for the destruction of records, while providing individuals an adequate timeframe to request access to records of their own personal information.

 

CONCLUSION:

 

I have reached the following conclusions based on the results of my investigation:

 

• The information in question qualifies as “personal information” as defined in section 2(1) of the Act.

 

• Personal information is collected in accordance with sections 28(2) and 29(1) of the Act.

 

• Notice of collection is not provided in accordance with section 29(2) of the Act.

 

• The City’s retention of personal information is in accordance with the General Regulation to the Act.

 

RECOMMENDATIONS:

 

As previously indicated, during the course of this privacy investigation, the City made a number of proposals for improving the permit process.  I commend the City for turning its mind to this and for its co-operation throughout the course of this investigation.  The City’s proposals together with any additional recommendations are as follows:

 

1.            Reducing the personal information collected to include only the surname, year of birth, street name and municipality, postal code, and phone number of each participant.

 

2.            Revising the Notice of Collection in accordance with the City’s proposal outlined above.  The City should require that the revised Notice of Collection be distributed to registrants by organizations prior to collection and disclosure of registration information.  With respect to individuals who register over the phone, the notice requirement may be satisfied by verbal notice.

 

3.            Amending security and retention procedures to reflect its obligations under legislation.  I recommend that these amendments be implemented by securing all hard copies of permit application information in lockable filing cabinets in controlled access areas, and by retaining permit application information for a period of two years, as set out in applicable by-laws and the General Regulation to the Act.

 

By July 9, 2007, the City should provide the Office of the Information and Privacy Commissioner with proof of compliance with the above recommendations.

 

 

 

 

 

 

 

Original signed by:                                                                              January 9, 2007

Mark Ratner Investigator