PRIVACY COMPLAINT REPORT

 

 

PRIVACY COMPLAINT NO.  MC-060029-1

 

 

City of Toronto

 

 

 

 

 

 

 

 

PRIVACY COMPLAINT REPORT

 

 

 

PRIVACY COMPLAINT NO.                   MC-060029-1

 

 

 

INVESTIGATOR:                                       Mark Ratner

 

 

 

INSTITUTION:                                            City of Toronto

 

 

 

SUMMARY OF COMMISSIONER INITIATED COMPLAINT:

 

In January 2006, the Office of the Information and Privacy Commissioner/Ontario (IPC) was copied on a letter that was sent to the Director of the Corporate Access and Privacy Office for the City of Toronto (the City).  The author of the letter (the source of the complaint) stated his concern about the City’s Parks, Forestry & Recreation Department’s collection of personal information on permit applications where the applicant is seeking the use of seasonal space.  The IPC initiated a privacy complaint investigation to determine whether the City’s practices were in accordance with the provisions of the Municipal Freedom of Information and Protection of Privacy Act (the Act).

 

The City’s Parks, Forestry & Recreation Department is the department within the City that is responsible for the allocation of permits relating to ice hockey rinks, gymnasiums, outdoor sports fields and meeting rooms.  As part of the permit process, the organization requesting the space is required to provide the City with a “Membership Roster” that contains information relating to every individual that is a participant with the organization seeking the use of City space.

 

The Membership Roster form that is currently in place requires that organizations provide the following information about each participant:

 

• name,
• age,
• postal code, and
• phone numbers.

 

According to information provided by the City, participant information collected is used, in part, to verify that organizations using City facilities meet the age and residency requirements that have been established by the City.

 

Background

 

During the course of the IPC’s investigation, the City indicated that privacy concerns relating to the permit application process had been brought to the attention of the Corporate Access and Privacy Office in the past.  Prior to January 2005, the City had been requiring that organizations seeking the use of facilities provide the following information about participants:

 

• full name,
• date of birth,
• birth registration number, and
• full address. 

 

In 2005, in response to the concerns raised, the City decided to review the way in which it processed permit applications.  As a result of the review, the City amended the Membership Roster forms by modifying the information that organizations are required to provide.  The revised form contained the following amendments:

 

• year of birth replaced date of birth,
• postal code and phone number replaced full address, and
• birth registration number was removed from the form.

 

The City also created a Notice of Collection that organizations are required to provide to members (or their parents) at the time of registration.  The Notice explains that the personal information collected on the membership form will be disclosed to the City.  The Notice states the authority for the collection of personal information and explains the purpose of the collection and contains contact information with a name and telephone number.

 

The City stated that all team roster information collected is included in the permit application files, which are maintained in locked filing cabinets, in secure access areas.  According to the City, contents of team rosters are not disclosed to any staff outside of the application area except as is necessary and proper in the performance of their duties.

 

The City further advised that these records are currently maintained for a period of five years, at which time they are archived.  During the 2005 review, the City’s Corporate Access and Privacy Office recommended a two-year retention period, with records being securely destroyed once two years have passed.  To date, the City’s 2005 recommendation regarding retention remain under consideration and has not yet been acted upon.

 

DISCUSSION:

 

The following issues were identified as arising from the investigation:

 

Is the information “personal information” as defined in section 2(1) of the Act?

 

Section 2(1) of the Act states, in part:

 

“personal information” means recorded information about an identifiable individual, including,

 

(a)                information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,

 

   

 

(c)                any identifying number, symbol or other particular assigned to the individual,

 

(d)               the address, telephone number, fingerprints or blood type of the individual,

…

 

(h)               the individual’s name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

 

I have reviewed the Membership Roster form and note that, as expressed above, the form requests the provision of the member’s name, age, postal code and phone number.  In light of the definition of “personal information” set out in the Act, I am satisfied that the information in question clearly qualifies as “personal information”.

 

The City does not dispute the conclusion that the information qualifies as “personal information”.

 

Was the collection of the “personal information” in accordance with sections 28(2) and 29(1) of the Act?

 

The circumstances under which an institution may collect personal information are set out in section 28(2) (which deals with any collection of personal information) and section 29(1) (which deals only with indirect collections of personal information).

 

In this case, the City is not collecting personal information directly from members, but rather is collecting information indirectly thorough the provision of member information by the organizations.  As such, the collection is considered to be indirect, and the City must demonstrate that its information collection practices are in accordance with both sections 28(2) and 29(1) of the Act.  I will proceed to consider the application of each provision, below.

 

Section 28(2)

 

Section 28(2) of the Act states:

 

No person shall collect personal information on behalf of an institution unless the collection is expressly authorized by statute, used for the purposes of law enforcement or necessary to the proper administration of a lawfully authorized activity.

 

In order for a given collection of personal information to be permissible under the Act, an institution must demonstrate that it is in accordance with at least one of the three branches of section 28(2).

 

The City relies on the branch of section 28(2) that permits the collection of personal information that is “necessary to the proper administration of a lawfully authorized activity”.

 

In support of its position that the City’s permit process is lawfully authorized, the City has cited sections 11(2) and 391(1) of the Municipal Act, which provide that the City is entitled to enact by-laws establishing fee structures that govern the use of City-owned and operated facilities.

 

Under this authority, the City has enacted By-laws 504-2001 and 741-2004 which set out the City’s Permit Allocation Policy and establishes differential fees for user groups.

 

In support of the position that the collection of personal information is necessary to this lawfully authorized activity, the City has expressed that the collection of member information is required under the Harmonized Permit Allocation Policy (the Policy).  Under the Policy, certain groups, by virtue of their membership, are given priority in the fee structure.

 

For instance, the City has stated that youth groups, or groups comprised only of Toronto residents are charged reduced fees for permits.  It is the City’s position that the collection of identifying information is required in order to confirm that a given group qualifies for a particular fee reduction.

 

In addition, the City has expressed the position that the existence of this process reduces the risk that organizations may fraudulently misrepresent their membership in order to obtain reduced rates for permits.

 

The City has stated:

 

The information required on the team roster submitted to the City is required for the administration of permit application processes.  These requirements can be defined as follows:

1.      The age and postal code information present on the form is required to determine the fee applicability.

 

2.      The name and telephone information is required to audit the process including the possibility of investigation into possible fraud and misrepresentation in the process.

 

In sum, the City takes the position that it is necessary to collect the personal information contained on the Member Roster form in order to properly process permit applications.  Having information pertaining to the residency and age of members of the organization allows the City to charge the proper fee for the use of its property.  Having contact information (i.e., the phone number of applicants) provides that the City may audit forms in the event that it receives a complaint alleging that an organization has misrepresented the composition of its membership.

 

I have reviewed the materials provided by the City, and I am satisfied that the rationale provided regarding the collection of Membership Roster information is legitimate.  Accordingly, I am of the view that its collection of the information contained in the Member Roster is “necessary to the proper administration of a lawfully authorized activity” and is therefore in accordance with section 28(2) of the Act.

 

Section 29(1)

 

Section 29(1) of the Act sets out the circumstances under which an institution may indirectly collect an individual’s personal information.  This provision establishes a basic prohibition on the indirect collection of personal information, but states that personal information may be collected indirectly when one of the enumerated statutory exceptions applies.

 

In this case, the City relies on section 29(1)(a) of the Act to justify its indirect collection of information on the Membership Roster.

 

Section 29(1) of the Act states, in part:

 

An institution shall collect personal information only directly from the individual to whom the information relates unless,

 

(a)                the individual authorizes another manner of collection; … .

 

The City bases its position on the fact that, prior to registration with a given organization, all members are provided with a Notice informing participants (or their parents) that registration information is collected by the City.  In the City’s view, by registering with the organization after having been provided with the Notice, members are effectively authorizing the City’s indirect collection of their personal information.

 

In support of this position, the City has stated:

 

The distribution of this notice by the registrant [organization] to team members prior to the collection of information on the form is a mandatory provision in the registration package.

 

It is the City’s contention that the provision of this notice to team members allows them to decide whether or not to include their personal information on the team roster for provision to the City.  … Individuals who object to the inclusion of their personal information on the form or to the collection may refuse to disclose this information to the registrant and thus the City.  … The City states that the decision to apply for a permit or to play on a team at a City facility is the voluntary choice of the individual or the organization.

 

In considering whether the City’s manner of indirect collection is permissible under section 29(1)(a), I am mindful of the fact that I have already concluded that the City’s collection of the information on the Member Roster is necessary to the proper administration of the permit process.  I am also mindful that in previous privacy complaint reports (see I94-001M) the IPC has concluded that an individual’s provision of a written consent will entail that an indirect collection of that individual’s personal information is in accordance with section 29(1)(a) of the Act.

 

It is also my view that the current system, where information is provided indirectly, is preferable to the creation of some new system where members would be responsible for directly providing their personal information to the City.  Such a system would be logistically difficult to implement and would most likely prove to be less efficient than the permit process currently in place.  Effectively, if direct collections were required, members would be placed in a position where they are forced to “register” twice – once with the organization and once with the City.

 

I also note that the City has taken steps to limit the scope of the personal information collected, and has implemented processes to ensure that the information is maintained in a secure manner.

 

Finally, I am also mindful of the fact that the City’s Notice of Collection, which has been provided to the IPC, states:

 

Please note that as a condition of application for registration of use for a City of Toronto facility the personal information collected on the membership form will be disclosed to the City of Toronto Parks and Recreation Administration … .

 

While the current notice states that acceptance of the fact that personal information will be provided to the City is a condition of registration, it does not contain language clarifying that the act of registering is akin to the authorization of the disclosure of this personal information.

 

Accordingly, while I am satisfied that a Notice of Collection may be used to authorize the indirect collection of personal information, I am not satisfied that the current wording of the notice that is provided by the City to participants entails that the act of registering means that participants have authorized “another manner of collection” in accordance with section 29(1)(a) of the Act.  However, I am of the view that alternate wording may be employed in the Notice to make the indirect collection permissible under Act.  I will outline potential wording in a recommendation below.

 

Was notice of collection provided in accordance with section 29(2) of the Act?

 

Section 29(2) of the Act states that where personal information is collected on behalf of an institution, the individuals who are the subject of the collection must be provided with notice of the legal authority for the collection, the principal purpose for which the information will be used, and the contact information of a person who may answer questions about the collection of information.

 

The City has addressed this statutory requirement by creating a Notice that would be distributed to all team members prior to the City’s collection of information on the registration form.  The Notice of Collection includes the following statements:

 

• that the organization will be disclosing personal information to the City;

 

• the legal authority for the collection (which is supported by reference to City By-laws as well as provincial statutes);

 

• that the City has approved a harmonized permit allocation policy;

 

• that the policy has implemented the same permit fee policy for ice rinks, gymnasiums, outdoor sports fields, and meeting rooms;

 

• that the collection of participant information is required for determining the category of permit group and the fee amounts payable, and is therefore a required component of the application process; and

 

• that questions may be directed to the Manager of Customer Service for the City.  (Contact information is provided).

 

I have reviewed the City’s Notice of Collection, and I am satisfied that it meets the requirements pertaining to Notice under section 29(2) of the Act.  As discussed above, however, the Report will contain a recommendation for improving the Notice in order to clarify that registrants are authorizing the City’s indirect collection of personal information.

 

OTHER MATTERS

 

One additional matter that arose in this investigation relates to the period of time that the City retains the personal information collected through the permit application process.

 

Currently, the City securely maintains all permit records collected for a period of five years.  At the culmination of this five-year period, all permit application information is archived.  In its 2005 review of the permit application process, the City recommended that the Parks, Forestry and Recreation Department adopt a two-year retention period, followed by the secure destruction of all Membership Rosters.

 

The City has stated that, to date, the recommended modifications to the retention period have not yet taken place.  The City has noted that Membership Rosters are maintained in the same file as other permit application records, and the files are scheduled as “financial records,” which are subject to a five-year retention period under the retention schedule.  Accordingly, all of the information contained in the permit application file (including Membership Rosters) are currently subject to the five-year retention and archival process.

 

In my view, from a privacy perspective, the adoption of the recommended two-year retention schedule would be preferable to the current system.  There is a generally-accepted fair information practice that dictates that personal information should only be retained for the length of time that is required to achieve a stated purpose.[1]

 

This general principle is expressed in Ontario’s municipal privacy laws at section 5 of Regulation 823, made pursuant to the Act, which states:

 

Personal information that has been used by an institution shall be retained by the institution for the shorter of one year after use or the period set out in a by-law or resolution made by the institution or made by another institution affecting the institution, unless the individual to whom the information relates consents to its earlier disposal.

 

In this case, the purpose of the City’s collection of Membership Roster information is to determine the appropriate permit fee for members, and to verify the accuracy of Membership Rosters, in the event that a complaint has been received and acted upon.

 

In my view, there is limited utility for the retention of Membership Rosters beyond the 2-year period recommended by the Corporate Access and Privacy Office.  As such, I would urge the City to work towards reducing the current retention period by implementing the Corporate Access and Privacy Office’s recommendation in this regard.

 

CONCLUSION:

 

I have reached the following conclusions based on the results of my investigation:

 

• The information in question qualifies as “personal information” as defined in section 2(1) of the Act.

 

• Notice of collection is provided in accordance with section 29(2) of the Act.

 

• The personal information was collected in accordance with section 28(2) of the Act.

 

• The indirect collection of personal information is not in accordance with section 29(1) of the Act.

 

RECOMMENDATIONS:

 

1. I recommend that the City revise its retention schedules so that Membership Rosters are retained for no more than two years.

 

2. I recommend that the City amend its Notice of Collection so that the text of the Notice makes it clear that by completing the registration, parents are authorizing the disclosure of personal information by the organization to the City.

 

By March 20, 2007, the City should provide the Office of the Information and Privacy Commissioner with proof of compliance with the above recommendations.

 

 

 

 

 

 

 

 

Original signed by:                                                                              December 20, 2006

Mark Ratner Investigator