Privacy Reports

Decision Information

PC07-71

Collection Privacy Reports
Date 2008-02-07
File Numbers PC07-71
Type Privacy Complaint Report
Subjects Personal Information (Definition)
Applicable Legislation FIPPA; FIPPA - 2(1) personal information; FIPPA - 42(1)(c); FIPPA - 39(1)(g)
Summary:



• Disclosure of personal information by a university to a collection agency, as a result of a parking infraction at the university and pursuant to the Ministry of Transportation’s Authorized Requester Program.

• Section 2(1) (definition of personal information) – the information disclosed to the collection agency was personal information

• Section 42 (disclosure of personal information) - the disclosure was not in accordance with section 42 of the Act

• Recommendation made to comply with the terms of the Authorized Requester Program and to review its records back to 2006 for any other violations under the Act and notify the affected individuals of the privacy breach

Decision Content

 

 

 

 

 


PRIVACY COMPLAINT REPORT

 

 

PRIVACY COMPLAINT NO. PC07-71

 

 

McMaster University

 

 

 

 

 

 

 

 


PRIVACY COMPLAINT REPORT

 

 

 

PRIVACY COMPLAINT NO.                   PC07-71

 

 

 

INVESTIGATOR:                                       Cathy Hamilton

 

 

 

INSTITUTION:                                            McMaster University

 

 

 

SUMMARY OF COMPLAINT:               

 

The Office of the Information and Privacy Commissioner/Ontario (IPC) received a privacy complaint from an individual involving McMaster University (McMaster). In the complainant’s opinion, McMaster had improperly disclosed his personal information to Canadian Bonded Credit Limited (CBCL), a collection agency, in contravention of the provisions of the Freedom of Information and Protection of Privacy Act (the Act).

 

The complainant feels that the disclosure of his personal information, specifically his name and address, by McMaster to CBCL was inappropriate and in contravention of the provisions of the Act.

 

Background Information to the Complaint

 

The complainant provided the IPC with the following information.  He received a parking ticket notice from McMaster’s Parking Services, as a result of a parking infraction presumably committed by the complainant’s son.

 

The complainant sent the payment for the parking infraction to McMaster via regular mail, but because the payment was delayed, and the matter had been forwarded to CBCL, he subsequently received two pieces of correspondence from CBCL related to the outstanding parking ticket notice.

 

In an effort to understand why CBCL was contacting him and how they obtained his contact information, the complainant conducted his own independent research and learned that McMaster is an approved organization in the Ministry of Transportation’s (MTO) Authorized Requester Program.

 

McMaster had obtained the complainant’s name and address from the MTO and forwarded that information on to CBCL.

 

The complainant also advised the IPC that it was his belief that McMaster was in violation of the Authorized Requester Agreement between itself and the MTO, as McMaster was only to disclose his license plate information to CBCL and not his name and address.

 

The complainant provided copies of correspondence he received from the MTO in response to his inquiries relating to this incident.  The MTO provided the complainant with the following information:

 

Access to residential address information is restricted to Authorized Requesters who enter into a contractual agreement with the Ministry of Transportation after the purpose of their request is reviewed and determined to meet the Ministry’s criteria.  Only those organizations with a legitimate need for this information may become Authorized Requesters.  Examples of such needs include parking enforcement, investigation of claims and judicial services, debt collection and automobile insurance underwriting.  In addition, Authorized Requesters must be properly licensed to conduct their business. 

 

Authorized Requester compliance is measured against specific standards determined by the Ministry and set out in the contractual agreement between the Ministry and the Authorized Requester. 

 

The Ministry recently conducted an investigation to determine if the use and disclosure of personal information by McMaster was in accordance with the terms and conditions of their Authorized Requester agreement.  The investigation revealed that McMaster was in violation of their Authorized Requester agreement.  Rather than providing only the license plate number to their collection agency – CBCL – which is also an Authorized Requester with the Ministry, the name and address of the plate owner was also provided.  As a result, the Ministry suspended McMaster’s access to Ministry information for a period of three months.

 

[emphasis added]

 

In response to the complaint, McMaster provided the following information to the IPC regarding the incident.  On January 12, 2007, a parking citation was issued for a car illegally parked at McMaster.  The ticket was left on the car’s windshield. 

 

As the outstanding parking fine had not been satisfied as of February 16, 2007, McMaster proceeded to conduct a search with the MTO, based on the license plate of the vehicle.  Upon receiving the personal information, McMaster issued a notice to the complainant regarding the amount owed. 

 

The records submitted by the complainant to McMaster indicate that he received the notice, dated March 1, 2007.  The notice provided that the outstanding invoice needed to be settled within 14 business days from the date of the notice and that unpaid accounts may be referred to third party collections for further action.  As the account was not paid within the time frame indicated, McMaster forwarded the account to CBCL. 

 

McMaster also acknowledged that it had “failed to abide by its agreement with the MTO.”  In addition, McMaster advised the IPC that it has been in contact with the MTO regarding this matter and “further undertakes to review its internal procedures in order to ensure this does not happen again.”

 

 

DISCUSSION:

 

The following issues were identified as arising from the investigation:

 

Is the information “personal information” as defined in section 2(1) of the Act?

 

At issue in this complaint is the information that was provided by McMaster to CBCL. The information includes the complainant’s name and residential address.

 

The definition of “personal information” is set out in section 2(1) of the Act, which states in part:

 

“personal information” means recorded information about an identifiable individual, including,

 

(c)    any identifying number, symbol or other particular assigned to the individual,

 

(d)   the address, telephone number, fingerprints or blood type of the individual,

 

(h)   the individual’s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

 

 

Based on the above definition, I am satisfied that the information in question clearly qualifies as “personal information” under the Act.  The parties do not dispute this conclusion.

 

 

 

 

 

 

 

Was the disclosure of the “personal information” in accordance with section 42 of the Act?

 

Section 42(1) of the Act imposes a general prohibition on the disclosure of personal information but states that personal information may be disclosed in a number of enumerated exceptional circumstances. Section 42(1) states, in part:

 

An institution shall not disclose personal information in its custody or under its control except,

 

(a)    in accordance with Part II;

 

(b)   where the person to whom the information relates has identified that information in particular and consented to its disclosure;

 

(c)    for the purpose for which it was obtained or compiled or for a consistent purpose;

 

(d)   where disclosure is made to an officer, employee, consultant or agent of the institution who needs the record in the performance of their duties and where disclosure is necessary and proper in the discharge of the institution’s functions; …

 

[emphasis added].

 

In order for a given disclosure of personal information to be permissible under the Act, the institution in question must demonstrate that the disclosure was in accordance with at least one of the section 42(1) exceptions.

 

In this instance, McMaster has taken the position that its disclosure of the complainant’s personal information to CBCL was in accordance with section 42(1)(c), (i.e., that the disclosure had taken place for the original purpose for which it had been obtained or compiled, or for a purpose that was consistent with that original purpose).

 

In determining whether a given disclosure of personal information is in accordance with section 42(1)(c), it is first necessary to determine the original purpose of the collection. Next, it is necessary to assess whether the disclosure of this information can be properly characterized as being either for the original purpose of the collection, or for a purpose that is consistent with that original purpose.

 

In information provided to the IPC, McMaster has stated:

 

Quite simply, the information in the case at hand was collected for the purpose of enforcing the parking violation (the “Violation”).  It was used to notify (the complainant) of the outstanding fine related to the Violation and, upon his failure to pay the fine within a reasonable period of time, the information was disclosed to a third-party collection agency for the purpose of enforcing the consequent fine related to the Violation.

 

McMaster also advised the IPC that it was relying on section 39(1)(g) for its collection of personal information from the MTO.  Section 39(1)(g) states:

 

Personal information shall only be collected by an institution directly from the individual to whom the information relates unless,

 

                        (g) the information is collected for the purpose of law enforcement.

 

Based on the information provided by McMaster, I am satisfied that the purpose of McMaster’s collection of driver personal information from the MTO is for the purpose of enforcing parking fines.

 

The next step in the section 42(1)(c) analysis is to determine whether the disclosure was for the original purpose of the collection or for a purpose that was consistent with that original purpose.

 

McMaster’s position is that the disclosure to CBCL constitutes an “original purpose” under the Act, and stated in its representations that “the information was disclosed to a third party collection agency for the exact same purpose [italics added].”  As previously stated, the purpose of the collection of the personal information was for the purpose of enforcing parking fines.

 

Before making a conclusion on the section 42(1)(c) issue, there is another important consideration to analyse, and that is McMaster’s non-compliance with the terms of the Authorized Requester Agreement.

 

I have reviewed the MTO’s notice of collection appearing on its website, which states:

 

Personal information is collected by the Ministry of Transportation under the authority of section 205 of the Highway Traffic Act.  The information is used for creating a record that is maintained as public record and used for the administration of the ministry’s driver, vehicle and carrier programs.  Notwithstanding the above and subject to the paragraph below, residence address information which is collected, is not part of public record and is not available to the general public.

 

Only “authorized” requesters who have been approved and have entered into a contractual agreement with the ministry may obtain residence address information for the purposes set out below:

 

         Safety recalls by auto manufacturers

         Law enforcement

         Service of documents and for legal investigations which may give rise to legal proceedings (i.e., from lawyers, process servers, private investigators and security guards and for locating persons in connection with claims/litigation/accidents)

         Verification of information by financial institutions

         Debt collection

         Road toll collection

         Postal code verification (first 3 digits only)

         Key tag service

         Automobile insurance purposes

         Parking violations

         Government use for program delivery where authorized by statute

         Statistical/Educational (research by educational, research organization)

         Public Interest

 

[emphasis added]

 

I have also reviewed the Authorized Requester Agreement between the MTO and McMaster, which stipulates that McMaster may use license plate numbers in order to locate owners of abandoned/illegally parked vehicles.

 

In this case, it is notable that MTO has acknowledged that the Authorized Requester (McMaster) improperly disclosed the complainant’s personal information to CBCL.  As previously indicated, rather than providing only the license plate number to CBCL, the name and address of the plate owner was also provided.   Accordingly, the MTO suspended McMaster’s authorized requester privileges for a period of three months.  Even McMaster itself acknowledged that it failed to abide by its Authorized Requester Agreement with the MTO.

 

Notwithstanding that McMaster has acknowledged that it failed to abide by its Authorized Requester Agreement with the MTO, it argues that it still complied with the Act.

 

I have considered the position put forward by McMaster and I do not agree. 

 

McMaster’s non-compliance with the Authorized Requester Agreement is pivotal in determining if McMaster complied with section 42(1)(c), as McMaster was only able to collect the complainant’s personal information by virtue of the MTO’s Authorized Requester program and agreement.

 

The MTO’s Authorized Requester Program was developed in consultation with the IPC to set out the parameters within which organizations/institutions can collect personal information from the MTO, and subsequently use and/or disclose that information.  These parameters are clearly set out in Authorized Requester Agreements.  Without the Authorized Requester Program, McMaster would not have been able to collect the complainant’s personal information from the MTO.

 

Furthermore, the term of the Authorized Requester Agreement that McMaster failed to comply with was the term that set out the type of information that McMaster could disclose to CBCL.  Given that the Act deals with the collection, use and disclosure of personal information, compliance with this contractual term is relevant to an analysis of whether McMaster complied with the Act.

 

To conclude that McMaster’s non-compliance with the Authorized Requester Agreement was not a breach of the Act would diminish the importance of Authorized Requester Agreements and undermine the purpose and intent of the Authorized Requester Program.  It would mean that institutions like McMaster could enter into Authorized Requester Programs and then disregard the terms of the Authorized Requester Agreement.  This is unacceptable.

 

Therefore, I conclude that McMaster, in breaching the terms of the Authorized Requester Agreement relating to permitted disclosure of personal information, was not in compliance with section 42(1)(c) of the Act.

 

Moreover, the IPC has previously provided comments to the MTO on the Authorized Requester Program.  The Commissioner has called on the MTO to limit the scope of organizations that have access to the Authorized Requester Program and noted that she had been advocating this position for several years. 

 

In particular, the Commissioner has stated that the Authorized Requester Program should be restricted to purposes related to licensing, registration and administration of drivers and vehicles; road and vehicle safety; litigation; law enforcement; and compliance with legislation.  She noted that the use of personal information for unrelated purposes, such as debt collection or investigations by private investigators, should be revisited.

 

In fact, the Commissioner, in media interviews, has stated that it was “completely outrageous” that, for example, a parking lot operator could use a government database to hound a citizen over a parking ticket.

 

 

CONCLUSIONS:

 

I have reached the following conclusions based on the results of my investigation:

 

  • The information in question qualifies as “personal information” as defined in section 2(1) of the Act.

 

  • The personal information was not disclosed by McMaster in accordance with section 42(1)(c) of the Act.

 

 

 

 

 

 

 

 

RECOMMENDATIONS:

 

In light of the above conclusions, I make the following recommendations:

 

  1. That McMaster abide by the terms of the Authorized Requester Agreement with the MTO by ceasing the practice of disclosing the name and address of individuals contained in the driver license database to third party contractors.

 

  1. That McMaster review its records dating back to June 2006 for any other violations of the Act as described in this report and notify the affected individuals of the privacy breach.

 

 

By 3 months from the date that this report becomes final, the institution should provide the Office of the Information and Privacy Commissioner with proof of compliance with the above recommendations.

 

 

 

Original signed by:                                                                  February 7, 2008

Cathy Hamilton

Investigator

 

 

 

 

 You are being directed to the most recent version of the statute which may not be the version considered at the time of the judgment.