Privacy Reports

 

 

 

 

 

PRIVACY COMPLAINT REPORT

 

 

PRIVACY COMPLAINT NO. MC10-4

 

 

City of Vaughan

 

January 31, 2011

 

 

 

 

 

 

 

PRIVACY COMPLAINT REPORT

 

 

 

PRIVACY COMPLAINT NO.                   MC10-4

 

 

 

INVESTIGATOR:                                       Mark Ratner

 

 

 

INSTITUTION:                                            City of Vaughan

 

 

 

SUMMARY OF COMPLAINT:               

 

The Office of the Information and Privacy Commissioner/Ontario (IPC) received a privacy complaint under the Municipal Freedom of Information and Protection of Privacy Act (the Act) from an individual (the complainant) concerning the City of Vaughan (the City).

 

The complainant stated his concern that the City was improperly collecting and using personal information supplied to it by PowerStream Inc. (PowerStream), a hydro utility serving customers living in a number of municipalities, including the City.  PowerStream also provides water meter reading and water billing services for the City.

 

The complainant specifically identified his concern that the names, addresses, and phone numbers of new PowerStream customers were being collected and used by members of City Council for the purposes of sending promotional mailers to residents. The complainant believed that the customer information collected from PowerStream may also have been used for preparing a list of potential voters for future municipal elections.

 

In response, the IPC opened this privacy complaint file to assess if the City was collecting and using the personal information of customers of PowerStream, and, if so, whether such collection and use was in accordance with the Act.

 

Background Information

 

The following background information was provided by the City and PowerStream.

 

The City is the sole shareholder of Vaughan Holdings Inc. (VHI).  PowerStream is jointly owned by VHI and two other shareholders. A Shared Services Agreement exists between the City and PowerStream, which outlines the responsibility for the provision of services between the parties.

 

The agreement states that PowerStream provides water meter reading and water billing services on behalf of the City, and PowerStream provides the City with resident billing information to coordinate the billing services.

 

The information that is the subject matter of this complaint is not shared by PowerStream under the authority of the Shared Services Agreement.

 

With respect to the information that is the subject of this complaint, the City acknowledged that it did receive information relating to PowerStream’s new customers via electronic documents (the electronic records). Specifically, the City stated that PowerStream provided it with electronic records containing the names, addresses, and in some cases, the phone numbers of new customers after they had signed up for services. The City acknowledged that this sharing of new customer information was outside the scope of the Shared Services Agreement as it was unrelated to the coordination of water billing services.

 

During the course of this investigation, I contacted PowerStream, who confirmed that the new customer information had been shared since June 30, 2005. The electronic records were provided to a staff person in the City Clerk’s office. On February 26, 2010, as a result of being made aware of this complaint, this sharing of information via the electronic records was stopped.

 

PowerStream has also confirmed that it does not provide similar electronic records to other municipalities. PowerStream has further stated that it intends to hold sessions on privacy with staff to improve their understanding of the need to protect the information of their customers.

 

The City has acknowledged that the information in the electronic records, once received by the City, was provided to the office of the Mayor as well as to the offices of members of City Council. The City has further stated that this information was then used, on a periodic basis, by the Mayor and members of Council for the purposes of sending a “Welcome” letter to new City residents. The City stated that it was not aware that this information was used for any purpose other than the sending of these letters.

 

The City has confirmed that it has requested that the Mayor and members of Council cease the use of the personal information of PowerStream’s customers contained in the electronic records. The City has further advised that the City Clerk has requested that staff in both the Mayor’s office and in Council offices securely dispose of any personal information obtained from the electronic records in both hard copy and electronic format.

 

The City has further acknowledged that the personal information received from PowerStream in the electronic records was collected without notice and was not appropriately used under the Act. The City has also stated that it continues to have a relationship with PowerStream, which requires that certain information be shared with it for the provision of services, and that this arrangement is outlined in, and in accordance with, the Shared Services Agreement between the City and PowerStream.

 

 

 

DISCUSSION:

 

The following issues were identified as arising from the investigation:

 

Is the information “personal information” as defined in section 2(1) of the Act?

 

The information contained in the electronic records collected by the City includes the names, addresses, and in some cases, phone numbers of new customers who signed up for services with PowerStream.

 

The definition of “personal information” is set out in section 2(1) of the Act, which states, in part:

 

“personal information” means recorded information about an identifiable individual, including,

…

 

(d) the address, telephone number, fingerprints or blood type of the individual, [emphasis added]

… .

 

Based on this definition, I am satisfied that the information in question clearly qualifies as personal information. The City concurs with this conclusion.

 

Was the collection of the personal information in accordance with section 28(2) of the Act?

 

The collection of personal information at issue is the collection of PowerStream’s new customer information by the City.

 

Where personal information is collected by an institution, it must demonstrate that the collection is in accordance with section 28(2) of the Act, which states:

 

No person shall collect personal information on behalf of an institution unless the collection is expressly authorized by statute, used for the purposes of law enforcement or necessary to the proper administration of a lawfully authorized activity.

 

This provision states that the collection of personal information is only permissible where it is authorized by statute, used for law enforcement, or is necessary to the proper administration of a lawfully authorized activity.

 

The City has acknowledged that the personal information was collected from PowerStream for the sole purpose of sending out “Welcome” letters to new City residents, and that this collection does not accord with any of the exceptions contained in section 28(2). The City acknowledged that this collection was therefore not in accordance with the Act, and has now ceased.

 

I concur with the City’s position and conclude that the collection of the personal information was not in accordance with section 28(2) of the Act.

 

Was the use of the “personal information” in accordance with section 31 of the Act?

 

In the letter of the complaint, the complainant noted that the records in question were provided to the City in electronic format. The complainant explained that these records could be used to create labels that would be attached to envelopes.

 

As noted above, the City has acknowledged that the personal information collected by the City was used for the sole purpose of sending out “Welcome” letters to new residents of the City. Section 31 of the Act contains a basic prohibition on the use of personal information that is subject to three exceptions:

 

An institution shall not use personal information in its custody or under its control except,

 

(a)     if the person to whom the information relates has identified that information in particular and consented to its use;

 

(b)     for the purpose for which it was obtained or compiled or for a consistent purpose; or

 

(c)     for a purpose for which the information may be disclosed to the institution under section 32 or under section 42 of the Freedom of Information and Protection of Privacy Act.

 

In Privacy Complaint MC07-64, the IPC considered whether a municipality’s use of residents’ personal information obtained from a property tax roll for the purpose of sending them an application for a “MuniCard” credit card was a permitted use under the Act. In MC07-64, Investigator Cathy Hamilton concluded that the use of the personal information in question (mailing application forms for a credit card) was inconsistent with the purpose for which the information was originally obtained or compiled (administration of the property tax regime).

 

I am satisfied that similar considerations apply in the circumstances of this case. For the same reasons that I concluded above that the collection of the personal information in question by the City was not permitted under the Act, I also conclude that the use of the personal information does not accord with any of the exceptions contained in section 31. In addition, I note that the City has acknowledged that this use of personal information is not authorized under the Act.

 

Based on all of the above, I conclude that the City’s use of the personal information in the electronic records was not in accordance with section 31 of the Act. Given that the collection of this information from PowerStream has ceased, this use has also come to an end.

 

 

 

Has the City properly destroyed the information in question?

 

The City has acknowledged that it had collected and used the information contained in the electronic records in a manner that did not accord with the Act. The City has also explained that it has now ceased collecting this information from PowerStream.

 

The remaining issue to consider relates to whether the City has disposed of the personal information that had been improperly collected and used, and whether this destruction has taken place in a secure manner.

 

Section 30(4) of the Act states:

 

A head shall dispose of personal information under the control of the institution in accordance with the regulations.

 

Section 3(1) of Ontario Regulation 823, made pursuant to the Act, states that:

 

Every head shall ensure that reasonable measures to prevent unauthorized access to the records in his or her institution are defined, documented and put in place, taking into account the nature of the records to be protected.

 

One of the ways in which the City can demonstrate that it has taken reasonable measures to prevent unauthorized access to records as required under section 3(1) of Ontario Regulation 823 is to demonstrate that it has properly disposed of records that were improperly collected under the Act.

 

The City has confirmed that the City Clerk had requested that the offices of each Council Member and the Mayor securely dispose of any personal information obtained outside the scope of the Shared Services Agreement. The request specifically noted that both hard copies and electronic copies of information obtained from the electronic records should be destroyed and requested that each office respond to confirm that the records in question had been destroyed.

 

The City indicated that it had subsequently received an affirmative response from every Council office, including the Mayor, indicating that they had disposed of all of the records in question.

 

A draft of this privacy complaint report was provided to both the complainant and the City. As a result of his review of the draft, the complainant raised a number of additional issues that were not addressed in the draft report. Included among the concerns raised by the complainant were the following:

 

•         Concerns regarding the backup tapes that are created of electronic information stored on the City’s computer servers. These would contain backup copies of the electronic records that had been deleted by staff in the offices of Council members.

 

 

•         Concerns regarding the possibility that staff in Council offices may not have deleted all copies of the electronic records in all media in which they may be stored, including all hard drives, archived CDs, and memory keys.

 

•         Concerns that members of the incoming City Council be made aware of the provisions made to protect the safety of the electronic records contained on the backup tapes.

 

In response to these concerns, the City provided additional information to the IPC on how it regulates access to the backup tapes that contain electronic information previously deleted from the City’s computers. With respect to the manner in which access may be granted to this information, the City stated:

 

In the event that someone wishes to have data recovered from back-up tapes, there is a protocol in place in the IT Department, involving the completion of a form and an approval procedure.

 

If the request for recovery is from the original ‘owner’ of the data, the form requires the signature of the owner’s Director, the Commissioner of the applicable Department and a final approval from a Manager in the IT Department.… If the request is from someone other than the original owner of the data, formal approval is required from all of the above, as well as the City Manager.

 

In this case, Members of Council would not be considered the original owners of the data and therefore, any recovery would be subject to the second process.

 

The City also stated that it is unlikely that Members of Council would be granted access to the backups of the electronic records that are at issue in this complaint.

 

With respect to the complainant’s concern that the City may not have completely deleted all copies of the electronic records, I note, as discussed above, that the City Clerk requested that the offices of all Council members securely dispose of all records maintained in either hard copy or electronic format. The City Clerk then obtained written confirmation from staff in the Mayor’s office as well as the offices of each Council member that that the records in question had all been securely disposed of and deleted.

 

Based on the information provided by the City and described above, I am satisfied that it has reasonable measures in place to prevent unauthorized access to the back-up tapes maintained by the City’s IT department. I am also satisfied that the City has adequately addressed the issue of the secure disposal of the records in both hard copy and electronic formats.

 

The City noted that it provides privacy training to the new members of City Council.

 

Based on all of the above, I am satisfied that the City has taken reasonable steps to ensure the destruction of the personal information obtained from PowerStream. I therefore conclude that the City has properly destroyed the personal information in question.

CONCLUSIONS:

 

1.      The electronic records contained “personal information” as defined under section 2(1) of the Act.

 

2.      The City’s collection of the electronic records was not in accordance with section 28(2) of the Act.

 

3.      The City’s use of the electronic records was not in accordance with section 31 of the Act.

 

4.      The City has properly disposed of the personal information in question.

 

5.      PowerStream has ceased its practice of sharing the “personal information” with the City other than as necessary to provide water billing services in compliance with the Shared Services Agreement.

 

Given the above conclusions, specifically, the steps taken by the City to cease collecting the electronic records from PowerStream, it is unnecessary for me to make any recommendations.

 

 

 

 

 

 

 

Original Signed by:                                                                             January 31, 2011

Mark Ratner Investigator