PRIVACY COMPLAINT REPORT PRIVACY COMPLAINT NO. PC-040033-1 and PC-040044-1 INVESTIGATOR: Leslie McIntyre INSTITUTION: Management Board of Cabinet SUMMARY OF COMMISSIONER INITIATED COMPLAINT: The Office of the Information and Privacy Comissioner/Ontario (the IPC) was contacted by Management Board Secretariat (MBS) regarding a disclosure of personal information relating to the Ontario Student Award Program (OSAP) by the Ministry of Training, Colleges and Universities and a private collection agency. Subsequently, this Office was contacted by MBS regarding a second disclosure of personal information relating to the same program by another private collection agency. On the basis of this information, the IPC initiated two privacy complaints under the Freedom of Information and Protection of Privacy Act (the Act). Background The first complaint involves the Student Support Branch of the Ministry of Training, Colleges and Universities (the Ministry), and both complaints involve the Collections Management Unit (CMU) of the Shared Services Bureau (SSB) of MBS. The Student Support Branch of the Ministry manages OSAP, a program of student financial assistance administered by the Ministry and composed of a variety of programs funded by the province of Ontario and the government of Canada. The CMU manages the collection of overdue non-tax debts owing to the government, by hiring private sector debt collection agencies to undertake the collection of unpaid debts on behalf of the Ontario government. When a debtor defaults on the repayment of an OSAP loan and the Ministry is unable to settle the account with the debtor, the Ministry refers the debt to the CMU at MBS for collection, and these accounts are then assigned by the CMU to private collection agencies. Particulars of the two incidents In the first complaint, PA-040033-1, a private collection agency retained by MBS received a request from a debtor for supporting information about her student loan. In response, the agency [IPC Privacy Complaints PC-040033-1 and PC-040044-1 / December 17, 2004]
- 2 - forwarded the request to the Ministry, which in turn sent a copy of a bulk report prepared by a bank to the agency. The agency then forwarded this report to the debtor. However, the report contained the personal information of thirty-eight other individuals in addition to that of the debtor. In the second instance, PA-040044-1, another private collection agency mailed information to a debtor regarding her student loan and inadvertently enclosed the personal information of another debtor in the envelope. In both instances, MBS was made aware of the incidents by the two recipients of the records. The personal information in the records at issue included the student debtors’ names, social insurance numbers (SIN) and details regarding the student loans. Actions taken in response to these incidents PC-040033-1 Management Board Secretariat MBS advised that it undertook the following steps to address this incident. On receipt of the telephone call from the debtor’s mother advising that her daughter had received a record from a collection agency retained by MBS containing the personal information of individuals other than her daughter, staff in the SSB alerted senior management in the CMU, and obtained the debtor’s written consent for the SSB to communicate with her mother on this issue. A client services officer in the CMU then contacted the mother, who confirmed that her daughter received a record containing the names, social insurance numbers and details of the loans relating to 38 other individuals. The record was sent to the daughter by a private collection agency retained by the CMU. This information was provided to her daughter as a result of a request for supporting information from the Ministry regarding the daughter’s outstanding OSAP loan. At MBS’ request, the mother faxed the record to the CMU, and advised that she would shred her copy. Subsequently, MBS arranged to pick up the record by courier and has since returned it to the Ministry. The CMU then contacted the collection agency, which confirmed that it sent the information at issue to the daughter. It also confirmed that it had originally received this record from the Ministry. The CMU also contacted the Student Support Branch of the Ministry, which confirmed that the record was sent to the collection agency by the Ministry. The Ministry indicated that the record is one of a series of quarterly statements prepared for the years 1996 and 1997 for a particular bank identifying individuals who have participated in the interest relief program. The record identifies 38 individuals including the recipient. It contains the individuals’ social insurance number, given name and surname, and other details of the loans relating to these individuals. [IPC Privacy Complaints PC-040033-1 and PC-040044-1 / December 17, 2004]
- 3 - MBS notes that it has established comprehensive contractual provisions in its contracts with the PCA [private collection agency] agents it retains in order to protect the personal information that is collected, used and disclosed in the course of debt collection… at the behest of the CMU all [staff at the collection agency] were reminded that when receiving back-up information about debtors from Ministries they must conduct a thorough review of all documents to ensure that only the personal information of the debtor is mailed out; the CMU, the MBS legal services branch, and the Access and Privacy Office of MBS [conducted] a comprehensive privacy training session for staff of all PCAs retained by the CMU.[…] A training session [was] conducted for staff in the [CMU]. Ministry of Training, Colleges and Universities The Ministry advised that it undertook the following steps to address this incident. Specifically it sent letters to all 38 individuals, advising them that as the result of a mailing error, their personal information (name, social insurance number and the principal and interest of their OSAP loan) was inadvertently sent to another individual. The director of Student Support Branch, who signed the letter, apologized for the breach, stated that the record had been returned without being copied, and provided the name and telephone number of the Senior Manager of Operations as a contact person to provide them with additional information. We also informed the individuals that the ministry has changed the process by which banks and collection agencies report on OSAP loans and we have enhanced internal measures to protect client privacy. The letters were sent by registered mail to the most recent address that the ministry could obtain for each of the individuals. However, many of these addresses are several years old. To date, 21 of the letters have been returned to the ministry. These letters are being kept in the files of the individuals concerned. The Ministry indicated that in light of this incident, it has reviewed its policies and procedures and made the following changes: • The processes under which disclosure of personal information is made to private collection agencies, upon request for proof of an OSAP debt, has been enhanced. Before disclosure is made by a financial services clerk, the disclosure is reviewed by an accounts receivable clerk to ensure that [IPC Privacy Complaints PC-040033-1 and PC-040044-1 / December 17, 2004]
- 4 - only the personal information of the debtor is being disclosed to the private collection agency. • The process by which banks report activity on old OSAP loans require that a separate document be produced for each individual rather than allowing a bulk report such as the report that was inadvertently disclosed. • Similarly, the process by which MBS’ private collection agencies make requests to MTCU for proof of an OSAP debt, now requires them to make each request individually (rather than in bulk) to avoid the possibility that records could be incorrectly batched and transmitted to debtors. The Ministry has also undertaken a number of steps to address the issue of education and training of Ministry staff as a result of the Ministry’s investigation into this matter, and after the review of its policies and procedures. …the Manager of the Finance Unit met with her staff to explain what had happened and to reiterate the importance of privacy protection. …the Senior Manager, Operations and the Manager of the Information Systems Unit met with the staff in the document handling area to discuss the changes in procedure and to review the information that is to be scanned into an individual’s OSAP file. …the Senior Manager, Operations and the Manager of the Finance Unit met with all Finance Unit Staff to explain the changes in procedure and to stress the importance of caller verification before any OSAP information is disclosed. …the Senior Manager, Operations and the Manager of the Program Unit met with all Program Unit staff to explain the changes in procedure and to stress the importance of caller verification before any OSAP information is disclosed. …the ministry’s FOI Coordinator and Senior Legal Counsel delivered two privacy training sessions to [Student Support Branch] staff in the Thunder Bay office. PC-040044-1 Management Board Secretariat MBS advised that it sent a letter by registered mail to the individual whose personal information was inadvertently disclosed to another, notifying him of the incident, the steps MBS has taken to deal with the situation and providing him with the contact information for the Manager of the CMU if he has any questions or concerns. As his SIN was in the information disclosed, MBS also provided him with information on the Human Resources Development Canada web-site which sets out advice on steps that can be taken in the event a SIN number is lost or stolen. [IPC Privacy Complaints PC-040033-1 and PC-040044-1 / December 17, 2004]
- 5 - The Manager of the CMU contacted the collection agency to determine the events that led to this incident, and confirmed that the disclosure was limited to the one recipient. The Manager of the CMU then contacted the recipient of the personal information and arranged for a courier to pick up the record. The recipient confirmed that the record had not been copied. In addition to the training initiatives undertaken in response to the first complaint, as described above, MBS advised that in response to this second incident, the Manager of CMU issued a bulletin to all of the collection agencies which it retains regarding document handling and security procedures. The bulletin reads as follows: This direction pertains to all accounts where supporting documentation is requested by and or mailed to a consumer for proof of debt outstanding. The PCA is to continue to ensure that all correspondence, especially supporting documentation, contains only information intended for the client. • All pertinent documents will require a secondary review by the Supervisor or Manager designated on the CMU portfolio prior to leaving the PCA office or being mailed internally and prior to mailing externally. • All addresses for service and external mail are to be confirmed with a written note line entry on the file indicating verification has been performed. • These procedures will be subject to audit, especially in the event of incorrect external addresses and/or incorrect content for the intended individual. The above is to further ensure only correct and confidential information is provided while maintaining the responsibility for safeguarding the collection and distribution of individuals’ confidential information from an undisclosed third party. MBS further stated that after the MBS training session the collection agency advised that it initiated additional procedures to ensure the security of personal information. The agency will now be assigning a staff member to conduct a secondary review of all documents to be mailed to debtors prior to their being posted, to ensure that only the personal information of the recipient is included. Also, during the course of our investigation into both of these privacy complaints, I reviewed a copy of the standard agreement between MBS and the collection agencies. It appears that this agreement contains a number of terms and conditions aimed at protecting personal information and that they do not raise any significant concerns. DISCUSSION: The following issues were identified as arising from the investigations: [IPC Privacy Complaints PC-040033-1 and PC-040044-1 / December 17, 2004]
- 6 - Is the information “personal information” as defined in section 2(1) of the Act? Section 2 (1) of the Act states, in part: “personal information” means recorded information about an identifiable individual, including, … (b) information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved, (c) any identifying number, symbol or other particular assigned to the individual, (d) the address, telephone number, fingerprints or blood type of the individual, … (h) the individual’s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual; In both complaints, the records in question contained the names of the debtors, the SINs and details of the loans. I find that the information contained in the records is clearly personal information as defined in one or more of the subsections of section 2(1) of the Act as set out above. MBS and the Ministry concur. Was the disclosure of the “personal information” in accordance with section 42 of the Act? Section 42 of the Act sets out a number of circumstances under which an institution may disclose personal information. Clearly, in situations where personal information has been inadvertently mailed to an individual to whom it does not relate, none of these circumstances applies. The disclosures, therefore, were not in accordance with the Act. [IPC Privacy Complaints PC-040033-1 and PC-040044-1 / December 17, 2004]
- 7 - CONCLUSION: I have reached the following conclusions based on the results of my investigations: 1. The information in question was personal information as defined in section 2(1) of the Act. 2. The disclosure of personal information was not in accordance with section 42 of the Act. 3. The disclosure of personal information was inadvertent and a result of human error. In view of the circumstances of this case and the initiatives undertaken by both MBS and the Ministry described above, no further action is necessary with respect to this matter. December 17, 2004 Leslie McIntyre Investigator [IPC Privacy Complaints PC-040033-1 and PC-040044-1 / December 17, 2004]