Privacy Reports
Decision Information
Summary:
The Office of the Public Guardian and Trustee (OPGT) notified the Office of the Information and Privacy Commissioner/Ontario (the IPC) of an incident involving misdirected faxes. Specifically, the Toronto Community Housing Corporation (TCHC) received a fax sent by the OPGT, and others, intended for the Ministry of Community and Social Services, now the Ministry of Community, Family and Children's Services (the Ministry).
The OPGT advised that it had faxed a special needs application to the Ministry's Ontario Disability Support Program (the ODSP). The fax was sent to the number provided by the ODSP Special Needs office. However, the next day, the TCHC telephoned the OPGT to advise that it had received this faxed document and as well as a number of similar documents intended for the ODSP.
In total, there were five faxes sent by various sources during the course of the day that were intended for the ODSP but which were received by TCHC instead. As mentioned above, one of these faxes was sent by the OPGT. The remainder consisted of a fax sent by a Ministry employee from a different location; faxes sent by two ODSP clients; and a fax sent by a private company. The following is a brief description of each of these faxes:
1. Fax sent by the OPGT consisted of a special needs application form and included an ODSP client's name, date of birth, OPGT file number, and the need for replacement glasses (1 page).
2. Fax sent by a Ministry employee consisted of a cover page with an ODSP client's name on it (1 page), a financial statement of entitlements for the client (2 pages), and a memo advising of re-admittance of the client to a mental health centre (1 page).
3. Fax sent by an ODSP client consisted of the client's earnings statement, description of her current medication, and timelines for back-to-work possibilities (2 pages).
4. Fax sent by another ODSP client consisted of his name, his wife's name and a reassessment decision regarding the status of his disability (1 page).
5. Fax sent by a private company pertained to the amount of rent paid by two ODSP clients, and contained the address and date of birth of one of the clients (2 pages).
As a result, three privacy complaints were initiated by the IPC involving the OPGT, the Ministry and the TCHC.
...
Decision Content
PRIVACY COMPLAINT REPORT PRIVACY COMPLAINTS Office of the Public Guardian and Trustee - PC-020010-1 Ministry of Community and Social Services - PC-020011-1 Toronto Community Housing Corporation - MC-020020-1 December 6, 2002
PRIVACY COMPLAINT REPORT PRIVACY COMPLAINT NOs. PC-020010-1, PC-020011-1 and MC-020020-1 MEDIATOR: Susan Ostapec INSTITUTIONS: Office of the Public Guardian and Trustee Ministry of Community and Social Services Toronto Community Housing Corporation SUMMARY OF COMMISSIONER-INITIATED COMPLAINT: The Office of the Public Guardian and Trustee (OPGT) notified the Office of the Information and Privacy Commissioner/Ontario (the IPC) of an incident involving misdirected faxes. Specifically, the Toronto Community Housing Corporation (TCHC) received a fax sent by the OPGT, and others, intended for the Ministry of Community and Social Services, now the Ministry of Community, Family and Children’s Services (the Ministry). The OPGT advised that it had faxed a special needs application to the Ministry’s Ontario Disability Support Program (the ODSP). The fax was sent to the number provided by the ODSP Special Needs office. However, the next day, the TCHC telephoned the OPGT to advise that it had received this faxed document and as well as a number of similar documents intended for the ODSP. In total, there were five faxes sent by various sources during the course of the day that were intended for the ODSP but which were received by TCHC instead. As mentioned above, one of these faxes was sent by the OPGT. The remainder consisted of a fax sent by a Ministry employee from a different location; faxes sent by two ODSP clients; and a fax sent by a private company. The following is a brief description of each of these faxes: 1. Fax sent by the OPGT consisted of a special needs application form and included an ODSP client’s name, date of birth, OPGT file number, and the need for replacement glasses (1 page). 2. Fax sent by a Ministry employee consisted of a cover page with an ODSP client’s name on it (1 page), a financial statement of entitlements for the client (2 pages), and a memo advising of re-admittance of the client to a mental health centre (1 page). 3. Fax sent by an ODSP client consisted of the client’s earnings statement, description of her current medication, and timelines for back-to-work possibilities (2 pages). [IPC Privacy Complaints PC-020011-1, PC020011-1 & MC-020020-1/December 6, 2002]
- 2 - 4. Fax sent by another ODSP client consisted of his name, his wife’s name and a reassessment decision regarding the status of his disability (1 page). 5. Fax sent by a private company pertained to the amount of rent paid by two ODSP clients, and contained the address and date of birth of one of the clients (2 pages). As a result, three privacy complaints were initiated by the IPC involving the OPGT, the Ministry and the TCHC. Steps taken by the TCHC when it received the misdirected faxes. • The TCHC telephoned the OPGT immediately to advise them that it had received several misdirected faxes. • The next day, the TCHC returned all of the misdirected faxes to the OPGT by way of facsimile transmission. • The TCHC subsequently destroyed its copies of all of the misdirected faxes it had received. Steps taken by the OPGT once it was notified that the fax it had sent was misdirected. • The OPGT immediately contacted the Ministry’s ODSP Special Needs Office by telephone to apprise them of the situation and to obtain confirmation that the fax number used by the OPGT was correct. The ODSP confirmed that the number dialled was correct. • The OPGT staff were advised not to use the fax number in question until further notice. • Queries were made of the OPGT staff to ascertain whether any other material had been sent to the fax number in question. OPGT staff did not report any other instances. • After receiving copies of all of the misdirected faxes from the TCHC, the OPGT wrote to the Manager of the ODSP Special Needs Office advising that the TCHC had received numerous faxes intended for the ODSP, including information faxed from a Ministry employee who “works from our office and uses an independent fax machine from the OPGT Staff”. The OPGT enclosed a copy of all of the misdirected faxes for the Manager’s examination. • The OPGT was advised by the ODSP that there “appeared to be a technical problem with the telephone lines which resulted in misdelivery of the material, and that Bell could not confirm or locate the source of the problem which apparently corrected itself within a few hours”. [IPC Privacy Complaints PC-020011-1, PC-020011-1 & MC-020020-1/December 6, 2002]
- 3 - • The OPGT also sent a letter to the TCHC requesting that the faxed material received from the OPGT be destroyed and that TCHC staff should not disclose any of the clients’ personal information. The OPGT requested that the TCHC confirm this and included a written statement to this effect for the TCHC Manager to sign. The OPGT has provided the IPC with a copy of the signed statement. • The OPGT did not inform its client of the disclosure of her personal information “due to the client’s mental incapacity to understand the information concerning this event”. Initial steps taken by the Ministry • The Ministry’s Toronto Region confirmed that the fax number provided to the OPGT was the correct number. • The Ministry attempted to determine the extent of the breach, the number of clients affected and the content of the information included in the faxes, which had gone astray. The Ministry contacted the OPGT and requested the names of the clients and copies of the faxes as well as the time the faxes were sent. • The Ministry contacted the TCHC to find out how many other faxes went astray and was advised that all of the misdirected faxes were returned by TCHC to the OPGT, as it believed the OPGT to be the originator. • The Ministry contacted its Telecommunications Support unit to try to obtain the initial report by Bell Canada of the telephone/fax lines. However, since Bell was contacted the day after the incident, it could not identify any transmission errors and reported the fax lines were fully functional on both dates. Subsequent Steps taken by the Ministry • The Ministry requested that Telecommunications Support conduct a further investigation and “…. obtain records of all in and out calls on the dates in question.” The Ministry’s Telecommunications Support unit subsequently advised that there is no database for local calls and that there is, consequently, no way to track secondary lines. In addition, when the unit was requested to conduct a further search into the matter with Bell, Bell advised that there is no longer a record of its investigation into the telephone lines because it destroys its repair records after three months. • The Ministry contacted the employee who had sent a fax to the ODSP Special Needs Office which was also misdirected to the TCHC. She produced a copy of the confirmation slip that showed that her fax was sent to the correct ODSP fax number. • The Ministry notified the relevant ODSP clients about the incident and the inadvertent disclosure of their personal information. [IPC Privacy Complaints PC-020011-1, PC-020011-1 & MC-020020-1/December 6, 2002]
- 4 - • The Ministry issued a Directive reminding its employees of the requirements of the Act with respect to ensuring the privacy and protection of client records. It referred to this incident wherein another institution had received Ministry faxes and advised employees of the procedures to be followed where a privacy breach has occurred. DISCUSSION: The following issues were identified as arising from the investigation. Was the information “personal information” as defined in section 2(1) of the Act? Section 2(1) of the Act states, in part, that “personal information” means recorded information about an identifiable individual. As described above, the information contained in the faxes included the names of ODSP clients, together with the date of birth, certain financial information and/or other information about these individuals. Such information clearly qualifies as “personal information” as defined in section 2(1) of the Act. None of the institutions involved in this complaint dispute this finding. Issue B: Was the disclosure of the personal information in compliance with section 42 of the Act? Section 42 of the Act sets out a number of circumstances under which an institution may disclose personal information. Faxes sent by the OPGT and the Ministry Clearly, in light of the circumstances surrounding the misdirected faxes from the OPGT and the Ministry, none of the circumstances set out in section 42 of the Act apply. As a result, the disclosure of the personal information was not in compliance with the Act. Having said this however, it is clear that, in both instances, the correct fax number was dialled and the faxes were misdirected due to a technical glitch completely outside the control of all of the senders as well as the receiver. There are, however, certain steps that can be taken in order to maximize the security of faxed information and these will be discussed below. Faxes sent by the TCHC to the OPGT None of the circumstances set out in section 42 apply to the disclosure of the personal information in the faxes sent by the TCHC to the OPGT, with the exception of the one fax that originated with the OPGT. Accordingly, the disclosure of personal information contained in the faxes that did not originate with the OPGT was not in compliance with the Act. In this case, however, the reason the TCHC sent all of the faxes to OPGT, as opposed to just the one that originated with the OPGT, is that it believed the OPGT to be the originator of all of the [IPC Privacy Complaints PC-020011-1, PC-020011-1 & MC-020020-1/December 6, 2002]
- 5 - faxes. Once again, there are a number of practices that should be followed in the event that an institution receives a fax in error, which will be discussed below. Fax Guidelines Given that facsimile transmission of personal information by telephone lines, unless encrypted, is not secure, if personal information must be faxed it is important that appropriate policies and procedures be in place in order to maintain the confidentiality and integrity of information transmitted by fax. The OPGT The OPGT follows the Ministry of the Attorney General’s (MAG) policy entitled Confidential Information. Part C of the policy paper is entitled “Faxing Procedures” and includes the following direction: “Notify the intended recipient that you are faxing the information and confirm the destination fax number. The recipient should stand by to receive the material.” The OPGT provided this office with a copy of MAG’s policy and the OPGT’s Best Practices which adds that the recipient should call [the sender] when he or she receives the fax. In addition, the OPGT makes the following statement on its fax cover sheet: This facsimile may contain PRIVILEGED and CONFIDENTIAL INFORMATION only for use of the Addressee(s) named below. If you are not the intended recipient, you are hereby notified that any dissemination or copying of this facsimile is strictly prohibited. If you have received this facsimile in error, please immediately notify us by telephone to arrange for the return or destruction of this document. Thank you. The Ministry The Ministry provided this office with a copy of its policies and procedures entitled Transmission of Confidential Information. A section entitled “Preferred Procedures for Sending a Fax with Personal Information” includes the following directions: • Photocopy the document(s) in question. • Sever all personal information from the document(s) to be faxed. • Telephone the party to whom the fax is addressed and inform him/her that a fax is being sent and provide any necessary personal information on the phone. • Fax the severed version of the documents(s). • Follow-up the fax by sending through confidential mail an unsevered version of the document(s) where necessary. The following statement also appears on the Ministry’s fax cover sheet: [IPC Privacy Complaints PC-020011-1, PC-020011-1 & MC-020020-1/December 6, 2002]
- 6 - This facsimile may contain Privileged and Confidential Information only for the use of the addressee(s) named above. If you are not the intended recipient of this facsimile or the employee or agent responsible for delivering it to the intended recipient, you are hereby notified that any dissemination or copying of this facsimile is strictly prohibited. If you have received this facsimile in error, please immediately notify us by telephone and return the original facsimile to us at the above address via first class mail. Thank You. [original emphasis] The TCHC The TCHC does not presently have its own fax guidelines. The TCHC explained that it is a newly formed corporation comprised of two entities which integrated on January 1, 2002. The two entities are the Local Housing Corporation established under the Social Housing Reform Act, 2000 to which was transferred the public housing portfolio formerly operated by the Metropolitan Toronto Housing Authority (MTHA), a provincial Crown agency, and Toronto Housing Company Inc., the non-profit housing provider owned and operated by the City of Toronto. The TCHC advised that information and privacy matters for the two former entities were governed by different policies, and that it is currently in the process of integrating these policies which will include privacy considerations in facsimile transmissions. The TCHC explained that it will be developing such a policy and associated communications and education of staff as soon as practicable within its current policy development initiative to meet its newly forming mandate. In the meantime, it has advised that TCHC staff will be informed of the requirement to return misdirected facsimile transmissions to their originator and not to the addressee. The IPC In June of 1989, the IPC issued Guidelines on Facsimile Transmission Security, the objective of which is to ensure that proper privacy practices are followed in order to protect the privacy and confidentiality of faxed information. The guidelines recommend that personal information not be faxed unless protected by encryption. However, the guidelines also state the following: While it is not advisable, there may be certain situations where unencrypted personal information must be faxed, and personal identifiers cannot be removed. Often, the destination fax does not have a confidential mailbox. In situations such as these, the sender should telephone the recipient prior to the transmission to advise that such information is about to be faxed and to await its receipt. Once received, the recipient should confirm receipt by telephone. The IPC’s fax cover sheet also contains a statement concerning the confidentiality of the faxed information and request that if the fax is received in error to notify this office immediately at a particular telephone number. [IPC Privacy Complaints PC-020011-1, PC-020011-1 & MC-020020-1/December 6, 2002]
- 7 - In reviewing these guidelines during the course of this investigation, it became clear that although the guidelines address various aspects of facsimile transmissions, they do not address what should be done in the event that an organization receives a fax that was intended for a different recipient. Accordingly, the IPC is in the process of revising its guidelines to address this. As neither the OPGT’s nor the Ministry’s policies address this issue either, I will be making a recommendation that they too amend their policies accordingly. When an institution receives a misdirected fax, the first step should be to immediately notify the sender. This will alert the sender so that they can investigate whether it was a result of a technical glitch or human error, and take steps to ensure the integrity of future fax transmissions. At the same time, the recipient should confirm with the sender whether the errant fax should be returned to the sender by means other than by fax or be destroyed. The recipient should not forward the fax to the intended recipient. Additional Comments: With respect to the incidents in question, I would like to point out the following. It is highly commendable that the TCHC telephoned the OPGT immediately to alert them to the fact that it had received information intended for the ODSP. The OPGT’s response to take immediate action to investigate why its document was transmitted to the wrong destination, and to notify the ODSP, is also highly commendable. Although both the OPGT and the Ministry have excellent policies and procedures in place respecting the facsimile transmission of personal information, it is unfortunate that neither of these institutions followed their own guidelines. Had they done so, and notified the ODSP by telephone to advise that a fax containing personal information was being sent, and to request that the ODSP confirm receipt by telephone, both the senders and the receiver would have known immediately that the documents had not been received by the ODSP. Although the TCHC does not have any fax guidelines in place, it acted appropriately by telephoning the OPGT to advise that it had received their fax in error. However, the absence of a policy regarding the faxing of personal information likely contributed to the TCHC improperly disclosing personal information when it returned the misdirected faxes of other senders to the OPGT. CONCLUSION: I have reached the following conclusions based on the results of my investigations: 1. The information in question was personal information as defined in section 2(1) of the Act. 2. The disclosure of the personal information was not in compliance with section 42 of the Act. [IPC Privacy Complaints PC-020011-1, PC-020011-1 & MC-020020-1/December 6, 2002]
- 8 - 3. The disclosure of personal information by the OPGT and the Ministry was inadvertent and a result of a technical glitch. The disclosure of personal information by the TCHC was due to human error. Recommendations: The OPGT and the Ministry 1. The OPGT and the Ministry should amend their policies and procedures concerning the faxing of personal information to address what steps should be taken in the event that they receive a fax that was intended for a different recipient. At a minimum, the policies and procedures should specify that the recipient should notify the sender of the fax immediately and determine whether the errant fax should be returned to the sender by means other than by fax or be destroyed. 2. The OPGT and the Ministry should take steps to ensure that the appropriate employees are aware of the policies and procedures relating to the faxing of personal information. The TCHC 1. The TCHC should complete and implement the policies and procedures which are aleady in the developmental stage with respect to sending and receiving facsimile transmissions containing personal information. In this respect, the TCHC may wish to refer to the IPC’s guidelines, and should also address what steps should be taken in the event that it receives a fax that was intended for a different recipient, as outlined in the first recommendation to the OPGT and the Ministry. 2. The TCHC should ensure that the appropriate employees are aware of the policies and procedures relating to the faxing of personal information. The OPGT, the Ministry and the TCHC should provide the Office of the Information and Privacy Commissioner with proof of compliance with the above recommendations no later than March 6, 2003 following the issuance of the final report. December 6, 2002 Susan Ostapec Mediator [IPC Privacy Complaints PC-020011-1, PC-020011-1 & MC-020020-1/December 6, 2002]
You are being directed to the most recent version of the statute which may not be the version considered at the time of the judgment.