Privacy Reports
Decision Information
Summary:
• Telephone survey of residents of the Township of Wainfleet.
• Section 2(1) (personal information) - the information qualifies as personal information.
• Section 28(2) (collection) - the personal information was collected in accordance with the Act.
• Section 29(2) (notice) - the notice requirement was only partially satisfied.
• Section 3(1) of O.R. 823 (security) - the Region did not have adequate security measures in place.
• Recommendation: In future, the Region should ensure that language is included in purchase authorization documents or contracts providing that all personal information is dealt with in accordance with the Act.
Decision Content
PRIVACY COMPLAINT REPORT PRIVACY COMPLAINT NO. MC09-9 The Regional Municipality of Niagara October 15, 2010 Tribunal Services Department Services de tribunal administratif Tel: 416-326-3333 2 Bloor Street East 2, rue Bloor Est 1-800-387-0073 Suite 1400 Bureau 1400 Fax/Téléc: 416-325-9188 Toronto, Ontario Toronto (Ontario) TTY: 416-325-7539 Canada M4W 1A8 Canada M4W 1A8 http://www.i pc.on.ca
PRIVACY COMPLAINT REPORT PRIVACY COMPLAINT NO. MC09-9 INVESTIGATOR: Mark Ratner INSTITUTION: The Regional Municipality of Niagara SUMMARY OF COMPLAINT: The Office of the Information and Privacy Commissioner/Ontario (IPC) received a complaint from an individual concerning a telephone survey conducted by the Regional Municipality of Niagara (the Region). The survey consisted of information collected from residents of the Township of Wainfleet (the Township). The Township is a lower-tier municipality located within the Region. In the complainant’s view, the questions on the telephone survey were inappropriate and constituted an improper collection of the personal information of residents of the Township. The complainant raised particular concerns regarding questions on the survey related to the financial information of respondents. In response to this complaint, the IPC commenced a privacy investigation to determine whether the survey had been implemented in accordance with the provisions of the Municipal Freedom of Information and Protection of Privacy Act (the Act). Background Information The complainant and the Region provided the following background information on this matter to the IPC. The Wainfleet Water and Wastewater Servicing Project (the Project) is a sewer project planned for the lakeshore of the Township. In September 2006, the Minister of the Environment wrote to the Region and imposed conditions on the Project. One of these conditions was that the Region and/or the Township prepare a socio-economic impact assessment to assess the potential impact of this project on the residents of the Township. The information collected through the telephone survey was collected as part of the socio-economic impact assessment process.
- 2 - As part of this process, the Region retained an agent, who in turn, hired a third party service provider (the polling firm) to conduct the telephone survey. The telephone survey took place in July and August of 2007. The residents of approximately 1130 properties were contacted and 324 surveys were completed. Included among the questions in the telephone survey were questions about household income, household net worth, and the medical condition of the individuals residing in the household. The list of resident names and contact information for the survey was compiled using Municipal Property Assessment Corporation (MPAC) data, which was provided by the Region to the polling firm. The Region confirmed that the polling firm conducted the survey and collected the survey data on its behalf. DISCUSSION: The following issues were identified as arising from the investigation: Is the information “personal information” as defined in section 2(1) of the Act? The Region provided a copy of the survey questionnaire to the IPC. The survey questionnaire contains questions relating to the age of the respondents, their marital status, income, and their home. The survey questionnaire also included questions about the respondents’ medical condition, financial status, and their opinion of the Project. The responses to the survey were matched with resident names and address information obtained from MPAC. The definition of “personal information” is set out at section 2(1) of the Act, which states, in part: “personal information” means recorded information about an identifiable individual, including, (a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual, (b) information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved, … (e) the personal opinions or views of the individual except if they relate to another individual…. I have reviewed the survey questionnaire and I conclude that the information collected in response to the survey qualifies as “personal information” under the Act. The Region concurs with this conclusion.
- 3 - Was the collection of the “personal information” in accordance with section 28 of the Act? Section 28(2) of the Act states: No person shall collect personal information on behalf of an institution unless the collection is expressly authorized by statute, used for the purposes of law enforcement or necessary to the proper administration of a lawfully authorized activity. Section 28(2) of the Act sets out the circumstances under which personal information may be collected on behalf of an institution. In order for such a collection to be permissible under section 28(2) of the Act, the institution must demonstrate that it meets at least one of the conditions listed in that section. In this case, the collection of the personal information in question is not expressly authorized by statute, and the information is not being used for the purposes of law enforcement. Accordingly, in order for the collection of personal information to be permissible under the Act, it must be shown to be necessary to the proper administration of a lawfully authorized activity. The test for determining whether a collection of personal information is necessary to the proper administration of a lawfully authorized activity was enunciated by the Ontario Court of Appeal in Cash Converters Canada Inc. v. Oshawa (City) 1 (Cash Converters) as follows: the institution must show that each item or class of personal information that is to be collected is necessary to properly administer the lawfully authorized activity. Consequently, where the personal information would merely be helpful to the activity, it is not “necessary” within the meaning of the Act. I refer to this requirement set out above as the “necessity test.” In order to satisfy this condition, an institution must identify the lawfully authorized activity in question, and then explain how the collection of personal information is necessary to its administration. With respect to the lawfully authorized activity, the Region has stated: The information is being collected under the power of municipalities to pass bylaws regarding public utilities in s. 11 of the Municipal Act, 2001. The information is being collected in response to the Minister of Environment’s decision that a social-economic impact assessment be performed as a condition of the mandatory environmental assessment which is required for infrastructure projects under the Environmental Assessment Act. It is therefore the position of the Region that the activity in question is the implementation of the Project (i.e., the public infrastructure sewer project), and that it is lawfully authorized pursuant to 1 (2007) O.J. No. 2613.
- 4 - powers set out in the Municipal Act, 2001. The Region has further stated that it was required to conduct a socio-economic impact assessment as a condition of the Project. I have reviewed section 11(1) of the Municipal Act, and note that it confers a broad authority on municipalities to “provide any service or thing that the municipality considers necessary or desirable for the public….” In this case, the “service or thing” in question is the public infrastructure sewer project. I am therefore satisfied that the Project qualifies as a lawfully authorized activity. With respect to whether the collection of personal information through the survey was necessary to the proper administration of the lawfully authorized activity, the Region pointed out that it was part of the socio-economic impact assessment required for the mandatory environmental assessment for infrastructure projects. The Region stated: The survey collects information on income, assets, net worth, property information (age, size), type of service, and household information (age, marital status, health status, and presence of children, for example). In order to complete a thorough analysis and fulfill the Minister of Environment’s condition imposed on the Environmental Assessment, analysis must be able to cross-tabulate information (for example, number of low income seniors; number of seniors with or without a mortgage; number of low income families with or without a mortgage). Further, the Region also stated that “the analysis needed requires the records to be kept with an identifying information component attached to each completed survey.” The Region was asked why it was required to collect information with “an identifiable information component” rather than information in anonymized form. In response, the Region stated that the survey data was collected in identifiable form for three reasons: (1) verification of information in cases where people have moved, (2) questions raised by individuals regarding their own information, and (3) identifying individuals for a hardship policy. In summary, the Region stated that it was necessary to collect identifiable information through the survey because the survey was a component of the socio-economic assessment required by the Minister of the Environment. Based on all of the above, I am satisfied that the information collected through the survey satisfies the “necessity test” enunciated by the Ontario Court of Appeal in Cash Converters, and that the collection was necessary for the proper administration of the Project, a lawfully authorized activity. Accordingly, I am satisfied that the collection of personal information through the survey was in accordance with section 28(2) of the Act.
- 5 - Did the Region provide Notice of Collection in accordance with section 29(2) of the Act? Section 29(2) of the Act states: If personal information is collected on behalf of an institution, the head shall inform the individual to whom the information relates of, (a) the legal authority for the collection; (b) the principal purpose or purposes for which the personal information is intended to be used; and (c) the title, business address and business telephone number of an officer or employee of the institution who can answer the individual’s questions about the collection. Section 29(2) states that when personal information is collected on behalf of an institution, the institution is required to provide the individuals whose information is collected with a Notice containing the attributes listed above. In this case, the Region has provided the text of the script used by the polling firm to accompany the survey questionnaire. Good morning/afternoon/evening, my name is ___________ and I am calling from the research firm … on behalf of the Niagara Region. We are conducting a survey on the potential social impacts, quality of life and servicing issues in the Lakeshore area of Wainfleet Township. This is being conducted in connection with the proposal to put municipal water and sewer services into the Lakeshore area. This survey will take about 5-7 minutes of your time and all responses will be kept confidential. Please be assured that the information gathered is for research purposes only and only overall results will be provided back to the Region. I have reviewed this script to assess whether it accords with the section 29(2) Notice requirements. The script satisfies subsection 29(2)(b) because it describes the purpose for which the information will be used (i.e., to assess potential impacts of the Project on members of the community). However, I note that the script does not contain the legal authority for collection (section 29(2)(a)) nor the contact information of an employee of the institution who can answer questions about the collection (section 29(2)(c)). Based on this analysis, I conclude that the Region has not complied with the statutory notice requirements under section 29(2). I note that the Region has acknowledged that the script does not fulfill the requirements of section 29(2). It stated that it has since conducted an additional survey regarding a different
- 6 - Project component. With respect to this second survey, the Region stated that it provided a Notice of Collection that satisfies the requirements under section 29(2) of the Act. The Region has provided me with a copy of the revised Notice of Collection. I have reviewed this Notice and conclude that it now contains the attributes required under section 29(2). I am pleased that the Region has proactively taken steps to address the shortcomings with respect to its original Notice of Collection. Did the Region have adequate security measures in place to protect the information provided by respondents to the survey? Section 3(1) of Ontario Regulation 823 made pursuant to the Act states: Every head shall ensure that reasonable measures to prevent unauthorized access to the records in his or her institution are defined, documented and put in place, taking into account the nature of the records to be protected. This provision requires that institutions define, document, and put in place measures that are reasonable to prevent unauthorized access to the records in their custody or control, including records containing personal information. With respect to personal information collected as part of a survey undertaken by a municipal institution, the IPC has published Best Practices for Protecting Individual Privacy in Conducting Survey Research 2 (Best Practices). The Best Practices provide guidance on how institutions can conduct surveys in a manner that is protective of individual privacy, and lists a total of 35 practices that are considered to be ideal in this regard. Two practices listed in the Best Practices are applicable to the present investigation. Best Practice #3 addresses situations where a third party service provider conducts the survey on behalf of an institution and states: Where an external consultant or private company conducts the research, establish a contractual agreement to ensure that personal information is collected, retained, used, disclosed and disposed of, in accordance with the Acts. This Best Practice requires that institutions contracting with service providers to conduct surveys on their behalf, should include provisions in their contracts for the protection of personal information. Best Practice #7 is also applicable and states: If the survey cannot be carried out anonymously, design it so that all personal information is replaced with a special code that can only be used to link the survey data to personal information when it is necessary to do so (i.e., a coded survey). 2 http://www.ipc.on.ca/images/Resources/up-1bestpr_f.pdf .
- 7 - This Best Practice requires that identifiable information, (e.g., individual names and addresses) should be kept separate from the survey data, and that a special “code” should be used to link the data, if required. I will address both of these practices in the context of the survey conducted by the Region. The survey was conducted by a third-party service provider, the polling firm. The Region hired an agent to assist with the environmental assessment process, who in turn, sub-contracted the polling firm to implement the survey. With respect to the question of whether the Region’s contractual agreements with its agent and polling firm contained references to the requirement to protect personal information, the Region has stated: We did not draft a written agreement when we purchased services from [the agent] instead using a simple purchase authorization to evidence the contract we have with them…. It was our understanding that they would be conducting themselves according to industry standards and that they were experienced in this area. They … retained … an experienced polling company, who have confirmed that they operate according to industry standards, specifically the standards of the MRIA – Marketing Research and Intelligence Association. Even without a written contract, it is clear that we have a contract with [the agent] and they in turn subcontracted with [the polling firm]. Going forward, we will consider covering issues of information confidentiality in writing in similar new contracts the Region may enter into, but our reliance on the experience of these agencies does not seem to have resulted in any difficulties as against the privacy legislation of this province. Indeed, they seem to be operating in line with the best practice recommendations of the IPC, which exceed the provincial legal standard. The IPC then sought clarification as to the nature of the contract that the Region had with its agent and in particular, with respect to the Region’s obligation to protect personal privacy as an institution under the Act. The Region responded that: … the contract [it] had with [the agent] was partially written and partially unwritten, as would be the case with many contracts for which [the Region] use[s] purchase authorizations.… Not all the terms or details related to the contract would have been written down, but they would nevertheless be part of the contract, forming an understanding as to how the contract would be performed. In my view, the absence of a written contractual agreement addressing privacy between the Region and the polling firm represents a significant shortcoming in the Region’s approach to collecting personal information through the survey. In cases where institutions covered by the Act contract out the handling of personal information to third parties, it is incumbent that they properly account for privacy by ensuring that third parties only deal with the records in accordance with the Act. By including such privacy protective wording in a written contract, the
- 8 - third parties’ obligations are made explicit, and the institution is provided with a legal cause of action for any potential breach of the contract. Upon reviewing a draft of this Privacy Complaint Report, the Region objected to my conclusion that it had not implemented reasonable security measures due to the absence of a written contractual agreement with the polling firm specifying privacy protections. The Region has taken the position that the Best Practices do not have the force of law and stated: … I do not believe that not following a best practice should be a reason for finding fault with an institution. A conclusion that practices were lacking should only be founded upon identifying a violation of the statutes or regulations which have the force of law. The Region also elaborated on the nature of its legal relationship with the service provider: Our contract was not formally written to the extent that our discussions about privacy and information security were detailed. But we had investigated such issues with our contractor and subcontractor and we were aware that [the third party subcontractor] conducted itself according to industry standards…. So it was part of our contract that these were the standards being followed and we believe this should lead to a finding that we took reasonable measures to prevent unauthorized access to the records, as required by s. 3(1) of the Regulation. In sum, it is the Region’s position that the IPC’s Best Practices do not have the force of law and that it is not required to adhere to these Best Practices in order to be in compliance with section 3(1) of Ontario Regulation 823. Further, the Region stated that it had satisfied itself that the third party subcontractor adhered to industry practices with respect to privacy. I have considered the information provided by the Region. While I agree with the Region that a best practice is not necessarily the equivalent of a requirement imposed under a statute or regulation, I note that the principle expressed in Best Practice #3 complements the requirement in section 3(1) that reasonable measures be defined and documented. Section 3(1) of Ontario Regulation 823 states that the reasonable measures to prevent unauthorized access to records should take “into account the nature of the records to be protected.” This provision implies that records that are more sensitive in nature should be subject to higher levels of protection. In this case, the information in question is personal information of a highly sensitive nature (i.e., information pertaining to individuals’ financial status and medical condition). Due to the nature of this information, a higher level of protection and security should be in place to ensure that the personal information is maintained in a secure manner. The Region has also maintained that while it did not have a contract in place that set out privacy requirements in writing, it did state that it satisfied itself that the agent and subcontractor polling firm would be proceeding in accordance with industry standards, which include privacy standards.
- 9 - The Region has stated: Confirming, as we did, that our contractor/sub-contractor would be proceeding according to industry best practices is an alternative and sound way of ensuring that security is adequate, and is probably a very common one as it relies on the expertise of the polling company, who know their business best. To support this statement, the Region explained that it contracted with an expert (the agent), who, in turn, subcontracted its duties to the subcontractor to conduct “legally authorized work according to industry standards.” I do not agree with the Region’s position that merely confirming that a service provider conforms to industry standards complies with section 3(1) of Ontario Regulation 823. The Region has also noted that the subcontractor would be subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), which contains privacy requirements similar to those that exist under the Act. The Region also provided the IPC with a letter from its agent outlining its privacy practices, which stated that it adhered to the IPC’s Best Practices. It is correct that in Ontario, private sector entities are subject to PIPEDA, which imposes rules on the personal information collected by these entities, and these rules are similar to those under the Act. However, the mere fact that an entity is subject to legislation such as PIPEDA does not, in itself, guarantee that such legislation will be respected. Accordingly, the implementation of contractual language requiring conformity with privacy principles is a prudent measure. Furthermore, this complaint against the Region was filed with the IPC to investigate under the Act. The Region is an institution under the Act and is subject to its provisions. Consequently, in my investigation into this complaint I am required to consider whether the Region has met its obligations under the Act, which, in this case, also includes any contractual agreements it may have with service providers handling personal information on its behalf. As noted above, the information at issue included personal information of a highly sensitive nature relating to Township residents. When an institution contracts with a service provider to handle the processing of personal information, it is entrusting that the service provider will provide the same level of protection that the institution is required to provide under the Act. By including explicit privacy protective wording in a contract, the institution gives legal effect to this principle, and ensures that failure to adhere to privacy rules would constitute a breach of contract. Importing such language in a contract entails a higher level of assurance that individuals’ personal information will be protected. Based on all of the above, and having regard to the sensitivity of the information at issue, I am satisfied that the Region should have entered into a written contract with the third party service provider that included provisions relating to the protection of privacy. Because a written contract setting out privacy protection requirements was not present in this case, I conclude that the Region had not implemented adequate security measures as required under section 3(1) of Ontario Regulation 823.
- 10 - Best Practice #7 makes reference to a “coded survey,” which means that survey data should be maintained in a separate database and this information should only be linked by a special code. With respect to this issue, the Region stated that the names and addresses of survey respondents are maintained by the polling firm, separate from the survey data. The Region further stated that this information can only be matched to the names and addresses with an identifying number. In my view, this treatment of the survey data by the Region and the polling firm is appropriate and accords with Best Practice #7. In sum, I conclude that the absence of a written contractual agreement between the Region and the third party service provider specifying privacy protections means that the Region has not defined, documented and put in place reasonable measures to protect the privacy of personal information collected on its behalf as required under section 3(1) of Ontario Regulation 823. CONCLUSION: I have reached the following conclusions based on the results of my investigation: 1. The information collected through the survey qualifies as “personal information” under the Act. 2. The collection of the personal information was in accordance with section 28(2) of the Act. 3. While the original script that accompanied the survey did not meet the notice provisions as outlined in section 29(2) of the Act, the revised Notice of Collection provided by the Region, which was included with its second survey, contains wording that is now in compliance with section 29(2) of the Act. 4. The Region had not implemented adequate security measures as required under section 3(1) of Ontario Regulation 823, made under the Act. RECOMMENDATION: 1. The Region should ensure that it has either language in its purchase authorization documents or a written contract in place with service providers that handle personal information. Such contracts or purchase authorization documents must provide that all personal information is collected, retained, used, disclosed and disposed of, in accordance with the Act.
- 11 - By November 15, 2010, the institution should provide the Office of the Information and Privacy Commissioner with proof of compliance with the above recommendation. Original signed by: October 15, 2010 Mark Ratner Investigator
You are being directed to the most recent version of the statute which may not be the version considered at the time of the judgment.