Privacy Reports
Decision Information
Use of complainant’s e-mail address by former City Councillor and TTC Chair to send e-mail advising that he would no longer be serving in those capacities.
Issues:
• Section 2(1) (personal information) – the complainant’s e-mail address qualifies as personal information.
• Custody or control (City of Toronto) – the e-mail record was in the City’s custody or control.
• Custody or control (TTC) – The e-mail record was in the TTC’s custody or control.
• Section 31 (use) – the City’s use of the record was not in accordance with the Act.
• Section 31 (use) the TTC’s use of the record was not in accordance with the Act.
Recommendations:
1. The City should amend the Code of Conduct for Members of Local boards to clarify that correspondence should only be used in accordance with the Act.
2. The City should strongly encourage all current members of Council to attend a training session on access and privacy.
3. The TTC should circulate a memorandum to all of its current board members addressing the importance of protecting the privacy of the personal information contained in correspondence received from members of the public.
Decision Content
PRIVACY COMPLAINT REPORT
PRIVACY COMPLAINT NOS. MC10-75 and MC11-18
City of
August 31, 2011
PRIVACY COMPLAINT REPORT
PRIVACY COMPLAINT NOS. MC10-75 and MC11-18
INVESTIGATOR: Mark Ratner
INSTITUTION: City of
SUMMARY OF COMPLAINT:
The Office of the Information and Privacy Commissioner (IPC) received a privacy complaint from an individual (the complainant) under the Municipal Freedom of Information and Protection of Privacy Act (the Act). The complainant advised that in November of 2010, he received an e-mail from a member of City Council for the City of
The complainant’s principal concern is that the former member acquired his personal e-mail address as a result of being a City Councillor and Chair of the TTC and the former member subsequently used the e-mail address for his own personal purposes. The complainant explained that the former member had acquired the complainant’s e-mail address when the complainant sent an e-mail to the former member regarding a TTC customer service issue. The e-mail, which was addressed to the former member in his capacity as Chair of the TTC, included the complainant’s e-mail address, his name, along with the details of his service complaint. The complainant was of the view that it was inappropriate for the former member to use his e-mail address for his own personal purposes.
In response to this complaint, the IPC opened privacy complaint file MC10-75 with the City of
During the course of this investigation, the IPC noted that because the complainant’s e-mail address had originally been received by the former member in his capacity as Chair of the TTC, related to a TTC service issue, and because the TTC is a separate institution under the Act, it may be necessary to obtain the position of the TTC on this matter. Consequently, and with the consent of the complainant, privacy complaint file MC11-18 was opened with the TTC. This Report relates to both complaint files MC10-75 and MC11-18.
BACKGROUND:
The following background information has been provided by the complainant, the City, and the TTC.
As noted above, the complainant sent an e-mail to the former member to complain about a TTC service matter. The complainant stated that he sent his e-mail complaint to the e-mail address for the former member, which was in the form of “councillor_[name]@toronto.ca”. The complainant explained that he is not a constituent of the former member and his e-mail did not relate to a constituency matter.
Upon receipt of the complainant’s e-mail, the former member forwarded it to a TTC Manager, and a response was eventually received from the TTC. Because the complainant’s email was forwarded to the TTC, a copy of the complainant’s e-mail was saved on a TTC server.
The former member’s toronto.ca e-mail account included a function that automatically saved the complainant’s e-mail address. The e-mail address was subsequently used by the former member to send unsolicited correspondence to the complainant about a matter that was unrelated to the subject of the complainant’s original e-mail. The former member’s e-mail stated:
It has been a great pleasure and honour to serve as a City Councillor for the past seven years and as the chair of the TTC for the past four years. Effective December 1st, you may reach me at [e-mail address].
The City explained that individuals who are elected to City Council have two separate e-mail accounts assigned to them by City Information Technology staff, one taking the form “councillor_[name]@toronto.ca” (which is intended to be used for constituent related business); and the other taking the form “[name]:@toronto.ca” (which is intended to be used for City related business). The e-mail accounts reside on different servers but both are set up and are administered by City Information Technology staff.
With respect to the relationship between the City and the TTC, the City describes the TTC as a public transportation institution that is “separate from the City.” Section 394 of the City of
Section 141(1) of the COTA sets out the relationship between the City and its Boards, stating:
Without limiting sections 7 and 8, those sections authorize the City to establish a city board and to provide for the following matters:
1. The name, composition, quorum and budgetary process of the board.
2. The eligibility of persons to hold office as board members.
3. The manner of selecting board members, the resignation of members, the determination of when a member’s seat becomes vacant and the filling of vacancies.
4. The term of office and remuneration of board members.
5. The number of votes of the board members.
6. The requirement that the board follow rules, procedures and policies established by the City.
7. The relationship between the City and the board, including their financial and reporting relationship.
In sum, section 141(1) of COTA confers upon the City the power to establish City boards; provides that the City has the power to determine the name, composition, and quorum of those boards; requires that boards follow rules and procedures established by the City; and sets out the relationship between the City and the board, including their financial and reporting relationship.
The City has enacted a by-law respecting the TTC, which is Chapter 279 of the City’s Municipal Code. The by-law states that TTC Board members are appointed by an affirmative vote of a majority of City Council, and are appointed for a period of two years. Section 279-3 of the by-law further states that all TTC budgetary requests must be submitted for approval to the City.
The process for determining which member of the TTC Board will serve as its Chair is set out in the TTC By-Law to Govern Commission Proceedings. Section 19 of that by-law states that the Chair of the TTC is selected by a vote of the TTC members on the TTC Board. The TTC Board is currently comprised solely of members of City Council, although the TTC has stated that it may, from time to time, include non-City Council members.
A draft of this privacy complaint report was provided to the parties to this matter prior to this final report being issued. Where appropriate, the comments of the parties have been incorporated into this final version of the privacy complaint report.
DISCUSSION:
The following issues were identified as arising from the investigation:
Is the information at issue “personal information” as defined in section 2(1) of the Act?
The information at issue in this complaint is the complainant’s personal e-mail address contained in the e-mail letter of complaint, which was subsequently used by the former member to send the outgoing e-mail in November of 2010. Although the complainant’s e-mail address, viewed in isolation, does not contain the complainant’s name, it is associated with the complainant’s name because any individual receiving an e-mail from the complainant would be able to see his name as the sender in his or her e-mail inbox. In addition, the e-mail was “signed” by the complainant (i.e. his name appeared at the bottom of the message).
The City took the position that the complainant’s e-mail address contained in the e-mail letter of complaint qualifies as personal information under the definition contained in section 2(1) of the Act. The TTC took the position that because the e-mail address is non-descript and contains no personal identifiers, it does not qualify as the complainant’s personal information under the Act.
The definition of “personal information” is contained at section 2(1) of the Act, which states, in part:
“personal information” means recorded information about an identifiable individual, including:
…
(c) any identifying number, symbol or other particular assigned to the individual,
(d) the address, telephone number, fingerprints or blood type of the individual,
(e) the personal opinions or views of the individual except if they relate to another individual,
(f) correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,
(g) the views or opinions of another individual about the individual, and
(h) the individual’s name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual; ….
The IPC has previously held that information will qualify as personal information if it is reasonable to expect that an individual may be identified if the information is disclosed [Order PO-1880, upheld on judicial review in Ontario (Attorney General) v. Pascoe, [2002] O.J. No. 4300 (C.A.)]. I will adopt the same approach here.
In this case, the e-mail address by itself does not reveal the identity of the complainant as it contains a series of words that does not include the complainant’s name. However, the e-mail address appears in the text of the complainant’s e-mail which includes the complainant’s name at the bottom of the e-mail and in the sender’s address line. As such, any individual who reviewed the e-mail in question would be able to match the non-descript e-mail address with the complainant’s name and identify the complainant. As such, in this case, I am satisfied that the complainant’s e-mail address qualifies as “information about an identifiable individual.”
For these reasons, I am satisfied that it is reasonable to expect that the complainant may be identified in the circumstances of this complaint. As such, I am satisfied that the complainant’s e-mail address appearing on the record in question qualifies as personal information under the definition in section 2(1) the Act.
Do the City and/or the TTC have custody or control of the e-mail address?
As stated above, at issue in this privacy complaint investigation is the question of whether the former member’s use of the complainant’s e-mail address was permissible under the Act. The permissible uses of personal information under the Act are set out in section 31, which states that an institution shall not use personal information in its “custody or under its control” except in a limited number of enumerated circumstances. The question of whether an institution has custody or control of personal information is therefore a threshold issue that must be determined before a finding can be made as to whether a particular use of personal information was in accordance with the Act.
Because the words “custody” and “control” are not defined in the Act, it is necessary to consider rules of statutory interpretation in order to give meaning to these terms. The modern approach to statutory interpretation requires that:
[T]he words of an Act are to be read in their entire context, in their grammatical and ordinary sense harmoniously with the scheme of the Act, the object of the Act, and the intention of Parliament. [see City of Ottawa v. Ontario, 2010 ONSC 6835 (CanLII) (City of Ottawa) citing R. Sullivan in Driedger on the Construction of Statutes, 4th ed. (Toronto: Butterworths, 2002)].
This approach can also be called the “purposive approach” to statutory interpretation. The purposes of the Act, which are set out in section 1, provide a clear indication of the objects of the Act. In this case, section 1(b), which states that one purpose of the Act is to protect the privacy of individuals with respect to personal information about themselves held by institutions, is relevant. It states, in part:
The purposes of this Act are,
(b) to protect the privacy of individuals with respect to personal information about themselves held by institutions and to provide individuals with a right of access to that information [emphasis added].
The purposive approach is consistent with the approach that has been applied to access to information decisions. In that context, the courts and this office have applied a broad and liberal approach to the custody or control question [
Guidance can also be drawn from a number of access orders issued by the IPC that deal with the question of whether an institution has custody or control of a record. In Order P-120, former Commissioner Sidney B. Linden set out a number of factors to consider in determining whether an institution has custody or control of a record as follows:
Was the record created by an officer or employee of the institution?
What use did the creator intend to make of the record?
Does the institution have possession of the record either because it has been voluntarily provided by the creator or pursuant to a mandatory statutory or employment requirement?
If the institution does not have possession of the record, is it being held by an officer or employee of the institution for the purposes of his or her duties as an officer or employee?
Does the institution have a right to possession of the record?
Does the content of the record relate to the institution’s mandate and functions?
Does the institution have the authority to regulate the record’s use?
To what extent has the record been relied upon by the institution?
How closely is the record integrated with other records held by the institution?
Does the institution have the authority to dispose of the record?
These factors are non-exhaustive [Order P-120]. In a given situation, some of the listed factors may not apply, while other unlisted factors may apply.
In this case, there are two institutions that are the subject of this privacy complaint investigation: the City and TTC. Accordingly, I will separately consider whether the personal information in question – the complainant’s e-mail letter of complaint - is in the custody or control of either or both institutions.
To assist with this assessment, I asked each institution to provide its position on the issue, with specific reference to the 10 factors identified above. I now turn to consider the parties’ position on these factors.
The City
Although I asked the City to provide its position on whether the complainant’s e-mail of December 19, 2008 is in its custody or under its control, the City’s response appears to primarily address the question of whether the related outgoing e-mail sent in November of 2010 by the former member was in its custody or under its control. Notwithstanding this fact, the City’s response does make reference to both e-mails, and the determination of custody or control for either record involves similar considerations as both contain the complainant’s e-mail address, and both were saved in the former member’s e-mail account.
As a result of its consideration of the factors listed above, the City took the position that the complainant’s e-mail is not in the City’s custody or under its control. It stated that the former member was not an officer or employee of the City, and when he received the e-mail in question, he was acting in his capacity as Chair of the TTC, which is a separate institution from the City for the purposes of the Act.
The City stated that it only has bare possession of the complainant’s e-mail and e-mail address as it is maintained in the backup server of the former member’s e-mail account. In this regard, the City stated:
E-mail accounts are considered to be the property of the Councillor and are not collected, used or disclosed by any employee or officer of the institution. Councillor e-mail is kept on separate servers from staff e-mail. … There is no mandatory or statutory requirement to retain the record or for the former Councillor to provide the record to the City, and the former Councillor did not do so.
As noted, the City stated that the e-mail account in question was issued by the City and was intended to be used by the former member for constituency purposes. The City also stated that it does not regulate the use of the e-mail accounts that it sets up for constituency records of Council members. In addition, the City stated that the e-mails in that account have not been integrated with other records held by it, nor does it have the authority to dispose of the e-mails in those accounts under the records retention by-law applicable to other City business records. Also, as noted above, the City explained that it assigns City Councillors a separate e-mail address in order to deal with City business.
With respect to the question of whether the e-mail related to the City’s mandate and function, the City stated that it is not “responsible for” the complainant’s e-mail as it related to a customer service concern regarding the TTC, which is a separate institution under the Act.
In sum, while the City acknowledges that it has bare possession of e-mails in the account of the former member, it states that it does not have custody or control because they reside in an e-mail account that was set up by the City for the purpose of allowing Council members to address constituency matters, and the substance of the e-mail in question relates to the TTC’s role and mandate.
Analysis and Findings
Previous decisions of the IPC and the courts have concluded that a record will be subject to the Act if it is in the custody or under the control of an institution; it need not be both. [Order P-239, Ministry of the Attorney General v. Information and Privacy Commissioner, 2011 ONSC 172 (
Possession
While the City acknowledges that it has possession of the complainant’s personal information and in particular the e-mail in question, it states that it only has bare possession of the record.
With respect to the City’s possession, I note that while the record at issue is situated on a separate server tasked with retaining e-mail activity associated with “councillor_[name]@toronto.ca” e-mail addresses, it is nonetheless a server owned, operated, and maintained by the City. In addition, the City has acknowledged that “members of the public routinely contact individual Councillors to make complaints … concerning services available within the City.” As in the circumstances at issue in this investigation, it is likely that a number of such complaints are routinely conveyed to the City through “councillor_[name]@toronto.ca” e-mail accounts and stored on the relevant server. In such circumstances, it is reasonable to conclude that the City would have some right to deal with such a record of complaint, for example, when it is necessary to do so in order to respond to or resolve a complaint about a service provided by a department, agency, or board of the City.
With respect to the City’s authority to regulate the record’s use, I note that section 157 of the City of Toronto Act (COTA), requires that the City establish a Code of Conduct governing the conduct of members of local boards, such as the TTC. In this case, the Code of Conduct that has been established is entitled Code of Conduct for Members of Local Boards (Restricted Definition) City of
Confidential information includes information in the possession of, or received in confidence by a local board that the local board is either prohibited from disclosing, or is required to refuse to disclose, under the Municipal Freedom of Information and Protection of Privacy Act (often referred to as “MFIPPA”), or other legislation. Generally, the Municipal Freedom of Information and Protection of Privacy Act restricts or prohibits disclosure of information received in confidence from third parties of a corporate, commercial, scientific or technical nature, information that is personal, and information that is subject to solicitor-client privilege.
No member shall disclose or release by any means to any member of the public, any confidential information acquired by virtue of their office, in either oral or written form, except when required by law, or authorized to do so by the local board or, if applicable, by Council.
Nor shall members use confidential information for personal or private gain, or for the gain of relatives or any person or corporation. As one example, no member should directly or indirectly benefit, or aid others to benefit, from knowledge respecting bidding on the sale of property or assets of the local board or City. [Emphasis added.]
While it may not be intended to be a comprehensive information management policy, the existence of this Code of Conduct indicates that the City has assumed some responsibility for the care and protection of the kind of record at issue. In governing the behaviour of Councillors who sit on local boards, the City has demonstrated an intent to regulate personal information that comes into the possession of board members as a result of their service on those boards. (Similarly, the City has also demonstrated a similar intent with respect to members’ service on City Council in its Code of Conduct for Members of Council City of Toronto. [2] )
Upon reviewing a draft of this privacy complaint report, the City raised a number of concerns over the content of the Report. One such concern related to the way in which the Report characterized the issue of custody or control. In this regard, the City asserted that:
The Draft Report concludes that, the fact that the City has established a policy for acceptable use of resources provided to an individual Councillor, combined with the bare possession of the City over these electronic resources is sufficient to establish the City’s custody or control over these records for the purposes of MFIPPA. This conclusion is contrary to the
In the City of
The
The circumstances before me in this complaint are not analogous to those in the City of
For the reasons set out above, I find that not only does the City have possession of the complainant’s personal information; it has some right to deal with the record and some responsibility for the care and protection of this information. These are, in my view, factors weighing in favour of a finding that the City has custody of the personal information at issue.
City’s Functions and Mandate
As noted above, one of the factors that must be considered is the relationship between the content of the record and the City’s mandate and functions. The e-mail address was contained in an email that relates to the former member’s duties as Chair of the TTC. In substance, it was a letter of complaint regarding transit service on the TTC which, in my view, and for the reasons set out below, is a service that falls squarely within the functions and mandate of the City.
The mandate of the City is set out, in part, in section 1 of the COTA, which states:
The City of
As noted above, the COTA sets out the power of the City to establish Boards, and section 395(1) of COTA designates the TTC as the City Board having the responsibility to operate a local passenger transportation system within the City. Section 3 of the COTA defines the term “local board” to encompass a transportation commission.
It is also notable that the TTC is owned by the City, and the members of the TTC Board are voted on, and approved by City Council. The Chair of the TTC is selected by the Board membership. I also give significant weight to the fact that the parameters of the financial and reporting relationship between the TTC and the City are wholly determined by the City under section 141 of the COTA. Furthermore, the TTC receives an operating subsidy from the City which comprises a significant portion of the City’s annual budget.
The fact that the provision of transit services falls within the mandate of the City is also evident in a number of recent activities undertaken by the City. Toronto City Council recently passed a motion requesting that the provincial government designate public transit within the City as an essential service. [3] Similarly, the City also announced that it has entered into a Memorandum of Understanding (MOU) with the
With respect to the City’s contention that the complainant’s e-mail containing his e-mail address was received at an e-mail address intended to be used for constituency matters, I note that members of City Council deal with a wide variety of records, and for that reason it may be reasonable for the City to create a separate e-mail account for members of City Council to use for the conduct of City business, and a separate e-mail account for constituency related matters. However, the mere fact that an individual corresponds with a Councillor or Board member using one address or another is not, on its own, determinative of the issue of custody or control.
Further, taking a purposive approach, it would not be reasonable to find that an individual’s access and privacy rights are diminished by virtue of the fact that he or she elected to correspond with a Councillor at an address that the City asserts has been designated for the purposes of constituency use only. In terms of considering whether a record is in the custody or control of an institution, the proper approach is to consider the substance of the record itself in conjunction with all other material circumstances that relate to the custody or control issue.
In my view, the complainant’s e-mail containing his e-mail address relates to the City’s provision of transit services which falls well within the functions, mandate and business of the City. In these circumstances, it is not material to the analysis that the complainant’s e-mail was sent to the member using an address that was intended by the City to be used primarily for communications on constituency matters.
Having reviewed the
The City has also objected to the finding that the record in question was in the custody of the City because Councillors are not officers or employees of the City. In the City’s view, the record holdings of members of Council are constituency records, and therefore not in the custody or control of the City, in which case they are not subject to the Act.
A number of IPC decisions have held that records received by a member of a municipal council where the member is acting in his or her capacity as a constituent representative are not in the custody or under the control of the institution [see, for example, Order M-813]. However, the IPC has also concluded that records that are not held by a council member solely in his or her capacity as a constituent representative (for example, where the record does not relate to a constituency matter) are subject to the Act if they are otherwise within the custody or control of the municipality in question [see Privacy Complaint Report MC-020030-1].
Therefore, in properly characterizing the record in the present case, it is necessary to consider whether the record in question was held in the former member’s capacity as a constituent representative, such that it could be characterized as a “constituency record.”
Although the terms “constituent” and “constituency” are not defined in either the Act, or in the COTA, the Concise Oxford Dictionary defines “constituency” as “a body of voters in a specified area who elect a representative member to a legislative body.” [6]
A City publication, A Guide to Access and Privacy for Councillors [7] is also helpful in assessing the parameters of what constitutes a constituency record and states:
Documents and records received or created interacting with constituents are considered personal. Constituency records generally relate to issues the Councillor is dealing with involving one or more members of the public who either live or own a business within the Councillor’s ward. Constituency records may include letters, emails, faxes, telephone messages, and mailing lists [emphasis added].
According to this publication, “constituency records” are those that generally relate to an issue that a member of Council is dealing with involving an individual or business within the member’s ward, which is consistent with the dictionary definition above.
In applying these concepts to this case, I note that the complainant did not reside within the member’s constituency. In addition, it is evident that the complainant was contacting the former member in his capacity as Chair of the TTC, rather than as a constituent representative. I am satisfied that the e-mail record in question was not received by the member in relation to his duties as a constituent representative, and that the record is not outside of the custody or control of the City by virtue of the fact that it was originally received at the member’s “councillor_[name]@toronto.ca” e-mail address.
The City has also objected to findings contained in the draft report by stating that the “analysis of the relationship between an individual City Councillor and the City is incorrect” as, in the City’s view, the draft report improperly treats the TTC and the City as if they were one institution under the Act. In support of its position that the TTC is a separate legal entity from the City, the City has noted that it has the power to act independently with respect to the purchase of property and in setting fees, and that the TTC was created by statute in 1920, and existed prior to the current amalgamated City of Toronto. Due to the fact that the TTC is a separate legal entity and distinct institution under the Act, the City asserts that “it is incorrect that any documents held by the TTC or an individual commissioner are under the custody or control of the City for the purposes of MFIPPA.”
In response to the concerns raised by the City in this regard, I acknowledge, and am in agreement with the City’s assertion that the TTC is a separate institution under the Act. I am also in agreement that the record in question relates to a TTC matter, and I address the question of whether the e-mail record is in the custody or under the control of the TTC for the purposes of the Act below.
However, I do not agree with the City that the fact that a given record may be in the custody or control of one institution precludes a finding that the record is also in the custody or control of a different institution. A record can simultaneously be in the custody or control of two (or more) institutions.
In sum, with respect to the issue of whether the e-mail was in the custody or under the control of the City, I have considered the respective positions of the parties to this matter, including the specific objections raised by the City in response to the Draft Report. I note the following:
The City has enacted a Code of Conduct governing the conduct of members of Council sitting on boards. The Code of Conduct addresses confidentiality with respect to information in the possession of board members as a result of their service on these boards, which means that the City has recognized and assumed some responsibility for the care and protection of these records.
The record in question is in the possession of the City on a server maintained by the City.
The mere fact that a record is sent to an e-mail address that the City has established to be used for constituency purposes does not, in itself, dictate the conclusion that the record in question is a constituency record.
The record in question relates to City business as the operation of a public transportation service falls within the City’s mandate and functions. The record was originally conveyed voluntarily by the complainant to the former member who was identified by the complainant as the Chair of the TTC, and who subsequently passed the record on to TTC staff for processing as a service complaint.
Viewed in light of the circumstances in which it was originally obtained or compiled, the record in question is not solely or primarily a constituency record.
Based on my consideration of the Act, applicable principles of statutory interpretation, relevant case law, and prior decisions of the IPC, and in view of the City’s Code of Conduct, the fact that the record relates to the City’s mandate and functions, and the fact that the record is in the City’s possession, I am satisfied that the record in question is in the custody of the City.
Before I consider the TTC’s position on this issue, I want to address the City’s concerns that the result of my findings here would mean that the City would have custody or control over all records in the possession of a member of an agency, board, or commission with members appointed by City Council. I do not agree with this conclusion. The determination of custody or control issues relating to councillors or other members of such agencies, boards or commissions will continue to depend on the substance and subject of the records at issue, in addition to other relevant factors.
The TTC
While the TTC acknowledged that it received a forwarded copy of the December 19, 2008 e-mail from the complainant, and that the copy of the e-mail received was in its custody or under its control, it states that it did not have custody or control of the original record that was received in the former member’s City of Toronto e-mail account.
The TTC stated that the original e-mail was not created by an officer or employee of the TTC, but was created by a member of the public for the purpose of making a complaint about TTC service. Like the City, the TTC also stated that the former member was neither an officer nor an employee of the TTC. The TTC asserted that the record in question was not collected by the institution from the complainant, but that it acquired possession after it had been forwarded to TTC staff by the former member. The TTC stated that its right of possession extended only to the copy of the record received by TTC staff.
The TTC acknowledged that the complainant’s e-mail relates to the TTC’s mandate and functions, and that it has the authority to regulate the use of the copy of the record obtained from the former member. However, the TTC also submits that it did not have the authority to regulate the original e-mail record as it existed in the former member’s City e-mail account. Likewise, the TTC has stated that it has the authority to dispose of the copy of the e-mail, but not the original e-mail.
In sum, the TTC stated that it does not have custody or control of the original December 19, 2008 e-mail which was sent to the former member at his City of
Analysis and Findings
The issue before me is whether the TTC had custody or control of the record containing the complainant’s e-mail address that was subsequently used by the former member to send the e-mail of November 2010. This e-mail was in the possession of the former member and was electronically situated on a server of the City, and it was this copy of the e-mail that led to the complainant’s address being one of those to which the November 2010 e-mail was sent, and not the copy that the member provided to the TTC. As noted, in order for the Act to apply, only custody or control over the record in question must be demonstrated. In this case, I will consider whether the e-mail in question was in the control of the TTC.
In this context, I note that, while there may be sufficient basis to conclude that the former member was, as TTC Chair, an officer of the TTC, it is not necessary for me to decide this question for the purposes of the analysis that follows. Applying previous orders of this office, I find that regardless of whether or not Board members are officers or employees of an institution, their record holdings may still be subject to the Act, if another basis for establishing custody or control can be found [See for example, Orders P-239, M-813 and MO-1403].
In my view, the following relevant circumstances are deserving of significant weight, and support a finding that the TTC had control over the e-mail and the personal information it contained:
The record was originally obtained and compiled as part of the complainant’s e-mail letter of complaint. The content of the complainant’s e-mail relates to the mandate and functions of the TTC. Section 395(1) of the COTA provides that the TTC is responsible for establishing, operating, and maintaining “a local passenger transportation system within the City….” Concomitant with those responsibilities, the TTC would receive, and deal with, complaints from members of the public. Therefore, I find that the receipt of and response to customer service complaints is an integral part of the core function of the TTC.
The e-mail was received and initially dealt with by the former member as Chair of the TTC for the purposes of his duties as Chair of the TTC, and in relation to its core function and mandate, and not for any other purpose. As noted above, consistent with this view, a copy of the e-mail was forwarded by the Chair to the TTC General Manager for response.
The customary practice of the TTC in relation to e-mails of this nature is set out in its written operating procedure titled Standard Operating Procedure – Customer Service Section (the Procedure), which governs customer service queries. [8] The Procedure advises that the TTC’s Customer Services Section is responsible for “receiving, documenting and responding to complaints from the public about TTC Operations,” and further notes that customer service communications are also sometimes received by TTC Executives, which the Procedure defines to include “the Chief General Manger, Chair or a TTC Commissioner.” The Procedure states that queries directed to these individuals are supposed to be dealt with in the same manner as other customer service queries.
After reviewing a draft of this report, the TTC reiterated its position that it did not have control of the record in question and stated:
With respect to a document stored on a third party server (i.e. City of
Having regard to the concerns expressed, I note that the existence of the TTC’s Procedure referenced above is indicative of the fact that it had asserted authority over communications relating to customer service complaints.
Further, in regard to the concern expressed by the TTC, I note that in
The Federal Court of Appeal agreed with this test, holding that, in the context of these cases where the record requested is not in the physical possession of a government institution, the record will nonetheless be under its control if two questions are answered in the affirmative: (1) Do the contents of the document relate to a departmental matter? (2) Could the government institution reasonably expect to obtain a copy of the document upon request? [9]
By adopting this test in the context of the present case, the appropriate questions to ask are:
Whether the contents of the record in question relate to a TTC matter; and
Whether the TTC could reasonably expect to obtain a copy of the record on request.
If the answer to both of these questions is “yes,” then the record would be deemed to be under the control of the TTC.
With respect to the first question, I note that the record in question is an e-mail query sent by a member of the public to the former Chair regarding a TTC service issue. I find that this record clearly relates to a TTC matter.
The second part of the test asks whether the TTC would reasonably expect to obtain a copy of the record on request. In explicating this part of the test, the Supreme Court addressed the factors that are determinative in assessing this question as follows:
Under step two, all relevant factors must be considered in order to determine whether the government institution could reasonably expect to obtain a copy upon request. These factors include the substantive content of the record, the circumstances in which it was created, and the legal relationship between the government institution and the record holder…. The reasonable expectation test is objective. If a senior official of the government institution, based on all relevant factors, reasonably should be able to obtain a copy of the record, the test is made out ….
In addressing how these factors apply in the present case, I note that the record consisted of a customer service query, which was created by the complainant so that the TTC could address, and respond to his concerns. In terms of the legal relationship between the TTC and the Chair, the TTC Chair is the head of the TTC Board of Commissioners, which is responsible for governance of the TTC.
As noted above, the receipt of complaints from members of the public is integral to the operation of the TTC, and the TTC Procedure explicitly contemplates the receipt of queries originally sent to the TTC Chair or a Commissioner. In my view, all of these factors support a finding that, on request, a TTC official could reasonably expect to receive the record in question. This conclusion is supported by the fact that the former member did in fact provide a copy of the record to the TTC.
Because the answer to both parts of the test expressed above are “yes,” I find that the TTC has control of the record in question.
In sum, having regard to the material circumstances set out above, as well as the objections raised by the TTC, I find that the record in question was under the control of the TTC, and therefore subject to the Act.
Was the City’s use of the personal information in accordance with section 31 the Act?
In November of 2010, as noted above, the complainant’s e-mail address was used by the former member to send an e-mail to a list of undisclosed recipients. The e-mail stated that the former member would no longer be serving as a member of City Council or as TTC Chair, and included contact information. The complainant was among the recipients of that e-mail.
I have concluded above that the complainant’s e-mail address, which was contained in the e-mail letter of complaint that was sent on December 19, 2008, was in the custody or control of both the City and the TTC. As a result of this finding, the act of sending the outgoing e-mail in question constituted a use of the complainant’s personal information by both the City and the TTC.
I will now proceed to consider whether the use of the complainant’s e-mail address by the City was permissible under the Act. I will then conduct the same analysis regarding the TTC.
The use of personal information is addressed at section 31 of the Act, which states:
An institution shall not use personal information in its custody or under its control except,
(a) if the person to whom the information relates has identified that information in particular and consented to its use;
(b) for the purpose for which it was obtained or compiled or for a consistent purpose; or
(c) for a purpose for which the information may be disclosed to the institution under section 32 or under section 42 of the Freedom of Information and Protection of Privacy Act.
In order for an institution to show that a given use of personal information was in accordance with the Act, the institution must show that the use accords with at least one of the section 31 exceptions listed above. In this case, the City has taken the position that the e-mail address in question was not in the custody or control of the City, and therefore, it was not used by the City. As such, the City did not initially address the exceptions contained in section 31. However, the City did address section 31 in its response to the draft Report.
In my view, the only provision of section 31 that may apply in the present circumstances is section 31(b), which permits the use of personal information for the purpose for which it was obtained or compiled, or for a consistent purpose. As such, it is necessary to determine whether the e-mail in question was used for the original purpose for which it was obtained, or whether it was used for a purpose consistent with that original purpose.
In this case, the e-mail address in question was obtained by the City when it received the complainant’s e-mail of December 19, 2008. The purpose of the e-mail in question was to raise a TTC customer service issue with the former member in his capacity as Chair of the TTC. The complainant’s e-mail address was subsequently used by the former member in November of 2010 for the purpose of sending the outgoing e-mail in question. Because these two purposes are different, the purpose of the use of the e-mail cannot be said to be the same as the original purpose for which the e-mail was obtained or compiled.
I will now consider whether the use of the e-mail constitutes a “consistent purpose” under section 31(b) of the Act. Section 33 of the Act gives meaning to the term “consistent purpose,” and states:
The purpose of a use or disclosure of personal information that has been collected directly from the individual to whom the information relates is a consistent purpose under clauses 31 (b) … only if the individual might reasonably have expected such a use or disclosure.
In other words, where information is directly obtained from an individual, any subsequent use of the information will only be considered to be a consistent purpose, if the individual in question would have reasonably expected the use in question to have taken place.
In this case, the complainant has stated that he did not expect the use in question to have taken place:
My contact information was obtained from the former City Councillor in his capacity as Chair of a Commission of the City as part of the resolution of a complaint and as such, I believe this to be an institutional record that he is using for his own purpose upon departure from office. I do not believe that it is “quite normal” for municipal elected officials or other employees of that municipality to use contact information collected as part of their duties … to send such emails offering the opportunity for that person to build a personal contact list.
For instance, would it be considered appropriate for employees at TeleHeath
The nature of the email was clearly personal and not related to his duties at the City of
The complainant explained that he expected that his e-mail address would only be used for the purpose of addressing, and following up on his complaint about the TTC, and he stated that he did not expect that it would be used by the former member to send the outgoing e-mail.
I am in agreement with the complainant that it is not reasonable for someone sending an e-mail letter of complaint to an institution to expect to receive an e-mail from a representative of that institution for a purpose unrelated to the subject of the original e-mail.
In my view, the contents of letters of complaint sent to institutions, whether they are in e-mail or hard copy form should only be used for the purpose which the sender intended; namely, to allow the institution to deal with the subject matter of the correspondence. An individual sending a letter of complaint to an institution has a reasonable expectation that the letter in question will not be used for any purpose other than the purpose of responding to the concern that is the subject of the letter.
In the circumstances of this case, I am satisfied that an individual writing an e-mail letter of complaint to a Council member, acting in the capacity of Chair of the TTC would not have reasonably expected that their e-mail address would be used to send the outgoing e-mail. As such, I conclude that the use of the personal information was not in accordance with section 31(b) of the Act.
I have considered the remaining exceptions contained in section 31, and I am satisfied that none of these would apply in the present case to make the use in question permissible. As such, I conclude that the use of personal information in question was not in accordance with section 31 of the Act.
In its response to the draft report, the City expressed disagreement with the finding that it used the personal information in question, and that the use of the personal information contravened section 31 of the Act.
With respect to the City’s first objection, that it did not use the information in question, I note that I have concluded above that the e-mail record was in the City’s custody. Previous decisions of the IPC have concluded that a council member’s actions with respect to a record in the custody or control of a municipal institution are subject to the privacy provisions of the Act, including those relating to the use and disclosure of personal information [see, for example, Privacy Complaint Reports MC-020030-1 and MC-050018]. Accordingly, I am satisfied that the former member’s actions with respect to the record at issue constituted a use of personal information by the City under the Act.
The City’s second objection was that, even if the former member’s actions with respect to the record constituted a use of personal information under the Act, it would have been reasonable for an individual to expect that their e-mail address would be used for the purpose of sending the outgoing e-mail in question. As such, the City’s position is that the use in question would have been permissible under section 31(b) of the Act. In this regard, the City stated that there were many possible reasons why members of the public may expect to receive an e-mail similar to the one sent by the former member, including:
Members of the public who requested the former member’s assistance in resolving constituency issues may prefer to continue to seek their assistance.
Members of the public would appreciate the ability to contact the former member, if there was a problem in resolving a constituency issue arising from the change in members of the TTC.
Members of the public may wish to contact the former member so that the former Chair could provide background information on an issue to his successor.
To further support its position that the former member’s conduct with respect to the e-mail was reasonable, the City noted that out of the “potential thousands” of people who had received the e-mail in question, only one individual (the complainant) complained to either the City or the IPC.
I have considered the City’s position in this regard, and I disagree with the City’s contention that the fact that a member of the public may wish to have continued communication with the former member justified the sending of the e-mail in question. If there was a particular individual who was dealing with a matter for which they required the ongoing assistance of the former member in his capacity as a private citizen, it would be appropriate for the former member to contact that person on an individual basis, rather than in the mass e-mail communication in question.
I reiterate that the former member obtained the e-mail address of the complainant along with the e-mail address of other members of the public as a result of his service to both the City and the TTC. In this case, the fact that there were a large number of potential recipients of the e-mail in question underscores, rather than undermines, the importance of protecting the privacy of the individuals. Members of the public who choose to correspond with representatives of government on a given issue should have confidence that their information will only be used in the context of addressing the issue that is the subject of the correspondence, and should not have concerns that their personal information will be used for other extraneous purposes.
In addition, the City also objected to the fact that the draft Report did not include an analysis of the issues related to the City’s collection of the e-mail.
In regard to this concern, I note that the Report did not address the question of whether the collection of the e-mail was permissible because it had been sent to the former member on an unsolicited basis and was therefore not “collected” under the Act (see, for example, Privacy Complaint Report No. MC08-91 and MC08-92). For this reason, it was not necessary to address the question of the permissibility of the collection of personal information in this Report.
Although the e-mail was not collected by the City, it was “obtained or compiled” by the City as a result of its unsolicited receipt. The permissibility of the subsequent use of the e-mail by the City is addressed above.
In consideration of all of the above, I find that the use of the complainant’s e-mail address was not in accordance with section 31 of the Act.
Was the TTC’s use of the personal information in accordance with section 31 the Act?
As noted above, the former member sent an e-mail to the complainant advising him that the former member, would be leaving his position as Chair of the TTC. As this e-mail was sent in the former member’s capacity as TTC Chair, the use of the complainant’s e-mail address qualified as a use by the TTC.
The TTC’s use of the complainant’s e-mail address is also subject to section 31 of the Act, which is reproduced above. In this case, the TTC has taken the position that its use of the complainant’s e-mail by the former member to send the outgoing e-mail in question was a “consistent purpose” under section 31 of the Act. In this regard, the TTC has stated:
The purpose of the outgoing email sent by the former Chair of the TTC was for a consistent purpose for which it was obtained or compiled….
As part of the Complainant’s email of December 2008 raising TTC service issues with [the former member] the Complainant voluntarily provided his email address so that [the former member] could correspond with him…. [I]t is clear that the email was provided to [the former member] in his capacity as Chair of the TTC and in an effort to have [the former member] help the Complainant with respect to his specific complaint. In other words, the Complainant voluntarily provided [the former Chair] with his personal email address … so that [the former Chair] could respond to him with respect to TTC related matters.
…
[The former member] elected not to run again for City Council and as of November 30, 2010 his term as a City Councillor and as a Member of the Toronto Transit Commission was ending….. [The former member], as a courtesy, emailed the Complainant to advise that he was no longer the Chair of the TTC. This appears to be reasonable given the Complainant’s previous correspondence with [the former member] complaining about service. Arguably this was done in order to ensure that if the Complainant had any further complaints with respect TTC service, that the Complainant was aware to re-direct his complaint to other individuals associated with the TTC. In our respectful submission, the use of personal information by [the former member] to advise an individual that had previously voluntarily contacted him with respect to a [complaint] while serving as Chair of the TTC with respect to TTC service (while the person was Chair of the TTC) that he was no longer serving in the capacity as Chair as of a specific date is a consistent purpose for which the information was obtained. … [The] email of November 30, 2010 was a courtesy email to ensure that the Complainant was made aware that he would no longer be responding to TTC service complaint issues similar to the one previously made by the Complainant. Courtesy should not be mistaken with privacy breach.
In sum, the TTC has taken the position that the use of the complainant’s e-mail address by its former member was reasonable, and therefore constituted a “consistent purpose” under section 31(b) of the Act.
The TTC’s position on this issue does not address the fact that the former member’s e-mail to the complainant included new contact details for the former member. In my view, if the former member had intended only to inform the complainant that all future communications on TTC service matters should be directed to other TTC employees or departments, he would have provided that contact information rather than his own personal e-mail address. The inclusion of this new contact information strongly suggests that the e-mail had a purpose that was broader than simply alerting the recipient of the former member’s departure.
For the same reasons as those outlined above respecting the City of Toronto, I am not in agreement with the TTC that the use of the e-mail address qualified as a “consistent purpose” under section 31(b) of the Act. I note that the outgoing e-mail of November 2010 was sent by the former member almost two years after the time the original e-mail from the complainant was originally sent, and was not related to the subject matter of the original complaint. In this case, the complainant would not have reasonably expected that his e-mail address would have been used in this manner.
When a government institution receives correspondence from a member of the public, it is reasonable for the individual to expect that the personal information contained in that correspondence will only be used in order to address the issues raised in the correspondence in question. Other uses of personal information that are unrelated to the purpose of the correspondence would not be reasonably expected, and would therefore not qualify as a “consistent purpose” under section 31(b).
In this case, the TTC has also stated that its use of the complainant’s e-mail address was permissible because the complainant had consented to its use. In this regard, the TTC has stated:
…[T]he Complainant by voluntarily providing his email address in his earlier correspondence provided an implied consent for [the former member] to use that information to provide additional correspondence consistent with serving as Chair of the TTC, including advising that he was no longer associated with the TTC as of a given date.
I am not in agreement with the TTC that the complainant’s provision of his e-mail address to the former member qualifies as valid consent to its future use. Section 31(a) of the Act, which is reproduced above, addresses the issue of consent and provides that an institution may use an individual’s personal information where “the person to whom the information relates has identified that information in particular and consented to its use.”
In order for the complainant to have provided valid consent to the future use of his personal information, he would have had to have identified the information in particular (i.e., his e-mail address) and he would have had to consent to a particular use. This consent was not provided in this instance, and I therefore conclude that the TTC’s use of the complainant’s e-mail address was not permissible under section 31(a) of the Act.
Having considered section 31 of the Act in its entirety, I conclude that the use of the complainant’s e-mail address by the TTC was not permissible under section 31 of the Act.
Conclusion on the use of personal information
In the foregoing, I have concluded that the use of the complainant’s e-mail address for a purpose unrelated to the original purpose for which it was obtained and without consent constituted a contravention of the Act.
It is important to recognize the value of e-mail address information to business and individuals in this era of electronic communication. In addition, with the proliferation of electronic advertising, promotion, and unsolicited e-mail, (also known as “spam”), the privacy of personal e-mail addresses is of great importance.
When a public official or employee acquires access to address or other contact information in the course of carrying out their duties, it is not appropriate to use that information for a purpose unrelated to the original purpose for which the information was provided.
Members of City Council may have the privilege to sit on a variety of boards and commissions such as the TTC, during their term in office. As a result of such service, they may acquire possession or access to records of personal information, some of which will be more sensitive than others.
Where such information is received, it is important that the Council member receiving the information respects the privacy of the individual to whom it relates, which includes ensuring that the information is only used for a purpose related to the purpose for which it was received. Where the record in question is correspondence containing a complaint about a municipal matter, the correspondence should only be used for the purpose of addressing, and responding to the subject-matter of that correspondence.
The primary way in which institutions such as the City and the TTC can take steps to protect the privacy of individuals choosing to correspond with board members and Councillors is through the development of policies and training. I note that in this case, the City does have a policy respecting the conduct of members of Council who are appointed as members of local boards such as the TTC, the Code of Conduct for Members of Local Boards (Restricted Definition) City of
Indeed, the Code of Conduct references the inappropriate use of confidential information, and states, in part:
Nor shall members use confidential information for personal or private gain, or for the gain of relatives or any person or corporation. As one example, no member should directly or indirectly benefit, or aid others to benefit, from knowledge respecting bidding on the sale of property or assets of the local board or City.
While this sentiment is sound, I note that the Code of Conduct does not explicitly address the improper use of records of personal information, including the use of personal information that may have been received as a result of correspondence received from members of the public.
In order to address situations such as those that led to the present complaint, I will be recommending that the City amend the Code of Conduct. Specifically, I will request that the Code of Conduct be amended to address the receipt of correspondence, including e-mail correspondence, from members of the public and make clear that the information contained in such records that qualifies as personal information under the Act is subject to the restrictions in the Act regarding improper use and disclosure. Further, the Code of Conduct should also state that personal information that comes into the possession of Council members who serve on local boards should only be used, in accordance with the Act, for purposes related to addressing the subject matter of the correspondence, and without consent, it should not be used for any other purpose.
With respect to the training of members of City Council on the importance of protecting the privacy of members of the public, the City has stated that Council members are invited to information sessions about access and privacy at the beginning of each new term in office; however, because members are not considered to be officers of the institution, they are not required to attend.
In my view, given the scope and volume of personal information that Council and Board members have access to, training on access and privacy issues should be mandatory. More particularly, such training should include information about the appropriate way to deal with correspondence received from members of the public concerning municipal business. If the City is unable to legally require Council members to attend such a training session, attendance should be strongly encouraged by the City through other appropriate means.
I will be directing these two recommendations to the City in my recommendations that appear below. In my view, the City is in the best position to train members of Council and to develop codes of conduct in relation to their work on City boards. This will ensure consistency in training and communications about these important issues and recognizes that it is the City who is responsible for establishing local boards as set out in the COTA.
I will also be recommending that the TTC circulate a memorandum to all of its current Board members that addresses the importance of protecting privacy with respect to the records they may receive as a result of their service on the TTC Board. The memorandum in question should particularly address, and distinguish between appropriate and inappropriate uses of the personal information contained in records of correspondence received from members of the public. In the future, the memorandum should also be provided to new Board members as part of the orientation program with the TTC.
OTHER MATTERS:
Former Member’s Website
During the course of the investigation, the complainant advised the IPC that a website maintained by the former member was still online. This website was not current, which made it appear that the former member was still a member of City Council and Chair of the TTC and it invited individuals to submit their contact details in order to receive newsletters from the former member and his staff. The website also contained the logos of both the TTC and the City of
The matter was brought to the attention of the City, who later advised that it had written to the former member to request that he remove any reference to being a current City Councillor as well as the City and TTC logos in question. As of April 1, 2011, the website in question had been taken down. This office did not conduct an investigation in relation to this aspect of this complaint.
CONCLUSION:
I have reached the following conclusions based on the results of my investigation:
The complainant’s e-mail address qualified as personal information under section 2(1) of the Act.
The complainant’s personal information was in the custody of the City.
The complainant’s personal information was under the control of the TTC.
The City’s use of the complainant’s e-mail address was not in accordance with section 31 of the Act.
The TTC’s use of the complainant’s e-mail address was not in accordance with section 31 of the Act.
RECOMMENDATIONS
During the course of this investigation, the City Clerk wrote a letter to the complainant in care of this office. In the letter, while the City Clerk maintained that the City did not have jurisdiction over the conduct of a City Councillor, it apologized for the use of the complainant’s personal information by the former member. This letter was forwarded to the complainant by the IPC.
The letter also stated that the City will take steps to raise awareness as to how members of Council should manage information given to them in their capacity as members of City agencies. The letter stated that the Clerk’s office will undertake the following:
an update to A Guide to Access and Privacy for Councillors;
work with the TTC to reinforce how to manage records;
recommend the TTC create a separate e-mail address for any Councillor appointed as a Chair or member of a Commission; and
request that the IPC provide and communicate guidelines and materials for Councillors who are appointed to City Boards.
I am pleased that the City has taken the initiative to undertake the measures listed above. With respect to the final point, that the IPC communicate guidelines and materials on this subject to Council members, I make the following recommendations below.
City of
The City should amend the Code of Conduct for Members of Local Boards (Restricted Definition) City of
That correspondence, including e-mail correspondence, received from individual members of the public that is identifiable constitutes “personal information” under the Act; and
That such correspondence and the personal information it contains should only be used in accordance with the Act, and should not be used, without consent, for any purposes unrelated to the purpose for which it was received.
The City should strongly encourage all current members of City Council to attend a training session on access and privacy where instruction regarding privacy protective measures for the handling of personal information should be provided. Training on access and privacy should also be a mandatory component of the orientation of
TTC
The TTC should circulate a memorandum to all of its current Board members addressing the importance of protecting privacy with respect to the records they receive as a result of their service on the TTC Board. The memorandum should particularly address the appropriate and inappropriate uses of the personal information contained in records of correspondence received from members of the public. In the future, the memorandum should be provided to new Board members as part of the orientation program with the TTC.
By December 2, 2011, both the City and the TTC should provide the Office of the Information and Privacy Commissioner with proof of compliance with the above recommendations.
Original signed by: August 31, 2011
| Investigator
|
|
|
[1] The Code of Conduct is available online:
http://www.toronto.ca/integrity/pdf/code-conduct-local-boards.pdf .
[3] See statement by the Hon. Charles Sousa to the provincial legislature on 22 February 2011 regarding Bill 150, Toronto Transit Commission Labour Disputes Resolution Act, 2011, session 2 parliament 39, online:
[6] Concise
[7] Available online: http://www.toronto.ca/cap/pdf/councillors_guide.pdf .
[8] The TTC’s Standard Operating Procedure – Customer Services Section is available online:
[9]