
CYFSA DECISION 26

Complaint FR22-00051

A Children’s Aid Society

April 23, 2025

Summary: A children’s aid society contacted the Information and Privacy Commissioner of Ontario to report privacy breaches under the Child, Youth and Family Services Act (the Act). The breaches involved 73 incidents of unauthorized uses of personal information by nine of its employees. In this Decision, I find that although the CAS did not have reasonable measures in place to protect personal information at the time of the breaches, it has since taken steps to effectively remediate the breaches. As a result, I find that a review of this matter under section 318(1) of the Act is not necessary.

Statutes Considered: Child, Youth and Family Services Act, 2017, S.O. 2017, c. 1, Sched. 1, sections 308(1) and 318(1).

INTRODUCTION:

[1] On December 14, 2022, a children’s aid society (CAS) notified the Information and Privacy Commissioner of Ontario (the IPC) of 73 privacy breaches under the Child, Youth and Family Services Act (the Act). The breaches involved unauthorized uses of the Child Protection Information Network (CPIN) database for non-work-related purposes by nine employees. This type of breach is commonly referred to as “snooping”.[1]

[2] The IPC opened a complaint file to address this matter.

[3] During the early resolution stage of this complaint, the CAS provided details of the breaches and its response. After reviewing the information, this office had concerns with the privacy training provided to staff, the signing of confidentiality agreements, and the CAS’s privacy-related policies and procedures.

[4] The file was moved to the investigation stage of the complaint process, and as part of the investigation, I requested and received written representations from the CAS.

[5] In this decision, based on the information provided, I find that the CAS did not have reasonable measures in place to protect personal information at the time of the breaches. However, the CAS has since taken steps to remediate the situation and accordingly, I am satisfied that the CAS now has adequate measures in place to comply with section 308(1) of the Act, and a review of this matter is not warranted.

BACKGROUND:

[6] On October 6, 2022, during an exit interview with an employee, the exiting employee expressed concerns that multiple employees of the CAS had inappropriately accessed a file that had recent media attention.

[7] In response to this allegation, the CAS completed an audit of the identified file, as well as an audit of three other files that were deemed high profile. The audits raised concerns about possible inappropriate accesses by 12 employees.

[8] The CAS interviewed each of the 12 employees and it was determined through those interviews that nine employees accessed at least one file without authorization. These employees held a range of roles within the CAS and had been employed for varying lengths of time ranging from 11 months to 22 years.

[9] To determine the full scope of the breaches, further audits were conducted for each of the nine employees and additional interviews were held.

[10] During the review of the audits, accesses were identified as unauthorized if the employee had no clear link to the file or where the employee could not provide a rationale or recollection for accessing the file.

[11] The CAS noted that in some cases the accesses occurred months before the interviews, so it is possible that some of them were for a legitimate reason; however, at the time of the interview, the employee could not provide any rationale, recollection, or documentation to support the access. Nevertheless, each of the nine staff had at least one instance of a clear and unequivocal unauthorized access.

[12] The CAS determined that a total of 73 family files had been accessed without authorization.

[13] Some of the types of records that were accessed without authorization included intake records, investigation records, ongoing records, other child welfare records, child in care records, kinship service records, and historical case records. The types of personal information contained in these types of records could include highly sensitive information such as, parent/caregiver names, names of children, detailed reports of allegations, information about the family relationships, details of criminal charges or history of criminal activity, prior involvement with the CAS and elsewhere in Ontario, findings of investigations and case notes of meetings and correspondence, CAS assessments, coding, child placements, and court information.

[14] In response to the breaches, the CAS placed all nine employees on an unpaid suspension. During the suspension, the employees’ access to CPIN was suspended.

[15] When the employees returned from suspension, probationary terms were put in place for a six-month period from the date that the employee returned to work. These included weekly audits of their CPIN activity and a requirement that employees keep a log of every access to CPIN and the reason for the access. Each employee’s supervisor reviewed the audits weekly to confirm the employees were only accessing the files necessary for their role.

[16] The CAS also alerted the Ministry of Children, Community and Social Services by filing serious occurrence reports for each employee who accessed personal information without authorization.

[17] The CAS confirmed that the affected individuals were notified between December 20, 2022, and January 31, 2023. Affected individuals with active files were notified by telephone and a follow-up letter was also sent. The affected individuals who did not have an active file were notified in writing.

[18] Based on the results of the initial audits, the CAS had concerns that there may be a systemic issue. To investigate that concern, the CAS conducted further audits of CPIN which included random audits on five additional employees. These additional audits were reviewed by the employees’ supervisors and identified no other unauthorized access of personal information.

PRELIMINARY ISSUES:

[19] The CAS does not dispute, and I find, that the CAS is a “service provider” as defined by the Act.

[20] Further, the CAS does not dispute, and I find, that the information accessed by its employees is personal information as defined by section 2 of the Act.

[21] The CAS reported this matter to the IPC as a breach of the Act. I agree and find that the breaches involved unauthorized uses of individuals’ personal information under the Act.

ISSUES:

[22] This decision addresses the following issues:

  1. Did the CAS have reasonable steps in place to ensure that personal information was protected?
  2. Is a review warranted under section 318(1) of the Act?

RESULTS OF THE INVESTIGATION:

Issue 1: Did the CAS have reasonable steps in place to ensure that personal information was protected?

[23] Section 308(1) of the Act requires that service providers take reasonable steps to ensure that the personal information in their custody and control is protected against theft, loss and unauthorized collection, use, and disclosure, among other things.

[24] Section 308(1) of the Act states:

A service provider shall take reasonable steps to ensure that personal information that has been collected for the purpose of providing a service and that is in the service provider’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.

[25] When a CAS suspects that a privacy breach has occurred, they are responsible for taking appropriate steps to respond. These steps include:

  1. Identifying the scope of the breach and taking necessary actions to contain it;
  2. Notifying the affected individuals;
  3. Investigating the cause of the breach; and
  4. Taking remedial steps to minimize the risk of similar breaches from recurring.

[26] In addition, a privacy breach that meets certain criteria must also be reported to the IPC and the Minister of Children, Community and Social Services.[2]

[27] In response to these breaches, I am satisfied that the CAS took satisfactory steps to complete steps 1 to 3 above. As such, the focus of this Decision is on the measures in place to protect personal information, at the time of the breaches, as well as the steps taken by the CAS to respond to it.

[28] The investigation of these snooping incidents raised concerns about the inconsistency of privacy training provided to staff, irregular signing of confidentiality agreements, the lack of a privacy notice, as well as gaps in several privacy policies and procedures. My analysis below focuses on these concerns and the steps the CAS took to remediate the breaches to protect personal information as required by section 308(1).

Privacy training

[29] At the time the breaches were identified, the CAS advised that it offered privacy training sessions to its staff but that these sessions were not consistently mandatory. The last mandatory privacy training was provided in 2019, prior to Part X of the Act coming into effect. Subsequent privacy training sessions, in 2020 and 2021, were not identified as mandatory. According to the CAS, the COVID-19 pandemic was not conducive to providing training.

[30] The nine employees involved in these reported privacy breaches had not completed privacy training in 2022, the year the breaches were identified. Three of the nine employees had privacy training in 2019, and four employees had completed privacy training in 2021. The remaining two employees had no record of any privacy training at all. The CAS noted that although there is no record of these two employees having completed privacy training, they may have completed the training, but it failed to record it.

[31] In response to the breaches, the Executive Director sent an email to all employees on October 28, 2022, reminding them of their obligations under Part X, the definition and consequences of snooping, and provided a link to the relevant privacy policies.

[32] In November 2022, the CAS held an all-staff town hall to discuss privacy and confidentiality, answer questions, and seek employee input on upcoming remedial privacy training sessions and related activities. Further emails were sent following the town hall to clarify responses to any questions that arose from the meeting. A second all-staff meeting took place to discuss upcoming privacy training sessions, privacy audits, and provided direction on who to contact if employees had any privacy related questions or concerns.

[33] The CAS subsequently held three mandatory all-staff privacy training sessions in December 2022, January 2023 and February 2023. Human resources and staff supervisors ensured all staff completed the training.

[34] In addition, in 2023, employees were asked to complete the Ontario Association of Children’s Aid Societies (OACAS) Part X course titled “Part X of the CYFSA – Integrating Privacy into Child Welfare Practices” between August 1 and September 30, 2023. At the end of 2023, human resources and supervisors ensured all staff completed this training as well.

[35] Moving forward, the CAS advised that upon hire, and on an annual basis thereafter, all employees will be required to complete the in-house privacy training module, as well as the OACAS privacy training course. The CAS confirmed that it has returned to providing its employees with regular in-person training and information sharing sessions.

[36] In 2024, the CAS scheduled two internal mandatory privacy training sessions. Fifty-seven employees completed the training on June 5, 2024. The remaining employees attended an in-person fall session. Casual staff were required to watch the recorded spring 2024 privacy training with their supervisor.

[37] The CAS advised that if it identifies an employee who has not completed the required training, a timeline is developed for the employee to complete the required tasks. Should the employee not complete the required training within that timeline, the Director of Service is notified and will work with the employee’s supervisor to ensure that the tasks are prioritized and completed.

[38] The CAS also advised that it has privacy-related resources such as policies created under Part X, taped training sessions, lunch and learns about privacy issues, and frequently asked questions that are available. The CAS noted that there is no way to record or track who is accessing these resources and viewing the videos, however, these resources are available to assist employees in navigating privacy issues as they arise. Employees are also able to contact designated privacy staff with any questions or concerns they have related to privacy. In addition, the CAS also established a dedicated site that allows employees to post questions, concerns, or consult with the CAS’s privacy designates as needed.

[39] The privacy training material is reviewed prior to any scheduled training sessions and, going forward, will also be reviewed on a yearly basis. The CAS advised that in its review of the training material, it will continue to consider and include relevant guidance documents such as the IPC’s “Detecting and Deterring Unauthorized Access to Personal Health Information”, as well as noteworthy examples and experiences that the CAS has learned between training sessions. The CAS’s supervisors and directors also provide feedback and suggestions on any additional information that would be particularly important to relay to staff.

Confidentiality agreements

[40] At the time of the breaches, oaths of confidentiality were signed by new hires prior to being assigned a computer and being provided access to the electronic records management systems. These oaths of confidentiality were signed during an employee’s orientation and witnessed by a human resource employee. However, employees at the CAS did not re-sign the oaths of confidentiality on an annual basis.

[41] All nine employees involved in these breaches signed a confidentiality agreement at the time of hire but none afterwards. After these breaches were identified, and as part of the remediation process, these employees have since re-signed an oath of confidentiality (except for one employee who was on leave).

[42] Also, in response to these breaches, the CAS now requires all employees to review and sign the oath of confidentiality not only upon hire, but annually as well. Human resource employees provide supervisors with a package of documents, which includes an oath of confidentiality. Supervisors must review these with each of their employees and have them signed and witnessed at the same time. Once completed, the supervisor is to return the signed and witnessed documents to human resources to scan into the employee’s digital file and have them placed in their physical file.

[43] The signing of oaths of confidentiality is now being carefully tracked by the human resource department. If staff do not complete the oath of confidentiality as required by the policy, a timeline is provided to the employee for completion of this responsibility. If the oath continues to not be signed, the Director of Service is notified and will connect with the employee’s supervisor to ensure these tasks are prioritized and completed.

Tracking of privacy training

[44] This complaint raised concerns about the CAS’s failure to consistently track the privacy training completed by its employees, and the CAS acknowledged this gap. Although the CAS has always required participants attending privacy training to confirm their attendance, it discovered that there were, in some cases, employees who missed the sign-in sheet, did not receive certificates of completion for virtual training, or simply did not attend the training.

[45] Moving forward, the CAS has confirmed it will consistently track the completion of privacy training in several ways. For in-person training, employees are notified of the importance of confirming their attendance. The sign-in sheet is circulated for employees to sign, and several reminders are provided during the training to sign attendance sheets. In addition, those providing the training now share the attendance sheet at the start and end of training and identify individuals who come late to training so that they can connect with these individuals during the training to ensure they sign the attendance sheet. If someone who confirmed they would be in attendance does not sign the attendance sheet, human resources follows up with the individual and their supervisor. Human resources will also reconcile the list of all employees with the list of employees who attended training to confirm everyone attends the privacy training sessions offered.

[46] As for virtual training, this occurs through an online platform which generates an attendance list upon request. In addition, employees are asked to have cameras on during virtual training sessions to verify their attendance.

[47] As previously noted, employees were asked to complete OACAS’s course “Part X of the CYFSA – Integrating Privacy into Child Welfare Practices”. Once completed, employees are required to send their certificate of completion to human resources. This information is then tracked through an Excel spreadsheet that includes the date the training was requested and the date it was completed.

[48] The information contained in the Excel spreadsheet, along with the certificate of completion, is added to the CAS’s electronic employee management system with an expiry date which prompts the staff member each year to renew their training. It is also contained in the employee’s digital and physical human resource file.

[49] The CAS advised that the Excel spreadsheet is updated regularly by the human resource department and has been an effective method to track completed training and identify any outstanding training for staff.

Policy and Procedures

[50] These snooping breaches also raised concerns about the lack of policies and procedures that clearly outlined expectations in terms of training, confidentiality agreements, auditing, and tracking the review of the CAS’s policies.

Training policy

[51] At the time of the breaches, the CAS did not have a written policy that addressed expectations and requirements of privacy training or a policy that included the details about the content of the training.

[52] After the breaches, the CAS developed and implemented a privacy training policy that sets out the expectations of its employees to complete privacy training, as well as the type of content that must be included in privacy training and the frequency of privacy training. This privacy training policy is reviewed annually by the CAS’s executive leadership team. This privacy training policy was approved in May 2024, and is scheduled for review in May 2025.

[53] The CAS also requires that its Director of Service and Privacy Designate and senior legal counsel review the privacy training content annually to account for any changes in the CAS’s policies, legislation, IPC decisions, and learned experiences of the CAS.

Confidentiality Policy

[54] At the time of the breaches, the CAS did not have a policy that set out the requirement to sign a confidentiality agreement on an annual basis.

[55] Although the CAS did require employees to sign an oath of confidentiality upon hire, the CAS has since updated its confidentiality policy to include the requirement to sign an oath of confidentiality on an annual basis thereafter. The policy now states:

Annual Oath Review

All employees, volunteers, independent contractors, and members of the Board of Directors are required to review and sign the Oath of Confidentiality upon hire and annually thereafter serving as acknowledgement of the obligation of privacy and confidentiality and that it is understood accordingly. The Oath of confidentiality is a witnessed document.

Auditing Policy:

[56] These breaches were identified when an employee reported concerns during an exit interview. In response, the CAS conducted audits to determine the scope of the breaches. However, at the time, the CAS did not have a formal auditing policy and did not complete regular random or targeted audits on its employees’ access to CPIN.

[57] To remedy this, the CAS drafted and implemented an auditing policy and now the CAS completes random audits on accesses to CPIN on a quarterly basis.

[58] The CAS explained that when the audit reports are generated, they are sent to the employee’s supervisor for review and validation.

[59] The auditing policy also states that the CAS may complete targeted privacy audits in situations that it identifies as high-risk activity, or in cases of unauthorized or questionable activity, as well as upon service user request.

Tracking reviews of policies

[60] During this investigation, the CAS provided relevant policies to the IPC. All these policies included a date for the next review of that policy. However, during the investigation, it became clear that the policy reviews were not consistently being completed by the required dates.

[61] The CAS advised that at the time of the breaches, it did not have a process for tracking the review of its policies. To address this, the CAS has acquired and is currently implementing a document management application that allows it to retain, track and revise agency policies and procedures. The CAS advised that this application maintains a history of revisions to policies, forecasts revision dates, and provides email notifications to employees about new or revised policies. The application also allows the CAS to require attestations from staff who read the policies and to generate reports to enable tracking.

[62] The CAS advised that policies that are due to be reviewed are presented to the executive leadership team who reviews them and makes any necessary changes.

[63] In addition, the CAS updated its review period for all the relevant privacy policies to one year.

Privacy notice

[64] At the time of these breaches, when logging on to their computers, CAS employees did not view a privacy notice reminding them of the limits to their access privileges and warning them against unauthorized access. The CAS advised that CPIN does not have such a privacy notice when users log on to the system.

[65] As a result of these breaches, the CAS has since implemented a privacy notice. All staff will now view this privacy notice when first logging on to their computers as a way of reminding them of their privacy obligations and warning them against unauthorized collection, use and disclosure.

Access Management

[66] In response to these breaches, the CAS completed an agency-wide review of the roles of its employees to determine whether the access to personal information granted was necessary for the assigned role. During this review, the CAS determined that each role was designated properly; however, it identified a gap related to how assignment and access to files was documented for one role. To address the gap, the CAS has developed a process for assignment and provided clear guidance to staff on how to properly document access for this role.

Analysis

[67] As service providers subject to the Act, children’s aid societies are required to protect personal information in their custody and control in accordance with section 308(1). Although this provision has not yet been interpreted in any published IPC decision, the IPC has considered the application of section 12(1) of the Personal Health Information Protection Act (PHIPA), which is a substantially similar provision.[3] In my view, the treatment of this provision by the IPC in PHIPA Decisions and IPC PHIPA guidance documents that relate to this section are relevant and informative in my decision as to whether the CAS has taken reasonable steps to address the concerns identified as a result of these breaches.

[68] In addition, the IPC has issued a guidance document titled “Part X of the Child, Youth and Family Services Act: A Guide to Access and Privacy for Service Providers” that sets out steps a CAS should take when protecting and managing personal information in its custody and control. This document outlines administrative, technical and physical safeguards that would be considered reasonable measures to protect personal information. To guard against snooping, such safeguards include, but are not limited to, privacy and security policies and procedures, staff training on privacy and security, confidentiality agreements, strong access controls, and logging, auditing and monitoring.[4]

[69] At the time of these breaches, there were a number of significant gaps, particularly in the CAS’s administrative and technical safeguards, that fell short of its obligation to protect personal information pursuant to section 308(1) of the Act.

[70] Namely, the CAS did not provide privacy training to its employees on a regular basis or require employees to sign confidentiality agreements annually and did not consistently track the successful completion of training or signing of confidentiality agreements. In addition, the CAS did not have policies in place that set out clear expectations regarding the obligation to complete privacy training and sign confidentiality agreements annually or include the content requirements of the privacy training. The CAS also did not have policies setting out the requirement for random or targeted auditing of employees’ accesses to CPIN. Moreover, these policies were not being consistently reviewed and updated to ensure that they stay up to date with evolving requirements and best practices.

[71] Requiring employees to complete privacy training and sign a confidentiality agreement are reasonable administrative safeguards to protect against the unauthorized collection, use and disclosure of personal information. In my view, all CAS employees should complete privacy training annually and be required to sign confidentiality agreements upon hire and on an annual basis thereafter.

[72] In addition, privacy policies and procedures must be comprehensive and set out employee obligations and expectations when it comes to protecting personal information in the custody or control of a service provider, including prohibitions against snooping. Privacy policies and procedures should be in place to detect, prevent and reduce the risk of unauthorized access to personal information.[5] Further, such policies and procedures must be regularly reviewed to ensure that they are kept up to date and relevant in light of evolving requirements and best practices.

[73] Furthermore, service providers must take proactive measures to audit their employees’ accesses to CPIN and ensure these are limited to only what is necessary for the purposes of their role. Employees must be regularly reminded of these limitations through privacy notices and warned of the consequences of violating their obligations.

[74] During this investigation, it came to light that the CAS did not have a privacy notice viewed by employees when they signed on to their computers to remind them of the limitations on their access privileges and to warn them against unauthorized access. The IPC has previously stated, in relation to PHIPA, that privacy notices may serve to prevent or reduce the risk of unauthorized access as the notices remind custodians and their agents of their obligations and of the consequences of unauthorized access.[6] It is my view that CASs should be implementing a privacy notice that employees view prior to accessing personal information as a measure to prevent unauthorized access.

[75] Since the breach, the CAS has taken steps to address the gaps identified from these snooping incidents by implementing mandatory annual privacy training and signing of confidentiality agreements. As well, it now has a systematic method in place to track successful completion of these required tasks.

[76] It has since also created and implemented privacy policies to clearly set out training, confidentiality and auditing requirements and now ensures that these policies are consistently reviewed on an annual basis. The CAS also implemented a privacy notice on all its employees’ computers to remind them of their privacy obligations and warn them against unauthorized access each time they sign on.

[77] The snooping incidents in this case involved highly sensitive information. The nine offending employees committed serious violations of the responsibilities entrusted to them and were duly suspended for their actions. The CAS responded by taking appropriate measures in response to the breach and has since taken the necessary remedial steps to mitigate the risk of a similar breach recurring. Although I find that at the time of the breach the CAS did not have adequate measures in place to comply with section 308(1), I am satisfied that it now does.

Issue 2: Is a review warranted under section 318(1) of the Act?

[78] Section 318(1) of the Act sets out the Commissioner’s discretionary authority to conduct a review as follows:

The Commissioner may, on the Commissioner’s own initiative, conduct a review of any matter if the Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene a provision of this Part or the regulations and that the subject-matter of the review relates to the contravention.

[79] In accordance with my delegated authority to determine whether a review should be conducted under section 318(1) of the Act, and for the reasons set out above, I find that a review is not warranted.

NO REVIEW:

[80] For the foregoing reasons, no formal review of this matter will be conducted under Part X of the Act.

Original Signed by:

April 23, 2025

Alanna Maloney

Mediator/Investigator

[1] “Snooping” is a type of unauthorized use of personal information in which the affected individual’s personal information is looked at without authority. See page one, “Reporting a Privacy Breach to the Information Privacy Commissioner Guidelines for Service Providers”. Available online here: cyfsa-reporting-a-privacy-breach.pdf

[2] IPC, Part X of the Child, Youth and Family Services Act: A Guide to Access and Privacy for Service Providers (May 2019), at page 29. Available online here: https://www.ipc.on.ca/sites/default/files/legacy/2019/05/part-x-guide-e.pdf

[3] Section 12(1) of PHIPA requires health information custodians to take reasonable steps to ensure that records of personal health information in their custody or control are protected against theft, loss, unauthorized use and disclosure, among other things.

[4] IPC, Part X of the Child, Youth and Family Services Act: A Guide to Access and Privacy for Service Providers (May 2019), at page 27. Available online here: https://www.ipc.on.ca/wp-content/uploads/2019/05/part-x-guide-e.pdf.

[5] IPC, Detecting and Deterring Unauthorized Access to Personal Health Information (January 2015), at page 15. Available online: https://www.ipc.on.ca/wp-content/uploads/Resources/Detect_Deter.pdf.

[6] IPC, Detecting and Deterring Unauthorized Access to Personal Health Information (January 2015), at page 15. Available online: https://www.ipc.on.ca/wp-content/uploads/Resources/Detect_Deter.pdf.
