INVESTIGATION REPORT

 

 

 

INVESTIGATION I97-049M

 

 

A MUNICIPAL BOARD OF EDUCATION

 

 

 

 

 

August 21, 1997

INTRODUCTION

 

Background of the Complaint

 

On July 30, 1997, a newspaper reporter contacted the Information and Privacy Commissioner of Ontario (the IPC), to report that a number of confidential school records had blown out of a dumpster located beside a named elementary school.  These records were said to be strewn about the residential area around the school. The reporter had also alerted officials of the school board (the Board) of this matter, as well as a number of parents whose children’s information was contained in some of the records found.

 

Soon after being notified, the principal of the school retrieved the remaining records out of the dumpster. In addition, the principal, accompanied by the school’s vice-principal and chief custodian, and one parent contacted by the media, looked around the vicinity of the dumpster for any other records that may have blown away.

 

Upon first learning of this incident on July 30th, telephone contact was immediately made with the school’s vice-principal and the Board’s Information and Privacy Co-ordinator (the Co-ordinator) that afternoon, followed by investigators from the IPC meeting with officials from the Board the next day.  Our goal was to determine whether the Board’s practices were in compliance with the Municipal Freedom of Information and Protection of Privacy Act (the Act).

 

The local newspaper also published an article on July 31st stating that “hundreds of pages” from the dumpster had blown onto the property of the person living next door to the school.  The reporter then described the types of records found and the information contained in them.  In addition to the student records, it was reported that the Visa receipts of a deceased school employee, the school’s former vice-principal, had also been found “blowing around.”

 

The reporter further stated that the person who had found these records had turned them over to another individual who had been a close friend of the former vice-principal since it was believed that this individual would know whom to contact at the school about this matter.

 

At the end of the article, the school principal, the Information and Privacy Commissioner and Board officials asked anyone possessing any of these records to contact the Board at a particular telephone number.

 

On August 7, 1997, the individual who had been a close friend of the late vice-principal returned the records to the Board, and on August 19th, the records in the newspaper’s possession were also returned to the Board.

 

 

 

Issues Arising from the Investigation

 

The following issues were identified as arising from the investigation:

 

            (A)       Was the information in question “personal information,” as defined in section 2(1) of the Act?  If yes,

            (B)       Was the personal information disclosed in compliance with section 32 of the Act?

 

            (C)       Did the Board dispose of the personal information in a secure manner?

 

 

RESULTS OF THE INVESTIGATION

 

Issue A:          Was the information in question “personal information” as defined in section 2(1) of the Act?

 

Section 2(1) of the Act defines “personal information” as recorded information about an identifiable individual, including,

 

(a)        information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,

 

(b)        information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,

           

            (c)        any identifying number, symbol or other particular assigned to the individual,

 

(d)        the address, telephone number, fingerprints or blood type of the individual,

 

(e)        the personal opinions or views of the individual except if they relate to another individual,

 

(f)        correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,

 

(g)        the views or opinions of another individual about the individual, and

 

(h)        the individual's name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

 

We reviewed a sample of the documents retrieved from the dumpster.  Some of these documents were general records such as minutes of committee meetings, agendas of principals’ meetings, and educational literature.  These documents did not contain any personal information, as defined in section 2(1) of the Act.

 

However, many of the documents we examined contained detailed student information.  Some of these documents included:

--          Assessment Forms, Evaluation Records, Daily Advisor Information Forms, Student Behaviour Records (Lunchroom), and Lunchtime Registration Forms;

--          classroom lists, a list of students for “Gifted Test Questioning,” and a list of students indicating whether they had been promoted or retained;

--          Vice-Principal’s telephone messages and personal notes;

--          Parent-Teacher Interview Forms, consent forms for the Raven’s Progressive Matrices Test, and Ministry of Education Application Form for Special Students;

--          various pieces of correspondence containing the names of students together with other information about the student (e.g., the fact that they had been referred for assessment, whether they had met certain expectations, etc.).

 

Diagnostic and Resource Team Referral Form

 

Some of the documents we examined contained sensitive student information.  One such document was the “Diagnostic and Resource Team (DART) Referral Form,” of which we found numerous copies. This form included the student’s name, sex, date of birth, grade, name of parent/guardian, address, telephone number, room number, name of the teacher, Brigance test grade levels, and number of schools attended.

 

It also contained a number of categories of information, some of which we have outlined below, along with examples of the types of remarks that were noted in them:

 

Under Main Concern:  “is on medication for ADD”, “promotional concerns”, “becomes confused easily”, “...having problems at home dealing with behaviour”, “progressing in Kindergarten program at a very slow rate.”

 

Under Areas to Develop:   “anxiety”, “difficulty following directions”, “makes strange noises”, “lacks social skills.”   

 

 

Under Pertinent OSR/Documentation File Information:  “Audiological Assessment”, “Functional Vision Assessment (CNIB)”, “Family Divorce ... wants to be with Dad”, “medical report” along with date. 

Under Recommendations:  “Parents waiting for [hospital] (Family Services) Report”, “Psychiatric Assessment”, “speech and language consultation/assessment”, and “hearing and vision testing.”

 

Assessment Form

 

We also found numerous copies of an “Assessment Form” which the vice-principal said were kept by her predecessor.  These forms contained the student’s name, room number, grade, school year, date of birth, and subjects studied.

 

It also included sections entitled as follows: “Special Needs”, “Agency Involvement”, “Office Contacts”,  “Home Contacts”, and “General Comments.”  Under “General Comments,” we noted remarks such as “poor development (slow)”, “family problems”, “possible family break-up”, and “sexual references.”  And, under “Office Contacts,” we noted comments such as “threatened to ‘punch in face,’ parents called.”

 

Records Returned to the Board

 

We reviewed the records returned to the Board by the individual who had been a close friend of the late vice-principal.  Forty-two of the returned pages contained personal information, similar to that noted above.  Another 66 documents, some with multiple pages, did not contain any personal information.  We also found four Visa receipts of the former vice-principal.

 

The information contained in the documents examined met the requirements of paragraphs (a) to (h) of the definition of “personal information” in section 2(1) of the Act.

 

            Conclusion:    The information in question was personal information as defined in section 2(1) of the Act.

 

 

Issue B:           Was the personal information disclosed in compliance with section 32 of the Act?

 

On July 31, 1997, investigators from the IPC interviewed the principal, vice-principal, and the Board’s Co-ordinator.

 

 

We were advised that the school year had ended on June 27, 1997, after which the school was closed for the summer.  However, the vice-principal explained that because she was not returning in September, she had gone to the school on July 2, 3 and 4, 1997, to clean out her files.  (She was also at the school the following Monday, July 7, to meet with her successor.)

 

The vice-principal stated that from July 2nd to July 4th, she had filled two boxes, one plastic and one cardboard, with old school records that required shredding.  She said that because the plastic box had not yet been sealed, she had placed an empty file folder on top of it marked, “To be shredded.” She said she had left this box on the top of a filing cabinet in the school’s main office.

 

The vice-principal also explained that she had tucked the flaps of the cardboard box into each other.  She said that she had not sealed the box with tape that day because she had intended to return to the school to properly seal the plastic box.  She believed she had clearly noted on the cardboard box that its contents were to be shredded, but added that she couldn’t be certain.  The vice-principal said she had left the cardboard box on the floor beside the above-noted filing cabinet in the main office.

 

The vice-principal also stated that she had thrown into her waste basket some non-confidential belongings of her predecessor, such as books, which she had kept during her tenure with the school.  The vice-principal speculated that her predecessor’s Visa receipts may have been tucked into one of these discarded books.

 

The vice-principal indicated that the main office was locked and equipped with an alarm system.  She added that both her office and the principal’s office are located within the main office.

 

The vice-principal stated that after July 7th, she had not returned to the school until July 30th, the day she learned about this matter.  She said that when she returned to the school on the 30th, the plastic box was still in its place, however, the cardboard box could not be accounted for.

 

Neither the principal nor the vice-principal were certain who had put the records in question into the dumpster, but they assumed it must have been one of the school’s six custodial staff.

 

The principal noted that when he retrieved the records from the dumpster, the dumpster had been about a third to half full.  He said that the box containing the confidential information had broken apart, along with a number of the other boxes.  The principal said he could not be sure whether the documents he had retrieved had come only from the box compiled by the vice-principal, but he was confident that he had retrieved the confidential material from the dumpster.

 

After our initial review of the documents, the vice-principal went through a sample of the records retrieved from the dumpster as well as the records returned by the close friend of the former vice principal; she positively identified the majority of them as having been discarded by herself. 

 

 

Although we cannot state conclusively that all of the records placed in the dumpster were documents originating from the vice principal’s office, based on our review of the documents retrieved, it would appear that the majority of the personal information disclosed came from documents which the vice principal had intended to be shredded.

 

Section 32 of the Act sets out the rules for disclosure of personal information other than to the individual to whom the information relates.  This section provides that an institution shall not disclose personal information in its custody or under its control, except in the circumstances listed in sections 32(a) through (l) (See Appendix A for full text).

 

The Board acknowledged that the information in question should have been shredded and that it had been placed in the dumpster in error.

 

We have reviewed the provisions of section 32 of the Act and found that none applied in these circumstances.

 

            Conclusion:    The Board’s disclosure of personal information was not in compliance with section 32 of the Act.

 

 

Issue C:          Did the Board dispose of the personal information in a secure manner?

 

Fair information practices require that care should be used in the disposal and destruction of personal information, to prevent unauthorized parties from gaining access to the information. 

 

Section 30(4) of the municipal Act deals with the disposal of personal information. It states:

A head shall dispose of personal information under the control of the institution in accordance with the regulations.

 

No regulations were made pursuant to section 30(4) of the municipal Act, unlike Regulation 459 under the equivalent section of the provincial Freedom of Information and Protection of Privacy Act, which deals with the disposal of personal information. Although there is no expectation that the Board or other municipal organizations should have been aware of Regulation 459, it is our view that all organizations would benefit from following it. Section 4(1) of Regulation 459 states:

 

Every head shall ensure that all reasonable steps are taken to protect the security and confidentiality of personal information that is to be destroyed, including protecting its security and confidentiality during its storage, transportation, handling and destruction.

 

Section 4(1) is qualified by section 4(3) which states:

 

 

In determining whether all reasonable steps are taken under subsection (1) or (2), the head shall consider the nature of the personal information to be destroyed or transferred.

 

In addition, section 3 of Regulation 823 under the municipal Act outlines the requirements for security measures needed for the protection of personal information.  Sections 3(1) states:

 

(1)        Every head shall ensure that reasonable measures to prevent unauthorized access to the records in his or her institution are defined, documented and put in place, taking into account the nature of the records to be protected.

 

We asked the Board whether it had developed any written policies or procedures to govern the destruction of records containing personal information.

 

The Co-ordinator referred us to section 8 of the “Ontario Student Record (OSR) Guideline, 1989,” which deals with the destruction of the OSR.  Specifically, it states: “The destruction of all or any part of the OSR when its retention is no longer required under this guideline shall be effected under conditions that ensure the complete and confidential disposal of the record.”

 

We were also advised that “Confidential Security Containers” are located on each floor of the Board’s administrative offices, where confidential documents can be placed for eventual shredding.  Security Containers are not, however, available in the schools.

 

The principal noted that the school does not have any written policies on disposal of personal information.  However, he said that at the beginning of each school year, the manner in which  information is to be handled is reviewed with staff.

 

The principal stated that no shredding is done at the school. When confidential records need to be disposed of, staff place the records in sealed boxes or envelopes, and mark them, “To be shredded.”  The records are then picked up on a daily basis by the Board’s mail person, along with any internal mail, and transported to a secure area in the Board’s administrative offices, where it awaits shredding by the shredding truck.  However, it was noted that there is no pick up and delivery service from the school to the Board’s offices during the summer months.

 

As previously noted, the Board acknowledged that the information in question should have been shredded.  We are in agreement.  Accordingly, the Board did not comply with the security requirements outlined in section 3(1) of Regulation 823.

 

Log of Records Disposed

 

Again, while there is no direct equivalent to these requirements in the municipal Act, it is our view that municipal organizations would benefit from following section 6 of Regulation 459, which states:

 

(1)        Every head of an institution shall ensure that the institution maintains a disposal record setting out what personal information has been destroyed or transferred to the Archives and the date of that destruction or transfer.

 

(2)        The head shall ensure that the disposal record maintained under subsection (1) does not contain personal information.

 

It was clear from our discussions with the Board that a log or disposal record had not been maintained in the circumstances of this case.  It is our view that the Board would benefit from maintaining a log of all records disposed and the manner of destruction.

 

Conclusion:    The Board did not comply with the security requirements outlined in section 3(1) of Regulation 823.

 

 

SUMMARY OF CONCLUSIONS

 

●         The information in question was personal information as defined in section 2(1) of the Act.

 

●         The Board’s disclosure of personal information was not in compliance with section 32 of the Act.

 

●         The Board did not comply with the security requirements outlined in section 3(1) of Regulation 823.

 

 

SYNOPSIS OF ACTION TAKEN

 

Corrective Action Taken

 

We commend the Board for its swift action in retrieving the records from the dumpster and surrounding areas, as soon as it learned of this matter, and for the subsequent corrective steps taken, which are outlined below:

 

1)         The principal and vice-principal apprised the trustees, superintendent, and director of this matter shortly after it unfolded.

 

2)         The principal stated that when school resumes in September, he will formally let the school’s parent organizations and its administrative staff know of what happened with respect to this matter, and what actions the school had taken.  The principal noted that while they had attempted to contact the individual who heads up both parent organizations, she could not be reached as she was on vacation.  Nonetheless, the school spoke with two other members of the parent groups -- one of them being the past president -- and apprised them of what had occurred.

 

3)         The principal and Board officials immediately asked anyone possessing any “sensitive material” to contact the Board at a particular telephone number.

 

4)         The Board’s Information and Privacy Co-ordinator wrote to the newspaper asking that it return to the Board any school records in its possession, which it subsequently did.

 

 

We would also like to note that the representatives of the Board, namely the principal, vice-principal and the Co-ordinator, gave us their full co-operation and assistance throughout our investigation of this matter.

 

 

RECOMMENDATIONS

 

Although we recognize that the personal information in question was placed in the dumpster inadvertently, to prevent this from happening again and to improve its information handling practices, we make the following recommendations:

 

1)         The Board should develop written guidelines and implement formal procedures to govern the destruction of personal information. We suggest that the Board adopt the security measures outlined in our paper, Moving Information: Privacy & Security Guidelines, relating to the disposal of personal information. The Board should also ensure that all employees are made aware of the new guidelines and procedures.

 

2)         The Board should consider either purchasing shredders or providing all schools with “Confidential Security Containers.”  While we are mindful of the budgetary constraints all institutions are under, the cost involved in the latter is not high, while the need to provide adequate data protection is pressing. We believe that the sensitive nature of the personal information held by the Board, coupled with the circumstances leading to this incident, would warrant such an expenditure.

           

3)         The Board should maintain a formal disposal record setting out what information has been destroyed, and the date and manner of the destruction.

 

4)         The Board should take reasonable steps to ensure that any outstanding records that may have gone astray as a result of this incident are retrieved and properly shredded.

 

5)         The Board should take steps to ensure that staff are made aware of the requirements of section 3 of Regulation 823, regarding the security measures that are to be in place for the protection of personal information.

 

 

Within six months of receiving this report, the Board should provide the Office of the Information and Privacy Commissioner with proof of compliance with the above recommendations.

 

 

 

 

 

 

 

Original Signed By:                                                    August 21, 1997                                                               

Ann Cavoukian, Ph.D.                                               Date                    

Commissioner

 

 

 

****

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

                                                                                                                                   APPENDIX A

 

32.       An institution shall not disclose personal information in its custody or under its control except,

 

(a)        in accordance with Part I;

 

(b)        if the person to whom the information relates has identified that information in particular and consented to its disclosure;

 

(c)        for the purpose for which it was obtained or compiled or for a consistent purpose;

 

(d)        if the disclosure is made to an officer or employee of the institution who needs the record in the performance of his or her duties and if the disclosure is necessary and proper in the discharge of the institution's functions;

 

(e)        for the purpose of complying with an Act of the Legislature or an Act of Parliament, an agreement or arrangement under such an Act or treaty;

 

(f)        if disclosure is by a law enforcement institution,

 

  (i)       to a law enforcement agency in a foreign country under an arrangement, a written agreement or treaty or legislative authority, or

 

 (ii)       to another law enforcement agency in Canada;

 

(g)        if disclosure is to an institution or a law enforcement agency in Canada to aid an investigation undertaken with a view to a law enforcement proceeding or from which a law enforcement proceeding is likely to result;

 

(h)        in compelling circumstances affecting the health or safety of an individual if upon disclosure notification is mailed to the last known address of the individual to whom the information relates;

 

(i)         in compassionate circumstances, to facilitate contact with the next of kin or a friend of an individual who is injured, ill or deceased;

 

(j)         to the Minister

 

(k)        to the Information and Privacy Commissioner;

 

(l)         to the Government of Canada of the Government of Ontario in order to facilitate the auditing of shared cost programs.~