Privacy Reports
Decision Information
The Family Responsibility Office
The Family Responsibility Office (FRO) is part of the Ministry of the Attorney General. FRO operates under the authority of the Family Responsibility and Support Arrears Enforcement Act, 1996 to:
• collect support payments on behalf of recipients;
• enforce court-ordered support payments; and
• enforce certain domestic contracts and paternity agreements filed with the court.
FRO has approximately 172,000 cases. Most cases have three parties who have related but mutually exclusive interests:
• the support payor (the payor);
• the support recipient (the recipient); and
• the income source, which is often, but not always, an employer (for ease of reference I will refer to the income source as "the employer").
The employer is required to deduct income from the payor and remit it to FRO, in accordance with directions issued by FRO.
Each day, FRO mails more than 6,000 pieces of case-related correspondence. These letters and notices are sent to the three parties, as well as to lawyers, the courts, and others involved with the administration of the program. In the middle of each month FRO implements an annual cost of living allowance (COLA) adjustment for those cases which are entitled to an adjustment during that month. This adjustment involves a mail-out of amended support notices and/or COLA notifications to all affected payors, recipients and employers (called the COLA run).
FRO has categorized six employers as "multiple employers" because they garnishee funds from a large number of payors. Rather than sending these multiple employers up to 40 individually amended support notices, FRO mails them batches of the amended notices in a single envelope.
Decision Content
INVESTIGATION REPORT
INVESTIGATION PC-000014-1
Ministry of the Attorney General
July 7, 2000
INTRODUCTION
The Family Responsibility Office
The Family Responsibility Office (FRO) is part of the Ministry of the Attorney General. FRO operates under the authority of the Family Responsibility and Support Arrears Enforcement Act, 1996 to:
• collect support payments on behalf of recipients;
• enforce court-ordered support payments; and
• enforce certain domestic contracts and paternity agreements filed with the court.
FRO has approximately 172,000 cases. Most cases have three parties who have related but mutually exclusive interests:
• the support payor (the payor);
• the support recipient (the recipient); and
• the income source, which is often, but not always, an employer (for ease of reference I will refer to the income source as “the employer”).
The employer is required to deduct income from the payor and remit it to FRO, in accordance with directions issued by FRO.
Each day, FRO mails more than 6,000 pieces of case-related correspondence. These letters and notices are sent to the three parties, as well as to lawyers, the courts, and others involved with the administration of the program. In the middle of each month FRO implements an annual cost of living allowance (COLA) adjustment for those cases which are entitled to an adjustment during that month. This adjustment involves a mail-out of amended support notices and/or COLA notifications to all affected payors, recipients and employers (called the COLA run).
FRO has categorized six employers as “multiple employers” because they garnishee funds from a large number of payors. Rather than sending these multiple employers up to 40 individually amended support notices, FRO mails them batches of the amended notices in a single envelope.
Background of the Complaint
The COLA run for May 2000 was mailed out from May 17-23 and involved approximately 5,136 clients. The COLA run also involves notification to affected employers. Approximately 2,247 of these notices were printed. The six multiple employers were all included in this mail-out.
Between May 18 and May 25, FRO received four telephone calls advising that individuals had received COLA adjustment notices about individuals other than themselves. Two callers were payors, while the other two callers were phoning on behalf of the payors. In each instance, the payors had received a batch of notices that were intended for a multiple employer.
On May 26, I received a call from the Attorney General asking me to investigate what appeared to be an unauthorized disclosure of personal information by FRO as a result of the May 2000 COLA run mail-out. I agreed to conduct an investigation, and thanked the Attorney General for promptly notifying me of a potential breach of the Freedom of Information and Protection of Privacy Act (the Act). I immediately initiated an investigation pursuant to my responsibilities under the Act.
Before discussing the substantive issues and results of my investigation, it is important to note that my Office received the full and complete co-operation of the FRO staff. We were quickly permitted access to all relevant individuals, documentation and premises, and everyone involved conducted themselves in an open and forthright manner. This enabled our investigators to conduct interviews, obtain the information that they required, and to conclude the investigation in a timely fashion.
A list of individuals interviewed during the course of the investigation may be found in Appendix A.
Issues Arising from the Investigation
The following issues were identified as arising from the investigation:
(A) Was the information "personal information" as defined in section 2(1) of the Act?
(B) Was the disclosure of the personal information in accordance with section 42 of the Act?
RESULTS OF THE INVESTIGATION
Issue A: Was the information "personal information" as defined in section 2(1) of the Act?
Section 2(1) of the Act states, in part: "personal information" means recorded information about an identifiable individual, including,
(a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,
(b) information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
(c) any identifying number, symbol or other particular assigned to the individual,
(d) the address, telephone number, fingerprints or blood type of the individual,
...
(h) the individual's name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual;
We reviewed samples of the records mailed to the employers during the COLA run. They contained the payor’s name, address, date of birth, SIN, case number, the court that issued the order, and the amount of support payments required to be paid.
The case number is a unique identifier assigned by FRO to a case file. The payor and recipient for a particular case file have the same case number. Payors and recipients are able to call a FRO automated call centre, enter the case number, and obtain basic account information about their file, such as balance owing, amount/date of last payment, answers to common questions, and enforcement activity to date.
We found that the records clearly contained the “personal information” of both the payors and the recipients, as defined in sections 2(1) of the Act.
FRO does not dispute this finding.
Conclusion: The information in question was "personal information" as defined in section 2(1) of the Act.
Issue B: Was the disclosure of the personal information in accordance with section 42 of the Act?
Section 42 of the Act sets out a number of circumstances under which an institution may disclose personal information. None of these circumstances were present in this case. Accordingly, we find that the disclosure of the personal information by FRO was not in compliance with the Act.
FRO does not dispute this finding.
Conclusion: The disclosure of personal information was not in compliance with section 42 of the Act.
OTHER MATTERS
Extent of the disclosure
Before addressing how the disclosures happened, it is important to understand the extent of the problem.
FRO has been able to confirm that, of the 2,247 cases receiving a COLA adjustment notice in May, a total of 140 cases involved mail-outs to multiple employers as part of the May 2000 COLA run. The actual number of envelopes sent to the six multiple employers cannot be determined with certainty because FRO does not record and track this information. Nor does FRO have a procedure to track the number of individual notices sent in each multiple employer envelope.
FRO has also been able to confirm that:
• Two multiple employers received all envelopes sent to them, accounting for a total of 58 of the 140 notices.
• There were two envelopes addressed to one multiple employer (employer A), which were received by two of its employees who are payors. One payor’s envelope contained nine notice forms. He retained his own form and returned the other eight to FRO. The other payor, who wishes to remain anonymous, had his father return seven notices to FRO via a federal government official. Two other notices sent to employer A could not be accounted for by FRO following discussions with this employer, so FRO assumed that they had been improperly disclosed. FRO assumes that one of these notices belongs to the payor whose father returned the seven notices to the federal government official. Therefore, a total of 17 notices associated with employer A were improperly disclosed (8 + 7 + 2).
• An envelope addressed to another multiple employer (employer B), which contained four notices, was received by one of its employees who is a payor. The payor retained his own notice and returned the other three notices to FRO.
• Another multiple employer (employer C) was sent a total of 11 notices as part of the COLA run mailing. This employer was only able to confirm receipt of two notices, so FRO assumed that the other nine notices had been improperly disclosed.
FRO has been unable to confirm whether or not:
• employer C received the nine notices referred to above;
• envelopes addressed to employer B, containing 34 notices, were received by any of its employees who are payors;
• envelopes addressed to another employer (employer D), containing 17 notices, were received by any of its employees who are payors;
Therefore, at least 20 (17 + 3) and as many as 80 (the confirmed 20, plus 34 + 17 + 9) notices addressed to multiple employers were improperly disclosed to employees of the various multiple employers who are payors under the Family Responsibility and Support Arrears Enforcement Act.
How did some notices addressed to multiple employers end up being disclosed to certain individual payors?
Most of the mailings sent by FRO, including the COLA runs, are processed by an envelope stuffing machine that inserts a single document into a single envelope. However, multiple employer notices are processed manually because the envelopes are large, and they contain varying numbers of notices, up to approximately 40.
Envelopes used for multiple employer mailings contain a window. The COLA amendment notice form which is sent to employers has a printed address that appears in the window of the envelope. The payor’s name and address also appear on the employer’s notice form, in bold, immediately below the employer’s name and address. Because the window envelope is larger than the notice letter, it is possible for documents to shift inside the envelope and allow the name and address of a payor to appear in the window. If this occurs, it is relatively easy for the post office to mistakenly conclude that that payor’s address is the correct mailing address, and deliver the envelope to the payor. FRO informed our investigators that such a mistake had, in fact, occurred some years ago.
FRO officials advised our investigators that they attempted to address this problem in the past by instructing mail room staff to staple multiple notices together and then staple the bundle of notices to the multiple employer envelopes in a way which would ensure that only the employer’s name would appear in the window portion of the envelope. This procedure was not followed for the May 2000 COLA run. Our investigation revealed a number of reasons for this error:
• the two mail room staff were temporary staff, one being quite new;
• there were no written policies or procedures covering this issue. Training was provided by a longer-term temporary employee, based on the verbal training she received in the past. This employee has since left FRO;
• the manager responsible for the mail room was on secondment and the acting manager has not yet fully integrated into the full range of job responsibilities.
The cause of the inappropriate disclosure of personal information associated with the May 2000 COLA run may be explained by the following combination of factors:
• the design of the amended support notice form;
• continued use of large window envelopes;
• the absence of written policies or procedures;
• new temporary staff; and
• inadequate training and supervision.
How did the disclosure come to FRO’s attention?
Between May 18 and May 25, 2000, FRO received four telephone calls reporting the disclosure of personal information.
Caller #1
On May 18, one of the FRO call centres received a call from the payroll department of multiple employer B, advising that an employee who is a payor received one of the packages intended for the employer. This call was not reported to FRO senior management, and only came to light on May 26 when, after subsequent disclosures had been reported, FRO management canvassed all call centre staff to determine if any calls of this nature had been received. Once discovered, FRO management staff called employer B but was unable to confirm whether or not all multiple envelopes sent as part of the May COLA run had been received.
Caller #2
On May 24, a federal government official called a FRO call centre to advise that a payor, who wished to remain anonymous, had received a multiple employer envelope and delivered it to the federal government office. The government official returned the envelope to FRO. The envelope had been opened. The returned envelope, which was addressed to employer A, contained seven notice forms. FRO was not able to confirm whether or not the payor had removed his/her notice form before handing over the envelope to the federal government office, but assumed that he/she had done so.
Caller #3
On May 25, a payor who is also an employee of multiple employer B, called a FRO call centre and spoke to the Director. He said that he had received a multiple employer envelope. This payor identified himself to FRO staff and returned the envelope to FRO after removing his notice form. Three other notice forms were included in the envelope.
Caller #4
Also on May 25, a payor, who is an employee of multiple employer A, called a FRO call centre and spoke with the Director. He said that he had received a multiple employer envelope. He identified himself and told FRO that he had kept his own form, placed the eight other notices back into the envelope, re-sealed it and marked the envelope “confidential,” and delivered the envelope to the office of his local Member of Provincial Parliament, Bruce Crozier. The Ministry of the Attorney General then contacted Mr. Crozier's office and arranged for the return of the envelope to FRO officials on May 25. At a later date, my office received a letter from Mr. Crozier asking that we investigate this matter, at which point our investigation was already well under way.
Steps taken by the FRO in response to the disclosure
Upon learning that the May 2000 COLA run mail-out had resulted in improper disclosures of personal information, FRO staff took the following steps:
1. Disabled the automated telephone service
FRO operates an automated call centre service which is updated nightly. By keying in their case number, payors and recipients are able to get basic account information such as balance owing, amount/date of last payment, answers to common questions and enforcement activity to date.
At the suggestion of our investigators, FRO disabled the entire automated information line system on May 26. This measure prevented access to personal information stored on the FRO system through use of the case number until FRO could determine the extent of the disclosure resulting from the May 2000 COLA run mail-out. Service was restored on May 29, after steps had been taken by FRO to ensure that unauthorized access through use of affected case numbers was no longer possible (see point 4, below).
2. Canvassed all call centre staff
Also on May 26, FRO canvassed all call centre staff to determine whether other calls had been received regarding receipt of multiple employer envelopes. It was as a result of this action by FRO that the first disclosure, on May 18, was discovered.
3. Contacted all multiple employers
Beginning on May 26 and continuing through May 29, FRO contacted the six multiple employers who had been mailed notices as part of the May 2000 COLA run, to determine if they had received all mailed envelopes. By the end of the working day on May 29, FRO had been able to confirm that two of the six multiple employers had received all of their envelopes.
4. Changed the case numbers
The case numbers of all payors and recipients whose notices were sent to multiple employers as part of the May 2000 COLA run, with the exception where receipt of the envelopes had been confirmed by the two multiple employers, were changed by FRO on May 29. A total of 82 case numbers were changed. Confirmation of the two notices received by employer C occurred after the case numbers for these two files had already been changed by FRO.
5. Monitored mail operations
On May 26, FRO began to monitor outgoing mail distribution to ensure that no further breaches took place.
Changed mailing procedures
On May 29, FRO stopped using window envelopes for multiple employer mailings, replacing them with regular envelopes and a mailing label.
7. Notified payors and recipients of disclosure/possible disclosure
In cases where improper disclosures had been confirmed, FRO management attempted to personally contact affected payors and recipients to advise them of the disclosure. FRO also wrote to each of the 164 payors and recipients who had been or could possibly have been the subject of an improper disclosure of their personal information. These notices also asked payors and recipients to contact FRO if they had received one of the multiple employer envelopes containing other individuals’ personal and confidential information.
8. Assigned one Client Service Associate to cases for which case numbers had been changed
Before the automated telephone system was restored on the evening of May 29, a message was programmed for the 82 payors and 82 recipients who had been assigned new case numbers, requiring them to contact a designated Client Service Associate at a specified telephone number for an explanation as to why they were unable to access the automated system. The Client Service Associate was instructed to explain that there may have been a disclosure of personal information, and that to protect the privacy of these individuals, their case numbers had been changed. The Client Service Associate was also required to take additional steps to verify the caller’s identity by checking the file notes regarding last contact, the telephone number of the caller, and passwords, where they existed.
9. Met with mail room staff
On May 29, the FRO Director met with mail room employees to stress the critical importance of privacy and confidentiality in the discharge of their responsibilities.
CONCLUSIONS
We commend FRO staff for their prompt response when learning of the potential improper disclosures of personal information, and their efforts in ensuring that the problems were contained until a solution could be determined.
We have reached the following conclusions based on the results of our investigation:
1. Despite being aware of problems associated with window envelopes, FRO continued to use them, and chose to address the problems through implementation of stapling procedures to be followed by mail room staff. The improper disclosures associated with the May 2000 COLA run were a direct result of the breakdown of these inadequate procedures.
2. Despite the extremely sensitive nature of much of the information mailed out by FRO, the temporary mail room staff were inadequately trained and inadequately supervised, particularly in regards to the handling of sensitive personal information.
3. The absence of written policies and procedures regarding the proper handling of personal information by mail room staff increased the likelihood of error, particularly since FRO uses temporary employees to perform these job responsibilities.
4. FRO lacks adequate tracking procedures for bulk distribution mail-outs sent to multiple employers, which prevented FRO from determining the extent of the disclosures which may have taken place during the May 2000 COLA run.
5. The documents sent to employers for the purpose of implementing COLA adjustments appear to contain more personal information than is necessary for employers to administer the amended support notice component of the FRO program.
RECOMMENDATIONS
We recommend that FRO take the following actions in order to prevent future improper disclosures of personal information during the course of administering its programs. Some of these recommendations are already under active consideration by FRO.
1. Implement procedures to track how many multiple employer envelopes are sent in each COLA run mail-out, and which notices are included in each envelope. Alternatively, if practicable, FRO could consider eliminating the batching of mail-outs to multiple employers and move to a one notice per envelope system.
2. Revise the format of the amended support deduction notice to employers to ensure that there can be no confusion about the address of the intended recipient.
3. Review the seven types of personal information contained on the amended support deduction notices (payor’s name, address, date of birth, SIN, case number, court, and amount of payment), to ensure that only the personal information necessary for employers to administer this component of the FRO program is included on the form.
4. Develop written policies and procedures for mail room staff to follow that include mechanisms for ensuring privacy protection.
5. Given the enormous size of FRO’s client base and the highly sensitive personal information contained in FRO program files, we recommend that all FRO program and mail room staff be given ongoing training on both the access and privacy provisions of the Act. Special attention should be given to the training needs of temporary employees.
6. In order to improve the security and reduce the potential for improper and unauthorized access to sensitive personal information contained in FRO program files, we recommend that FRO implement some form of PIN-protected access as a second layer of security.
On June 16, 2000 I sent the Ministry a draft version of this report, and provided it with an opportunity to identify any errors or omissions. In response, the Ministry advised that work is underway in response to Recommendations 1, 2, 4 and 5. I commend the Ministry for its prompt attention to these recommendations.
My Office would be pleased to assist with any of the above recommendations.
Within three months of receiving this report, the Ministry of the Attorney General should provide the Office of the Information and Privacy Commissioner with proof of compliance with all six recommendations.
FINAL COMMENTS
I feel that a postscript included in a 1997 report issued by this Office entitled “A Special Report to the Legislative Assembly of Ontario on the Disclosure of Personal Information at the Ministry of Health,” is relevant and bears repeating in the circumstances of this investigation:
In my view, the circumstances from which this report arose reflect the ultimate fragility of the protection of personal information held by government organizations. They also point to a basic truth about privacy privacy once lost cannot be regained. Once personal information is “out the door” there is simply no way of eliminating knowledge of it.
I believe it is essential for government organizations to be guided by the premise that they are only the stewards of the personal information entrusted to them. The information belongs to the person to whom it relates. Understandably, governments require personal information in order to perform the various services they provide. However, the fact that the personal information has been provided to them does not mystically transform the information into the “government’s” information. Indeed, this is the essence of the privacy rules contained in Ontario’s two freedom of information and protection of privacy acts.
In my opinion, privacy laws are only part of the answer to privacy protection. As with any law, they cannot provide an absolute guarantee. What is essential is that governments understand and respect the immense level of trust citizens place in government when they relinquish any detail of their personal information. They are disclosing details about their relationships, their finances and their health, after which point they have no control over what happens to the information. This lack of control is even more pronounced in an era of digitized information.
At its root, I feel the best privacy protection is grounded in attitude an attitude which should flow naturally from an appreciation of the nature of the relationship between government and members of the public. Governments exist at the pleasure of the governed and privacy protection is an essential part of the relationship.
Original signed by: July 7, 2000
Ann Cavoukian, Ph.D. Date
Commissioner
APPENDIX A
LIST OF INDIVIDUALS INTERVIEWED
All individuals are employees of the Ministry of the Attorney General, Family Responsibility Office
Director
Manager, Client Services
One Client Services Clerk
One Acting Client Services Associate
Two temporary mail room staff