Privacy Reports

Decision Information

PC-000022-1

Collection Privacy Reports
Date 2001-03-27
File Numbers PC-000022-1
Adjudicators Tom Mitchinson
Type Privacy Complaint Report
Subjects Privacy Complaints
Applicable Legislation FIPPA; FIPPA - 40(4)
Summary:


The Ministry of Community and Social Services (the Ministry) notified the Information and Privacy Commissioner’s Office (the IPC) about a possible breach of the
Freedom of Information and Protection of Privacy Act (the Act). The Ministry explained that a television reporter had contacted the Ministry about confidential information that was found in a garbage bag in a dumpster area near a specified youth Observation and Detention Home (the Home). The Ministry also advised the IPC that it was in the process of conducting an investigation into this matter, and subsequently provided this Office with a copy of its Compliance Review Report (the Report) which outlined the results of the internal investigation.

Decision Content

INVESTIGATION REPORT

 

                                        

INVESTIGATION PC-000022-1

 

 

Ministry of Community and Social Services

 

 

 

 


March 27, 2001

INTRODUCTION:

 

Background of the Complaint

 

The Ministry of Community and Social Services (the Ministry) notified the Information and Privacy Commissioner’s Office (the IPC) about a possible breach of the Freedom of Information and Protection of Privacy Act (the Act).  The Ministry explained that a television reporter had contacted the Ministry about confidential information that was found in a garbage bag in a dumpster area near a specified youth Observation and Detention Home (the Home).  The Ministry also advised the IPC that it was in the process of conducting an investigation into this matter, and subsequently provided this Office with a copy of its Compliance Review Report (the Report) which outlined the results of the internal investigation.

 

Summary of the Ministry’s Investigation and Findings

 

The Report explained that the Home is an eight-bed open custody/detention facility providing services to Phase 1 young offenders, and that the Home is directly operated by the Ministry.  The Report indicates that a local business had found garbage on its property belonging to the Home.  The garbage had apparently been left there by the company under contract with the Home to provide cleaning services.  This company is located next door to the business that found the garbage.

 

The Ministry’s investigation was focussed on determining whether there had been any breach of client confidentiality.  The scope of the Ministry’s investigation included an on-site investigation at the Home.  Information was obtained from the Acting Superintendent at the Home, as well as through a telephone interview with personnel employed by the Ontario Realty Corporation (ORC) who oversee the cleaning company’s contract.  Other information/documents reviewed by the Ministry included the Home’s policies and procedures, client records and all the client-related information which had been returned to the Home following the incident.  A physical site inspection of the Home was also conducted.

 

The findings in the Report indicate that had been a breach of client confidentiality and that the existing practices for maintaining, disposing and destroying personal information were not in compliance with Section 40(4) of the Act and Regulation 459.

 

Issues Arising from the IPC Investigation

 

The following issues were identified by the IPC as arising from the investigation:

 

(A)             Was the information in question “personal information” as defined in section 2(1) of the Act?  If yes,

 

(B)              Was the personal information disclosed in compliance with section 42 of the Act?

           

(C)       Was the personal information disposed of in a secure manner as required by section 40(4) of the Act and Regulation 459?

 

 

RESULTS OF THE INVESTIGATION:

 

Issue A:          Was the information in question “personal information” as defined in section 2(1) of the Act?

 

Section 2(1) of the Act defines “personal information”

 

as recorded information about an identifiable individual, including,

...

           

(h)        the individual’s name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

 

As a result of the internal investigation, the Ministry determined that no client records were included among the records found in the dumpster area.  However, the Ministry did ascertain that documents such as a staff assignment, a torn teacher’s report, a desk blotter and a note reflecting a scheduled client appointment were included among the records found and returned to the Home.  These records included the names of clients written on “post-it” notes and the desk blotter.

 

It is clear that the names of clients, included on records held by the Home, constitute the personal information of these individuals as defined in section 2(1) of the Act.  The Ministry does not dispute this finding.

 

Conclusion:    The information in question was personal information as defined in section 2(1) of the Act.

 

 

Issue B:          Was the personal information disclosed in compliance with section 42 of the Act?

 

Section 42 of the Act sets out a number of circumstances under which an institution may disclose personal information. 

 

We have reviewed the provisions of section 42 of the Act and found that none applied in these circumstances.

 

The Ministry does not dispute this finding.

 

 

Conclusion:    The disclosure of personal information was not in compliance with section 42 of the Act.

 

Issue C:          Was the personal information disposed of in a secure manner as required by the Act?

Fair information practices require that care should be used in the disposal and destruction of personal information, to prevent unauthorized parties from gaining access to the information. 

 

Section 40(4) of the Act deals with the disposal of personal information.  It states:

 

A head shall dispose of personal information under the control of the institution in accordance with the regulations.

 

Ontario Regulation 459, implemented under the Act, pertains to the disposal of personal information.  Sections 4(1), 5 and 6 of this regulation provide as follows:

 

s.4(1)   Every head shall ensure that all reasonable steps are taken to protect the security and confidentiality of personal information that is to be destroyed, including protecting its security and confidentiality during its storage, transportation, handling and destruction.

 

s.5        Every head shall take all reasonable steps to ensure that when personal information is to be destroyed, it is destroyed in such a way that it cannot be reconstructed or retrieved.

 

s.6(1)   Every head of an institution shall ensure that the institution maintains a disposal record setting out what personal information has been destroyed or transferred to the Archives and the date of that destruction or transfer.

 

s.6(2)   The head shall ensure that the disposal record maintained under subsection (1) does not contain personal information.

 

The Ministry’s investigation determined that the Home had no written policy or procedure on how to dispose of confidential material.  In practice, staff disposed of sensitive client information, such as plans of care, by using a secured shredding bin located in the supervisor’s on-site office. 

 

As part of initial training and orientation, staff of the Home were advised of the shredding practice for client files.  This orientation did not address how to properly dispose of documents such as letters, “post-it” notes, memos and monthly calendar of events.

 

Although regular garbage cans and a shredding bin were located in the Home’s main office, there were no paper saver/security bins in the intake office or classroom.  In addition, the Ministry determined that informal documents such as “post-it” notes were not consistently disposed of in the security shredding bin.

 

The Ministry also determined that the cleaning company under contract with the ORC was responsible for disposing of garbage from the Home, but was not responsible for disposal of shredded paper products.  According to the Ministry, this activity was handled by a separate private shredding company under contract with the Home.  The Ministry was unable to provide this Office with a copy of this contract.  The explanation offered by the Ministry was that it inadvertently placed in an administrative file and was itself shredded in accordance with the records retention schedule for the administrative file.  The Ministry explained that the company has been performing this service since 1994-1995, and that the contract is renewed yearly on an automatic basis.

 

The Ministry’s internal investigation confirmed that the existing disposal practices of the Home did not adequately ensure client confidentiality.  Personal information which was intended to be destroyed was actually found by third parties among the records in the dumpster area, confirming the inadequacy of the Home’s practices. 

 

Accordingly, the Ministry did not take adequate steps to ensure that the personal information was disposed of in a secure manner, and was therefore not in compliance with section 40(4) of the Act and Regulation 459.

 

The Ministry does not dispute this finding.

 

Conclusion:    The personal information was not disposed of in a secure manner as required by section 40(4) of the Act and Regulation 459.

 

 

OTHER MATTERS

 

Immediate steps taken by the Home

 

Upon learning that records had been found in the dumpster area, the Home took the following steps in order to minimize the impact of the privacy breach:

 

 

1.                  The Superintendent of the Home discussed the breach of confidentiality on an individual basis with the clients involved and their legal guardians.  The Superintendent reviewed the clients’ right to confidentiality with them, informed them of the role of the Office of Child and Family Service Advocacy (the Advocacy Office), and advised them of their right to contact the Advocacy Office should they wish to pursue the issue.  Documentation to reflect the discussions was placed in the clients’ files.  The Ministry advised our Office that none of the clients pursued the matter with the Advocacy Office.

 

2.                  A preliminary policy and procedure was developed to address the issue of proper disposal of client-identifying material.  This preliminary policy and procedure was posted in the Home and sent to all employees for immediate implementation.

 

3.                  Paper saver cans were placed at each work site throughout the Home for immediate disposal of paper products containing client information.  The number of garbage cans throughout the Home was reduced to enable employees to better monitor the disposal of personal information.

 

4.                  Current clients were instructed on the procedure for disposing of personal information to ensure confidentiality.

 

5.                  The ORC was asked to follow up with the private cleaning contractor.  The ORC subsequently confirmed that the cleaning company had agreed to dispose of all of the Home’s garbage directly to the city dump.

 

Ministry’s recommendations to the Home

 

After completing its internal investigation, the Ministry made the following recommendations for ways the Home could improve its personal information management practices:

 

 

1.                  All client/collateral-related information be placed in the central secured shredding bin to protect the security and confidentiality of personal information during its storage, transportation, handling and destruction.

 

2.                  The Home finalize the policies and procedures to direct staff on the disposal of information pertaining to clients, based on IPC Practices entitled “Safe and Secure Disposal Procedures for Municipal Institutions.”

 

3.                  All staff receive training regarding the policies and procedures and upon completion, that a record be maintained in the Home indicating that procedures have been reviewed with each staff person.

 

4.         The Home develop policies and procedures to ensure that clients of the Home receive instruction on how to dispose of client-related information.

 

5.         All clients be informed of the policies and procedures during their admission to the Home.

 

6.                  A record be maintained in the Home indicating that each client has been instructed on the disposal of client-related information.

 

7.         The Ministry review its practices regarding electronic communication of client information against the direction from Management Board Secretariat’s policy on the same topic.

 

The Ministry has confirmed to this Office that the Home has implemented all of the above recommendations.

           

The shredding contract

 

Because we were unable to obtain a copy of the shredding contact, we could not determine whether its provisions adequately address the requirements for the proper disposal of personal information.  We are also concerned that the Ministry is operating under the terms of a contract for shredding services without knowing the obligations and responsibilities governing the parties to the contract. 

 

 

CONCLUSIONS:

 

We commend the Ministry and the Home for the prompt action taken in retrieving and securing the garbage bag that was found in the dumpster, and for immediately conducting an investigation and providing us with their Report.

 

We have reached the following conclusions based on the results of our investigation:

 

1.                  The information in question was personal information as defined in section 2(1) of the Act.

 

2.                  The disclosure of personal information was not in compliance with section 42 of the Act.

 

3.                  The personal information was not disposed of in a secure manner as required by section 40(4) of the Act and Regulation 459.

 

4.                  Despite the Home’s intention that the garbage not contain personal information and that personal information be shredded, the absence of proper procedures in place for staff and clients to follow regarding the appropriate manner for disposing of personal information led to the incident.

 

5.                  With the exception of uncertainties that remain due to the inability of the Ministry to produce a copy of the shredding contract, the necessary steps have been taken to prevent any possible future improper disclosure and disposal of personal information at the Home. 

 

 

RECOMMENDATIONS:

 

We recommend that the Ministry take the following actions with respect to their current process for the handling and disposing of personal information:

 

 

1.                  Ensure that the Home’s current policy and procedure clearly establishes what types of information is to be disposed of in the garbage and what types of information should be shredded.

 

2.                  Have the Home confirm the details of the shredding contract with the shredding company in writing ensuring proper privacy protections.

 

3.                  Provide our office with a copy of both the Home’s policy and procedures and the shredding contract for review.

The Ministry should provide the Office of the Information and Privacy Commissioner with proof of compliance with the above recommendation by June 27, 2001.

 

 

           

 

           

 

 

 

Original signed by:                                                                              March 27, 2001                                            Tom Mitchinson                                                      Date

Assistant Commissioner

 You are being directed to the most recent version of the statute which may not be the version considered at the time of the judgment.