Privacy Reports

 

 

 

 

 

 

 

 

                     PRIVACY COMPLAINT REPORT

 

 

                           PRIVACY COMPLAINT PC‑000042‑1

 

 

                         Office of the Public Guardian and Trustee

 

 

 

 

 

 

May 25, 2001

                     PRIVACY COMPLAINT REPORT

 

 

 

PRIVACY COMPLAINT  NO.                  PC‑000042‑1

 

 

MANAGER OF MEDIATION:                 Diane Frank

 

 

INSTITUTION:                                            Office of the Public Guardian and Trustee

 

 

 

SUMMARY OF COMMISSIONER INITIATED COMPLAINT:              

 

The Office of the Information and Privacy Commissioner (the IPC) received a letter, dated November 24, 2000, from the Assistant Deputy Attorney General, Family Justice Services Division, setting out the circumstances surrounding the theft of a briefcase from an Office of the Public Guardian and Trustee (the OPGT) investigator, resulting in the inadvertent disclosure of personal information.  The letter indicated that the OPGT welcomed the IPC’s advice and comments on this matter.  On the basis of this letter, the IPC initiated an investigation under the Freedom of Information and Protection of Privacy Act (the Act) .

 

Theft of the briefcase

 

OPGT investigators conduct property inventories for OPGT clients (incapable adults for whom the OPGT acts as guardian of property, and estates of deceased persons where there is no one else available to administer the estate), and they also investigate allegations of abuse against incapable adults.

 

The letter received from the Assistant Deputy Attorney General sets out the following information regarding this incident:

 

On November 15, 2000, between the hours of 7:30 p.m. and 8:00 p.m., a car belonging to an investigator with the OPGT was broken into, and a briefcase was stolen.

 

The briefcase contained personal information belonging to a number of individuals.  Paper records were stolen that contained basic personal information such as names and phone numbers of persons connected with OPGT investigations.  A computer disk containing identifying information belonging to a number of individuals was also stolen along with a dicta tape containing similar information.  There were also unlabelled keys to a house owned by one OPGT client.

 

The letter stated that the briefcase was locked in the back of a hatchback car, covered by a blanket and gym bag.  The investigator had the information in his car because it was needed for his work duties the following day.  At the time of the break-in, the investigator was attending on a personal errand.

The letter also confirmed that the investigator had reported the theft to the police and that the police were investigating the matter, but that none of the stolen property had been recovered.

 

Immediate steps taken by the OPGT

 

1.                  In the case of the stolen keys, the OPGT acted to ensure that the locks to the client’s house were changed and the property checked.

 

2.                  The Public Guardian and Trustee prepared and circulated an internal memorandum to all staff, dated November 23, 2000, reminding staff of the duty to safeguard OPGT information and property by taking all precautions necessary.  Staff were advised that they must not remove information from the office unless it is needed to perform work of the OPGT.  Staff were reminded that OPGT property must not be left unattended, unless there is no alternative and all reasonable precautions are taken to keep it safe.

 

3.                  The OPGT began the process of notifying two individuals whose personal information was contained in the stolen records.

 

4.                  The OPGT made a decision not to notify the other ten individuals for the reason that they are either incapable and would not understand or appreciate the nature of the information and it may cause harm to their condition; or, that to do so would jeopardize the status of ongoing investigations and possibly put an incapable person at risk of personal or financial harm.

 

DISCUSSION:

 

The following issues were identified as arising from the investigation:

 

Is the information "personal information" as defined in section 2(1) of the Act?

 

Section 2(1) of the Act states, in part:

 

APersonal information means recorded information about an identifiable individual, including,

 

(a)        information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,

 

(b)        information relating to the education or medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,

 

(d)       the address, telephone number, fingerprints or blood type of the individual,

 

(h)        the individual’s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

 

The OPGT confirmed that the names, addresses and telephone numbers, along with other information about twelve individuals (eight clients and four others) was inadvertently disclosed as a result of the theft of the briefcase.  In particular, the briefcase contained:

 

•           Computer disk containing identifying information on three guardianship investigations.

 

•           Two paper files:

 

•           One file is a new investigation file with minimal information regarding the allegation.

 

•           The second file contains allegation information, the investigator’s notes and copies of letters from the investigator to third parties requesting information.

 

•           Two request for investigation memos pertaining to two clients for whom the OPGT is statutory guardian:

 

•           One memo concerns a request to the investigator from the client representative to attend at the client’s property to conduct an inventory of chattels.  The inventory is noted on  a dicta tape.

 

•           The second memo concerns a request to the investigator from the client representative to attend the client’s property to take photos of the property and verify tenancy.

 

•           Information on a dicta tape with inventory of chattels concerning a Crown estate investigation.

 

I  find that the information is clearly personal information as enumerated in clauses (a), (b), (d) and (h) of section 2(1) of the Act.  The OPGT does not dispute this.

 

Was the disclosure of the personal information in accordance with section 42 of the Act?

 

Section 42 of the Act sets out a number of circumstances under which an institution may disclose personal information.  Clearly, in light of the circumstances surrounding this complaint, I find that none of them apply.  The OPGT does not dispute this finding.

Status of the police investigation

 

The incident was reported to the police on the evening of November 15, 2000.  The OPGT has advised that several follow-up phone calls to the police confirmed that the stolen property containing the personal information of the twelve individuals had not been located.  The matter is still under investigation by the police.

 

Additional remedial steps taken:

 

•           Investigators have been told that when they are out doing field work that they are to separate their office equipment (including laptop computer equipment, cell phones and cameras) from client records.  The client records on their own are unlikely to be attractive to thieves. 

 

•           The Public Guardian and Trustee’s memorandum has been posted on the OPGT intranet site.

 

•           The OPGT reported the incident to the Deputy Attorney General at the Ministry of the Attorney General (the Ministry).  All OPGT staff received, via e-mail, an "interim" policy issued by the Deputy Attorney General on the subject of "Transporting Confidential Information".  The policy addresses procedures for the removal of confidential information from the office and, in particular, sets out protocols for the use of laptop computers outside the office.  (This policy is one of a series of four privacy related policies being developed by the Ministry of the Attorney General.  The others deal with faxing, document security, and conveying information over the telephone).

 

The OPGT indicated that, in addition to investigators, there are other OPGT staff that come into contact with client personal information.  Client representatives, who manage the financial affairs of mentally incompetent clients, go out on the road to meet clients and social workers.  Treatment decisions consultants, who make decisions regarding client treatment, will occasionally visit clients. The OPGT recognizes the need to ensure that all OPGT staff, including investigators, client representatives and treatment decisions consultants, are familiar with the November 23, 2000 internal memorandum, the Ministry’s “interim” policy on the transportation of confidential information and the privacy provisions of the Act.

 

CONCLUSIONS:

 

I commend the OPGT staff for their prompt response after learning of the theft and therefore improper disclosure of personal information through its Toronto office, and for the steps the OPGT has taken to address this particular situation and more general privacy issues.  It is clear that the OPGT understands the seriousness of this matter and gave considerable thought to appropriate action in light of the delicate nature of the OPGT's work.

 

I have reached the following conclusions based on the results of our investigation:

 

1.         The personal information of twelve individuals was disclosed in contravention of the Act.

 

2.         The disclosure was inadvertent as it was caused by the theft of an OPGT investigator's briefcase, which contained the personal information in question, from his locked car.

 

3.                  The OPGT provided this office with detailed explanation and reasoning as to why they gave notice of the theft only to certain individuals.  Given the particular nature of the OPGT’s work, I am satisfied with their decision to limit notification in this instance.

 

4.         Thefts of work materials (briefcases, laptop computers, etc.) containing personal information are an increasingly common occurrence generally.  The theft of personal information from the OPGT raises concerns about the awareness of all staff regarding the Act and issues pertaining to privacy protection.

 

RECOMMENDATIONS:

 

In addition to the initiatives already put into place by the OPGT, I recommend the following:

 

1.         The OPGT revise its November 23^rd internal memorandum "Protection of Privacy" to include specific reference to institutions obligations under sections 41, 42 and 43 of the Act, and distribute it to staff as well as post it on bulletin boards and on the intranet.

 

2.         The OPGT provide all new staff with a copy of the revised memorandum as part of an orientation program.

 

3.         The OPGT establish an ongoing training program for all new and current staff on both the access and privacy provisions of the Act, and OPGT privacy policies.

 

4.                  While the OPGT is a separate institution under the Act, the head is the Attorney General.  Just as the OPGT adopted the Ministry of the Attorney General’s interim policy on “Transporting Confidential Information”, I further recommend that the OPGT adopt the Ministry of the Attorney General’s other confidentiality policies, once they have been revised in accordance with the IPC’s comments provided to the Assistant Deputy Attorney General.

 

 

 

 

The OPGT should provide the Office of the Information and Privacy Commissioner with proof of compliance with the above recommendations no later than August 25, 2001.

 

 

 

 

 

 

Original signed by:                                                                            May 25, 2001               

Diane Frank

Manager of Mediation