PRIVACY COMPLAINT REPORT
PRIVACY COMPLAINT PC-010011-1
Ministry of Community and Social Services
July 10, 2001
MEDIATOR: Frances Soloway
INSTITUTION: Ministry of Community and Social Services
(formerly Ministry of Attorney General)
SUMMARY OF COMMISSIONER INITIATED COMPLAINT:
The Office of the Information and Privacy Commissioner (the IPC) received a letter dated March 9, 2001, from the Director of the Family Responsibility Office (FRO) setting out circumstances that resulted in an inadvertent disclosure of personal information. Specifically, correspondence intended for one support payor was sent to another support payor.
On the basis of receiving this March 9, 2001 letter the IPC initiated an investigation under the Freedom of Information and Protection of Privacy Act (the Act).
It should be noted that at the time the IPC initiated this complaint, FRO was part of the Ministry of the Attorney General. Subsequently, FRO was transferred to the jurisdiction of the Ministry of Community and Social Services (the Ministry).
The Family Responsibility Office
The Family Responsibility Office (FRO) operates under the authority of the Family Responsibility and Support Arrears Enforcement Act, 1966 to:
• collect support payments on behalf of recipients
• enforce court-ordered support payments
• enforce certain domestic contracts and paternity agreements filed with the court.
FRO mails out more than 6,000 pieces of case-related correspondence per day.
The disclosure
The Director’s letter set out additional details regarding the disclosure. A FRO support payor (Client A) telephoned to request that FRO notify the credit bureaus to adjust his credit rating as his case had been closed and no arrears were owing. FRO faxed a notice to the credit bureaus and also prepared a copy of the notice to be sent by mail to the client.
A similar request was made by another FRO support payor (Client B). Both requests were handled on the same day, at approximately the same time, by the same FRO employee and unfortunately, Client A was mailed the correspondence intended for Client B. Client B received his own correct information.
The matter came to FRO’s attention upon receiving a letter from Client A advising of the error.
DISCUSSION:
The following issues were identified as arising from the investigation:
Is the information "personal information" as defined in section 2(1) of the Act?
Section 2(1) of the Act states, in part:
“personal information means recorded information about an identifiable individual, including,
(a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,
(b) information relating to the education or medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
(c) any identifying number, symbol or other particular assigned to the individual,
(d) the address, telephone number, fingerprints or blood type of the individual,
(h) the individual’s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual;”
I have reviewed the record at issue, namely the copy of Client B’s notification to the credit bureau mailed to Client A. The notification contains Client B’s name and address, the FRO case number, his social insurance number and date of birth.
I find that the information is clearly the personal information of Client B as enumerated in clauses (a), (b), (c), (d) and (h) of section 2(1) of the Act. FRO does not dispute this.
Was the disclosure of the personal information in accordance with section 42 of the Act?
Section 42 of the Act sets out a number of circumstances under which an institution may disclose personal information. Clearly, in light of the circumstances surrounding this complaint, I find that none of them apply. FRO does not dispute this finding.
Steps taken by FRO
1. Upon receipt of Client A’s letter, FRO immediately conducted an investigation and formed a Mail Procedures Ad Hoc Task Force to investigate why the incident occurred and to make recommendations to improve the outgoing mail process.
Overall, the Committee’s recommendations included an extensive review of current work processes, again with a view to reducing human error, ensuring people are accountable for their own work as well as further training on access and privacy, and ensuring consistency of process in all areas. In particular,
• expanding use of technology, e.g. envelopes prepared by computer rather than handwritten;
• to cut down on the amount of mail handled, that FRO not provide the support payor with a copy of the letter sent to the Credit Bureau. Historically, Credit Bureaus were not meeting standard response time. Currently, Credit Bureaus are responding within standard (48 hours), making this courtesy to support payors no longer necessary;
• examining whether in fact too many people are handling/checking mail, reducing accountability for any one person (in this incident, a unit assistant and a staff member from the mail room checked that the letter and envelope matched, and neither caught the error);
• limiting access to the mail area of the Intake Department.
2. The Director wrote an apology letter to Client A and began the process of contacting Client B.
3. FRO changed the case numbers of both Client A’s and B’s files to ensure the integrity of the automated telephone system. The Director wrote to Client A and B, as well as to their respective support-recipients advising them of the change should they require information in the future.
CONCLUSION:
I commend the FRO staff for their prompt response when learning of the improper disclosure of personal information and for seeking the assistance of this Office. It is clear the FRO understands the seriousness of this matter. FRO immediately took steps to notify the parties, change case numbers, and form an internal task force to investigate the incident and to make recommendations.
I have reached the following conclusions based on the results of our investigation:
1. The personal information of one individual was disclosed, in contravention of the Act.
2. The disclosure was inadvertent, through human error. Although there is a procedure in place which requires that two staff check to ensure that letters are placed in the correct envelopes, neither staff noticed the mistake.
RECOMMENDATIONS:
Over the past year the IPC and FRO have established an excellent working relationship. In response to a previous IPC recommendation in February 2001, FRO completed an independent, comprehensive Privacy Audit aimed at identifying and eliminating, among other things, the potential privacy risks of accidental inappropriate disclosure of personal information. The audit made a series of broad-ranging recommendations which FRO is in the process of implementing.
Taking into consideration the privacy-protective work already being done by FRO in relation to our investigation into this matter, I recommend the following:
1. FRO continue to work toward implementation of the recommendations outlined in their Privacy Audit. In particular, as related to this incident, recommendations related to the increased use of technology to cut down on human error - e.g. having envelopes addressed on the computer from their corresponding letters, and exploring the possibility of increasing capacity to allow for the development of a case management system.
2. FRO implement the recommendation of the Mail Procedures Ad Hoc Task Force Committee that FRO no longer provide copies of credit bureau notifications to clients, thereby reducing the number of items FRO must mail out and therefore reducing to some degree the potential for human error.
FRO should provide the Office of the Information and Privacy Commissioner with proof of compliance with the above recommendations by October 10, 2001.
Original signed by: July 10, 2001
Frances Soloway
Mediator