Privacy Reports

Decision Information

Summary:

An article appeared in a Toronto newspaper about a web site that provides school bus schedule information. Although designed to help with school bus scheduling in York Region, the article suggested it was “giving out kids’ info” and “stirred up fears about children’s safety”. As a result of privacy concerns and the related safety issues raised by the article, the IPC initiated a privacy investigation under the Act with respect to the information being disclosed on this web site. The investigation found that the web site and related phone system disclosed personal information, and that these disclosures are not authorized by section 32 of the Act. In addition, these disclosures have the potential to seriously threaten the safety of students. The IPC recommended both be dismantled.

Decision Content

 

 

 

 

 


PRIVACY COMPLAINT REPORT

 

 

PRIVACY COMPLAINT NOS. MC-010032-1 & MC-010036-1

 

 

York Region District School Board and York Catholic District School Board

 

 

 

 

 

 

 


 



 

 

 

PRIVACY COMPLAINT NUMBERS: MC-010032-1 & MC-010036-1

MEDIATOR: Lois Friedman

INSTITUTIONS: York Region District School Board; York Catholic District School Board

 

 

 

SUMMARY OF COMMISSIONER-INITIATED COMPLAINT:

 

An article appeared in a Toronto newspaper about a Web site that provides school bus schedule information. The article stated that the Web site, designed to help with school bus scheduling in York Region, was “giving out kids’ info” and “stirring up fears about children’s safety”.  It went on to say that while the Web site is intended to allow parents to track the time their children are being picked up and dropped off from school, other individuals could use the Web site as well to obtain information about children, including their school, grade and when and where they are picked up and dropped off by the school bus.      

 

The Web site that was the subject of the article is jointly operated by the York Catholic District School Board and the York Region District School Board (the two school boards for York Region, which I will refer to in this report as “the Boards”). 

 

The Municipal Freedom of Information and Protection of Privacy Act (the Act) contains privacy provisions that require school boards and other institutions covered by the Act to protect personal information in their custody and control, and only disclose personal information in specified circumstances.  As a result of privacy concerns and related safety issues raised by the article, the Information and Privacy Commissioner initiated a privacy investigation under the Act with respect to the information being disclosed on this Web site.

 

As part of its investigation, the IPC reviewed the Web site and met with staff from the Boards.  During the investigation, the Boards advised that, in addition to the Web site, they jointly operate an automated phone system that provides school bus schedule information.  Accordingly, the IPC included the automated phone system within the scope of its investigation. 

 

DESCRIPTION OF AUTOMATED PHONE SYSTEM & WEB SITE

 

1)         Automated Phone System 

 

The formal name for the automated phone system is the Interactive Voice Response System.   It is intended to be used by parents of students enrolled in York Region schools, although it is accessible to anyone.  The system is based on the caller’s home phone number and provides a voice response with the pick-up and drop-off information for the student at that phone number. When the system answers a call, an automated voice prompts the caller to enter his/her home phone number.  If it matches the phone number of a student enrolled at a York Region school, then the automated phone system will state the stop location and pick-up and drop-off time for the phone number provided by the caller (e.g., morning pick-up time at 8:30 a.m., stop located at X, afternoon drop-off time at 3:30 p.m., stop located at Y).  Where there is more than one child and they attend different schools, the system will indicate the names of the schools.  The caller is then asked to select the school and the system will provide the relevant information.

 

Individuals who call the automated phone system and provide a phone number that does not match the number of a child enrolled in York Region schools are re-directed to school board staff because the system does not recognize the phone number.  The Boards advised that they receive a high volume of these calls, which translates into increased phone inquiries for their administrative staff.

 

In their response to the draft Privacy Complaint Report, the Boards indicated that they are considering discontinuing the operation of the automated phone system, but provided no further submissions about it.  Because no final decision has been made to discontinue the automated phone system, this final Report includes analysis and recommendations concerning the automated phone system.

 

2)         Web site

 

The Boards advised that they decided to create a Web site and make the bus schedule information widely available to individuals, so as to reduce the phone calls that would otherwise need to be handled by the administrative staff.  According to the Boards, the majority of calls received by the automated phone system were from individuals moving or considering moving to York Region.  As these individuals did not have children already enrolled in the York Region school system, the automated phone system could not provide them applicable bus information and their calls had to be re-routed to the Boards’ staff.

 

Accordingly, the Web site created by the Boards is not an internal site that may only be viewed by York Region school students or their parents.  Rather, the Web site is an Internet site that may be viewed by anyone with access to the Internet. 

 

The Web site provides similar information to the automated phone system (i.e., pick-up and drop-off locations and times), but in relation to a grouping of addresses on a particular street.  As I will explain in more detail below, the Web site requires that an individual select the name of a school from a list, or provide a street address, to initiate the search on the Web site.  The search results that are displayed indicate the pick-up and drop-off times and locations for a group of addresses on a street (e.g., Jones Avenue #36‑40 and Jones Avenue #35-39). In some cases, the stop location may be a specific address (e.g., 36 Jones Avenue), rather than an intersection (e.g. Jones and 5th Avenue).  In addition, the search results indicate the street type (e.g., crescent), grade eligibility for bus service (e.g., Junior Kindergarten to Grade 8) and route number.  (According to the Boards, students in lower grades may be eligible for bus transportation for shorter distances than students in higher grades).  Like the automated phone system, the actual names of the students are not included.

 

Individuals can search for bus schedule information on the Web site, using three different query modes:

 

               Streets by School Report

               Info by School

               Info by Address

 

The Web site describes the three query modes as follows:

 

Streets by School Report: Report on all streets with transportation information for a selected school.

Info by School: Look up the bus transportation by Address Range.  Use this information to find your nearest bus stop and eligibility to ride.

Info by Address: Look up school transportation information based upon an address. Grade and school must be selected to obtain a response.

 

All three query modes yield essentially the same information:  school bus drop-off and pick-up times and locations for a range of addresses on a street.  The number of fields that appear in the course of accessing detailed pick-up and drop-off information may vary and the information may be configured differently, but the information ultimately produced is the same, regardless of which query mode is used.  

 

With the Streets by School Report query, the individual selects a school from a pick list or types in the name of the school.  The School Street Summary appears, containing a list of all the streets for a particular school that receive school bus service, with address ranges and the corresponding bus stop locations and times for those address ranges.  In some cases, there appears to only be one address within the range.  The list also contains the street type (e.g. crescent), route number and grade range eligibility.

 

With the School query, the individual types in a school name.  This produces a list of the streets for that school with address ranges.  The person submitting the query selects an address range, and the Web site displays the pick-up and drop-off times for that range of addresses on that particular street.  This type of query also produces grade eligibility information. 

 

For the Address query, the individual types in a street name and number.  (Grade does not appear to be required).  This produces a list of schools that might be attended by students living at that address (similar to the School search above).  The individual selects a school, and the relevant pick-up and drop-off times and locations are then provided for the address (or the range that includes it), together with grade eligibility.  This mirrors the results obtained under the School query method.

 

ANALYSIS  

 

Both the Web site and automated phone system disclose detailed information about school bus routes, pick-up and drop-off times and locations.  For the automated phone system, the information provided is in response to a particular phone number that the caller has entered, and pertains to the student at that particular phone number.  For the Web site, the information is in relation to an address or set of addresses on a particular street.

 

The Boards are of the view that neither the automated phone system nor the Web site involves disclosure of students’ personal information.  They believe that as the names of students are not communicated in the voice response or displayed in the Web site’s search results, no personal information is involved.  They consider the automated phone system and Web site to pose no privacy risks or safety concerns, contending that providing information on school bus schedules via an automated phone system or the Internet is no different than if an individual were to follow a school bus, observing and recording its stop times and locations.

 

1)         Is the information “personal information”?

 

Section 2 of the Act defines personal information, in part, as “recorded information about an identifiable individual.”  [emphases added]

 

For the purposes of a disclosure, this definition indicates that the information must be “recorded”.  While this requirement is clearly met in the case of the Web site, the information disclosed by the phone system is verbal.  However, the response by the phone system is an automated disclosure of information taken from electronic records, and therefore also qualifies as a disclosure of “recorded” information.

 

I am also satisfied that the information being disclosed by the Web site and phone system in relation to school busing arrangements is, in at least some cases, about identifiable individuals.  Clearly, an individual’s travel arrangements would be information “about” the individual.  As to whether the students are “identifiable”, it is important to bear in mind that the purpose of both the voice system and the Web site is to provide information to parents and students about bus scheduling.  In most cases, the identity of the student would already be known to the person submitting the query, and in such cases, the individual is clearly “identifiable”.  While some individuals may query the Web site system to find out the schedule in connection with a possible move to a particular neighbourhood, as suggested by the Boards, this does not change the fact that many of the persons submitting queries to the Web site and using the voice system, would already know the identity of the student they are inquiring about.

 

Past orders have held that even where individuals are not named, the information can be about identifiable individuals, given the context or small numbers involved.  For example, in Order P-644, former Adjudicator Anita Fineberg found that records contained “personal information” because physicians, although not named in the record, could be identified due to the small number of physicians billing for a particular type of medical service.  In the circumstances of this investigation, although the students are not identified by name in the disclosure itself, the information provided is either in relation to a student residing at a particular phone number (voice system) or to a student residing within a small range of addresses on a street (Web site).  In some instances, the range may consist of only one address or could involve a small street (e.g., a cul de sac).

 

In their response to the draft Privacy Complaint Report, the Boards indicate an intention to “eliminate from search results those stops that service the needs of one family only at their home address.”  That change would address the problem of ranges containing only one address, but it does not alter the fact that the identity of children would frequently be known to the person submitting the query, in which case any information disclosed is “about an identifiable individual”.  Pre-existing knowledge by the person submitting a query can render an individual “identifiable” even in the absence of personal identifiers.  By way of analogy, records identified in response to a request under Part I of the Act for access to information about an individual identified in the request, contain that individual’s personal information regardless of whether the individual’s name is or is not stated in the record.

 

A previous line of IPC decisions has determined that, in some cases, certain information about a property owned by an individual is not personal information, including estimated market values, work orders and building permit information (see Orders P-23, M-138 and Investigation Report I94-079M).  Similarly, it might be suggested that the information disclosed by the phone system and the Web site is about a property, or a transportation service, rather than identifiable individuals.  I do not agree with this view.  In my opinion, much of what is disclosed is information about the travel arrangements of identifiable school children, and therefore constitutes their personal information.  Indeed, the phone and Web service is designed exclusively for the purpose of linking bus route information to identifiable individuals.

 

It might also be suggested that if the information under consideration here qualifies as personal information, so should the schedules of a municipal transit body such as the Toronto Transit Commission (TTC).  However, this analogy is flawed because even assuming an inquiry were made of the TTC to obtain the possible routing and times for a student to get from their municipal address to the school, there would be a number of options for pick-up and drop-off times, and in most cases, a number of routes would also be available.  In my view, the TTC scheduling information is much more generic and, unlike the information disclosed by the Boards via the phone service and Web site, it does not disclose a fixed personal itinerary that is clearly linked to an identifiable individual.

 

For all these reasons, I have concluded that both the voice system and the Web site have disclosed, and continue to disclose, personal information.

 

2)         Is the disclosure of “personal information” in accordance with the Act?

 

Part III of the Act outlines an institution’s obligations regarding the collection, use, disclosure and retention of personal information.  For school boards, this, of course, involves protection of students’ personal information.  An institution may not be able to control how information is used by individuals, once it is placed on its Web site.  However, an institution is able to control the information it discloses and should exercise caution with respect to personal information in order to comply with the provisions of Part III.

Section 32 of the Act outlines the situations where an institution is permitted to disclose personal information.  The only parts of this provision that could apply in these circumstances are sections 32(b) and (c), which provide for disclosure upon consent or if the information is being disclosed for a purpose consistent with the purpose for which it was obtained or compiled.  Sections 32(b) and (c) state:

32. An institution shall not disclose personal information in its custody or under its control except,

(b)     if the person to whom the information relates has identified that information in particular and consented to its disclosure;

(c)     for the purpose for which it was obtained or compiled or for a consistent purpose.

With respect to section 32(b), the Boards have not obtained the required consents from the individual parents or students (as the case may be, depending on whether the student has reached the age where his or her consent is required instead of a parent’s) to support their disclosures of personal information via the Web site or the automated phone system.  Disclosures via the Web site would require the consent of all parents and/or students in the York Region school system in order to qualify under section 32(b).  This is also true of the automated phone system.  In my view, the requirements of section 32(b) have not been met.

As far as section 32(c) is concerned, it authorizes disclosure of an individual’s personal information if it is disclosed for a purpose similar to or consistent with the purpose for obtaining or compiling it.  Where information is collected directly from a student, section 33 of the Act provides that its purpose would qualify as consistent “only if the individual might reasonably have expected such a use or disclosure.”

 

During the investigation, the Boards advised that “students and their parents/guardians are provided notice of the collection and possible subsequent use when they register for school and annually via school newsletters and student agendas.”  I understand that these notices identify the following kinds of purposes for “disclosures beyond the board”:

               parent/teacher association class lists;

               emergency phone networks;

               Student Council;

               to an insurer, in case the student is involved in or witnesses an accident (name and home address disclosed);

               with photographs, artwork, writing or other schoolwork, to the media for publicity (name, age, grade disclosed);

               in the school yearbook (names, photographs, etc., disclosed).

Clearly, this notice does not refer to the disclosure of busing information about a student.  In their response to the draft Report, the Boards argue that “… the use and/or release of registration data in accordance with section 32(1)(c) of the Act is consistent with the provision of transportation services pursuant to section 190 of the Education Act and the expectation of parents that information regarding the transportation available to students or potential students be easily accessible …”.  In my view, these legislative provisions are not sufficient to support a conclusion that the individuals “might reasonably have expected such a use or disclosure”, and I am not satisfied that section 33 of the Act provides any basis for concluding that this disclosure would be permitted by section 32(c).

 

Moreover, most if not all of the information disclosed would not have been collected from the students or parents (e.g., actual times and locations for pick-ups and drop-offs).  Where personal information has not been collected directly from the individual concerned, previous investigation reports have determined that, in order to qualify under “consistent purpose”, the use or disclosure must be “reasonably compatible” with the purpose for which it was obtained or compiled (see Investigation Report #I95-008M).  The collection notice referred to by the Boards identifies that student information is collected pursuant to the Education Act and Immunization of School Pupils Act.  In particular, the Boards referred to section 190 of the Education Act, also referenced above.  In my view, however, the transportation of students does not require that school boards disclose school bus drop-off and pick-up times and locations through an automated phone system or through an Internet Web site that is available to the general public.  Therefore, even if section 190 were to qualify as an identified purpose for the collection or disclosure of student information, I am not satisfied that the disclosures under consideration in this report are “reasonably compatible” with this purpose.

 

For all these reasons, I have concluded that section 32(c) does not apply.

 

The Boards’ submissions in response to the draft report also claim that “… in circumstances when the identity of the student is already known by the person submitting the query, the information provided by [the Boards] is that individual’s own personal information.”  In cases where the caller is the custodial parent and the child is under 16, section 54(c) of the Act would indicate that the parent can exercise any rights of the child, which may include access to the child’s personal information.  But this does not address the issue of queries by other individuals who are not entitled to information about the child’s travel arrangements, and in my view section 54(c) does not authorize the Boards to disclose personal information via a publicly accessible Web site.

Since section 54(c) does not assist the Boards, and none of the provisions under section 32 apply, I have concluded that the disclosures are not permissible under the Act.

Although that is sufficient to resolve the matter, I would like to comment on the Boards’ view that their systems (automated phone system and Web site) do not pose a safety threat for the students.  I believe that these systems do, at least potentially, facilitate the tracking of children’s whereabouts and may therefore place them at risk.  While the Boards liken the situation to an individual following a school bus, these systems, particularly the Web site, allow anyone to easily research and gather information on the whereabouts of specific children at designated times of the day. The risks to the children’s safety may be remote, but the possible harm, should it materialize, could be grave.  I have already concluded that the Act does not mandate this type of disclosure, but even from a policy perspective, it would appear to me that the possibility of grave harm would outweigh any possible benefits associated with making the personal information available in this manner.  I also question the administrative burden to the Boards and the corresponding benefits the system provides to parents.  Most parents would need to know the children’s drop-off and pick-up points prior to the school year and would not need to rely on the automated phone system or Web site after an initial notification.  And as for non-parents being able to obtain the bus schedules through the Web site, it is difficult to see why they would need such detailed information.  Additionally, while administrative staff may have had to deal with fewer calls as a result of the Web site, in my view this is not a compelling justification, given the nature of the information and its possible nefarious uses.

CONCLUSIONS & RECOMMENDATIONS:

 

I have concluded that the Web site and phone system disclose personal information, and that these disclosures are not authorized by section 32 of the Act.  In addition, these disclosures have the potential to seriously threaten the safety of students.

 

Accordingly, I recommend that the Web site and automated phone system be dismantled by June 30, 2003.  The Boards should provide the Office of the Information and Privacy Commissioner with proof of compliance that the Web site and automated phone system have been dismantled by July 11, 2003.

 

 

 

 

 

Original signed by Mona Wong
May 15, 2003

Lois Friedman, Mediator
per: Mona Wong, Team Leader, Mediation (Mun.)

 
