Privacy Reports

PRIVACY COMPLAINT REPORT

PRIVACY COMPLAINT NO. PC-030043-1

Ministry of Labour

MEDIATOR: Maria Tzimas

INSTITUTION: Ministry of Labour

 

 

 

SUMMARY OF COMMISSIONER INITIATED COMPLAINT:

 

On October 6, 2003, the Office of the Information and Privacy Commissioner/Ontario (the IPC) was informed by the Manager of the Freedom of Information and Privacy Office of the Ministry of Labour (the Ministry) of a theft of a briefcase that very day from the vehicle of an Employment Standards Officer working in the London South District Office.

 

On the basis of this information, the IPC initiated a privacy complaint under the Freedom of Information and Protection of Privacy Act (the Act).

 

Particulars Concerning the Incident

 

During the course of the investigation, the Ministry provided the IPC with information in relation to the incident, the details of which are outlined below.

 

On October 6, 2003, between the hours of 6:30 and 8:30 AM, the vehicle of an Employment Standards Officer (ESO) of the Ministry’s London South District Office was broken into by an unknown person in a public parking lot.  As a result of the break-in, the ESO’s briefcase was stolen from the locked trunk that contained a laptop computer, calculator, and five employment standards files.  The London City Police were notified of the theft on that same day, as were the Ministry’s Regional Director, the Freedom of Information and Privacy Office (FOI Office), and Information Technology (IT) personnel.

 

The Ministry clarified that the laptop computer contained some information from the five employment standards files relating to five individuals, including their names and addresses.  The laptop computer was password protected with a unique password and was turned off at the time of the theft.  The five employment standards files contained a standard claim form and may have also contained T4 slips, medical information, photographs, Workplace Safety and Insurance information and other personal notes and records, depending on the nature of the claim.  The standard claim form contains information such as the name, address, phone number, social insurance number, occupation, employment history and remuneration level of the employee and the name and address of the employers.

 

On October 7, upon receiving direction from the Ministry’s Legal Services and FOI Office, the District Manager of the London South District Office notified the five affected individuals about the theft by telephone, followed by a letter dated October 9.  In the letter, the Ministry advised the five individuals that their employment standards claim files were stolen from the ESO’s vehicle and that the police were notified about the incident.  The Ministry provided the five individuals with information from Human Resources Development Canada on steps they may wish to take with respect to their social insurance numbers.  The Ministry also indicated that they would notify the five individuals should there be any recovery of the stolen material by the police.

 

On October 8, the ESO was instructed to reconstruct all five files by contacting the claimants and employers in relation to the five stolen files.  By the end of the day on October 9, the ESO had made contact with all of the claimants and employers involved in the five claims and had initiated requests to begin reconstructing the documentation in the files.

 

As of October 28, all files had been fully reconstructed with the exception of one claim form, but the ESO had sufficient documentation to proceed with a determination on that particular file.  To date, none of the stolen materials have been recovered by the police.

 

Additional Comments

 

The Ministry advised that it currently does not have any policies and procedures in place for the handling of confidential materials containing personal information, including guidelines for protecting these materials when working outside the office.  However, it plans to develop such policies and procedures upon the completion of a Ministry-wide initiative that is currently underway involving the Office of the Worker Advisor (OWA), the Economics and Business Cluster and Management Board.  As part of this initiative, a comprehensive network attached storage (NAS) solution is being developed and the project will incorporate a data classification initiative to ensure effective management and classification of confidential information files.  A completion date for this initiative has not yet been determined.

 

DISCUSSION:

 

The following issues were identified as arising from the investigation:

 

Issue A:  Is the information “personal information” as defined in section 2(1) of the Act?

 

Section 2(1) of the Act states, in part:

 

"personal information" means recorded information about an identifiable individual, including,

 

(a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,

 

(b) information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,

 

(c) any identifying number, symbol or other particular assigned to the individual,

 

(d) the address, telephone number, fingerprints or blood type of the individual,

 

(e) the personal opinions or views of the individual except where they relate to another individual,

 

(f) correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,

 

(g) the views or opinions of another individual about the individual, and

 

(h) the individual's name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual;

 

As noted above, a laptop computer and five employment standards files were stolen from the ESO’s vehicle.  According to the Ministry, the laptop computer contained some information from the five employment standards files relating to five individuals including their names and addresses.

 

I find that the information contained in the laptop computer is clearly personal information as defined in one or more of the subsections of section 2(1) of the Act as set out above.  The Ministry does not dispute this finding.

 

The Ministry confirmed that the five employment standards files contained information relating to five individuals including names, addresses, phone numbers, social insurance numbers, occupations, employment histories, remuneration levels, and the names and addresses of employers.  These files may have also contained other information such as T4 Slips, medical information and other personal notes and records depending on the nature of the claim.

 

I find that the information contained in the five employment standards files is clearly personal information as defined in one or more of the subsections of section 2(1) of the Act as set out above.  The Ministry does not dispute this finding.

 

Issue B:  Was the disclosure of the “personal information” in accordance with section 42 of the Act?

 

Section 42 of the Act sets out a number of circumstances under which an institution may disclose personal information.  Clearly, in situations where there has been a theft of personal information, none of these circumstances apply.

 

The laptop computer was protected by a unique password and, although this does not guarantee that an unauthorized user can never access the information, there is no evidence to suggest that there was a disclosure of such information.  However, the same cannot be said about the five employment standards files.  Accordingly, the disclosure of personal information contained in the five files was not in accordance with the Act.

 

CONCLUSION:

 

I have reached the following conclusions based on the results of my investigations:

 

1. The information in question was personal information as defined in section 2(1) of the Act.

2. The disclosure of personal information within the employment standards files was inadvertent as it was caused by the theft of these materials from the ESO’s vehicle.

 

RECOMMENDATION:

 

In the absence of policies and procedures on the handling of materials containing personal information when working outside the office, the Ministry exposes itself to future incidents involving significant breaches that may be minimized or avoided altogether with the dissemination of some general guidelines to employees on the proper handling of such materials when working outside the office.

 

Accordingly, I recommend that the Ministry develop interim policies for the protection of personal information when working outside the office or adopt the IPC’s Guidelines for Protecting the Privacy and Confidentiality of Personal Information When Working Outside the Office until such time as the data classification and NAS initiatives have been completed and the Ministry has developed its own comprehensive policies in this area.  The Ministry should also notify and make staff aware of these policies.

 

By May 31, 2004, the Ministry should provide the Office of the Information and Privacy Commissioner with proof of compliance with the above recommendation.

Original Signed by:

Maria Tzimas, Mediator per:

Irena Pascoe, Team Leader

February 23, 2004

 

 

 

 
