Privacy Reports

Decision Information

Summary:

The Office of the Information and Privacy Commissioner/Ontario (IPC) received a notice from the Ministry of Labour (the ministry) advising that it had disclosed personal information in response to an Ontario Labour Relations Board order. Two individuals filed complaints in response to the ministry’s disclosure of their personal information. In response, the IPC opened a privacy complaint file to assess if the collection, disclosure and transfer of personal information were in compliance with the Freedom of Information and Protection of Privacy Act (the Act).

The Privacy Complaint Report upholds the ministry’s decision to disclose the records of personal information, but concludes that the ministry did not implement adequate measures to prevent unauthorized access to the records at issue as required under section 4 of Regulation 460, made pursuant to the Act.

Decision Content

Information and Privacy Commissioner,
Ontario, Canada


Commissaire à l’information et à la protection de la vie privée,
Ontario, Canada

PRIVACY COMPLAINT REPORT

PRIVACY COMPLAINT PR11-33

Ministry of Labour

November 9, 2012


Statutes Considered: Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31, as amended, section 2(1) (definition of personal information), Regulation 460, section 4; Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Regulation 329/04; and Employment Standards Act, 2000, S.O. 2000, c. 41.

Orders and Investigation Reports Considered: IPC HO-011

OVERVIEW:

This complaint concerns an allegation of unauthorized disclosure of personal information under the Freedom of Information and Protection of Privacy Act (the Act) by the Ministry of Labour (the ministry). The incident under investigation relates to a letter dated September 1, 2011, and an enclosed CD-ROM, that was sent by the ministry to all of the parties to an Ontario Labour Relations Board (OLRB) proceeding.

The letter, with enclosed CD-ROM, was sent by regular mail to the legal counsel representing the former directors of four bankrupt corporations. Copies of the letter and the CD-ROM were also sent to 309 of the former employees of the corporations who were also parties to the OLRB matter.

The CD-ROM contained information such as the names, addresses, employment history, remuneration and social insurance numbers of each of the 309 former employees, and included copies of their T4 forms. The information on the CD-ROM was unencrypted and therefore, it could be read by anyone with access to a computer. The ministry sent each of the 309 former employees the personal information, including the T4 forms, of all the other employees. Approximately 26 of the 309 employee letters and enclosed CD-ROMs were returned as undeliverable.

The ministry contacted the Office of the Information and Privacy Commissioner/Ontario (IPC) to advise that it had disclosed the information contained in the CD-ROM in compliance with an OLRB Order dated February 24, 2011 and the OLRB’s Rules of Procedure.

One day prior to the ministry contacting the IPC, one of the former employees filed a complaint with the IPC. This individual expressed a concern that the distribution of the personal information on the CD-ROM placed both him and the other former employees at risk of identity theft. The individual also noted that some of the former employees may not have received the letter because he believed that the addresses used by the ministry were not up to date. Following this complaint, a second former employee contacted our office to express concern about the ministry’s actions.

BACKGROUND

The circumstances of this investigation arise from a matter under the Employment Standards Act, 2000 (the ESA). The ministry is responsible for the ESA and the appointment of employment standards officers to enforce the ESA.

As a result of a court ordered receivership, four corporations were dissolved due to bankruptcy on or about October 25, 2008. The bankruptcy resulted in the loss of employment of the 309 individuals.

The ministry stated that it received Employment Standards Claim forms from several of the employees affected by the bankruptcy. The claims were for unpaid wages, vacation pay, termination pay and/or severance pay. In response, the ministry appointed an employment standards officer to investigate the claims, and to determine if any of the employees affected by the bankruptcy were entitled to payment under the ESA.

Section 91(6) of the ESA authorizes an employment standards officer conducting an investigation or inspection to:

  (a) examine a record or other thing that the officer thinks may be relevant to the investigation or inspection;
  (b) require the production of a record or other thing that the officer thinks may be relevant to the investigation or inspection;
  (c) remove for review and copying a record or other thing that the officer thinks may be relevant to the investigation or inspection;
  (d) in order to produce a record in readable form, use data storage, information processing or retrieval devices or systems that are normally used in carrying on business in the place; and
  (e) question any person on matters the officer thinks may be relevant to the investigation or inspection.

The ministry explains that it was pursuant to these powers that the employment standards officer collected from the trustee in bankruptcy a list of all of the 309 employees affected by the bankruptcy of the four corporations and the dissolved partnership, including the contact information and a summary of the wages owed.

The employment standards officer determined that the bankrupt corporations were liable for the wages, vacation pay and termination pay and/or severance pay of the 309 employees and in November 2008 issued Directors Orders to Pay to the company directors on the basis that where an employer is insolvent, a director of an employer is liable for the wages and vacation pay of the employees affected by the insolvency.

The companies’ directors appealed the Directors Orders to Pay to the OLRB. The ministry explains that because the Directors Orders to Pay concerned the entitlement to wages and vacation pay of all 309 employees identified by the employment standards officer, and the directors were seeking a review of the order issued against them, each of the 309 former employees became parties to the review. In reaching this conclusion, the ministry relies on section 116(7) of the ESA which states:

The following are parties to the review:

2. If the person against whom an order was issued applies for the review, the employee with respect to whom the order was issued.

The ministry explains that during the course of the proceedings, counsel for the company directors requested the production of information from the Director of Employment Standards, including documents concerning the amount of wages owed to the former employees. The Director of Employment Standards did not have the requested information – it was being held by the trustee in bankruptcy – but agreed to consent to a production order from the OLRB.

The ministry states that on November 4, 2010, the scheduled date for the OLRB proceeding, counsel for the Director of Employment Standards provided a verbal undertaking to the former employees present at the hearing. The counsel stated that, in the interest of fairness, all of the parties would receive a copy of all of the records obtained by the Director of Employment Standards from the trustee in bankruptcy and provided to legal counsel for the companies’ directors.

On February 24, 2011 the OLRB issued an order to the Director of Employment Standards to produce records to the legal counsel for the companies’ directors. A copy of the Order was provided to all of the parties, including all of the former employees. The Order stated, in part:

  1. By correspondence dated February 23, 2011, counsel to the Director of Employment Standards advised that they had consented to a request from the applicant directors for a Board Order regarding certain documents.
  2. The Director of Employment Standards is ordered to produce to counsel for the applicant directors the following documents:
    • All time sheets (time cards) for hourly employees for the pay period ending November 14, 2008;
    • The payroll register for the period ending November 14, 2008;
    • Documents signed by managers of the various corporations showing personnel additions and deletion for the pay period ending November 14, 2008;
    • Spread sheets showing commission calculations for October and November 2008;
    • All documents showing write-offs from customer accounts provided to customers after November 14, 2008, to the present;
    • Documents showing all credit notes given to customers after November 14, 2008 to the present; and
    • Any documentation indicating the direct employer of each of the claimants with respect to this matter (i.e. contracts of employment, contracts for service etc.).
  3. The documents must be provided to counsel for the applicant directors by March 31, 2011.

It is the ministry’s position that the T4s were necessary to establish the nature of the employment relationship between the former employees of the bankrupt corporations and the amount of wages earned by the employees. The Director of Employment Services intended to rely on the T4s in the OLRB proceeding in order to support the employment standards officer’s Directors Orders to Pay which was the subject of the appeal.

The ministry states that on September 1, 2011, a cover letter and a CD-ROM containing the unencrypted information referred to above was sent to each of the parties to the appeal, namely the companies’ directors and all 309 former employees. The letter identified that the records were produced in accordance with the OLRB’s February 24, 2011 Order, and that they were not to be used, copied or distributed for any other purpose. The cover letter and attached CD-ROM were sent to the last known addresses of each of the former employees on file with the ministry. As noted, of those sent by mail, 26 were returned as undeliverable.

The ministry subsequently contacted the IPC to report what it described as a potential breach of the Act and to seek guidance on its containment. The ministry explained that it was informing the IPC because the ministry had been contacted by some of the former employees who had expressed concern about the disclosure. Once notified of the incident, the IPC requested that the ministry take steps to recover the letters and CD-ROMs from the 309 employees. At the IPC’s request, the ministry sent a letter by courier to each of the former employees, except those for whom the CD-ROM was returned as undeliverable in the initial mailing. Therefore, the letter seeking the return of the CD-ROMs was sent to 283 of the 309 employees. The letter requested the return of the CD-ROMs to the ministry by courier that included a parcel tracking service and provided each recipient with a pre-paid, ministry-addressed envelope with instructions to place the CD-ROM inside the envelope and deposit it with Canada Post.

The ministry states that it tracked the status of returned packages, the returned CD-ROMs and any undeliverable letters. Subsequently, the ministry contacted by telephone any parties who did not respond to its correspondence seeking the return of the packages. As of February 3, 2012, the ministry reports that its letter seeking the return of the CD-ROMs had been received by all intended recipients and that 137 CD-ROMs have not been returned.

The IPC invited the ministry to submit comments in response to the issues raised in this investigation. This office received the ministry’s response and then invited the two complainants to submit comments in response. The complainants did not respond. The OLRB was also invited to comment on the ministry’s response.

I note that the ministry submitted comments on the issue of its authority to collect the personal information at issue here. I agree that the ministry had the authority in the circumstances of this matter and I will not be addressing its specific comments on that issue in this Report.

DISCUSSION:

Is the information personal information as defined in section 2(1) of the Act?

The CD-ROM sent on September 1, 2011 contained each of the 309 employees’ names, social insurance numbers, total annual remuneration, period of earnings and address information. In this case, the ministry does not dispute that the information at issue qualifies as the personal information of the 309 former employees. I agree with the ministry.

Therefore, I find that this information falls within the definition of personal information in section 2(1).

Was the disclosure of the personal information in accordance with the Act?

Section 42(1) of the Act provides a general prohibition against disclosure of personal information in the custody of an institution unless the circumstances fall within one of the exceptions in the Act.

The ministry takes the position that section 64 of the Act overrides any limitations with regards to the disclosure of personal information set out in section 42. Section 64 of the Act provides that:

  (1) This Act does not impose any limitation on the information otherwise available by law to a party to litigation.
  (2) This Act does not affect the power of a court or a tribunal to compel a witness to testify or compel the production of a document.

The ministry’s argument on the application of section 64 is as follows:

Section 64 of the FIPPA operates to override any limitations that may be imposed with respect to the disclosure of information under s. 42 of the FIPPA during the course of litigation proceedings.

… where there is a question as to the appropriateness of disclosing personal information as part of disclosure obligations, that issue falls squarely within the jurisdiction of the tribunal, pursuant to s. 64 of the FIPPA, and therefore could, and should, be taken to the tribunal for a decision and direction.

The OLRB has the authority to issue production orders pursuant to Rule 40.6 of the OLRB’s Rules of Procedure.

Rule 40.6 Provides [sic] as follows:

The Board may also require a person to provide any further information, document or thing that the Board considers may be relevant to a case and to do so before or during a hearing.

Furthermore, pursuant to Rule 8.3 of the OLRB’s Rules of Procedures … because the DES [Director of Employment Services] intends to rely on the records as evidence in the litigation proceedings, the DES is required to deliver a copy of the documents to all of the parties to the proceedings.

Rule 8.3 provides as follows:

Each party must file with the Board not later than ten (10) days before the first date set for hearing or consultation two (2) copies of all documents upon which it will be relying in the case. At the same time, each party must deliver copies of those documents to each of the other parties.

Therefore, pursuant to s. 64 of the FIPPA and based on the OLRB’s Order and its Rules of Procedure, s. 42 of the FIPPA does not apply with respect to information obtained or disclosed during the course of litigation proceedings and the MOL [the ministry] was required by law to comply with the OLRB’s Order and its Rules of Procedure.

Having considered the ministry’s response and the impact of section 64 of the Act, I find that the ministry’s disclosure of the personal information to the companies’ directors and the 309 former employees was in accordance with the Act.

In concluding that the ministry’s disclosure of the personal information was in accordance with the Act, I also considered whether parties appearing before the OLRB could limit the disclosure of personal information. In doing so, I am cognizant that the OLRB has the authority to interpret its own Rules of Procedure and to determine the scope and manner of disclosure consistent with the law and its own policies.

In its Policy on Openness and Privacy, the OLRB recognizes that the parties that appear before it may have concerns about the privacy of their personal information. The policy states:

… in some instances the disclosure of an individual’s personal information during a hearing or in a written decision may have an impact on that person’s life. Privacy concerns arise most frequently when identifying aspects of a person’s life are made public. These include information about an individual’s address, date of birth, medical or financial details, SIN or driver’s license numbers, credit cards or passport details. The Board endeavours to include this information only to the extent necessary for the determination of the dispute.

While this policy focuses on the conduct of hearings and the publication of information in decisions, other OLRB policies illustrate that it may grant requests to maintain the confidentiality of specific evidence, for example, by providing for the redaction of sensitive information where its disclosure is not necessary.

Although the OLRB’s Rules of Procedure do not explicitly provide for the making of any requests or applications for comparable privacy related relief, it appears that parties to a proceeding may make a whole range of applications. For example, there appears to be nothing in the OLRB’s policies and procedures that would prevent the ministry from making an application to the OLRB for direction regarding the secure transfer of the personal information of parties, the need to limit disclosure or more generally for directions to ensure the confidentiality of specific evidence, including personal information.

In my opinion, the right of parties to seek an order limiting the disclosure of personal information set out in the Policy on Openness and Privacy should be expanded to explicitly provide that parties may seek an order from the OLRB to maintain the confidentiality of evidence containing personal information by requiring that the manner and scope of disclosure be restricted as may be appropriate in the circumstances of any matter before it.

I will be providing the OLRB with a copy of this Report so that it can consider this recommendation.

Did the ministry meet its obligation to define, document and put in place reasonable measures to prevent the unauthorized access to the records at issue as required under section 4 of Ontario Regulation 460?

Section 4 of Ontario Regulation 460, made pursuant to the Act, states:

  (1) Every head shall ensure that reasonable measures to prevent unauthorized access to the records in his or her institution are defined, documented and put in place, taking into account the nature of the records to be protected.
  (2) Every head shall ensure that only those individuals who need a record for the performance of their duties shall have access to it.

This provision requires institutions to take steps to ensure that reasonable measures are in place to prevent unauthorized access to records that are in their custody. In this case, the records in question include T4s, which contain the highly sensitive personal information of the employees who were parties to the OLRB proceeding. While the Act and the Regulation do not specify the precise measures to prevent unauthorized access to records, they do require that the measures be reasonable, defined and documented, taking into account the nature of the records to be protected.

As noted above, 137 of the 309 CD-ROMs distributed to the employees have not been returned to the ministry. In the circumstances of this complaint there is insufficient information before me to support a finding that any of these CD-ROMs have been lost or are unaccounted for or have been accessed by unauthorized individuals.

In its submissions, the ministry addressed its obligations under section 4 of Ontario Regulation 460, stating:

The MOL provides secure file rooms for the storage of hardcopy information collected by an ESO [Employment Standards Officer] whether during the course of an investigation or as part of litigation proceedings. Electronic information collected by an ESO during the course of an investigation or litigation proceedings is stored on secure servicers with access limited only to those who may require the information to perform their duties.

These measures are accepted principles with respect to the retention of information collected by a MOL officer. The measures are documented and the MOL provides training to its staff with respect to these measures.

The information obtained by the ESO in relation to the investigation and litigation proceedings before the OLRB in this matter has been securely stored in accordance with the measures outlined above. The information that was produced on the CD-ROM to the parties is electronically stored on a secure server that is password protected and accessible only to those individuals who require the information in order to perform their duties in compliance with s. 4(2) of Regulation 460.

Section 4(2) of Regulation 460 provides as follows:

(2) Every head shall ensure that only those individuals who need a record for the performance of their duties shall have access to it.

In this case, the information was copied for disclosure, which was made only to the parties of the litigation, via regular mail, which is an accepted reasonable means of communication in a legal proceeding, and in compliance with the MOL’s legal obligations arising out of the litigation proceedings before the OLRB [Emphasis added].

Separate and apart from the MOL’s obligations under s. 4 of Regulation 460, as noted in paragraphs 21 and 22 above, the MOL is also bound by the deemed undertaking rule which requires all parties to ensure that any information obtained as the result of being a party to litigation before the OLRB is only used for the purpose of the litigation and is not copied, distributed or used for any other purpose.

Some guidance regarding what constitutes reasonable measures for the secure transfer of records of personal information can be found in IPC Order HO-011, issued under the Personal Health Information Protection Act (PHIPA). It involved the loss of 6,951 reports containing personal health information which were couriered to the physicians of individuals who were participating, or eligible to participate, in Cancer Care Ontario’s ColonCancerCheck program. Each report contained the personal health information of between 300 and 1300 patients. Of those reports, 17 containing the information of 7130 individuals were lost or unaccounted for.

Section 13(2) of Regulation 329/04, under PHIPA, states, in part:

A person who is a prescribed person for the purposes of clause 39(1)(c) of the Act shall put into place practices and procedures,

(a) that are for the purpose of protecting the privacy of the individuals whose personal health information it receives and for maintaining the confidentiality of the information;

While section 13(2) does not specify the precise nature of the practices and procedures that are to be put in place, Commissioner Cavoukian applied a standard of reasonableness. In applying section 13(2), the Commissioner ordered the prescribed person to discontinue its practice of transferring records of personal health information in paper format and institute a properly secure method of transfer following an assessment of the privacy and security issues associated with the proposed method.

Although Order HO-011 arose in the context of PHIPA and this complaint arises under the Act, in my view, the approach taken in that Order provides some guidance here because the reasonableness standard applied in that Order is expressly incorporated into section 4(1) of Regulation 460, under the Act.

In determining whether the chosen method of transferring the records of personal health information relating to this program was reasonable, Commissioner Cavoukian considered the following factors:

  • the characteristics of the person or organization transferring the records;
  • the characteristics of the person or organization receiving the records;
  • the number of individuals whose personal health information is contained in the records;
  • the volume and frequency of the transfer; and
  • the availability of alternative methods of transfer and the risks associated with each method.

In addition to the order cited above, the IPC has also provided guidance with respect to the transmission of information through various media, including email and facsimile.1 While the circumstances of this case concern regular mail, these guidelines recognize that the transfer of personal information or personal health information may expose the information to the risk of a privacy breach.

To be clear, while the ministry’s representations address, in part, the security arrangements in place in its offices, the only issue here relates to the transfer of the personal information of the 309 former employees to all of the parties to the OLRB proceeding. Regarding the transfer of the records, the ministry’s position is that regular mail is an accepted reasonable means of communication in a legal proceeding. This argument overlooks the fact that the ministry is an institution subject to the requirements set out in the Act, including a requirement to protect the privacy and security of personal information in its custody. The practices followed in legal proceedings are not based on the statutory requirements to protect privacy and security of personal information that are set out in the Act.

Order HO-011 cited above acknowledges that reasonableness does not require perfection, nor is it a static standard. What historically may have been considered an acceptable practice or procedure for the transfer of records of personal information may not necessarily be considered a reasonable practice or procedure now.

Taking the same approach that was taken in Order HO-011, I now turn to consider the relevant factors to determine whether the ministry’s chosen method of transferring the records of personal information was in compliance with the Act.

  a. The ministry is a sophisticated government organization and it is reasonable to assume that it has ready access to bonded courier services that offer tracking features, and in the alternative, the means to encrypt the information it stores on CD-ROMs.

    By not using shipment tracking features, the ministry had no means of ascertaining whether the packages reached the addressees. Shipment tracking is available through the use of private couriers and Canada Post and enables an institution to account for the information in transit. While tracked packages may still go missing, this system enables an institution to locate packages, confirm receipt, and take active steps to recover and limit the extent of any missing materials and thereby contain the consequences of lost or misdirected shipments.

    In making this observation, I note that there is nothing in the OLRB’s rules that would prohibit the use of a bonded and tracked courier to effect delivery of the records at issue in this Report.

  b. Regarding the characteristics of the persons receiving the records, I acknowledge that individual recipients may not have access to the resources to decrypt encrypted CD-ROMs. That said, it was apparently assumed that each of the 309 employees had access to the computer hardware that would enable them to view the information on the CD-ROMs. Because the ministry’s response does not indicate whether encryption was considered, I can only assume that it was not.
  c. In my view there was a large volume of sensitive personal information included on the CD-ROMs. They contained the information of 309 employees and the loss or theft of one CD-ROM may have exposed 309 individuals to identity theft. In this circumstance, personal information was sent unencrypted via regular mail and therefore the sensitive personal information of 309 individuals was accessible to anyone who received the CD-ROM, regardless of whether they were the intended recipient or not. The ministry has not indicated that it considered the implications of losing this large volume of personal information when determining the method of transfer it was going to use.
  d. Even if the ministry had assessed that the sending of unencrypted data on CD-ROMs via regular mail was reasonable, there is no evidence to indicate that the ministry made an effort to confirm the accuracy of the addresses of the recipients. This concern was identified by one of the complainants who noted that, in his opinion, some of the former employees may not have received the CD-ROM because he believed that the addresses used by the ministry were not up to date. This is supported by the fact that approximately 26 CD-ROMs were returned as undeliverable. While I have no information to verify the accuracy of this, if the ministry failed to confirm the addresses of the intended recipients, it would have exposed the personal information to further risk of being accessed by unauthorized individuals.
  e. In my view, there were a number of more privacy protective alternatives available to the ministry for the transfer of the personal information and as the ministry’s response does not address this, I can only assume that they were not considered.

Regarding its obligations under the Act, the ministry also stated that:

… the MOL [Ministry of Labour] is also bound by the deemed undertaking rule which requires all parties to ensure that any information obtained as the result of being a party to litigation before the OLRB is only used for the purpose of the litigation and is not copied, distributed or used for any other purpose.

While I acknowledge the existence of the deemed undertaking rule, the ministry has failed to satisfy me that it has complied with the rule because it has not provided information to support a finding that it took steps to ensure that the personal information at issue here is only used for the purpose of the litigation and is not copied, distributed or used for any other purposes. I also note that the deemed undertaking rule, on its own, does not adequately minimize the risk of personal information going astray during transfer, being accessed by unauthorized individuals, or being misused by any such third parties.

CONCLUSION:

  1. The information contained in the CD-ROM sent by the ministry on September 1, 2011, included the personal information of each of the 309 employees.
  2. The ministry did not put in place reasonable measures to prevent unauthorized access to the personal information at issue, having regard to the sensitive nature of the information, as required under section 4 of Ontario Regulation 460, made pursuant to the Act.

RECOMMENDATIONS:

The Ministry

  1. The ministry should develop and implement policies, procedures and/or guidelines for the secure transfer of personal information in its custody to ensure compliance with its obligations under the Act and Regulation 460.

The OLRB

  1. The OLRB should review and revise its rules and related policies to clarify that parties may seek an order from the OLRB to maintain the confidentiality of evidence containing the personal information of individuals by requiring that the manner and scope of disclosure be restricted as may be appropriate in the circumstances of any matter before it.

By February 6, 2013, the ministry and the OLRB should provide the IPC with proof of compliance with the above recommendations.

Original signed by:

Jeffrey Cutler

Investigator

November 9, 2012


1 IPC, Privacy Protection Principles for Electronic Mail Systems, (February, 1994), available online at www.ipc.on.ca/images/Resources/email-e.pdf; IPC, Guidelines on Facsimile Transmission Security, (Revised January, 2003), available online at www.ipc.on.ca/images/Resources/fax-gd-e.pdf; IPC, Fact Sheet #18: The Secure Transfer of Personal Health Information, (Revised June, 2012), available online at http://www.ipc.on.ca/images/Resources/fact-18-e.pdf.
