PRIVACY COMPLAINT REPORT
PRIVACY COMPLAINTS
Office of the Public Guardian and Trustee - PC-020010-1
Ministry of Community and Social Services - PC-020011-1
Toronto Community Housing Corporation - MC-020020-1
December 6, 2002
PRIVACY COMPLAINT NOs.: PC-020010-1, PC-020011-1 and MC-020020-1
MEDIATOR: Susan Ostapec
INSTITUTIONS: Office of the Public Guardian and Trustee; Ministry of Community and Social Services; Toronto Community Housing Corporation
SUMMARY OF COMMISSIONER-INITIATED
COMPLAINT:
The Office of the Public Guardian and Trustee (OPGT) notified the
Office of the Information and Privacy Commissioner/Ontario (the IPC) of an
incident involving misdirected faxes. Specifically, the Toronto Community
Housing Corporation (TCHC) received a fax sent by the OPGT, and others,
intended for the Ministry of Community and Social Services, now the Ministry of
Community, Family and Children's Services (the Ministry).
The OPGT advised that it had faxed a special needs application to
the Ministry's Ontario Disability Support Program (the ODSP). The fax was sent
to the number provided by the ODSP Special Needs office. However, the next day,
the TCHC telephoned the OPGT to advise that it had received this faxed document
as well as a number of similar documents intended for the ODSP.
In total, there were five faxes sent by various sources during the
course of the day that were intended for the ODSP but which were received by
TCHC instead. As mentioned above, one of these faxes was sent by the OPGT. The
remainder consisted of a fax sent by a Ministry employee from a different
location; faxes sent by two ODSP clients; and a fax sent by a private company.
The following is a brief description of each of these faxes:
- Fax sent by the OPGT consisted of a special needs application
form and included an ODSP client's name, date of birth, OPGT file number, and
the need for replacement glasses (1 page).
- Fax sent by a Ministry employee consisted of a cover page with
an ODSP client's name on it (1 page), a financial statement of entitlements for
the client (2 pages), and a memo advising of re-admittance of the client to a
mental health centre (1 page).
- Fax sent by an ODSP client consisted of the client's earnings
statement, description of her current medication, and timelines for
back-to-work possibilities (2 pages).
- Fax sent by another ODSP client consisted of his name, his
wife's name and a reassessment decision regarding the status of his disability
(1 page).
- Fax sent by a private company pertained to the amount of rent
paid by two ODSP clients, and contained the address and date of birth of one of
the clients (2 pages).
As a result, three privacy complaints were initiated by the IPC
involving the OPGT, the Ministry and the TCHC.
Steps taken by the TCHC when it received the misdirected
faxes.
- The TCHC telephoned the OPGT immediately to advise them that it
had received several misdirected faxes.
- The next day, the TCHC returned all of the misdirected faxes to
the OPGT by way of facsimile transmission.
- The TCHC subsequently destroyed its copies of all of the
misdirected faxes it had received.
Steps taken by the OPGT once it was notified that the fax
it had sent was misdirected.
- The OPGT immediately contacted the Ministry's ODSP Special
Needs Office by telephone to apprise them of the situation and to obtain
confirmation that the fax number used by the OPGT was correct. The ODSP
confirmed that the number dialled was correct.
- The OPGT staff were advised not to use the fax number in
question until further notice.
- Queries were made of the OPGT staff to ascertain whether any
other material had been sent to the fax number in question. OPGT staff did not
report any other instances.
- After receiving copies of all of the misdirected faxes from the
TCHC, the OPGT wrote to the Manager of the ODSP Special Needs Office advising
that the TCHC had received numerous faxes intended for the ODSP, including
information faxed from a Ministry employee who "works from our office and uses
an independent fax machine from the OPGT Staff". The OPGT enclosed a copy of
all of the misdirected faxes for the Manager's examination.
- The OPGT was advised by the ODSP that there "appeared to be a
technical problem with the telephone lines which resulted in misdelivery of the
material, and that Bell could not confirm or locate the source of the problem
which apparently corrected itself within a few hours".
- The OPGT also sent a letter to the TCHC requesting that the
faxed material received from the OPGT be destroyed and that TCHC staff should
not disclose any of the clients' personal information. The OPGT requested that
the TCHC confirm this and included a written statement to this effect for the
TCHC Manager to sign. The OPGT has provided the IPC with a copy of the signed
statement.
- The OPGT did not inform its client of the disclosure of her
personal information "due to the client's mental incapacity to understand the
information concerning this event".
Initial steps taken by the Ministry
- The Ministry's Toronto Region confirmed that the fax number
provided to the OPGT was the correct number.
- The Ministry attempted to determine the extent of the breach,
the number of clients affected and the content of the information included in
the faxes that had gone astray. The Ministry contacted the OPGT and requested
the names of the clients and copies of the faxes as well as the time the faxes
were sent.
- The Ministry contacted the TCHC to find out how many other
faxes went astray and was advised that all of the misdirected faxes were
returned by TCHC to the OPGT, as it believed the OPGT to be the
originator.
- The Ministry contacted its Telecommunications Support unit to
try to obtain the initial report by Bell Canada of the telephone/fax lines.
However, since Bell was contacted the day after the incident, it could not
identify any transmission errors and reported the fax lines were fully
functional on both dates.
Subsequent Steps taken by the Ministry
- The Ministry requested that Telecommunications Support conduct
a further investigation and "... obtain records of all in and out calls on
the dates in question." The Ministry's Telecommunications Support unit
subsequently advised that there is no database for local calls and that there
is, consequently, no way to track secondary lines. In addition, when the unit
was requested to conduct a further search into the matter with Bell, Bell
advised that there is no longer a record of its investigation into the
telephone lines because it destroys its repair records after three
months.
- The Ministry contacted the employee who had sent a fax to the
ODSP Special Needs Office which was also misdirected to the TCHC. She produced
a copy of the confirmation slip that showed that her fax was sent to the
correct ODSP fax number.
- The Ministry notified the relevant ODSP clients about the
incident and the inadvertent disclosure of their personal
information.
- The Ministry issued a Directive reminding its employees of the
requirements of the Act with respect to ensuring the privacy and
protection of client records. It referred to this incident wherein another
institution had received Ministry faxes and advised employees of the procedures
to be followed where a privacy breach has occurred.
DISCUSSION:
The following issues were identified as arising from the
investigation.
Issue A: Was the information "personal information" as defined in
section 2(1) of the Act?
Section 2(1) of the Act states, in part, that "personal
information" means recorded information about an identifiable individual.
As described above, the information contained in the faxes
included the names of ODSP clients, together with the date of birth, certain
financial information and/or other information about these individuals. Such
information clearly qualifies as "personal information" as defined in section
2(1) of the Act. None of the institutions involved in this complaint
dispute this finding.
Issue B: Was the disclosure of the personal information in compliance with
section 42 of the Act?
Section 42 of the Act sets out a number of circumstances under
which an institution may disclose personal information.
Faxes sent by the OPGT and the Ministry
Clearly, in light of the circumstances surrounding the misdirected
faxes from the OPGT and the Ministry, none of the circumstances set out in
section 42 of the Act apply. As a result, the disclosure of the
personal information was not in compliance with the Act.
Having said this, however, it is clear that, in both instances, the
correct fax number was dialled and the faxes were misdirected due to a
technical glitch completely outside the control of all of the senders as well
as the receiver. There are, however, certain steps that can be taken in order
to maximize the security of faxed information and these will be discussed
below.
Faxes sent by the TCHC to the OPGT
None of the circumstances set out in section 42 apply to the
disclosure of the personal information in the faxes sent by the TCHC to the
OPGT, with the exception of the one fax that originated with the OPGT.
Accordingly, the disclosure of personal information contained in the faxes that
did not originate with the OPGT was not in compliance with the
Act.
In this case, however, the reason the TCHC sent all of the faxes
to OPGT, as opposed to just the one that originated with the OPGT, is that it
believed the OPGT to be the originator of all of the faxes. Once again, there
are a number of practices that should be followed in the event that an
institution receives a fax in error, which will be discussed below.
Fax Guidelines
Given that facsimile transmission of personal information by
telephone lines, unless encrypted, is not secure, if personal information must
be faxed it is important that appropriate policies and procedures be in place
in order to maintain the confidentiality and integrity of information
transmitted by fax.
The OPGT
The OPGT follows the Ministry of the Attorney General's (MAG)
policy entitled Confidential Information. Part C of the policy paper
is entitled "Faxing Procedures" and includes the following direction: "Notify
the intended recipient that you are faxing the information and confirm the
destination fax number. The recipient should stand by to receive the material."
The OPGT provided this office with a copy of MAG's policy and the OPGT's
Best Practices, which adds that the recipient should call [the sender]
when he or she receives the fax.
In addition, the OPGT makes the following statement on its fax
cover sheet:
This facsimile may contain PRIVILEGED and CONFIDENTIAL
INFORMATION only for use of the Addressee(s) named below. If you are not the
intended recipient, you are hereby notified that any dissemination or copying
of this facsimile is strictly prohibited. If you have received this facsimile
in error, please immediately notify us by telephone to arrange for the return
or destruction of this document. Thank you.
The Ministry
The Ministry provided this office with a copy of its policies and
procedures entitled Transmission of Confidential Information. A
section entitled "Preferred Procedures for Sending a Fax with Personal
Information" includes the following directions:
- Photocopy the document(s) in question.
- Sever all personal information from the document(s) to be
faxed.
- Telephone the party to whom the fax is addressed and inform
him/her that a fax is being sent and provide any necessary personal information
on the phone.
- Fax the severed version of the document(s).
- Follow up the fax by sending through confidential mail an
unsevered version of the document(s) where necessary.
The following statement also appears on the Ministry's fax cover
sheet:
This facsimile may contain Privileged and
Confidential Information only for the use of the addressee(s)
named above. If you are not the intended recipient of this facsimile or the
employee or agent responsible for delivering it to the intended recipient, you
are hereby notified that any dissemination or copying of this facsimile is
strictly prohibited. If you have received this facsimile in error, please
immediately notify us by telephone and return the original facsimile to us at
the above address via first class mail. Thank You. [original
emphasis]
The TCHC
The TCHC does not presently have its own fax guidelines. The TCHC
explained that it is a newly formed corporation comprised of two entities which
integrated on January 1, 2002. The two entities are the Local Housing
Corporation established under the Social Housing Reform Act, 2000 to
which was transferred the public housing portfolio formerly operated by the
Metropolitan Toronto Housing Authority (MTHA), a provincial Crown agency, and
Toronto Housing Company Inc., the non-profit housing provider owned and
operated by the City of Toronto.
The TCHC advised that information and privacy matters for the two
former entities were governed by different policies, and that it is currently
in the process of integrating these policies which will include privacy
considerations in facsimile transmissions. The TCHC explained that it will be
developing such a policy and associated communications and education of staff
as soon as practicable within its current policy development initiative to meet
its newly forming mandate. In the meantime, it has advised that TCHC staff will
be informed of the requirement to return misdirected facsimile transmissions to
their originator and not to the addressee.
The IPC
In June of 1989, the IPC issued Guidelines on Facsimile
Transmission Security, the objective of which is to ensure that proper
privacy practices are followed in order to protect the privacy and
confidentiality of faxed information. The guidelines recommend that personal
information not be faxed unless protected by encryption. However, the
guidelines also state the following:
While it is not advisable, there may be certain situations where
unencrypted personal information must be faxed, and personal identifiers cannot
be removed. Often, the destination fax does not have a confidential mailbox. In
situations such as these, the sender should telephone the recipient prior to
the transmission to advise that such information is about to be faxed and to
await its receipt. Once received, the recipient should confirm receipt by
telephone.
The IPC's fax cover sheet also contains a statement concerning the
confidentiality of the faxed information and requests that, if the fax is
received in error, the recipient notify this office immediately at a
particular telephone number.
In reviewing these guidelines during the course of this
investigation, it became clear that although the guidelines address various
aspects of facsimile transmissions, they do not address what should be done in
the event that an organization receives a fax that was intended for a different
recipient. Accordingly, the IPC is in the process of revising its guidelines to
address this. As neither the OPGT's nor the Ministry's policies address this
issue either, I will be making a recommendation that they too amend their
policies accordingly.
When an institution receives a misdirected fax, the first step
should be to immediately notify the sender. This will alert the sender so that
they can investigate whether it was a result of a technical glitch or human
error, and take steps to ensure the integrity of future fax transmissions. At
the same time, the recipient should confirm with the sender whether the errant
fax should be returned to the sender by means other than by fax or be
destroyed. The recipient should not forward the fax to the intended
recipient.
Additional Comments:
With respect to the incidents in question, I would like to point
out the following.
It is highly commendable that the TCHC telephoned the OPGT
immediately to alert them to the fact that it had received information intended
for the ODSP. The OPGT's response to take immediate action to investigate why
its document was transmitted to the wrong destination, and to notify the ODSP,
is also highly commendable.
Although both the OPGT and the Ministry have excellent policies
and procedures in place respecting the facsimile transmission of personal
information, it is unfortunate that neither of these institutions followed
their own guidelines. Had they done so, and notified the ODSP by
telephone to advise that a fax containing personal information was being
sent, and to request that the ODSP confirm receipt by telephone, both
the senders and the receiver would have known immediately that the documents
had not been received by the ODSP.
Although the TCHC does not have any fax guidelines in place, it
acted appropriately by telephoning the OPGT to advise that it had received
their fax in error. However, the absence of a policy regarding the faxing of
personal information likely contributed to the TCHC improperly disclosing
personal information when it returned the misdirected faxes of other
senders to the OPGT.
CONCLUSION:
I have reached the following conclusions based on the results of
my investigations:
- The information in question was personal information as defined
in section 2(1) of the Act.
- The disclosure of the personal information was not in
compliance with section 42 of the Act.
- The disclosure of personal information by the OPGT and the
Ministry was inadvertent and a result of a technical glitch. The disclosure of
personal information by the TCHC was due to human error.
Recommendations:
The OPGT and the Ministry
- The OPGT and the Ministry should amend their policies and
procedures concerning the faxing of personal information to address what steps
should be taken in the event that they receive a fax that was intended for a
different recipient. At a minimum, the policies and procedures should specify
that the recipient should notify the sender of the fax immediately and
determine whether the errant fax should be returned to the sender by means
other than by fax or be destroyed.
- The OPGT and the Ministry should take steps to ensure that the
appropriate employees are aware of the policies and procedures relating to the
faxing of personal information.
The TCHC
- The TCHC should complete and implement the policies and
procedures which are already in the developmental stage with respect to sending
and receiving facsimile transmissions containing personal information. In this
respect, the TCHC may wish to refer to the IPC's guidelines, and should also
address what steps should be taken in the event that it receives a fax that was
intended for a different recipient, as outlined in the first recommendation to
the OPGT and the Ministry.
- The TCHC should ensure that the appropriate employees are aware
of the policies and procedures relating to the faxing of personal
information.
The OPGT, the Ministry and the TCHC should provide the Office of
the Information and Privacy Commissioner with proof of compliance with the
above recommendations no later than March 6, 2003 following
the issuance of the final report.
Original signed by: Susan Ostapec, Mediator
December 6, 2002