Summary:

The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Toronto District School Board (the Board) contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act) when it disclosed a student’s personal information to a photography vendor who in turn contacted the student’s parents to advertise their services. I conclude that the collection and use of students’ photographs for administrative purposes is in accordance with sections 28(2) and 31 of the Act, respectively and that the Board’s disclosure of students’ personal information to the vendor for administrative and limited marketing purposes was in accordance with section 32 of the Act. I also conclude that the notice of collection of student photographs does not comply with section 29(2) of the Act; nor did the Board’s Service Agreement with the vendor include adequate provisions with respect to the protection of students’ personal information.

PRIVACY COMPLAINT REPORT

PRIVACY COMPLAINT MC16-4

Toronto District School Board

April 24, 2018

Statutes Considered: Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. M.56, as amended, sections 2(1) (definition of “personal information”), 28(2), 29(2), 31, 32; R.R.O. 1990, Reg. 823, sections 3 and 5; Education Act, R.S.O. 1990, c. E.2, sections 170(1) and 265(1); R.R.O. 1990, Reg. 298, section 11(3).

Cases: R. v. Find [2001] 1 S.C.R. 863, 2001 SCC 32.

Orders and Investigation Reports Considered: MC07-68.

BACKGROUND:

[1]  The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a privacy complaint under the Municipal Freedom of Information and Protection of Privacy Act (the Act) relating to the Toronto District School Board (the Board). The complainant asserted that the Indian Road Public School (the School) within the Board contravened the Act when making his son’s personal information available to a third-party photography company (the vendor).

[2]  The complainant explained that in September of 2015, his child brought home from the School a note indicating that picture day was occurring. The complainant asserts that no details as to the process were provided at that time. The complainant stated that several weeks later a “custom printed post-card” produced by the vendor was sent home. The post card included two photos of his child taken on picture day, his child’s full name together with other details including three codes that could be used to order prints and other products via the vendor’s website.

[3]  The complainant asserts that the Board disclosed his child’s personal information, including name, age and classroom/grade to the vendor. The complainant explained that he was not notified that his child’s personal information would be shared with the vendor; that the vendor would be creating and maintaining a database of student personal information; that the vendor would make the information web accessible; and that he was not provided any information concerning the vendor’s policies with regards to privacy and the destruction of personal information.

[4]  During the Intake stage of this complaint, the Board submitted a response to the complaint. In its letter to the IPC, dated May 13, 2016, the Board stated, in part:

It should be noted that the photographing of students is essential to the TDSB. An up-to-date photograph of each student is required for the following reasons:

- Student Safety

- Student Identification

- School Security

The TDSB is the largest school board in Canada, comprised of 588 schools serving approximately 245,000 students. In order to photograph every TDSB student, third party service providers are contracted out by the TDSB to perform photography services. Students and their parents/guardians have the right to opt out of classroom group photographs; however, an individual portrait is required for each student.

Only necessary student information is shared with photography service providers by the TDSB to allow for a student’s image to be matched with their correct student profile within the TDSB’s Trillium Student Information System (SIS), the online database that houses TDSB student information. The student information shared by the TDSB with photography service providers includes students’ first and last name, home room, Ontario Education Number (OEN), TDSB student number, and grade. The sharing of this information ensures that an incorrect photograph is not matched with an incorrect student profile.

[The vendor] was the photography service provider responsible for taking the complainant’s child’s image. [The vendor] retains any TDSB student information for a period of two years from date of collection. After two years, [the vendor] destroys students’ information. [The vendor] retains student information for two years to allow for students’ parents/guardians to order their children’s images outside of the short turnaround period given by a school. Should the complainant wish for [the vendor] to destroy any of their child’s information which [the vendor] is in the possession of outside of their two-year retention schedule, the complainant is welcome to reach out to the Principal of Indian Road Public School … or the company, [the vendor] directly.

It should also be noted that communication was sent home to all parents/guardians of Indian Road Public School students regarding picture day at the school on more than one occasion. There was also an informational pamphlet circulated by [the vendor] in which [the vendor] offered to answer any questions parents/guardians may have had regarding their services.

[5]  Subsequent to receiving the above information, this matter was moved to the investigation stage of the IPC complaint process.

ISSUES:

  1. Is the information at issue “personal information” as defined by section 2(1) of the Act?
  2. Is the Board’s collection and use of student photographs authorized under sections 28(2) and 31 of the Act, respectively?
  3. Did the Board provide a notice of collection as required under section 29(2) of the Act?
  4. Was the disclosure of personal information, by the Board to the vendor, in accordance with section 32 of the Act?
  5. Did the Board’s Service Agreement with the vendor include adequate provisions with respect to the protection of students’ personal information?

DISCUSSION:

1. Is the information at issue “personal information” as defined by section 2(1) of the Act?

[6]  Personal information is defined in section 2(1) of the Act which states, in part:

“personal information” means recorded information about an identifiable individual, including,

(a)  information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,

(c)  any identifying number, symbol or other particular assigned to the individual,

(h)  the individual’s name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

[7]  The Board confirmed that the information at issue is the complainant’s child’s photograph, name, home room, Ontario Education Number (OEN), TDSB student number, and grade.

[8]  In my view, this information meets the requirements of paragraphs (a), (c) and (h) of the definition of “personal information”. This conclusion is not disputed by the parties. Accordingly, I find the information in question qualifies as “personal information” as set out under section 2(1) of the Act.

2. Is the Board’s collection and use of student photographs authorized under sections 28(2) and 31 of the Act, respectively?

[9]  Section 28(2) of the Act sets out the circumstances under which personal information may be collected by an institution, stating:

No person shall collect personal information on behalf of an institution unless the collection is expressly authorized by statute, used for the purposes of law enforcement or necessary to the proper administration of a lawfully authorized activity.

[10]  The Board explained that student photographs are collected as part of the student registration process. In order to determine whether the collection is permitted under the Act, the Board must first show that the activity is lawfully authorized, and second, that the collection of the personal information is necessary to that lawfully authorized activity.

[11]  I note that the Board’s operation of schools is lawfully authorized under section 170(1) of the Education Act. Furthermore, the operation of the School includes responsibility for the safety and security of students and property as set out in section 265(1) of the Education Act and section 11(3) of Regulation 298.

[12]  Examples of lawfully authorized activities that are relevant to collecting student photographs include providing supervision of pupils [1] and the conduct of school activities [2]; notifying parents or guardians of any infraction [3]; and admitting students to class. [4] I note that section 265(1)(d) of the Education Act permits principals to collect information for inclusion in the record of each student.

[13]  The next question to consider is whether the collection of student photographs is necessary to the operation of the School. Past findings of this office have determined that institutions “must demonstrate how the collection of personal information is ‘necessary’, not merely helpful, to the achievement of this objective.” [5]

[14]  In response to this investigation, the Board explained that: “[p]hotographing students is an essential service for the TDSB, and to maintain up-to-date student records, the information collected during registration is used to assist in the process of photographing and matching photos to the correct profile.” The Board’s explanation is consistent with the explanation provided in its guidelines. The Board’s manual titled “Student Photographs: Trillium Student Information System” (SIS) provides instruction for the purposes of matching photographs to student records. The manual identifies student photographs as beneficial for student safety, student identification and school security.

[15]  I accept the Board’s submissions and find that the collection of student photographs is necessary to the operation of the school and therefore meets the requirement that it be “necessary to the proper administration of a lawfully authorized activity.”

[16]  Further, I find that the Board’s use of student photographs is consistent with its collection. Section 31(b) of the Act permits use “for the purpose for which it was obtained or compiled or for a consistent purpose”. As previously determined by the IPC, when determining whether a particular use of personal information is in accordance with section 31(b) “it is necessary to assess whether the use of this information can be properly characterized as being either for the original purpose of the collection, or for a purpose that is consistent with that original purpose.” [6] There is no information before me to suggest that the Board uses the information other than for the purposes that necessitate its collection.

[17]  I conclude that the ability to identify individual students via the collection and use of photographs contributes to the safety of students and staff and maintaining school security. I also conclude that collecting student photographs to maintain up-to-date records, such as the Ontario School Record (OSR), and to add to the Trillium SIS is an important administrative purpose.

[18]  Therefore, I find that the Board has demonstrated that the collection of student photographs is necessary to the proper administration of a lawfully authorized activity in accordance with section 28(2) and that the associated use is consistent with this collection, as per section 31(b) of the Act.

3. Did the Board provide a Notice of Collection as required under section 29(2) of the Act?

[19]  Section 29(2) of the Act imposes a notice requirement on institutions that collect personal information, and states:

If personal information is collected on behalf of an institution, the head shall inform the individual to whom the information relates of,

(a)  the legal authority for the collection;

(b)  the principal purpose or purposes for which the personal information is intended to be used; and

(c)  the title, business address and business telephone number of an officer or employee of the institution who can answer the individual’s questions about the collection.

[20]  The complainant explained that in September of 2015, his child brought home from the School a note indicating that the school picture day was occurring but asserts that no details as to the process were provided at that time.

[21]  The Board explained that parents/guardians are provided with a school calendar, outlining events in the school community throughout the year, including Picture Day. The Board supplied a copy of the School calendar and student registration form, as well as an informational pamphlet circulated by the vendor. The vendor’s informational pamphlet describes their services, and includes contact information in which the vendor offers to answer any questions regarding their services.

[22]  I note that these documents do not reference that photos are being collected beyond the general explanation that it is “IRC Picture Day”. I have reviewed the Board’s “Student Registration Form” and note that it does not reference the collection of photographs. Section 29(2) of the Act clearly sets out the components of notice. The Board does not provide any form of notice explaining its authority to collect the photographs, the principal purpose or purposes for which the photographs are intended to be used, or a Board or School contact who can answer questions about the collection.

[23]  I find that the Board’s notice does not comply with section 29(2). I therefore recommend that the Board implement a Notice of Collection that will inform parents/guardians and students about the collection of photographs, in accordance with section 29(2).

4. Was the disclosure of personal information, by the Board to the vendor, in accordance with section 32 of the Act?

[24]  Section 32 of the Act prohibits the disclosure of personal information in the custody or under the control of an institution except in certain circumstances. The exception relevant to this case is section 32(c), which states:

An institution shall not disclose personal information in its custody or under its control except,

(c) for the purpose for which it was obtained or compiled or for a consistent purpose;

[25]  There is no dispute that the personal information at issue (name, home room, OEN, TDSB student number, and grade) was disclosed by the Board to the vendor. The Board has indicated that this information was disclosed to the vendor for administrative purposes. The information before me indicates that students’ personal information was also disclosed to the vendor for a secondary purpose of marketing the sale of photographs and related products to parents/guardians. The information communicated to parents/guardians and contained in the Service Agreement between the School and the vendor states that the vendor “is authorized to be the exclusive photography company for the school and is authorized to provide the school with the photography services listed.” These services include images on CD, yearbook CD, ID cards, pictorial/directory, OSR’s, Happy “BDay”, graduation photos and “free class group photos for each student and all services as required.”

[26]  The post card received by the complainant included two photos of his child taken on picture day, his child’s full name together with other details including three codes that could be used to order prints and other products via the vendor’s website. The vendor materials provided by the Board explicitly identify the products for sale and how to obtain them. For example, the vendor’s information pamphlet states “It’s Your Photo Day…”, and lists products such as magnets, bookmarks and keychains and explains “Online Ordering Available”.

[27]  I find that the Board disclosed personal information to the vendor for both administrative and marketing purposes. As such, I will now address whether the disclosure for each of these purposes is in accordance with section 32 of the Act.

Disclosure for administrative purposes

[28]  When applying the section 32(c) exception, the wording of which is identical to section 31(b) as described above, the same interpretation applies when considering whether the disclosure of personal information is related to the original purpose of collection, or for a consistent purpose.

[29]  In this circumstance, the students’ first and last name, home room, OEN, TDSB student number, and grade were disclosed to the vendor in order to match student photographs to their information and to ensure accurate records. The Board asserts that the information was disclosed in accordance with section 32(c), stating that “[t]he information was disclosed to [the vendor] to assist the TDSB with photographing the students at Indian Road Public School to maintain an up-to-date photograph for the student index card.”

[30]  According to the Trillium SIS Manual:

Your photographer will require Trillium student numbers when creating student images on a CD. Providing student information to photographers is at the discretion of Principals and VPs. Please be aware that the “Photographer Download” report in Report Generator includes the following data; Preferred Last/First Name, Student Number, OEN, Class and Grade.

[31]  I find the disclosure of at least some information of students, such as student numbers, names, home rooms, OENs, TDSB student numbers, and grades for administrative purposes, is consistent with the purpose of collection and therefore permissible under section 32(c) of the Act.

[32]  While the disclosure of the personal information at issue is allowed under the Act, there is more that the Board can do to minimize the amount of personal information disclosed to vendors. The Trillium SIS Manual indicates that the only information required to be provided to the vendor is the student number. Disclosure of this information is reasonable as the student number is unique to each student and is necessary to ensure photographs are assigned to the correct student file. In contrast, the disclosure of additional information such as first and last name, class, grade and OEN to photographers appears to be discretionary. I note that the Trillium SIS Manual does not identify what factors school staff may consider when exercising their discretion.

[33]  When considering what personal information to disclose, the Board should adhere to the principle of data minimization. The IPC has described data minimization as a fundamental principle of data protection and defined it as “the practice of limiting the collection of personal information to that which is directly relevant and necessary to achieving a specified purpose.” [7] Data minimization places a responsibility on school staff to determine whether a photography vendor requires additional student information to fulfil a school’s administrative needs. Auto-populating the fields in “Photographer Download” with all the above-described categories of personal information is inconsistent with the exercise of discretion. Instead, school staff should decide, based on the circumstances of their particular school, whether it is necessary to disclose specific types of personal information.

[34]  While I find that the disclosure of students’ personal information was in accordance with section 32(c) of the Act, I am also of the view that the Board should minimize the personal information disclosed to vendors to that which is necessary to fulfill a school’s administrative needs.

Disclosure to the vendor for marketing purposes

[35]  Section 32(c) permits the disclosure of personal information for the purposes for which it was obtained or for a consistent purpose. As explained above, the Board disclosed students’ personal information to the vendor for administrative purposes. Although the Board does not take the position that it also disclosed this information for the vendor’s marketing purposes, it was aware that disclosure of student names would also assist the vendor to offer photographs to parents. Therefore, this raises the issue of whether disclosure for this secondary purpose can be considered a “consistent purpose” within the meaning of section 32(c).

[36]  Section 33 describes consistent purpose as follows:

The purpose of a use or disclosure of personal information that has been collected directly from the individual to whom the information relates is a consistent purpose under clauses 31(b) and 32(c) only if the individual might reasonably have expected such a use or disclosure.

[37]  Section 33 grants institutions the flexibility to disclose personal information for a purpose for which it may not have originally been collected. That said, section 33 makes it clear that this flexibility is premised on individuals’ reasonable expectations.

[38]  Reasonableness is a well established legal concept. In Privacy Complaint Report MC07-64, this office explained that “[t]here must be a rational connection between the purpose of the collection and the purpose of the use in order to meet the ‘reasonable person’ test set out in section 33.” [8] A key element of reasonable expectation is foreseeability.

[39]  In these circumstances I find that there is a reasonable expectation that student photographs would be offered for sale by the vendor. As noted above, the complainant’s child brought home a note indicating that the school picture day was occurring. As well, parents/guardians are provided with a school calendar that references picture day. In most schools, a photographer comes once a year to take individual and class photographs for sale to parents and for use within the school. This practice has been a part of school and family life for decades. As the sale of student photographs to parents/guardians is a historic and well known practice, I find that the disclosure is reasonably foreseeable. [9]

[40]  I conclude that an individual in the complainant’s position should reasonably expect that the student’s personal information would be disclosed to the photography vendor for specific limited marketing purposes. Accordingly, I find that the disclosure of some of the personal information at issue was for a consistent purpose and therefore in accordance with section 32(c). 

[41]  Despite my findings, I have two recommendations. First, as previously indicated, I am of the view that it may not have been necessary to disclose all of the personal information at issue to the vendor in this circumstance. I repeat my recommendation that the Board exercise diligence to minimize the amount of personal information that is disclosed. Second, I recommend that the Board provide parents/guardians with the ability to opt out of the vendor’s marketing activities or related uses. It is at the Board’s discretion how to implement such a measure.

5. Did the Board’s Service Agreement with the vendor include adequate provisions with respect to the protection of students’ personal information?

[42]  Under the Act, the Board is responsible for the security, retention and destruction of personal information in its custody or control.

[43]  Section 3(1) of Ontario Regulation 823, made pursuant to the Act states:

Every head shall ensure that reasonable measures to prevent unauthorized access to the records in his or her institution are defined, documented and put in place, taking into account the nature of the records to be protected.

[44]  Section 5 of Ontario Regulation 823 sets out the retention requirements for records of personal information in the custody or control of an institution. It requires personal information to be retained for one year (with exceptions) after use, but does not prohibit keeping it longer.

[45]  In response to the complainant’s concerns, I have reviewed the information provided by the Board to determine whether its privacy protection and retention measures comply with the Act. The Board is ultimately responsible for the safety and security of its students’ personal information and for ensuring that its photography vendors agree to take adequate administrative, physical and technical measures to protect personal information.

[46]  In response, the Board explained that it applies several measures to protect the personal information provided to photography vendors. The measures include screening vendors (e.g. Police record check for photographers) during the request for proposal process. The Board stated that schools negotiated and discussed the access and privacy provisions required to properly collect, use and disclose personal information. The Board noted that sharing personal information with vendors is limited to a small group of Board employees. The Board informed the IPC that they are working towards revising the existing request for proposal process to include more stringent privacy measures and clauses, as well as creating and implementing a training program for staff members regarding access and privacy issues.

[47]  The Board explained that the vendor retains student information for a period of two years from the date of collection to allow for parents/guardians to order their children’s images, after which the vendor destroys the students’ information. While the Board asserts that parents/guardians and students may request that student information be destroyed prior to the two years elapsing, this is not indicated anywhere in the documents provided to the IPC.

[48]  The Board provided a copy of the School’s Service Agreement with the vendor. The Board noted that the vendor has been used by the School for many years and that the principal has had multiple conversations with the vendor regarding the School’s expectations.

[49]  It is noteworthy that neither the Service Agreement nor the Trillium SIS Manual address security or retention when providing personal information to vendors.

[50]  The service agreement between the Board and the vendor should provide, at a minimum, that personal information is collected, retained, used, disclosed and disposed of in accordance with the Board’s obligations under the Act. It should explain that the vendor will take reasonable steps to protect the security and confidentiality of this information and ensure its secure destruction. These are all elements that I recommend be included in the service agreements between the Board’s schools and photography vendors.

[51]  Furthermore, I recommend that personal information not be retained by the photography vendor for longer than necessary and that parents/guardians be clearly informed that they can request that the vendor destroy the information so long as it does not interfere with the Board’s administrative requirements. These requirements should be incorporated into the service agreements between the Board’s schools and vendors.

[52]  I find that the Board’s Service Agreement with the vendor does not include adequate provisions to protect students’ personal information. Accordingly, I recommend that the Board revise its service agreements with photography vendors to ensure compliance with the Act.

CONCLUSION:

  1. The information at issue is “personal information” as defined by section 2(1) of the Act.
  2. The Board’s collection and use of student photographs is authorized under sections 28(2) and 31 of the Act.
  3. The Board did not provide a notice of collection of student photographs in accordance with section 29(2) of the Act.
  4. The Board’s disclosure of students’ personal information to the vendor was in accordance with section 32(c) of the Act.
  5. The Board’s Service Agreement with the vendor does not include adequate provisions with respect to the security, retention and destruction of students’ personal information.

RECOMMENDATIONS:

  1. I recommend that the Board implement a Notice of Collection explaining its authority and purpose for collecting student photographs. The notice should include a Board or School contact person. The notice may be added to the Student Registration Form, a separate form or can be provided via the Board’s website or otherwise, as the Board sees fit.
  2. I recommend that parents/guardians be provided with the opportunity to opt out of receiving marketing from vendors regarding the sale of photographs and related products.
  3. I recommend that the Board clearly inform parents/guardians that they can request that the vendor destroy the personal information so long as it does not interfere with the Board’s administrative requirements.
  4. I recommend that the Board develop guidelines for staff to assist them in exercising their discretion concerning the amount of personal information that is necessary to disclose to photography vendors.
  5. I recommend that the Board revise its service agreements with photography vendors to ensure compliance with the Act.

The Board has reviewed this Report and agreed to implement the recommendations described above. Within six months of receiving this Report, the Board should provide this office with proof of compliance with the above recommendations.

Original Signed by:

April 24, 2018

Jeffrey Cutler

Investigator


[1] Section 11(3)(e) of Regulation 298 made pursuant to the Education Act.

[2] Section 11(3)(f) of Regulation 298 made pursuant to the Education Act.

[3] Section 11(3)(n) of Regulation 298 made pursuant to the Education Act.

[6] MC07-68.

[8] Although this analysis is in reference to use as addressed in section 31(b), the same approach also applies to disclosure as covered in section 32(c).

[9] I accept that the sale of student photographs is an historic practice by applying the principles of judicial notice as outlined in R. v. Find. In that case, the Supreme Court of Canada explained that a court may properly take judicial notice of facts that are either (1) so notorious or generally accepted as not to be the subject of debate among reasonable persons, or (2) capable of immediate and accurate demonstration by resort to readily accessible sources of indisputable accuracy. R. v. Find [2001] 1 S.C.R. 863, 2001 SCC 32 at para. 48.