PRIVACY COMPLAINT REPORT

PRIVACY COMPLAINT MC16-5

Hamilton-Wentworth District School Board

May 7, 2018

Summary: The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the Hamilton-Wentworth District School Board (the Board) contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act ) when it disclosed a student’s personal information to a photography vendor. I conclude that the collection and use of students’ photographs for administrative purposes is in accordance with sections 28(2)  and 31  of the Act , respectively. As well, I find that the Board’s notice of collection complies with section 29(2) of the Act and that the Board’s Service Agreement with the vendor included adequate provisions with respect to the protection of the students’ personal information. Furthermore, while I conclude that the Board’s disclosure of students’ personal information to the vendor for administrative and limited marketing purposes was in accordance with section 32  of the Act , I find that the disclosure for the vendor’s Pictures2Protect Program was not.

Statutes Considered: Municipal Freedom of Information and Protection of Privacy Act ,  R.S.O. 1990, c. M.56 , as amended, sections 2(1), 28(2) , 29(2), 31  and 32 ; R.R.O. 1990, Reg. 823, sections 3(1) and 5; Education Act , R.S.O. 1990, c. E.2, sections 170(1) , 264(1) , 265(1) , 300.1  and 300.2 ; R.R.O. 1990, Reg. 298, section 11(3).

Cases: R. v. Find [2001] 1 S.C.R. 863, 2001 SCC 32.

Orders and Investigation Reports Considered: MC07-64.

BACKGROUND:

[1]  The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a privacy complaint under the Municipal Freedom of Information and Protection of Privacy Act (the Act) from an individual (the complainant) relating to the Hamilton-Wentworth District School Board (the Board). The complainant asserted that the Earl Kitchener Elementary School (the School) within the Board contravened the Act when making her child’s personal information available to a third-party photography company (the vendor).

[2]  The complainant asserts that on October 15, 2015, her son had his photograph taken by the vendor on “Picture Day” at the School, despite her refusal to consent to have her child’s photograph taken for any reason other than for administrative purposes. The complainant also asserts that prior to Picture Day, the Board disclosed her child’s first and last names to the vendor.

[3]  The complainant also raised concerns about the vendor’s Pictures2Protect Program in which it creates identification cards to assist if a child is reported missing. This program is operated in partnership with the Canadian Centre for Child Protection (CCCP). The complainant is concerned that the CCCP has access to the personal information in the vendor’s possession.

[4]  The Board provided the following information regarding the collection, use and disclosure of student photographs by the vendor and the School:

• The Board contracts vendors to collect student portraits for administrative purposes.
• Vendors send proofs of students’ photos to schools to be sent home with the students for their parents to see and place orders.
• School principals are given a complementary "Principal's album" containing photographs of all of the students, which are kept locked in principals’ offices and are used as a quick reference for identifying students.
• Digital files of student photographs are made available to the Information Technology (IT) department of the Board through a portal hosted by the vendor. Upon request from the school principal, IT staff download student photographs from the portal and upload them into the Board’s Student Information System (SIS) so that when student profiles are accessed, the student’s photograph appears beside the student’s name for user identification purposes. The downloaded files are then deleted.
• Educators and school office staff use photographs in the SIS to identify students. When necessary, student photographs are used by police in the event a student goes missing during the school day.
• Vendors send four wallet size photographs of each student to the schools for use in the Ontario Student Record (OSR) and for posting medical alerts (in staff areas only). The photographs are placed in the OSR for identification purposes; to ensure the OSR is attributed to the correct student. These photographs are kept in a locked file cabinet in the school office and the leftover photographs are shredded at the end of each school year. The Board notes that the Ministry of Education OSR Guidelines Form 1 contains four spots for student photographs, typically, one photograph for each stage of the education process (i.e. primary, junior, intermediate and senior).
• Consent was not historically considered necessary for student photographs, as they are important pieces of information for schools to conduct their business and it was assumed students would participate. However, given that the Board was not explicit about the use of student photographs, the Board’s new notice of collection will make this clear and parents will be reasonably accommodated. The notice of collection encourages parents to talk to the School if they have issues with what information is collected and used. Requests for accommodation are considered wherever possible.

[5]  Subsequent to receiving the above information, this matter was moved to the investigation stage of the IPC complaint process.

ISSUES:

1. Is the information at issue “personal information” as defined by section 2(1) of the Act?
2. Is the Board’s collection and use of student photographs authorized under sections 28(2) and 31 of the Act, respectively?
3. Did the Board provide a notice of collection as required under section 29(2) of the Act?
4. Was the disclosure of the personal information by the Board to the vendor in accordance with section 32 of the Act ?
5. Did the Board’s Service Agreement with the vendor include adequate provisions with respect to the protection of students’ personal information?

DISCUSSION:

1. Is the information at issue “personal information” as defined by section 2(1) of the Act?

[6]  Personal information is defined in section 2(1) of the Act which states, in part:

“personal information” means recorded information about an identifiable individual, including,

(a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,

(h) the individual’s name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

[7]  The Board confirmed that the information at issue is the complainant’s child’s photograph, and first and last names.

[8]  In my view, this information meets the requirements of paragraphs (a) and (h) of the definition of “personal information”. This conclusion is not disputed by the parties. Accordingly, I find the information in question qualifies as “personal information” as set out under section 2(1) of the Act .

2. Is the Board’s collection and use of student photographs authorized under sections 28(2) and 31 of the Act, respectively?

[9]  Section 28(2) of the Act  states:

No person shall collect personal information on behalf of an institution unless the collection is expressly authorized by statute, used for the purposes of law enforcement or necessary to the proper administration of a lawfully authorized activity.

[10]  In order for a collection of personal information to be permissible, it must satisfy one of these conditions. In the circumstances under investigation, the condition that applies is the necessity to administer a lawfully authorized activity. As such, the onus is on the Board to demonstrate first, that the activity is lawfully authorized, and second, that the collection of the personal information is necessary to that lawfully authorized activity.

[11]  I note that the Board’s operation of schools is lawfully authorized under section 170(1) of the Education Act. Furthermore, the operation of the School includes responsibility for the safety and security of students and property as set out in section 265(1) of the Education Act and section 11(3) of Regulation 298.

[12]  Examples of lawfully authorized activities that are relevant to collecting student photographs include the principal’s responsibility to provide supervision of pupils [1] and school activities; [2] notify parents or guardians of any infraction; [3] and admit students to class. [4] I note that section 265(1) (d) of the Education Act  permits principals to collect information for inclusion in the record of each student.

[13]  The next question to consider is whether the collection of student photographs is necessary to the operation of the School. In Special Investigation Report MC07-68, Commissioner Cavoukian concluded that for the collection to be “necessary” to the proper administration of a lawfully authorized activity means that it must be more than merely helpful.

[14]  The Board explained that “the personal information at issue is collected in accordance with section 28(2) of the Act  because it is necessary to the proper administration of a lawfully authorized activity.” The Board stated that the collection of student photographs is directly linked to the “effective and safe operations of schools” as mandated by the Education Act . The Board referenced the purposes set out at section 300.0.1  of the Education Act , which include creating schools in Ontario that are safe, inclusive and accepting of all pupils; to prevent and address inappropriate behaviour; and to provide students with a safe learning environment.

[15]  The Board explained that it is important for teachers to know their students, for supply teachers to be able to identify students, and for all staff to know those students at risk of anaphylactic shock or other life threatening conditions, those with severe behaviour challenges, and victims of bullying. Further, section 300.2  of the Education Act  requires all school staff to report issues involving any student of the school and therefore be able to identify all students.

[16]  I accept the Board’s submissions and find that the collection of student photographs is necessary to the operation of the school and therefore meets the requirement that it be “necessary to the proper administration of a lawfully authorized activity.”

[17]  The Board also referenced sections 264(1) (e) and 170(1) 7.2 of the Education Act , which concern the duty of teachers to maintain order and discipline on the entire school ground and the duty of school boards to provide programs and supports to address bullying. The Board stated that it “utilizes school portraits purposefully and strategically and considers them a necessary tool in successfully meeting its legislated duties to operate safe and effective schools.”

[18]  Further, I find that the Board’s use of student photographs is consistent with the purpose of the collection. Section 31(b) of the Act  outlines the provisions permitting use, stating, in part:

An institution shall not use personal information in its custody or under its control except,

(a) for the purpose for which it was obtained or compiled or for a consistent purpose;

[19]  As previously determined by the IPC, when determining whether a particular use of personal information is in accordance with section 31(b) “it is necessary to assess whether the use of this information can be properly characterized as being either for the original purpose of the collection, or for a purpose that is consistent with that original purpose.” [5] There is no information before me to suggest that the Board uses the information other than for the purposes that necessitate its collection.

[20]  In sum, I conclude that the ability to identify individual students via the collection and use of photographs contributes to the safe and effective operation of schools. I also conclude that collecting student photographs to maintain up-to-date records, such as the OSR, is a necessary administrative function. I find that the Board has demonstrated that the collection of student photographs is necessary to the proper administration of a lawfully authorized activity in accordance with section 28(2) and that the associated use is consistent with the purpose of this collection, as required by section 31(b) of the Act.

3. Did the Board provide a Notice of Collection as required under section 29(2) of the Act?

[21]  Section 29(2) of the Act  imposes a notice requirement on institutions that collect personal information, and states:

If personal information is collected on behalf of an institution, the head shall inform the individual to whom the information relates of,

(a) the legal authority for the collection;

(b) the principal purpose or purposes for which the personal information is intended to be used; and

(c) the title, business address and business telephone number of an officer or employee of the institution who can answer the individual’s questions about the collection.

[22]  The Board explained that parents/guardians are provided with a school calendar, outlining events in the school community throughout the year, including Picture Day. The Board also provided a copy of an informational pamphlet circulated by the vendor via the school to parents/guardians notifying of Picture Day, and included contact information in which the vendor offered to answer any questions regarding their services. The Board advised that vendors do not have access to parents/guardians’ contact information unless parents/guardians provided it to the vendors themselves.

[23]  These documents do not reference why the information is collected beyond the general explanation that it is “Picture Day” and “Photo Day”. Nor do the vendor’s information pamphlets indicate any administrative purpose for the collection. Rather, as described above, the vendor’s materials concern taking and providing student portraits.

[24]  During the course of the Investigation, the Board explained that it was revising its “Student Registration and Information Form”, as it was flawed.

[25]  The Board also created a new document titled “How We Collect, Use and Disclose Your Personal Information” that addresses parents/guardians and students. The document defines personal information and explains why the Board collects personal information, as well as how it is used and disclosed. This is a comprehensive document, which addresses the administrative purposes for which the Board uses photographs as well as explaining that photographs are offered to parents for purchase. Included with the posting of this document on the Board’s website is the contact information for the staff member who can address questions and concerns.

[26]  The Board also explained that its Privacy Officer will work with schools to assist them in adopting a communication strategy that results in more frequent and timely information to parents/guardians, and provides an opportunity to ask questions and voice concerns.

[27]  Whether or not the Board met the prescribed notice requirements at the time this complaint arose, I am satisfied that the measures implemented by the Board in response to the complainant’s concerns fulfill the notice requirements set out in section 29(2) of the Act .

4. Was the disclosure of the personal information in accordance with section 32 of the Act?

[28]  Section 32 of the Act  prohibits the disclosure of personal information in the custody or under the control of an institution except in certain circumstances. The exceptions that are relevant to this case are sections 32(c) and (d), which state:

An institution shall not disclose personal information in its custody or under its control except,

(c) for the purpose for which it was obtained or compiled or for a consistent purpose;

(d) if the disclosure is made to an officer, employee, consultant or agent of the institution who needs the record in the performance of their duties and if the disclosure is necessary and proper in the discharge of the institution’s functions;

[29]  In this circumstance, the students’ first and last names were disclosed to the vendor in order to match student photographs to their information and to ensure accurate records. As secondary purposes, the disclosure also permitted the vendor the opportunity to market photographs to parents/guardians and inform them of the Pictures2Protect Program. As such, I will now address whether the disclosure for each of these purposes is in accordance with section 32 of the Act .

Disclosure for administrative purposes

[30]  The Board asserts that the information was disclosed in accordance with section 32(d), stating:

School picture companies are agents of the board. HWDSB staff do not have the capacity to carry out school pictures. School picture companies, as agents of the board, come to schools to provide this service and are provided with the personal information they need in order to do so.

[31]  The Board’s document titled “How We Collect, Use and Disclose Your Personal Information” informs students and parents/guardians of the scope of disclosure including to allow Board staff access to the information they need to perform their duties and to meet legislated requirements. It also specifically references photography service providers and the need to organize photographs in order to provide proofs to a school as well as prepare files for uploading student photographs to student profiles in the Board’s SIS.

[32]  Section 32(d) uses the phrase “needs the record in the performance of their duties”. The Board’s “Privacy and Information Management” policy instructs staff to limit collection to only that information necessary for the specified purpose and for disclosure to be for the purposes for which it was collected. The Board’s approach is consistent with the principle of data minimization, which the IPC has described as a fundamental principle of data protection. [6]

[33]  In this circumstance, the disclosure of students’ first and last names is necessary to ensure photographs are correctly matched to students. The disclosure of the students’ names to the vendor fulfills an important administrative function which is consistent with the purpose of collection, as discussed above, and necessary to the proper discharge of the Board’s functions.

[34]  I find the Board has demonstrated that the disclosure of students’ names to the vendor was in accordance with section 32(d) of the Act .

Disclosure to the vendor for marketing purposes

[35]  Section 32(c) of the Act  permits information to be disclosed for the purpose for which it was obtained or for a consistent purpose. As explained above, the Board disclosed the students’ personal information, in this case first and last names, to the vendor for administrative purposes. Although the Board does not take the position that it also disclosed this information for the vendor’s marketing purposes, it was aware that disclosure of student names would also assist the vendor to offer photographs to parents. Therefore, this raises the issue of whether the disclosure for this secondary purpose can be considered a “consistent purpose” within the meaning of section 32(c).

[36]  Section 33 describes consistent purpose as referenced in section 32(c) as follows:

The purpose of a use or disclosure of personal information that has been collected directly from the individual to whom the information relates is a consistent purpose under clauses 31  (b) and 32 (c) only if the individual might reasonably have expected such a use or disclosure.

[37]  When applying the section 32(c) exception, the wording of which is identical to section 31(b) as described above, the same interpretation applies when considering whether personal information is disclosed for a purpose that is consistent with the original purpose.

[38]  Section 33 grants institutions the flexibility to disclose personal information for a purpose for which it may not have originally been collected. That said, section 33 makes it clear that this flexibility is premised on individuals’ reasonable expectations.

[39]  Reasonableness is a well established legal concept. In Privacy Complaint Report MC07-64, this office explained that “[t]here must be a rational connection between the purpose of the collection and the purpose of the use in order to meet the ‘reasonable person’ test set out in section 33.” [7] A key element of reasonable expectation is foreseeability.

[40]  Whether it was foreseeable that student photographs would be offered for sale by the vendor is determined by the circumstances. In this case, the Board provided a copy of the photography vendor’s “Student & Staff Data Privacy FAQ for School Records Custodians.” In it, the vendor explains that it:

... uses School Data solely as necessary to create, offer and deliver student images and school administrative services to the school and families of students. [The vendor] will not sell or license such data to others.

…

[The vendor] retains School Data only as necessary and permissible to promote the sale of portraits to parents, to retrieve the images to supply picture orders for the current school year and to support the school for an approved administrative purposes.

[41]  As noted above, parents/guardians are informed that pictures will be taken via the school calendar as well as via the vendor’s pamphlet notifying of Picture Day. In most schools, a photographer comes once a year to take individual and class photographs for sale to parents and for use within the school. This practice has been a part of school and family life for decades. As described in the FAQ, taking school photographs for sale to parents/guardians is a longstanding and understood historical practice, and I agree. [8]

[42]  I conclude that an individual in the complainant’s position should reasonably expect that the student’s personal information including first and last name, would be disclosed to the vendor for the purpose of offering parents the opportunity to purchase their children’s photographs. Accordingly, I find that the disclosure of the information at issue was for a consistent purpose and in accordance with section 32(c).

[43]  Despite the Board’s disclosure being permissible under the Act , I agree with its initiative to revise its notice of collection to include the vendor’s commercial use and to inform parents/guardian that they will be reasonably accommodated. Since this is a secondary purpose, I will also recommend that the Board provide parents/guardians with the ability to opt out of the vendor’s marketing activities or other uses.

Disclosure to the vendor for the Pictures2Protect Program

[44]  As noted above, the complainant raised concerns about the Pictures2Protect Program, a program offered by the vendor. The Board provided me with information about this program, including communications from the vendor to the Board explaining the program as well as an FAQ authored by the vendor. As explained in the vendor’s FAQ, the Pictures2Protect Program is offered in collaboration with the CCCP. As part of the program, the vendor provides two complimentary photo ID cards each year to students at participating schools, at no extra cost. The vendor describes the programs as a means to assist police and/or the media when searching for a lost or missing child.

[45]  The vendor does not share personal information with the CCCP through the Pictures2Protect Program unless a parent/guardian initiates the service. The Board provided the following information from the vendor:

We reiterate that there is no sharing of the child’s personal information. The cards stay with the parent or guardian, and the image of the child is not shared outside of [the vendor]. Parents and guardians do not “participate” in the P2P Program unless they affirmatively use the card to contact the [CCCP] to initiate the release of the photo in the event of an emergency. CCCP’s role is to verify the caller’s identity and their relationship to the child in question, and, once verified, CCCP contacts [the vendor] through established procedures.

[46]  As described, the Pictures2Protect Program facilitates the consensual transfer of student photographs in emergency situations. The vendor does not share personal information with the CCCP as part of the Pictures2Protect Program unless a parent/guardian initiates the service.

[47]  Although the vendor does not share any personal information of students with the CCCP, it does use the information disclosed by the Board for the Pictures2Protect Program. This therefore raises the issue of whether the Board’s disclosure of student information for such a purpose is permitted under the Act . Applying the section 32(c) analysis, the question is whether the disclosure relates to the original purpose for collection or for a consistent purpose. The original collection was unrelated to the Pictures2Protect Program. As for consistent purpose, there is no information before me to conclude that parents/guardians would have reasonably foreseen the disclosure for the Pictures2Protect Program and it is therefore not in accordance with section 32 of the Act .

[48]  To address this concern, I recommend that the Board notify parents/guardians of the Pictures2Protect Program and permit them to opt out of receiving the complimentary student ID cards.

5. Did the Board’s Service Agreement with the vendor include adequate provisions with respect to the protection of students’ personal information?

[49]  Under the Act, the Board is responsible for the security, retention and destruction of personal information in its custody or control.

[50]  Section 3(1) of Ontario Regulation 823, made pursuant to the Act states:

Every head shall ensure that reasonable measures to prevent unauthorized access to the records in his or her institution are defined, documented and put in place, taking into account the nature of the records to be protected.

[51]  Section 5 of Ontario Regulation 823 sets out the retention requirements for records of personal information in the custody or control of an institution. It requires personal information to be retained for one year (with exceptions) after use, but does not prohibit keeping it longer. The Board is ultimately responsible for the safety and security of its students’ personal information and for ensuring that its photography vendors agree to take adequate administrative, physical and technical measures to protect personal information.

[52]  The service agreement between the Board and the vendor should provide, at a minimum, that personal information is collected, retained, used, disclosed and disposed of, in accordance with the Board’s obligations under the Act . It should explain that the vendor will take reasonable steps to protect the security and confidentiality of this information and ensure its secure destruction.

[53]  In response, the Board described multiple measures to manage the personal information that it provides to photography vendors, including:

• The Photography Service Agreement requires that the vendor “will not disclose confidential information provided by the school or use it for any purpose except to fulfill the services requested to be performed…”
• Implementing a “Third Party Service Provider Questionnaire” to determine the privacy and security “posture” of all school photography vendors. It requires photography vendors to answer multiple questions addressing accountability, data storage, safeguards, training and awareness.
• Requiring that vendors not permit third parties access to the personal information disclosed to them by the Board without the consent of parents/guardians and to maintain this information on secure servers.

[54]  The vendor’s “Student & Staff Data Privacy FAQ for School Records Custodians” describes the personal information the vendor collects, how it is used and disclosed, as well as the security measures. With regard to security, the vendor describes a number of measures to protect personal information, including firewalls, monitoring and testing of network security, controlled access, authentication procedures as well as encryption. This document also includes the vendor’s contact information.

[55]  Based on the information before me, I find that reasonable provisions to prevent unauthorized access to the records are defined, documented and in place as required by Section 3(1) of Ontario Regulation 823.

[56]  The Board explained that the vendor retains student photographs and other personal information for a period of 12 to 18 months following Picture Day, unless the Board requests an alternative period. After this period the records are destroyed. The Board states that parents/guardians or adult children may request that the photography vendor destroy their personal information. In the circumstances of this Investigation, the Board explained that the vendor removed the complainant’s child’s photographs from their database at her request.

[57]  The vendor’s “Student & Staff Data Privacy FAQ for School Records Custodians” states that once “School Data” is no longer needed for the purposes it was retained (to create, offer and deliver student images and school administrative services to the school and the families of students), it is securely destroyed.

[58]  I find that the Board’s retention practices are in accordance with the Act . That said, I recommend that the Board clearly inform parents/guardians that they can request that the Board direct the vendor to destroy the personal information so long as it does not interfere with the Board’s administrative requirements.

CONCLUSION:

1. The information at issue is “personal information” as defined by section 2(1) of the Act.
2. The Board’s collection and use of student photographs is authorized under sections 28(2) and 31 of the Act.
3. The Board’s notice of collection complies with section 29(2) of the Act .
4. The Board’s disclosure of students’ personal information to the vendor for administrative and marketing purposes was in accordance with section 32 of the Act .
5. The disclosure in relation to the vendor’s Pictures2Protect Program was not in accordance with section 32 of the Act .
6. The Board’s Service Agreement with the vendor includes adequate provisions with respect to the security, retention and destruction of students’ personal information.

RECOMMENDATIONS:

1. I recommend that parents/guardians be provided with the opportunity to opt out of receiving marketing from vendors regarding the sale of photographs and related products.
2. I recommend that the Board notify parents/guardians of the Pictures2Protect Program and permit them to opt out of receiving the complimentary student ID cards.
3. I recommend that the Board clearly inform parents/guardians that they can request that the Board direct the vendor to destroy the personal information so long as it does not interfere with the Board’s administrative requirements.

The Board has reviewed this Report and agreed to implement the recommendations described above. Within six months of receiving this Report, the Board should provide this office with proof of compliance with the above recommendations.

Original Signed by:		May 7, 2018
Jeffrey Cutler
Investigator