PRIVACY COMPLAINT REPORT

PRIVACY COMPLAINT MI16-3

Peel District School Board

March 23, 2018

Summary: The Office of the Information and Privacy Commissioner (the IPC) received information that the Peel District School Board (the Board) may have contravened the Municipal Freedom of Information and Protection of Privacy Act  (the Act ) when one of its teachers allegedly disclosed the names of students who had Individual Education Plans (IEPs) to her spouse, an investment representative, so that he could solicit business from their parents. In response, the IPC opened a Commissioner-initiated privacy complaint file to determine if the Board’s actions were consistent with the requirements of the Act . In this Privacy Complaint Report, I find that the information at issue is personal information and that the disclosure of students’ personal information from a Special Education Teacher to another teacher did not comply with section 32  of the Act . I also find that the Board’s use of students’ personal information, through the actions of the teacher, did not comply with section 31  of the Act . This report recommends that the Board require all staff sign confidentiality agreements when they are hired by the Board and annually thereafter.

Statutes Considered: Municipal Freedom of Information and Protection of Privacy Act , R.S.O. 1990, c. M. 56 , as amended, sections 2(1), 31 , 32 , 33.

Orders and Investigation Reports Considered: MC07-64, PO-1880.

BACKGROUND:

[1]  The Office of the Information and Privacy Commissioner (the IPC) received information that the Peel District School Board (the Board) may have contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act) when one of its teachers allegedly disclosed the names of students who had Individual Education Plans (IEPs), to her spouse, an investment representative, so that he could solicit business from their parents. In response, the IPC opened a Commissioner-initiated privacy complaint file and contacted the Board about the potential breach.

[2]  In response to the IPC’s inquiries, the Board informed this office that it first learned of the alleged breach when the parent of a student at one of its schools raised concerns about his child bringing home a package of information regarding Registered Disability Savings Plans (RDSPs). This package was addressed to the student by name and included the business card of the teacher’s spouse and a gift certificate for a financial needs analysis. Upon receipt of this complaint, the Board commenced an investigation. Pending the outcome of its investigation, the teacher was “assigned to home,” which the Board explained was a non-disciplinary action that essentially suspended the teacher with pay.

[3]  The Board’s investigation concluded that a Special Education Teacher had printed a list of the students who had IEPs and had disclosed it to the teacher. The teacher had wrongfully informed the Special Education Teacher that she had the principal’s consent to receive this information. According to the information provided by the Board to this office, the teacher’s spouse had previously asked the Board for a list of students who had IEPs so that he could provide their parents with information about RDSPs and his request had been denied.

[4]  Given the sequence of events in this case, I will first analyze whether the disclosure of information from the Special Education Teacher to the teacher complied with the Act and will then analyze whether the information was used permissibly.

ISSUES:

[5]  The following issues were identified as arising from this investigation:

1. Is the information at issue “personal information” as defined by section 2(1) of the Act ?
2. Was the information “disclosed” in accordance with section 32 of the Act ?
3. Was the information “used” in accordance with section 31 of the Act ?
4. Did the Board respond adequately to the breach?

DISCUSSION:

Issue 1:  Is the information at issue “personal information” as defined by section 2(1) of the Act?

[6]  Personal information is defined in section 2(1) of the Act, which states in part:

“personal information” means recorded information about an identifiable individual, including,

…

(b)   information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved.

…

(h)   the individual’s name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

[7]  To qualify as personal information, it must be reasonable to expect that an individual could be identified if the information were disclosed. [1]

[8]  The information at issue is a list of 28 students who have IEPs. Accordingly, I find that the information at issue qualifies as “personal information” within the meaning of paragraphs (b) and (h) of the definition at section 2(1) of the Act . The Board does not dispute this finding.

Issue 2:  Was the information “disclosed” in accordance with section 32 of the Act?

[9]  It is the Board’s position that the disclosure did not comply with the Act . It does not dispute that, as an institution under the Act , it is responsible for the actions of the teacher and Special Education Teacher in the circumstances of this case. Section 32 of the Act  provides a list of exceptions to the general prohibition against the disclosure of personal information by institutions. In order for a given disclosure of personal information to be authorized under the Act , the institution must demonstrate that the disclosure was in accordance with at least one of the exceptions listed in section 32 of the Act . Section 32 of the Act  states:

An institution shall not disclose personal information in its custody or under its control except,

(a) in accordance with Part I;

(b) if the person to whom the information relates has identified that information in particular and consented to its disclosure;

(c) for the purpose for which it was obtained or compiled or for a consistent purpose;

(d) if the disclosure is made to an officer, employee, consultant or agent of the institution who needs the record in the performance of their duties and if the disclosure is necessary and proper in the discharge of the institution’s functions;

(e) for the purpose of complying with an Act of the Legislature or an Act of Parliament, an agreement or arrangement under such an Act  or a treaty;

(f) if disclosure is by a law enforcement institution,

(i) to a law enforcement agency in a foreign country under an arrangement, a written agreement or treaty or legislative authority, or

(ii) to another law enforcement agency in Canada;

(g) if disclosure is to an institution or a law enforcement agency in Canada to aid an investigation undertaken with a view to a law enforcement proceeding or from which a law enforcement proceeding is likely to result;

(h) in compelling circumstances affecting the health or safety of an individual if upon disclosure notification is mailed to the last known address of the individual to whom the information relates;

(i) in compassionate circumstances, to facilitate contact with the spouse, a close relative or a friend of an individual who is injured, ill or deceased;

(j) to the Minister;

(k) to the Information and Privacy Commissioner;

(l) to the Government of Canada or the Government of Ontario in order to facilitate the auditing of shared cost programs.

[10]  In reviewing the list of exceptions in section 32, the only one that may apply to the disclosure of information from the Special Education teacher to the teacher is section 32(d), which states:

if the disclosure is made to an officer, employee, consultant or agent of the institution who needs the record in the performance of their duties and if the disclosure is necessary and proper in the discharge of the institution’s functions.

[11]  According to the language used in section 32(d), it is clear that the Act  treats the provision of personal information “to an officer, employee, consultant or agent of the institution” as a disclosure. Such a disclosure is only permitted under the Act  if the internal individual to whom the personal information is provided “needs the record in the performance of their duties and if the disclosure is necessary and proper in the discharge of the institution’s functions.”

[12]  As previously discussed, the teacher obtained students’ personal information from the Special Education Teacher to enable her husband to solicit investment business from the parents of students who had IEPs. I accept that the Special Education Teacher was misled into believing that the teacher was acting with the principal’s permission. Nonetheless, and even if the principal had authorized it, this disclosure was not permissible, as it did not meet any of the exceptions listed in section 32 of the Act , including section 32(d). The teacher did not need the list in the performance of her job duties nor was it required by the Board to properly discharge its functions.

[13]  Based on the foregoing information, I find that the disclosure of the list of students who had IEPs from the Special Education teacher to the teacher did not comply with section 32 of the Act .

[14]  With respect to whether there was a disclosure of personal information from the teacher to her spouse, the Board stated the teacher maintained that once she had obtained the list of students who had IEPs, she did not disclose this information to her husband. Rather, according to the teacher, her husband stuffed blank envelopes with the RDSP materials and she then affixed labels with the students’ names on the envelopes and distributed these envelopes to the students’ teachers, who in turn gave them to the students to bring home. Based on this information, there is insufficient evidence to establish that there was a disclosure of personal information under section 32 of the Act  from the teacher to her spouse.

Issue 3:  Was the information “used” in accordance with section 31 of the Act?

[15]  I will now consider whether the teacher’s “use” of students’ personal information to solicit investment business complied with section 31 the Act . The Board’s position is that it did not.

[16]  Section 31 of the Act  provides a list of exceptions to the general prohibition against the use of personal information by institutions, as follows:

An institution shall not use personal information in its custody or under its control except,

(a) if the person to whom the information relates has identified that information in particular and consented to its use;

(b) for the purpose for which it was obtained or compiled or for a consistent purpose; or

(c) for a purpose for which the information may be disclosed to the institution under section 32 or under section 42 of the Freedom of Information and Protection of Privacy Act.

[17]  Section 33 defines “consistent purpose” as referenced in section 31(b) as follows:

The purpose of a use or disclosure of personal information that has been collected directly from the individual to whom the information relates is a consistent purpose under clauses 31(b) and 32(c) only if the individual might reasonably have expected such a use or disclosure.

[18]  In order for a given use of personal information to be permissible under the Act , the institution must demonstrate that the use was in accordance with at least one of the section 31 exceptions or that it was for a consistent purpose.

[19]  Neither of section 31(a) or 31(c) are applicable in the circumstances. Section 31(a) only applies when consent is provided by an individual to permit a specific use. No such consent was provided in these circumstances. Likewise, section 31(c) is not applicable, as none of the purposes for which the information may be disclosed to the institution described in section 32 apply in the circumstances.

[20]  As explained in Privacy Complaint Report MC07-64, when determining whether a particular use of personal information is in accordance with section 31(b):

[I]t is first necessary to determine the original purpose of the collection. Next, it is necessary to assess whether the use of this information can be properly characterized as being either for the original purpose of the collection, or for a purpose that is consistent with that original purpose.

[21]  The Board has acknowledged that the information was originally collected to educate students. The use of personal information to solicit business for an investment professional is not consistent with the original purpose for which it was collected nor for a consistent purpose. In fact, the Board’s own Conflict of Interest Policy explicitly states:

Promotion and/or Sale of Goods and Services, Including Teaching Materials

1. All employees are prohibited from directly or indirectly promoting, offering for sale or selling any book, teaching or learning materials or other goods, services or equipment to the Peel Board or to any other school board, provincial school or teachers’ college, or to any student (italics and underline in original)

[22]  As previously explained, the teacher obtained the list of students who had IEPs from the Special Education Teacher and then used this information to solicit investment business from the parents of these students. Based on the above-noted information, I find that the teacher’s use of students’ personal information to solicit business did not comply with section 31 of the Act .

Issue 4:  Did the Board respond adequately to the breach?

[23]  Once the Board’s investigation was complete and it had determined that there had been a privacy breach, the teacher received a letter of discipline, which was placed in her Human Resources file, and she was transferred to another school within the Board. This breach was also reported to the Ontario College of Teachers.

[24]  In notifying the parents of affected students of this breach, the school principal first contacted them by phone. This call was followed up by a letter of apology, which was signed by the Board’s Director of Education. This letter also informed parents that the IPC was aware of the breach.

Privacy Training

[25]  In response to this breach, the Board now provides school principals with annual privacy training. Principals are then required to annually remind their staff to review the Board’s policies and procedures with respect to privacy and confidentiality of personal information. This information is now included in all school staff handbooks which are provided to staff at the beginning of each school year.

Confidentiality Agreements

[26]  It has become common for organizations that handle personal information to have a requirement that confidentiality agreements are signed by all staff. Although the Board has a Confidentiality Agreement in place, this agreement must only be signed by staff who are not members of professional colleges (e.g. Ontario College of Teachers).

[27]  With respect to its rationale for determining that staff who belong to regulatory colleges are not required to sign Confidentiality Agreements, the Board stated that it:

[C]onsiders the legal requirements that apply governing access to personal student information (including student health information) pursuant to the Education Act, O.S.R. Guideline, the Act , the Regulated Health Professions Act, as well as the Personal Health Information and Protection of Privacy Act and existing Board policies, procedures, and practices to provide sufficient and appropriate regulation to the collection, use, retention, disclosure and disposal of student information and its confidentiality.

[28]  According to the Board, “the teacher deliberately and deceitfully accessed student information without regard to her legal obligations.” For this reason, the Board has stated that it does not believe that a confidentiality agreement would have prevented the behavior at issue in this matter, nor does it believe that having a confidentiality agreement would have resulted in a different disciplinary response for the teacher.

[29]  During the course of my investigation, the Board agreed to change its practice relating to confidentiality agreements. The Board will now require all staff who may have access to students’ personal information – including those who are members of professional colleges – to sign confidentiality agreements as part of their onboarding training when they are hired by the Board, as well as annually thereafter.

CONCLUSIONS:

[30]  Based on the findings of my investigation, I have reached the following conclusions:

1. The information at issue is “personal information” as defined by section 2(1) of the Act .
2. The disclosure of information from the Special Education Teacher to the teacher did not comply with section 32 of the Act . I have not been provided with sufficient information to find that there was a disclosure of information from the teacher to her spouse under section 32 of the Act .
3. The use of students’ personal information did not comply with section 31 of the Act .
4. The Board has responded adequately to the breach.

RECOMMENDATION:

I recommend that the Board require all staff – including those who are members of professional colleges – sign confidentiality agreements when they are hired by the Board and annually thereafter.

The Board should provide the IPC with proof of compliance with the above-noted recommendation by June 19, 2018.

Original Signed by:		March 23, 2018
Trish Coyle
Investigator