PRIVACY COMPLAINT REPORT

PRIVACY COMPLAINT MI17-3

Corporation of the Township of McGarry

June 26, 2018

Summary: On May 25, 2016, the Office of the Information and Privacy Commissioner/Ontario received an appeal under the Municipal Freedom of Information and Protection of Privacy Act (the Act) in relation to an access decision issued by the Township of McGarry (the Township). During the processing of the appeal, the lawyer for the Township wrote to the affected parties in order to notify them of the access request and to obtain consent to disclose the information related to them that had been identified as responsive to the access request.

In correspondence to the affected parties, the Township’s lawyer disclosed the name of the individual who sought access to the requested information. This Report finds that the information disclosed was personal information and that the disclosure was not in accordance with section 32 of the Act.

This Report also finds that the Mayor is the “head” of the Township, and that the head has not complied with section 3(1) of Ontario Regulation 832. Specifically, the head has not ensured that the Township has defined, documented and put in place reasonable measures to prevent and respond to unauthorized use or disclosure of records containing or revealing the identity of a requester.

Statutes Considered: Municipal Freedom of Information and Protection of Privacy Act, sections 2(1), 3, 32, 14(1), 21 and Ontario Regulation 832 section 3(1)

Orders and Investigation Reports Considered: Orders PO-1880, P-230, PO-3813, PO-1998, MC-040012-1, MC-050034-1 and MC-050005-1

BACKGROUND:

[1]  On May 25, 2016, the Office of the Information and Privacy Commissioner/Ontario (the IPC) received an appeal under the Act, in relation to an access decision issued by the Township. During the processing of the appeal, the Township’s lawyer wrote to the affected parties in order to notify them of the access request and to obtain consent to disclose the information related to them that had been identified as responsive to the access request.

[2]  In correspondence to the affected parties, the Township’s lawyer disclosed the name of the individual who sought access to the requested information (the requester).

[3]  Upon learning of this disclosure, this office became concerned that a breach of the Act’s provision restricting the disclosure of personal information may have occurred. Clarification as to what exactly happened was requested by this office and in response the Township’s lawyer provided some additional details which will be discussed later in this report. He also confirmed that he had in fact disclosed the name of the requester to the affected parties. The Township’s lawyer also advised this office that it was the Township’s position that no breach of the Act had occurred because “…the requester’s name is not personal information within the definition of that term”.

[4]  The Township’s lawyer also took the position that since a breach had not occurred, the Township would not be notifying the requester that his personal information had been inappropriately disclosed to the affected parties.

[5]  After receiving this response, this office notified the requester of the disclosure, a Commissioner initiated privacy complaint file was opened, and this matter was assigned to myself as the investigator.

INVESTIGATION:

[6]  On August 15, 2017, I contacted the Township to advise that based on the response received from the Township’s lawyer, this matter was now at the investigation stage. The Township advised me to continue communicating with their lawyer directly.

[7]  On September 29, 2017, I wrote to the Township’s lawyer, and asked questions regarding the circumstances of the disclosure, as well as the Township’s position on this matter. My request for representations also requested a response by a specified date. When I did not receive a reply to my September 29, 2017 request for information, I followed up with the Township’s lawyer by email and telephone. I never received a reply to any of these inquiries. Thereafter, I contacted the Township directly by email and telephone requesting a response to my request for information. Again, I received no reply from anyone representing the Township.

[8]  Subsequently, on November 28, 2017, I spoke to the Township’s Mayor about the lack of response from the Township.

[9]  During this call, additional concerns came to my attention. Despite the fact the disclosure had occurred while the lawyer was acting on behalf of the Township, the Mayor’s view was that, the Township’s lawyer is the “subject” of the privacy breach investigation, and as such, it is up to the Township’s lawyer and solely his responsibility, to respond to the IPC on this matter.

[10]  The Mayor also indicated that the Township has no power or duty to ensure that a response be provided to the IPC.

[11]  Ultimately, the Mayor agreed to contact the Township’s lawyer to “ask” him to respond. Despite this, I still did not receive a response from the Township’s lawyer nor anyone representing the Township.

[12]  In light of these developments, I had additional questions related to the Township’s policies and practices with respect to responding to privacy breach complaints and remaining accountable for compliance with the Act. Accordingly, on January 11, 2018, I wrote directly to the Mayor requesting representations and asking that the Township respond to a number of questions. This request for information was copied to the Township’s lawyer and clerk. In view of the importance of understanding the Township’s efforts to protect the privacy of requestors and comply with the Act, my request for information also advised the Mayor that I would still consider responses to the questions in my earlier request for representations, as long as I also received those by a specified date.

[13]  Once again, I did not receive a response from the Township or anyone representing the Township. In this context, I rely on the uncontested summaries of facts provided to the Township during my investigation, as well as a limited amount of information tied to the disclosure of the requestor’s identity, provided to this office by the Township’s lawyer prior to the commencement of my investigation.

ISSUES:

[14]  The following issues were identified as arising from this investigation:

1. Is the information at issue “personal information” as defined in section 2(1) of the Act?
2. Was the Township’s disclosure of the information at issue in accordance with section 32 of the Act?
3. Who is the head of the institution?
4. Has the head defined, documented and put in place reasonable measures to prevent and respond to unauthorized access to the records in his or her institution?

DISCUSSION:

Issue 1:   Is the information at issue “personal information” as defined by section 2(1) of the Act?

[15]  Section 2(1) of the Act states in part:

“personal information” means recorded information about an identifiable individual, including,

a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,

b) information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,

c) any identifying number, symbol or other particular assigned to the individual,

d) the address, telephone number, fingerprints or blood type of the individual,

e) the personal opinions or views of the individual except where they relate to another individual,

f) correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,

g) the views or opinions of another individual about the individual, and

h) the individual’s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual; 

[16]  The list of examples of personal information under section 2(1) is not exhaustive. Information that does not fall under paragraphs (1)(a) to (h) may still qualify as personal information.

[17]  To qualify as personal information, it must be reasonable to expect that an individual may be identified if the information is disclosed. [1]

[18]  At issue in this complaint is the information conveyed by the Township to the affected parties during the processing of an access request. The information provided included the requester’s name and the fact s/he had made a request for access under the Act.

[19]  As previously indicated, when this concern first arose, the IPC contacted the Township’s lawyer and asked for a written report regarding details of the breach. The Township’s lawyer responded by providing the following statement:

There was no breach of the Act here. [the IPC’s] letter refers to an “inappropriate” disclosure of the requester’s name. The circumstances reveal that there was no impropriety, however, before the issue of propriety arises, there would have to be a breach of the Act, on the basis of the definition of “personal information” contained in the Act:

“personal information” means recorded information about an identifiable

individual, including,

(h) the individual’s name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual;

I submit that the requester’s name is not personal information within the definition of that term.

[20]  As discussed further below, correspondence sent to certain affected parties included the requester’s name and appeared with other personal information relating to the requester (e.g. the fact s/he made an access request). Having considered the nature of the information at issue, I am satisfied that it includes the personal information of the requester. This view is consistent with past Orders and Privacy Complaint Reports issued by this office. [2]

Issue 2:   Was the Township’s disclosure of the information at issue in accordance with section 32 of the Act?

[21]  The information before me indicates that the Township’s lawyer disclosed the requestor’s personal information at least twice. The first known occasion was in an email dated March 17, 2017, from the lawyer to the Township of Laurentian Valley at info@Ivtownship.ca. This email stated in part:

I act for the Township of McGarry in the matter of a request for records that was made by [requester’s name], seeking records pertaining to [a particular individual].

…

[22]  The second disclosure I am aware of relates to a letter sent to an affected party by the Township’s lawyer. Although I have not been provided with a copy of the Township’s lawyer’s letter, the affected party’s responding letter stated the following in part:

I require to know who [the named requester] is and his interest in my hiring at McGarry Township.

…

[23]  In addition to the above, in response to the concerns raised, the Township’s lawyer sent an email to this office on May 2, 2017, which stated the following in part:

… I wrote directly to [the affected party] myself, pursuant to my client's instructions to seek her consent. In my letter seeking her consent, in accordance with my instructions, I properly informed her that it was [the named requester] … that was seeking the disclosure…

[24]  Section 32 of the Act prohibits the disclosure of personal information in the custody or under the control of an institution except in certain circumstances enumerated in paragraphs (a) through (l). In order for a disclosure of personal information to be permissible under the Act, it must be demonstrated that the disclosure was in accordance with section 32 of the Act.

[25]  Section 32 states the following:

Where disclosure permitted

An institution shall not disclose personal information in its custody or under its control except,

(a) in accordance with Part I;

(b) if the person to whom the information relates has identified that information in particular and consented to its disclosure;

(c) for the purpose for which it was obtained or compiled or for a consistent purpose;

(d) if the disclosure is made to an officer, employee, consultant or agent of the institution who needs the record in the performance of their duties and if the disclosure is necessary and proper in the discharge of the institution’s functions;

(e) for the purpose of complying with an Act of the Legislature or an Act of Parliament, an agreement or arrangement under such an Act or a treaty;

(f) if disclosure is by a law enforcement institution,

(i) to a law enforcement agency in a foreign country under an arrangement, a written agreement or treaty or legislative authority, or

(ii) to another law enforcement agency in Canada;

(g) if disclosure is to an institution or a law enforcement agency in Canada to aid an investigation undertaken with a view to a law enforcement proceeding or from which a law enforcement proceeding is likely to result;

(h) in compelling circumstances affecting the health or safety of an individual if upon disclosure notification is mailed to the last known address of the individual to whom the information relates;

(i) in compassionate circumstances, to facilitate contact with the spouse, a close relative or a friend of an individual who is injured, ill or deceased;

(j) to the Minister;

(k) to the Information and Privacy Commissioner;

(l) to the Government of Canada or the Government of Ontario in order to facilitate the auditing of shared cost programs.

[26]  The only provision that appears to have any possible application in the circumstances at issue is section 32(a). To comply with section 32(a), the disclosure of personal information must be “in accordance with Part I.”

[27]  In correspondence with this office, the Township’s lawyer provided his view that the procedure of seeking an affected person’s “consent is expressly contemplated by section 14(1)(a) of the Act”. Section 14(1)(a) provides that:

Personal privacy

14 (1) A head shall refuse to disclose personal information to any person other than the individual to whom the information relates except,

(a) upon the prior written request or consent of the individual, if the record is one to which the individual is entitled to have access;

[28]  Section 14(1)(a) has no bearing in the context of this privacy investigation. The personal information at issue is that of the requestor, not an affected party. In any case, the requestor did not request or consent to the disclosure of his/her identity.

[29]  In my view, the critical provisions from Part I at issue here are the ones that set out the duties of the head as it relates to obtaining consent from an affected third party when an access request is made for records that appear to include the personal information of such a party. Those provisions are found in sections 21(1) and (2), which state:

Notice to affected person

21(1) A head shall give written notice in accordance with subsection (2) to the person to whom the information relates before granting a request for access to a record,

(a) that the head has reason to believe might contain information referred to in subsection 10 (1) that affects the interest of a person other than the person requesting information; or

(b) that is personal information that the head has reason to believe might constitute an unjustified invasion of personal privacy for the purposes of clause 14 (1) (f).

Contents of notice

(2) The notice shall contain,

(a) a statement that the head intends to disclose a record or part of a record that may affect the interests of the person;

(b) a description of the contents of the record or part that relate to the person; and

(c) a statement that the person may subject to subsection (5.1), within twenty days after the notice is given, make representations to the head as to why the record or part should not be disclosed.

[30]  In executing their duty under section 21 to notify affected persons the head must perform that duty while complying with section 32 limitations on disclosure of personal information, which in this case was the identity of the requester. In particular, under section 32(a), the disclosure of personal information must be “in accordance with Part I” of the Act. While section 21(2)(b) requires that an affected person be provided with “a description of the contents of the record or part that relate to the person”, section 21 does not require, nor does it generally permit the head or the institution to disclose the identity of a requestor to an affected party.

[31]  Any latitude to disclose a requester’s personal information in providing the requisite notice under this section must be justified on the basis of strict necessity. IPC Practices Number 16: Maintaining the Confidentiality of Requesters and Privacy Complainants [3] describes this necessity-focused exception to the requirement of confidentiality as follows:

Any employee who assists the Co-ordinator in responding to requests for personal information should be reminded that all information about the requester’s identity and the request should remain confidential. This information can be disclosed to co-workers, managers, supervisors or officers of the institution only if they need it to perform their duties and carry out a function of the institution. [Emphasis added.]

[32]  The necessity-focused exception to this confidentiality requirement has also been expressed in past Annual Reports issued by the IPC as well as various Orders and Privacy Complaint Reports issued by this office [4] . The identity of a requester may be internally disclosed where the requester is seeking access to his or her own personal information, and the provision of the identity of the requester is necessary in order to properly process the request.

[33]  Confidentiality and the related narrow, necessity-focused exception have equal application with respect to any contemplated external disclosures. By his own admission, the Township’s lawyer disclosed the requester’s name in the course of notifying possible affected persons. The requested records did not include the personal information of the requester and the disclosures were to external parties. Moreover, the Township has not offered any basis to conclude that the disclosure of the requester’s identity was necessary in order to properly process the request.

[34]  In the circumstances, and in the absence of any submissions from the Township, I therefore find that the Township disclosed the personal information of the requester and that the disclosure was not in accordance with Part I. Having considered the information before me, and all of the paragraphs of section 32 that permit the disclosure of personal information, I conclude that the disclosure was in breach of section 32 of the Act.

Issue 3:  Who is the head of the institution?

[35]  Sections 2(1) and 3 of the Act state the following in part:

“head”, in respect of an institution, means the individual or body determined to be head under section 3;

…

Designation of head

The members of the council of a municipality may by by-law designate from among themselves an individual or a committee of the council to act as head of the municipality for the purposes of this Act.

[36]  In the course of this investigation, I wrote the Township, summarized the facts as I understood them and invited the Township to comment on those summaries. Despite repeated invitations to reply, the Township chose not to comment on or contradict those accounts of the underlying factual circumstances, including with respect to the identity of the head of the Township. As I indicated in my correspondence, the Mayor is the head of the Township within the meaning of sections 2(1) and 3 of the Act. In the circumstances, I conclude that the Mayor is the head of the Township for the purposes of the Act.

Issue 4:   Has the head defined, documented and put in place reasonable measures to prevent and respond to unauthorized access to the records in his or her institution?

[37]  Section 3(1) of Regulation 832 of the Act states the following:

Every head shall ensure that reasonable measures to prevent unauthorized access to the records in his or her institution are defined, documented and put in place, taking into account the nature of the records to be protected. 

[38]  In addition to asking the Township about the specific incident at issue in this matter, and in light of my concerns regarding the Township’s failure to provide a response to the Commissioner and the Township’s duty to remain accountable for compliance with the Act, I wrote to the Township and inquired about the Mayor’s comments and views regarding this matter. I asked questions surrounding who at the Township is responsible for responding to privacy complaints/breaches of the kind at issue here and how this information is relayed to the public.

[39]  I also inquired about whether the Township has a privacy breach policy, protocol or any privacy policy and I asked to be provided with copies.

[40]  Lastly, my letter indicated that I would still consider any forthcoming responses to the questions in my previous correspondence to the Township.

[41]  I did not receive a response of any kind from the Township or anyone representing to Township.

[42]  In light of the Township’s refusal to provide any response whatsoever and the way the Township and its representatives conducted themselves during the processing of the access request and throughout the course of my investigation, I conclude that the neither the head or anyone else at the Township has defined, documented and put in place reasonable measures to prevent and respond to unauthorized use or disclosure of records containing or revealing the identity of a requester.

CONCLUSION:

1. The information at issue is “personal information” as defined in section 2(1) of the Act.
2. The Township’s disclosure of the information at issue was not in accordance with section 32 of the Act.
3. The Mayor is the “head” of the Township as defined in section 3 of the Act.
4. The head has not complied with section 3(1) of Ontario Regulation 832. Specifically, the head has not defined, documented and put in place reasonable measures to prevent and respond to unauthorized use or disclosure of records containing or revealing the identity of a requester.

RECOMMENDATIONS:

[43]  In order to bring itself in compliance with the Act, I strongly recommend the head move expeditiously to ensure that the Township develops and implements policies and procedures related to the processing of access requests and privacy complaints under the Act, as well as a protocol outlining how it will respond to a privacy breach.

[44]  I also recommend the Township develop and implement training for all officers, employees, consultants or agents - including external counsel - that may be involved in processing FOI requests, on the importance of maintaining confidentiality with respect to the identity of requesters.

[45]  Within six months of receiving this Report, the Township should provide this office with proof of compliance with the above recommendations.

POST SCRIPT

[46]  During my investigation, the Township demonstrated a significant degree of unwillingness to cooperate with or even to respond to this office. Despite many attempts to obtain information to understand what exactly transpired and how the Township addresses privacy breaches, I received no response to my questions. When I took steps to contact the Mayor directly in an effort to move forward with my investigation, the Mayor expressed his view that the Township had no power or duty to ensure a reply be provided by the Township’s lawyer to the IPC.

[47]  It is of great concern that during my investigation the Township failed to account for its actions in the circumstances of this matter, and for the actions of a lawyer they hired to act on the Township’s behalf for both the access request and the privacy breach matter at issue in this Report.

[48]  Despite the fact the Township is the lawyer’s client in this circumstance, and that in the normal course of such a relationship a lawyer is instructed by their client, the Mayor’s position was that the responsibility of responding to the IPC lay solely with the lawyer of the Township, and that he, the Mayor could not compel a response. It is important to note that the Mayor, as head of the Township was also given the opportunity to respond to this office directly and decided not to respond to my correspondence.

[49]  Consistent with IPC practice, I provided the Township with a copy of my draft privacy complaint report and invited written comments on any factual errors or omissions. For the first time since the commencement of my investigation, I received a response from the Township’s lawyer which was comprised of late submissions on the merits of the disclosure-related aspects of the complaint and discussions of selected portions of an email exchange with an employee of this office. On my review of these submissions and discussions, they would not have altered any of my findings. Among other things, the selected portions of the email exchange omit other parts of the exchange and, on a review of the communications as a whole, the portions submitted mischaracterize the meaning and significance of that exchange.

[50]  Finally, it is my view that the Township’s failure to be accountable during the course of my investigation is a serious matter. Unfortunately, without order making powers in the circumstances at issue, I can only make findings and issue recommendations. Should these kinds of failings continue, they could undermine public confidence in the Township’s ability and willingness to comply with the Act. In these circumstances, it is all the more critical that the Township demonstrate its commitment to respecting the access and privacy rights of members of the public by taking decisive and principled action in response to my recommendations.

Original Signed by:		June 26, 2018
Lucy Costa
Investigator