PRIVACY COMPLAINT REPORT

PRIVACY COMPLAINT MC18-39

Conseil Scolaire Catholique Providence

October 22, 2020

Summary: The Office of the Information and Privacy Commissioner of Ontario received a privacy complaint from a parent (the complainant) in which he advised that a supply teacher employed by the Conseil scolaire catholique Providence (the Board) had inappropriately collected his children’s personal information by video recording them without his consent. The parent was concerned that the teacher’s actions breached his children’s privacy under the Municipal Freedom of Information and Protection of Privacy Act (the Act).

This report finds that the Board’s collection of the children’s personal information was not in accordance with section 28(2) of the Act and, therefore, breached their privacy. It also finds that the Board did not respond adequately to the breach because it did not notify them of the steps it has taken to address the breach. As a result, I recommend that, going forward, the Board take steps to ensure that adequate notification is provided to parties affected by a breach.

Statutes Considered: Municipal Freedom of Information and Protection of Privacy Act, R.R.O. 1990, c. M. 56, as amended, sections 2(1) and 28(2).

Investigation Reports Considered: Privacy Complaint Reports MC10-2, MC13-46, MC13-60 and PC11-34; Privacy Investigation Report MC07-68 and Order HO-010.

BACKGROUND:

[1]  The complainant’s children attend École élémentaire catholique Sainte-Marguerite- Bourgeoy (the school), which is under the Conseil scolaire catholique Providence (the Board).

[2]  In April 2018, his children told him that, without their permission, a supply teacher at the school used a cell phone to make a video recording of them while they were on the playground.

The Complaint

[3]  On behalf of his children, [1] the complainant filed a privacy complaint with the Office of the Information and Privacy Commissioner of Ontario (the IPC or this office) alleging that the teacher’s video recording of them was an inappropriate collection of their personal information under the Municipal Freedom of Information and Protection of Privacy Act (the Act) by the Board.

[4]  Specifically, the complainant was concerned that the Board had collected his children’s personal information without permission, or for an educational purpose. Therefore, he believed that the Board breached their privacy under the Act.

[5]  Moreover, the complainant was concerned about how the teacher might have used the video recording or whom the teacher might have shared it with. He also advised that the Board had not responded to his requests for information about how it would address the incident.

[6]  The matter moved from the Intake Stage to the Investigation Stage of the IPC’s complaint process and, as part of my investigation, I requested and received written representations, discussed below, from the Board.

The Board’s Representations

[7]  The Board advised that it employed the supply teacher and confirmed that, in April 2018, the teacher video recorded the complainant’s children on the playground using a personal cell phone.

[8]  On the date of the incident, the Board advised that the complainant raised his concerns about the teacher’s actions to the school’s principal. In response, the Board advised that it immediately investigated the matter.

[9]  As part of its investigation, the Board advised that it discussed the incident with the teacher. During this discussion, the Board advised that the teacher acknowledged that their behaviour was inappropriate, deleted the video recording of the complainant’s children from their personal cell phone and confirmed that a copy of the recording was not made or shared.

[10]  That Board also advised that it took steps in accordance with its progressive discipline of staff members policy and procedures.

[11]  After completing its investigation, the Board advised that it did not provide the complainant with details about the disciplinary steps that it took, if any, to address the incident, but did tell him that the measures taken would ensure that, going forward, the teacher would not be in the presence of his children.

The Complainant’s Response to the Board’s Representations

[12]  In response to the Board’s representations, the complainant advised that the only information about the incident that he received from the Board was that the principal of the school would be investigating the matter. He also advised that the Board did not provide him with any information about the steps it took to address the incident despite his repeated requests for this information.

ISSUES:

[13]  I identified the following issues as arising from this investigation:

1. Is the information at issue “personal information”, as defined by section 2(1) of the Act?
2. Was the collection of the personal information in accordance with section 28(2) of the Act?
3. Has the Board responded adequately to the breach?

DISCUSSION:

Issue 1: Is the information at issue “personal information”, as defined by section 2(1) of the Act?

[14]  In this matter, the information at issue is the video images of the complainant’s children recorded by the teacher.

[15]  “Personal information” is defined in section 2(1) of the Act, in part, as follows:

“personal information” means recorded information about an identifiable individual, including,

(a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,

[16]  In previous decisions, the IPC has held that information collected about identifiable individuals by a video recording device qualifies as “personal information” under the Act. [2] The Board does not dispute this.

[17]  Therefore, I find that the video recording at issue is “personal information” as defined by section 2(1) of the Act.

Issue 2: Was the collection of the personal information in accordance with section 28(2) of the Act?

[18]  There is no dispute that the teacher collected the video images of the complainant’s children using their cell phone. Above, I found that this information is “personal information” as defined by section 2(1) of the Act.

[19]  Section 28(2) of the Act requires that the Board collect personal information in only three circumstances. This section states:

No person shall collect personal information on behalf of an institution unless the collection is expressly authorized by statute, used for the purposes of law enforcement or necessary to the proper administration of a lawfully authorized activity.

[20]  Of note, with respect to school boards, generally, the collection of personal information is specifically authorized by the Education Act, or necessary to deliver educational services or other related activities. [3]

[21]  In this matter, the Board advised that none of the circumstances under section 28(2), or otherwise under the Act, apply to the collection of the personal information at issue. As such, the Board confirmed that the teacher’s actions amounted to an unauthorized collection and, as a result, a privacy breach under the Act.

[22]  Therefore, I find that the collection of the personal information was not in accordance with section 28(2) of the Act. The Board does not dispute this finding.

Issue 3: Has the Board responded adequately to the breach?

[23]  As indicated above, the inappropriate collection of the personal information at issue was a breach of the Act.

[24]  To determine whether the Board has responded adequately to the breach, the IPC’s “Privacy Breaches Guidelines for Public Sector Organizations” (the IPC Guidelines) [4] , which provides municipal institutions with guidance on how to deal with privacy breaches, is informative.

[25]  The IPC Guidelines set out steps that institutions should take when responding to privacy breaches. Generally, these steps are to ensure that the breach is contained, notify the affected individuals, investigate the cause of the breach and take remedial measures to prevent a reoccurrence.

Containment

[26]  To contain a breach, the IPC Guidelines recommends that institutions identify the nature and scope of the breach, determine what personal information is involved and ensure that no personal information has been retained by an unauthorized recipient.

[27]  In this matter, the Board determined that the supply teacher made an inappropriate video recording of the complainant’s children and confirmed that the recording was deleted and not copied or shared.

[28]  For these reasons, I am satisfied that the Board took adequate steps to contain the breach.

Notification

[29]  The IPC Guidelines recommends that notification of parties affected by a breach (the affected parties) “should be direct, such as by telephone, letter, email or in person” and include:

• details of the extent of the breach and the specifics of the personal information that was compromised; and
• the steps taken and planned to address the breach, both immediate and long-term.

[30]  Further, this office has held that notification includes providing the affected parties with the results of any disciplinary action taken against the employee in question. [5]

[31]  In this matter, the complainant reported the matter to the Board and, in response, the Board discussed the breach directly with him. The Board confirmed to him that the breach involved a supply teacher who made an unauthorized video recording of his children. The Board also claimed that it informed the complainant that it would take steps to ensure that the teacher would no longer be around his children.

[32]  However, as indicated above, despite the complainant’s requests, the Board did not provide him with details regarding the disciplinary action, if any, that it took against the teacher to address the breach. For this reason, I am not satisfied that the Board provided adequate notification to the complainant.

[33]  Given that this report describes in detail the steps taken by the Board to address the breach, I will only recommend that, going forward, the Board take steps to ensure that it provides notification to affected parties in accordance with the IPC Guidelines when responding to a privacy breach under the Act.

Investigation and Remediation

[34]  Regarding investigation and remediation, the IPC Guidelines recommends that institutions:

• identify and analyze the events that led to the breach;
• review your policies and practices in protecting personal information, privacy breach response plans and staff training to determine whether changes are needed;
• take corrective action to prevent similar breaches in the future and ensure your staff are adequately trained; and
• educate your staff about Ontario’s privacy laws and your organization’s policies and practices governing the collection, retention, use, security, disclosure and disposal of personal information.

[35]  In this matter, the Board and the school investigated the complainant’s concerns and determined that its supply teacher was responsible for the breach.

[36]  As remedial steps and to prevent a similar reoccurrence, the Board took steps to ensure that the teacher is no longer around the complainant’s children and:

• undertook a complete review of its data protection systems and procedures, and its staff training;
• developed an internal procedure to update and document its information security measures;
• drafted a new confidentiality agreement for all employees to sign in respect of the new security measures;
• incorporated training on the Act’s privacy protection provisions for supply teachers; and
• at the beginning of the 2019-2020 school year, sent a communication to staff reminding them of the appropriate use of personal electronic devices.

[37]  Given these steps, I am satisfied that the Board took adequate steps to investigate and remediate the breach.

[38]  Based on the above, it appears that the Board took the majority of steps recommended by the IPC Guidelines. However, in my view, the Board fell short in its efforts to provide proper notification to the affected parties by failing to give the complainant the details relating to the disciplinary steps it has taken, if any, against the teacher to address the breach.

[39]  For this reason, I find that the Board has not responded adequately to the breach.

CONCLUSIONS:

1. The information at issue is “personal information” as defined by section 2(1) of the Act.
2. The collection of the personal information was not in accordance with section 28(2) of the Act.
3. The Board has not responded adequately to the breach.

RECOMMENDATIONS:

I recommend that, going forward, the Board take steps to ensure that it provides notification to the affected parties in accordance with the IPC Guidelines when responding to a privacy breach under the Act.

Original signed by:		October 22, 2020
John Gayle
Investigator