PRIVACY COMPLAINT REPORT

PRIVACY COMPLAINT MC20-00002

City of Toronto

July 13, 2022

Summary: The Office of the Information and Privacy Commissioner of Ontario received a complaint alleging that the City of Toronto contravened the Municipal Freedom of Information and Protection of Privacy Act (the Act) when it posted the complainant’s Committee of Adjustment application, which included her personal information, on the internet. In this report, I find that the City’s Committee of Adjustment applications are a public record, pursuant to section 27 of the Act, and are therefore not subject to the privacy rules under Part II of the Act.

Although I find that the City’s Committee of Adjustment applications are outside the scope of the Act, I recommend that the City pursue its intended review of its Committee of Adjustment application forms with the view of implementing data minimization principles. The City should also proceed with developing criteria to determine when it is appropriate to remove personal information from its forms.

Statutes Considered: Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990; Planning Act, R.S.O. 1990

Orders and Investigation Reports Considered: Order 11, PO-1880, MC13-67, PC-980049-I

BACKGROUND:

[1] The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a privacy complaint under the Municipal Freedom of Information and Protection of Privacy Act (the Act). Specifically, the complainant alleged that the City of Toronto (the City) breached the Act when they posted the complainant’s Committee of Adjustment (COA) application online.

[2] The complainant explained that she had submitted a request for a building permit to the City through the City’s COA process. As part of that process, the complainant’s COA application was posted to the City’s Application Information Centre, which is online and visible to the public.

[3] The complainant advised that the application contains personal information, specifically, her personal email address, signature and telephone number, which she believes should not be posted on the internet. The complainant argues that this personal information contained in the COA application is not relevant to the nature or substance of the COA application or the intended purpose of the application and has no bearing on the process. The complainant believes that a decision by the City to not post this information would not impede the intent of the public disclosure or hearing requirements. The complainant’s position is that these elements of personal information, that are not pertinent to the COA hearing, should be proactively redacted by the City prior to the application being posted on the internet.

[4] The complainant raised concerns that her email, signature and telephone number, alone or in combination with other information available on the application, could be used by perpetrators to commit identity theft and access her credit or banking information. The complainant does not believe that the City has considered the risks of cyber security and fraud when deciding to publish applicants’ personal emails, signatures and telephone numbers.

[5] The complainant noted that since submitting her application to the City, she has received phishing and spam emails as well as unsolicited phone calls regarding home redevelopment. The complainant believes that as a result of her application being available on the internet, her personal information has been compromised.

[6] The information at issue in this complaint is the complainant’s personal email address, telephone number and signature.

[7] It should be noted that the complainant’s COA application is no longer online as once the COA process is completed the applications are removed from the City’s Application Information Centre.

ISSUES:

[8] This report deals with the following issues:

  1. Does the information at issue qualify as “personal information” under section 2(1) of the Act?
  2. Was the City’s disclosure in accordance with section 32 of the Act?

DISCUSSION:

Issue 1: Does the information at issue qualify as “personal information” under section 2(1) of the Act?

[9] Prior to determining whether the City has complied with the Act, it is first necessary to decide whether the information at issue is personal information pursuant to section 2(1) of the Act.

[10] The information at issue is the complainant’s email address, telephone number and signature.

[11] Section 2(1) of the Act states:

“personal information” means recorded information about an identifiable individual, including,

(a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,

(b) information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,

(c) any identifying number, symbol or other particular assigned to the individual,

(d) the address, telephone number, fingerprints or blood type of the individual,

(e) the personal opinions or views of the individual except if they relate to another individual,

(f) correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,

(g) the views or opinions of another individual about the individual, and

(h) the individual’s name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual;

[12] The list of examples of personal information under section 2(1) is not exhaustive. Therefore, information that does not fall under paragraphs (a) to (h) may still qualify as personal information. [1]

[13] To qualify as personal information, the information must be about the individual in a personal capacity and it must be reasonable to expect that an individual may be identified if the information is disclosed. [2]

[14] In my view the complainant’s personal email address, signature and telephone number would meet the requirements of one or more of the above paragraphs under the definition of “personal information” in section 2(1) of the Act.

[15] I therefore find that the information at issue is personal information pursuant to the Act. The City does not dispute this.

Issue 2: Was the City’s disclosure in accordance with section 32 of the Act?

[16] Under the Act, personal information in the custody or under the control of an institution cannot be disclosed except in the specific circumstances outlined in section 32. Section 32 of the Act reads as follows:

An institution shall not disclose personal information in its custody or under its control except,

(a) in accordance with Part I;

(b) if the person to whom the information relates has identified that information in particular and consented to its disclosure;

(c) for the purpose for which it was obtained or compiled or for a consistent purpose;

(d) if the disclosure is made to an officer, employee, consultant or agent of the institution who needs the record in the performance of their duties and if the disclosure is necessary and proper in the discharge of the institution’s functions;

(e) where permitted or required by law or by a treaty, agreement or arrangement made under an Act or an Act of Canada;

(f) if disclosure is by a law enforcement institution,

(i) to a law enforcement agency in a foreign country under an arrangement, a written agreement or treaty or legislative authority, or

(ii) to another law enforcement agency in Canada;

(g) to an institution or a law enforcement agency in Canada if,

(i) the disclosure is to aid in an investigation undertaken by the institution or the agency with a view to a law enforcement proceeding, or

(ii) there is a reasonable basis to believe that an offence may have been committed and the disclosure is to enable the institution or the agency to determine whether to conduct such an investigation;

(h) in compelling circumstances affecting the health or safety of an individual if upon disclosure notification is mailed to the last known address of the individual to whom the information relates;

(i) in compassionate circumstances, to facilitate contact with the spouse, a close relative or a friend of an individual who is injured, ill or deceased;

(j) to the Minister;

(k) to the Information and Privacy Commissioner;

(l) to the Government of Canada or the Government of Ontario in order to facilitate the auditing of shared cost programs.

[17] Section 27 is also relevant to the circumstances of this complaint. Section 27 is found in Part II of the Act, which is the part of the Act that governs the collection, use, disclosure and retention of personal information.

[18] Section 27 of the Act states:

This Part does not apply to personal information that is maintained for the purpose of creating a record that is available to the general public.

[19] “This Part” refers to Part II of the Act. If section 27 applies, the information at issue is excluded from Part II of the Act and the privacy provisions found in Part II do not apply to the collection, retention, use and disclosure of the personal information contained in the complainant’s COA application, as the entire record would fall outside the privacy protections of Part II of the Act.

The City’s Representations:

[20] It is the City’s position that the COA application is a public record and therefore section 27 of the Act applies to the record and personal information at issue in this complaint.

[21] The City explained that sections 44 and 45 of the Planning Act grant the City the authority to appoint committees to approve a number of minor variance applications from the provisions of the by-laws in respect of land, building or structure.

[22] In addition, the Planning Act requires notice to be provided regarding the COA’s hearing of minor variance applications and for such meetings to be held in public. It also requires municipalities to keep on file the minutes and records of planning applications and proceedings of the Committee of Adjustment.

[23] All COA hearings are open to the public, and all documentation received with respect to the application is considered part of the public record. The City advised that the Planning Act is applicable to these records. Section 1.0.1 of the Planning Act states:

Information and material that is required to be provided to a municipality or approval authority under this Act shall be made available to the public.

[24] The City stated that Section 1.0.1 of the Planning Act does not stipulate that certain portions of records that are required to be provided are excluded from this provision, therefore, it is the City's position that the entirety of the COA application form, and all other submitted materials, are public records and it publishes these records on the internet.

[25] The City advised that the COA application form informs applicants that the form is considered a public record and must be made available to the public. The City also advised that the form provides an “Acknowledgement of Public Information” and this acknowledgement informs applicants that by signing and submitting the form, they grant permission for the City to distribute the form to the public either online or by other means.

[26] The City also explained that the application form informs applicants that they have the opportunity to indicate what portion of the form may be a security risk and to identify those portions that should be considered for removal prior to the form being publicly available.

[27] The form specifically states the following:

If there may be a security risk by allowing the public access to any portion of these documents you must indicate the portion of the documents to which you believe this concern applies, along with supporting documentation outlining the reasons for your concern along with the document submitted as part of the application. The Chief Planner, or delegate, will consider but will not be bound to agree with such submissions prior to reproduction, in whole or in part, any identified portions for internal use, inclusion in staff reports or public distribution to the application review.

[28] As noted on the form, the City stated that it is not bound to agree with the submissions of an applicant. Thus, the City advised that applicants are encouraged to resolve any privacy concerns with respect to an application before it is submitted. The City explained that if applicants consult with COA staff prior to submitting their application they are encouraged to find solutions that can address their security concerns, such as setting up a new phone number or email address for the application or using a lesser known family member’s contact information.

[29] The City further advised that the threshold it uses to determine whether the security concerns identified by the applicant warrant removal prior to posting the entire application are quite high. For example, the City advised that an applicant simply not wanting his/her/their phone number on an application is not considered to be substantial enough to warrant information contained on the form not to be published. The City advised that there would need to be some additional security concern related to the particular information being public such as an applicant being a police officer or having some identifiable threat related to that information being made public, such as a verifiable criminal threat.

[30] According to the City, there is no formalized process through its Application Information Centre to address these types of requests. With respect to COA applications, the City Planning Division does not have written policies or procedures or a formalized process that governs requests or the redacting of personal information from public records.

[31] Should the City receive such a request from an applicant it is forwarded to the Director, Zoning and Secretary-Treasurer COA, as a designate of the Chief Planner, for consideration. If the Director requires assistance in evaluating the request, he/she/they consults with the City Solicitor and/or Information Access staff. Once the determination on the merits of the specific request is made, it is communicated to the applicant.

The Complainant’s Representations:

[32] During the investigation, the complainant was provided with a copy of the City’s position. In response she provided comments, however, they did not all directly relate to the section of the legislation the City has applied to determine that the record at issue is a public record. I have summarized the complainant’s comments below.

[33] As noted above, the complainant’s concerns relate to the City posting her COA application, that included her personal email address, signature and telephone number online. The complainant’s position is that this personal information is not relevant to the intended purpose of the COA application and has no bearing on the process.

[34] In response to the City’s submissions, the complainant argues that the City is relying on a blanket statement of the Planning Act, and using this statement to absolve itself of any accountability or responsibility.

[35] The complainant argues that the section identified by the City, 1.0.1 of the Planning Act, has not been updated since 2006 and the creation of this section pre-dates most of the modern technology of the 21st century and the current issues with cyber security and fraud. The complainant submits that in 2006 the City was not posting applications on the internet and now that the applications are posted online, the City should be considering the issues of cyber security and fraud when it determines what information it is required to collect and publish.

[36] As noted above, the complainant believes that a reasonable person would conclude that publishing the information at issue in this complaint along with the other information contained in the application, can create a serious cyber threat and identity theft risks for applicants. The complainant does not believe that the City has considered the risks of cyber security and fraud given that it did not proactively redact her personal email, signature and telephone number when it posted her application online.

[37] The complainant advised that she only discovered that the information was published after receiving a barrage of unwanted calls and/or emails from unscrupulous individuals/companies contacting her about their project as well as receiving phishing emails.

[38] In addition, the complainant believes that the City can determine what information it posts as the City collects payment information such as credit card information, cheques, etc., as part of the application process, but chooses not to release this information publicly. The complainant believes that the City should be consistent and apply the same rationale it applies to the financial information to applicants’ signatures, telephone numbers and personal emails.

[39] The complainant also provided comment on the information related to consent and the publication of information that is included on the City’s COA application form. The form states the following, in part:

Public Record Notice

The information collected on this form is considered to be a public record as defined by section 27 of the Municipal Freedom of Information and Protection of Privacy Act.

Acknowledgement of Public Information

The applicant grants the City permission to reproduce, in whole or in part, any document submitted as part of a complete application for internal use, inclusion in staff reports or distribution to the public either online or by other means for the purpose of application review. The application agrees to provide a reasonable number of copies of any such document, or parts thereof, in paper and/or electronic form, to the City for internal use and distribution to the public either online or by other means for the purposes of application review

If there may be a security risk by allowing the public access to any portion of these documents you must indicate the portion of the documents to which you believe this concern applies, along with supporting documentation outlining the reasons for your concern along with the document submitted as part of the application. The Chief Planner, or delegate, will consider but will not be bound to agree with such submissions prior to reproduction, in whole or in part, any identified portions for internal use, inclusion in staff reports or public distribution to the application review.

[40] The complainant notes that the above statement includes a reference to the applicant granting the City permission to reproduce any document “in whole or in part”. The complainant believes this statement does not clearly identify what information the City would be publishing and a reasonable person would not expect their personal email, signature and telephone number to be published as a public record when it is not relevant to the proceedings and does not add to the public process regarding a request for a variance.

[41] The complainant also noted that in the “Acknowledgement of Public Information” it refers to “security risks” but the City does not provide definitions for this term. It is the complainant’s position that this term appears to imply a physical risk versus the financial, cyber and identity theft risks that are prevalent in the 21st century.

[42] In addition, the complainant noted that the application requirements listed on the COA application include that applicants are required to provide an “Authorization Form signed by all registered owners of the property”. It is the complainant’s position that this authorization is a result of coercion because if applicants do not consent to the application, which includes the acknowledgement of public information, their application is in jeopardy as it could be denied.

[43] The complainant acknowledged that the City allows for requests to be submitted by applicants if the applicant has privacy concerns; however, the complainant questions the City’s procedure and requirements for supporting documentation. The complainant believes that there is no clear procedure for the redaction request process and the process becomes more obscure with the City’s requirement of supporting documentation. The complainant noted that the documentation required to support her privacy concerns could not have been provided at the time her application was submitted as the impacts of having her personal information published occurred after her application was submitted and available online.

Analysis:

[44] As noted above, the City has taken the position that section 27 of the Act applies to the COA application. Section 27 sets out that Part II of the Act does not apply to personal information that is maintained for the purpose of creating a record that is available to the general public. If this section applies, the information at issue is excluded from Part II of the Act and the privacy provisions found in Part II do not apply to the collection, retention, use and disclosure of the personal information and the entire record would fall outside the privacy protections of Part II of the Act.

[45] In order to satisfy the requirements of section 27, the City must establish that the information in question is “personal information”, and that the personal information is maintained by the institution for the purpose of creating a record that is available to the general public.

[46] Under Issue 1 of this report, I have already found that the complainant’s personal email address, signature and telephone number is considered personal information for the purposes of section 2(1) of the Act. Therefore, the next step in my review is to determine whether the personal information is maintained by the institution for the purpose of creating a record that is available to the general public.

[47] In Investigation Report PC-980049-I, former Commissioner Ann Cavoukian found that personal information is considered to be “maintained for the purpose of creating a record that is available to the general public” under section 37 of the Freedom of Information and Protection of Privacy Act (which mirrors section 27 of the Act) where the records “meet certain criteria of public availability”, such as: (1) institution personnel have a statutory duty to make this information available to the public; (2) there is a regularized system of access to the information; and (3) a standardized fee is charged to all persons seeking access.

[48] In order to determine whether section 27 applies, I will apply the criteria set out in PC-980049-I to the circumstances of this complaint.

[49] The City has argued that section 27 applies to this record because the Planning Act requires that information is publicly available. Section 1.0.1 of the Planning Act states that information that is provided to the municipality under the Planning Act is to be made available to the public. Given this section of the Planning Act, it is clear that the City has a statutory duty to make the COA application available to the public.

[50] With respect to the system of access, all completed applications accepted by the COA are posted on the internet through its Application Information Centre in order to provide free public access. In this case, there is a regularized system of access to the information and a standard fee (free) for the public to access COA applications.

[51] In light of the above, I find that section 27 is applicable to the COA application forms and that this record is maintained for the purpose of creating a record that is available to the general public.

[52] Given that section 27 applies to COA application forms, the application form, and the personal information contained in the record, is excluded from the privacy provisions of Part II of the Act. Therefore, I do not need to consider the application of section 32 as this section is not applicable to the circumstances of this complaint.

[53] This case is not the first time that this office has considered a complaint regarding a minor variance application being posted on the internet. Among other concerns reviewed, Investigation Report MC13-67 also considered whether that municipality had the authority to disclose the minor variance application on the internet. In that matter, the Investigator determined that, pursuant to section 32 of the Act, the municipality did have the authority. Although these two complaints were reviewed under different sections of the Act, I agree with the recommendation of the Investigator in that report that institutions should strive to balance transparency and privacy.

[54] During this investigation, the City advised our office that it would consider limiting the information that it posted publicly and that it was considering a re-design of its COA forms. The City also advised that it was considering developing criteria related to the determination of when it is appropriate to remove personal information from public documents, upon a request to do so. I note, however, as of the date of this report, the City has not taken steps to move forward on the above noted initiatives.

[55] This office has issued guidance material related to identity theft encouraging individuals to minimize the amount of information they give out, especially online, and recommended organizations not put scanned copies of signatures on their website. [3]

[56] In the circumstances of this complaint, although I find that the COA application form is outside the scope of Part II of the Act, I recommend that the City move forward on the initiatives it identified with a view of balancing privacy and transparency, and apply data minimization principles to the COA application process. This can be accomplished by only publishing information necessary for its application, hearing and public disclosure requirements.

[57] Given the increases in the use of technology, the ongoing evolution of technology as well as ever evolving cybersecurity threats, it is important that even if the legislation allows for the release of information publicly, the City continuously review the information that it publishes and apply data minimization principles on an ongoing basis.

FINDINGS:

Based on the results of my investigation, I have made the following findings:

  1. The information at issue is “personal information” as defined by section 2(1) of the Act.
  2. Section 27 applies to the record.

RECOMMENDATIONS:

Based on the above conclusions, I make the following recommendations:

  1. I recommend that the City pursue its review of its COA application forms with the view of implementing data minimization principles as well as develop criteria related to the determination of when it is appropriate to remove personal information from public documents.
  2. Within six months of receiving this report, the City should report back on its progress with the above recommendation.

Original Signed by:

July 13, 2022

Alanna Maloney

Investigator

[1] Order 11

[2] Order PO-1880, upheld on judicial review in Ontario (Attorney General) v. Pascoe, [2002] O.J. No. 4300 (C.A.).

[3] IPC Publication titled “Identity Theft - A Crime of Opportunity” (July 2014), at pages 4 and 8. Available online at www.ipc.on.ca/wp-content/uploads/resources/id-theft-e.pdf