PRIVACY COMPLAINT REPORT

PRIVACY COMPLAINT PC20-00017

Ministry of Public and Business Service Delivery

December 1, 2022

Summary: The Office of the Information and Privacy Commissioner received a privacy complaint about the disclosure of a certified copy of a death registration for a deceased individual (the deceased) by the Ministry of Public and Business Service Delivery (the ministry) to an applicant who is not the deceased’s next of kin or extended next of kin. The complainant, who is the deceased’s mother and next of kin, believed that the disclosure was unauthorized and, therefore, a privacy breach under the Freedom of Information and Protection of Privacy Act  (the Act ).

In this report, I find that the information at issue is “personal information” within the meaning of section 2(1) of the Act and that the ministry’s disclosure of this information was not in accordance with section 42(1)  of the Act . I also find that the ministry did not have reasonable measures in place to prevent unauthorized access to the personal information in accordance with section 4(1) of Regulation 460 made under the Act . As a result, I recommend that the ministry take reasonable steps to be satisfied as to the identity of an applicant before granting them access to a certified copy of a death registration. Further, as I found that the ministry did not respond adequately to the breach with respect to containment, I recommend that the ministry consider pursuing other means to retrieve the deceased’s certified copy of a death registration.

Statutes Considered: The Freedom of Information and Protection of Privacy Act , R.S.O. 1990, c. F. 31 , as amended, sections 2(1) and 42 (1)(e); R.R.O. 1990, Regulation 460, section 4(1); the Vital Statistics Act , R.S.O. 1990, c. V.4 ., as amended, section 45(1)  and 56 ; and the Personal Health Information Protection Act, S.O. 2004, c.3, as amended, section 54(9).

Orders and Investigation Reports Considered: Investigation Reports I94-023P, I94-057M and I93-044M; and Privacy Complaint Reports MI10-5 and PR16-40.

BACKGROUND:

[1] In 2019, through the ServiceOntario [1] website, the Office of the Registrar General (ORG) received an application for a certified copy of a death registration for a deceased individual (the deceased). [2] On the application, the applicant indicated that they are the uncle of the deceased. The ORG processed the application and issued the requested registration for the deceased (the certified copy of death registration) to the applicant.

[2] Later, the complainant became aware that the ORG had issued a copy of the certified copy of death registration to the applicant and raised concerns about this disclosure to ServiceOntario. The complainant advised that they are the deceased’s mother and next of kin. The complainant also advised that the applicant, who is known to her family, posted the certified copy of death registration on Facebook [3] and is not related (by blood, marriage, adoption or otherwise) to her family.

[3] As a result, the complainant believed that the disclosure was not in accordance with the Freedom of Information and Protection of Privacy Act (the Act) and, therefore, breached the deceased’s privacy. The complainant was not satisfied with ServiceOntario’s response to her concerns and made a complaint to the Information and Privacy Commissioner of Ontario (IPC or this office).

[4] During the Intake Stage of this office’s complaint process, the Ministry of Public and Business Service Delivery (the ministry) [4] advised that, in response to the complainant’s concerns, ServiceOntario escalated the matter to its Risk Management Unit (RMU) for investigation by a Provincial Offences Officer. The RMU determined the alleged applicant’s place of residence, [5] contacted the local Royal Canadian Mounted Police (RCMP) detachment and requested that an officer visit them in order to retrieve the death registration.

[5] The ministry advised that the RCMP contacted the applicant who denied applying for or receiving the certified copy of death registration. They also denied posting the certified copy of death registration on Facebook as they claimed that their Facebook account had been hacked. The ministry also advised that the RCMP believed that there was insufficient evidence to press charges against the alleged applicant.

[6] However, the ministry advised that the RMU determined and informed the RCMP that a Mastercard credit card was used to pay the required fee for the certified copy of the death registration, that this card was in the name of the alleged applicant’s “wife/girlfriend” and business partner, and that the certified copy of death registration was sent to their address.

[7] The ministry also advised that the RCMP informed the RMU that the alleged applicant claimed that the credit card was compromised, despite the ORG’s observation that the credit charge for the fee required to be paid for the certified copy of death registration had not been reversed by the credit card company. The ministry advised that the RCMP did not investigate this angle further.

[8] According to the ministry, the RCMP suggested to the RMU that they contact the Ontario Provincial Police (OPP) because it appeared that the applicant may have broken an Ontario law and, therefore, the RCMP did not have jurisdiction over the matter. The RCMP suggested this course of action because the applicant, who declined their request to return the certified copy of death registration, denied the incident, even though, in the RCMP’s view, it was likely the case that they had submitted the application for the certified copy of death registration. Further, the ministry advised that the RCMP informed the RMU that it was unable to take any other action against the alleged applicant.

[9] The RMU spoke with the OPP about the incident and informed them of the RCMP’s position. According to the ministry, the RMU advised that the OPP would not investigate the matter because of the jurisdictional issues, the lack of evidence required to press charges against the alleged applicant as well as the uncertainty surrounding how much personal information was shared between the complainant and the alleged applicant when they were on more friendly terms.

[10] Further, the ministry advised the RMU spoke with the Thunder Bay police about the incident and the RCMP’s involvement. In response, the Thunder Bay police advised that they could not lay charges against the alleged applicant and would not be pursuing the matter any further as the RCMP had concluded their investigation.

[11] Moreover, the ministry advised that ServiceOntario’s Provincial Offences Officer would have been unable to lay charges against the alleged applicant, even if they resided in Ontario, in respect of the false information provided in the application for the certified copy of death registration because there was insufficient evidence to do so.

[12] The ministry explained that, because of the false information provided in the certified copy of death registration, a Provincial Offences Officer could lay charges pursuant to section 56(1)  of the Vital Statistics Act  (VSA ) [6] , which states:

Every person who wilfully makes or causes to be made a false statement in any documentation required to be furnished under this Act  or the regulations is guilty of an offence and on conviction is liable, in the case of an individual, to a fine of not more than $50,000 or to imprisonment for a term of not more than two years less a day, or to both, and, in the case of a corporation, to a fine of not more than $250,000.

[13] However, in this matter, the ministry advised that, even if there was sufficient evidence, the officer would not have been able to lay charges because more than one year had passed since ServiceOntario became aware of the facts upon which a proceeding against the alleged applicant could be based and, therefore, the one-year time limitation set out in section 59(1)  of the VSA  applied. This section states:

No proceeding shall be commenced in respect of an offence under this Act  more than one year after the Deputy Registrar General becomes aware of the facts on which the proceeding is based.

[14] Based on the RCMP’s findings, the ministry advised that it concluded that the applicant likely provided a false certification statement, discussed below, in their application for the certified copy of death registration.

[15] To address the complainant’s concerns, as a remedial step, the ministry advised that the ORG flagged the death registration and the deceased’s birth registration in its Information Technology (IT) database in order to prevent any future applications for these registrations (or the deceased’s birth or death certificate) from being processed until the ORG could take additional verification steps to ensure that applicants are authorized to receive this information.

[16] After reviewing the information provided by the ministry regarding this matter, it raised some concerns with respect to the ministry’s response to this complaint as well as their information practices. As a result, this matter moved from the Intake Stage to the Investigation Stage of this office’s complaint process and was assigned to me as the Investigator. As part of my investigation, I requested and received representations about the complaint, discussed below, from the ministry.

ISSUES:

[17] I identified the following issues as arising from this investigation:

1. Is the information at issue “personal information” as defined by section 2(1) of the Act ?
2. Was the ministry’s disclosure of the personal information in accordance with section 42(1) of the Act ?
3. Did the ministry have reasonable measures in place to prevent unauthorized access to the personal information in accordance with section 4(1) of Regulation 460 made under the Act ?

DISCUSSION:

Issue 1: Is the information at issue “personal information” as defined by section 2(1) of the Act?

[18] Under section 2(1) of the Act , “personal information”, is defined, in part, as follows:

“personal information” means recorded information about an identifiable individual, including,

(a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,

(b) information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,

(c) any identifying number, symbol or other particular assigned to the individual,

(d) the address, telephone number, fingerprints or blood type of the individual,

…

(h) the individual’s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual;

[19] The ministry confirmed to me that the certified copy of death registration contains information included in paragraphs (a) to (d) and (h) within the meaning of “personal information” under section 2(1).

[20] Accordingly, I find that the information at issue is “personal information” within the meaning of section 2(1) of the Act .

Issue 2: Was the ministry’s disclosure of the personal information in accordance with section 42(1) of the Act?

[21] Section 42(1) of the Act  prohibits the disclosure of personal information unless one of the exceptions described in paragraphs (a) to (o) under this section applies. In this matter, the ministry submitted that section 42(1)(e) of the Act  applied to allow the disclosure of the deceased’s personal information.

[22] In 2019 [7] , at the time of the disclosure, section 42(1)(e) read as follows:

An institution shall not disclose personal information in its custody or under its control except,

(e) for the purpose of complying with an Act of the Legislature or an Act of Parliament, an agreement or arrangement under such an Act  or a treaty; [8]

[23] Regarding this section, this office has found that the word “complying” in this section means that there must be a specific requirement for the disclosure and that the requirement in question must be mandatory in nature. [9] I accept and adopt these findings.

[24] With respect to section 42(1)(e), because the alleged applicant submitted a request for the certified copy of death registration, the ministry advised that it was required to disclose this personal information for the purpose of complying with section 45(1)  of the VSA  which states:

No certified copy of a registration of birth, change of name, death or still- birth shall be issued except to a person authorized by the Registrar General or the order of a court and upon payment of the required fee.

[25] In this matter, as previously mentioned, the required fee for the certified copy of death registration was paid. Further, regarding the ORG’s authorization of the applicant, the ministry explained that this determination was done in accordance with the ORG’s “Entitlement/Access to Records or Certificates” policy. Under this policy, the following person would be authorized to receive the certified copy of death registration:

Death:

Any person who completes an application and pays the prescribed fee may obtain a death certificate. Certified copies of the Statement of Death or Medical Certificate of Death are available to the next-of-kin**

[26] The terms “next of kin” and “extended next of kin” are defined in the ORG’s “Definition of Next of Kin” policy as follows:

For the purpose of determining entitlement for vital event documents, next of kin is defined as:

• Spouse

• Common Law Partner

• Mother, Father/Other Parent

• Son, Daughter

• Sister, Brother

These individuals have equal and legitimate claim to a record of a deceased person or still-born.

If all next of kin are deceased, the extended next of kin may be considered as:

• Grandmother, Grandfather

• Aunt, Uncle

• First Cousin

• Niece, Nephew

• Grandchild

[27] Further, in order for an application for a certified copy of a death registration to be processed, applicants must agree to the following statement on the ServiceOntario website:

I authorize the Office of the Registrar General to issue the requested document/information, and consent to the Ministry of Government and Consumer Services collecting information about myself and the person(s) named on the record (if other than myself) from such other sources as may be necessary to verify the information on this form and my entitlement to the service required and the disclosure of such information to the Ministry of Government and Consumer Services. I am aware that it is an offence to wilfully make a false statement on this form. [emphasis added] [10]

[28] Moreover, applicants must provide a reason for requesting this registration [11] and certify that they are the next of kin or extended next of kin as follows:

When you request a Certificate and/or a Certified Copy of Statement of death, the Office of the Registrar General requires you to certify that you are the Next of Kin or, if all of the Next of Kin are deceased, you are the Extended Next of Kin.

I, [name of applicant], am the [relationship to the deceased] of [the deceased’s name]. I certify that I am the Next of Kin or, that, the Next of Kin is deceased and I am the Extended Next of Kin.

[29] The ministry advised that, in order for a deceased individual’s next of kin or extended next of kin to receive a certified copy of a death registration, at a minimum, applicants must provide the name (first and last, or single name), the date of death, the place of death (city, town, village) and the sex of the individual who died.

[30] Where this minimal information is incomplete, does not exactly match the information on a death registration or the ORG is unable to confirm the record in circumstances where more than one registration with the same or similar information exists, the ministry advised that additional information would be requested (for example, the names of siblings and their dates of birth) which then can be verified through other records held by the ORG.

[31] To obtain this additional information, the ministry advised that the ORG would contact applicants by phone or by mail. If contacted by phone, the ministry explained that an applicant would be authenticated by an ORG staff member who would ask questions regarding the application (for example, their address) and the subject of the registration (for example, the name of one of the deceased’s parents). Once the staff member is satisfied that an applicant is the person who applied, the ministry advised that they would proceed with obtaining the outstanding and/or additional information. Where the ORG contacts applicants by mail, the ministry advised that this correspondence would be sent to the address they provided and, in response, applicants must provide the requested information and sign the correspondence.

[32] Where applicants do not provide the additional information, the ministry advised that the requirements of the application would not be met and, as a result, the ORG would send them a letter indicating that there is no registration that exactly matches the information provided in the application and not issue the registration to them.

[33] In this matter, the ministry advised that the applicant correctly provided the minimum information, as well as the correct first and last names of the deceased’s father and mother. The applicant also indicated on the application that the certified copy of death registration was required for estate purposes and certified their status as the extended next of kin (that is, the uncle) of the deceased.

[34] For these reasons, and because the ORG did not have a reason to challenge the alleged applicant’s entitlement to the certified copy of death registration and the fee for it was paid, the ministry advised that, in accordance with the ORG’s entitlement/access and next of kin policies above, the alleged applicant was authorized by the ORG to receive the certified copy of death registration pursuant to section 45(1)  of the VSA .

[35] Based on the information provided to me, it appears that the ORG issued the certified copy of death registration in accordance with its policies. However, it is also clear that the applicant should not have received this information. As mentioned above, following an investigation into the complainant’s concerns about the disclosure of the certified copy of death registration, the ministry concluded that the alleged applicant likely falsified their certification statement in their application. Therefore, it appears that the ORG should not have authorized the applicant to receive the certified copy of death registration pursuant to section 45(1)  of the VSA .

[36] Moreover, importantly, I note that although under the ministry’s policy, a certified copy of a death registration is available to a deceased’s next of kin (or extended next of kin), the ministry does not require applicants to prove their identity.

[37] For the reasons noted above, it is my view that the ORG’s disclosure of the certified copy of death registration to the applicant was not authorized under section 45(1)  of the VSA . Accordingly, I find that, the ministry’s disclosure of the certified copy of death registration was not in accordance with section 42(1)(e) of the Act .

Issue 3: Did the ministry have reasonable measures in place to prevent unauthorized access to the personal information in accordance with section 4(1) of Regulation 460 made under the Act?

[38] Section 4(1) of Regulation 460 made under the Act  (Reg. 460) [12] states:

Every head shall ensure that reasonable measures to prevent unauthorized access to the records in his or her institution are defined, documented and put in place, taking into account the nature of the records to be protected.

[39] This office has found that this requirement “applies throughout the life-cycle of a given record, from the point at which it is collected or otherwise obtained, through all of its uses, and up to and including its eventual disposal.” [13]

[40] Further, in Privacy Complaint Report PR16-40, the Investigator stated:

From the way this section of the regulation is written, it is clear that it does not prescribe a “one-size-fits-all” approach to security. It does not set out a list of measures that every institution must put in place regardless of circumstance. Instead, it requires institutions to have “reasonable” measures and ties those measures to the “nature” of the records to be protected. It follows that the same security measures may not be required of all institutions. Depending on the nature of the records to be protected, including their sensitivity, level of risk and the types of threats posed to them, the required measures may differ among institutions. [emphasis added]

[41] Moreover, in Investigation Report I93-044M, the Assistant Commissioner considered the term “reasonable measures” in section 3(1) of Regulation 823, which is the municipal access/privacy law equivalent of section 4(1), as follows:

The determination of whether reasonable measures had been put into place hinges on the meaning of "reasonable" in section 3(1) of Regulation 823, R.R.O. 1990, as amended. Black's Law Dictionary defines reasonable as:

Fair, proper, just, moderate, suitable under the circumstances. Fit and appropriate to the end in view ... Not immoderate or excessive, being synonymous with rational, honest, equitable, fair, suitable, moderate, tolerable.

Thus, for reasonable measures to have been put into place would not have required a standard so high as to necessitate that every possible measure be pursued to prevent unauthorized access. In our view, the measures identified above are consistent with Black's definition of "reasonable" -- appearing to be fair and suitable under the circumstances.

[42] I accept and adopt all of these findings.

[43] As mentioned above, the applicant denied applying for the certified copy of death registration. However, this claim appears to be in dispute because the RMU determined that an individual who was in a relationship with the applicant paid the required fee for the certified copy of death registration, which was mailed to their address. Further, based on the RCMP’s investigation, the ministry concluded that the applicant had likely falsified their certification in order to gain access to the death registration.

[44] As a result, it appears that the deceased’s personal information was inappropriately disclosed because of a falsified certification in the application for the certified copy of death registration. Therefore, I must consider whether the ministry had reasonable measures in place to prevent this type of threat as required by section 4(1) of Reg. 460.

[45] Regarding the certification provided by an applicant for a certified copy of a death registration, unless it is not reasonable to do so, the ministry advised that the ORG relies on the accuracy of the information that they attest to, which includes the “name of applicant”, their “relationship to the deceased” and “the deceased’s name”.

[46] In my view, without anything more than this reliance, I am not satisfied that the ministry had reasonable measures in place to prevent the threat of the alleged applicant providing a falsified certification and using it to gain unauthorized access to the certified copy of death registration. Therefore, I find that the ministry did not have reasonable measures in place to prevent unauthorized access to the personal information in accordance with section 4(1) of Reg. 460.

[47] Although the Personal Health Information Protection Act (PHIPA) [14] is not the applicable legislation governing this matter, this legislation is informative regarding the reasonable measures that the ministry can take to address the threat of an applicant who may provide a false certification in their application for a certified copy of a death registration.

[48] More specifically, PHIPA provides guidance as to the importance of verifying an individual’s identity before disclosing personal (health) information to them. Section 54(9) of PHIPA states:

A health information custodian shall not make a record of personal health information or a part of it available to an individual under this Part or provide a copy of it to an individual under clause (1) (a) without first taking reasonable steps to be satisfied as to the individual’s identity. [15]

[49] In light of the circumstances of this complaint, in my view, having an applicant provide proof of their identity as the person who is applying for a certified copy of a death registration would be fair and suitable with regard to the nature of the records to be protected. In addition, it would add a layer of security, could assist with the investigation and prosecution of any attempted unauthorized access, and may also serve as a deterrent to anyone who may be requesting this registration under false pretenses.

[50] Further, I note that, although during the application process for a certified copy of a death registration applicants agree that they “are aware that it is an offence to wilfully make a false statement on this [application] form”, there is no information provided to them about what may occur should they decide to make such a statement.

[51] Therefore, I will recommend that the ministry, as part of its reasonable measures in place to prevent unauthorized access to personal information as required by section 4(1) of Reg. 460 and to avoid a similar privacy breach in the future, take reasonable steps to be satisfied as to the identity of the next of kin or extended next of kin before granting them access to a certified copy of a death registration.

[52] I will also recommend that the ministry review the application form and consider including more information about the referenced offence for wilfully making a false statement on the form. Again, I believe having such information may serve as a deterrent and an extra layer of security.

[53] With respect to the ministry’s response to the breach, the ministry advised that the ORG took the corrective action of flagging the deceased’s birth registration and the death registration in its IT database.

[54] The ministry explained that a flagged registration contains the contact information of the person (for example, a next of kin of the deceased) (the contact person) to be contacted should an application be made for a certified copy of the flagged registration. As a result, the ministry advised that the ORG would contact this person and make them aware that someone claiming to be entitled to the registration had applied for it.

[55] The ministry also explained that the contact person would be required to assist with the application by advising whether there are other living next of kin. The ministry advised that no personal information relating to the potentially unauthorized applicant would be disclosed to the contact person.

[56] Where the contact person indicates that there are no other living next of kin, the ministry advised that the ORG would then contact the potentially unauthorized applicant and inform them that they are not entitled to a certified copy of the registration. Where fraud is suspected, the ministry advised that the matter would be further investigated by the ORG and that police may be contacted. However, where the contact person confirms that there is another entitled person who can apply (for example, another living equally entitled next of kin), the ministry advised that the ORG would issue the registration provided that all of the other information required for the application is correct and complete.

[57] Accordingly, should another application for the death registration be submitted to the ORG, the ministry advised that the flag would stop the request from being completed and that it would be by-passed only after the application was investigated and reviewed by a manager.

[58] Further, the ministry advised that the ORG would contact the complainant to determine whether they are aware that another person had applied for the death registration. Should the complainant not be aware of the application, the ministry advised that the ORG would investigate this person further.

[59] After considering the ministry’s information practices as they relate to the matter before me, I am satisfied that they have put into place measures that would prevent further disclosures of the certified copy of death registration at issue in this complaint.

[60] However, I continue to have concerns with the ministry’s response to the breach with respect to the containment of the breach. In my view, the ministry should have explored other means to retrieve the certified copy of death registration from the applicant. While charges may not have been able to be pursued due to the application of section 59(1)  of the VSA , such means may have included other legal action against the applicant. As such, I find that the ministry did not respond adequately to the breach.

[61] In light of the above, I will recommend that the ministry consider pursuing other means or legal action to retrieve the certified copy of death registration.

CONCLUSION:

Based on the results of the investigation, I have reached the following conclusions:

1. The information at issue is “personal information” as defined by section 2(1) of the Act .
2. The disclosure of the personal information was not in accordance with section 42(1) of the Act .
3. The ministry did not have reasonable measures in place to prevent unauthorized access to the personal information in accordance with section 4(1) of the Regulation 460 made under the Act .

RECOMMENDATIONS:

1. I recommend that the ministry, as part of its reasonable measures in place to prevent unauthorized access to personal information as required by section 4(1) of Reg. 460, take reasonable steps to be satisfied as to the identity of a person who applies for a certified copy of a death registration, that is, that this person is the person applying for the registration, before granting them access to the registration.
2. I recommend that the ministry review the application form for a certified copy of a death registration and consider including information relating to the offence for wilfully making a false statement on the form, such as the information found in section 56(1)  of the VSA .
3. I recommend that the ministry consider pursuing other means or legal action to retrieve the certified copy of death registration

Within three months of receiving this report, the ministry should provide this office with proof of compliance with the above recommendations.

Original signed by:		December 1, 2022
John Gayle
Investigator