Manual
PRIVACY PROTECTION
This chapter contains the following topics:
- Introduction
- Public Records
- Labour Relations and Employment-Related Records
- Collection of Personal Information
- Retention of Records
- Accuracy of Records
- Disposal of Records
- Use of Personal Information
- Disclosure of Personal Information
- Consistent Purpose
- New Use/Disclosure of Personal Information
- Role of Information and Privacy Commissioner
Introduction
The protection of personal privacy is one of the key principles of the
Freedom of Information and Protection of Privacy Act (FIPPA) / Municipal
Freedom of Information and Protection of Privacy Act (MFIPPA). The
personal privacy requirements, set out in Part III FIPPA/ Part II MFIPPA,
deal with privacy protection in the day-to-day operations of institutions.
These parts reflect internationally accepted principles of fair
information practices, and are based on two key principles:
- that an individual has the right to control his or her own personal
information; and
- that the privacy rules governing the collection, use, disclosure,
retention and disposal of personal information are necessary.
These privacy rules apply to all personal information in the custody or
control of institutions, with the exception of public records and certain
employment-related and labour relations records.
Public Records
s.37 FIPPA / s.27 MFIPPA
The privacy requirements do not apply to personal information
maintained for the purpose of creating a record that is available to the
general public.
Public records of personal information are records to which all members of
the public have equal access. Personal information to which some members
of the public have access, while others do not, is not a public record.
For example:
A public record is a list of electors as required by the Municipal
Elections Act.
Assessment rolls, as required by s.39 of the Assessment Act, are
public records.
Records of court proceedings that are publicly available by virtue of the Courts
of Justice Act are not subject to the privacy rules.
The Information and Privacy Commissioner has stated in a number of privacy
investigation reports that the public records exception applies "only
if the information in question is held by the institution maintaining it
for the express purpose of creating a record available to the general
public. Other institutions cannot claim the benefit of the public records
exception for the same personal information unless they, too, maintain the
personal information for the purpose of making it available to the general
public" (e.g., Privacy Investigation Report #I94-011P).
As a result, institutions should consider the privacy implications of
their business practices even when they are handling otherwise
"public" information. For example, it is not appropriate for
institutions to maintain profiles or dossiers on individuals even when the
personal information has been gathered from public sources such as
newspaper clippings. (This would not apply when the personal information
in question relates to information about individuals acting in a
representative or professional capacity such as politicians, lobbyists or
representatives of groups or organizations).
Labour Relations and Employment-Related Records
s.65(6), (7) FIPPA / s.52(3), (4) MFIPPA
FIPPA/MFIPPA does not apply to most employment-related and labour
relations information in which an institution has an interest.
Nonetheless, certain records such as employee expense accounts, and
agreements arising out of negotiations about employment-related matters
between an institution and an employee(s) continue to be covered by FIPPA/MFIPPA.
For further discussion regarding this category of excluded records refer
to Chapter 3 (Access
Procedures) or the Annotation of Commissioner's Orders.
Collection of Personal Information
s.38, 39 FIPPA / s.28, 29 MFIPPA
Expanded Definition of Personal Information
s.38(1) FIPPA / s.28(1) MFIPPA
The privacy provisions dealing with the collection of personal
information apply to both recorded and non-recorded personal information -
that is, to personal information which is collected verbally.
All other privacy provisions in the Act, dealing with use, disclosure,
retention, disposal and access to personal information apply only to
recorded personal information about an individual.
Authority to Collect
s.38(2) FIPPA / s.28(2) MFIPPA
This section sets out the conditions under which personal information
may be collected. Personal information is collected when the institution
actively acquires the information or invites an individual or others to
send personal information to the institution. An individual may submit
personal information on his/her own initiative without the information
being requested by the institution. Receipt of this information is not
considered a collection unless the institution keeps or uses the
information.
One of three conditions must exist in order for personal information to be
collected:
- the collection of personal information is expressly authorized by a
statute. The authority to collect must be in a statute rather than in
a regulation; or
- the information collected is used for the purposes of law
enforcement; or
- the collection is necessary for the proper administration of a
lawfully authorized activity (provincial institutions may have this
activity authorized by statute, regulation or order-in-council; local
governments by statute, regulation or by-law).
By implication, this authority to collect personal information is
limited to the collection of necessary information.
For example:
It was necessary to the proper administration of a lawfully authorized
activity for the Family Support Plan to collect health plan numbers and
photographs of individuals who have support or custody orders existing
against them. This information was necessary in order to trace
individuals, assist in enforcing orders and serve documents personally. (Privacy
Investigation Report #I92-38P)
Further, the phrase "expressly authorized by statute" requires
either that the specific types of personal information collected be
expressly described in the statute or a general reference to the activity
be set out in the statute, together with a specific reference to the
personal information to be collected in a regulation made under the
statute, i.e., in the form or in the text of the regulation.
Manner of Collection
s.39(1) FIPPA / s.29(1) MFIPPA
This section requires that personal information be collected directly
from the individual to whom it relates, unless certain circumstances
described in subsections (a) through (h) permit an indirect collection,
that is, from a source other than the individual to whom the information
relates.
Individual Authorization
s.39(1)(a) FIPPA / s.29(1)(a) MFIPPA
An individual may authorize an indirect collection of his/her own
personal information. Such authorization should generally include:
- the identification of the personal information to be collected;
- the source from which the personal information may be collected; and
- the name of the institution that is to collect the personal
information.
A record should be kept with the date and the details of the
authorization.
Disclosure Under Section 42 FIPPA / Section 32 MFIPPA
s.39(1)(b) FIPPA / s.29(1)(b) MFIPPA
Personal information may be collected by one institution from another
institution where the disclosing institution has authority to disclose
under s.42 FIPPA / s.32 MFIPPA.
For example:
When a welfare recipient moves to another municipality, the municipality
originally providing benefits may disclose certain personal information
about the recipient to the second municipality, so that the client's
eligibility for welfare may be determined.
The disclosure is authorized by s.32(c)
of MFIPPA, as the disclosure to the second municipality is for
the same or similar purpose for which the information was originally
collected, namely, determining eligibility for welfare benefits. The
second municipality, therefore, may collect the information since it has
been properly disclosed to it under s.32(c) of MFIPPA.
Authority of the Commissioner
s.39(1)(a), 39(1)(c), 59(c) FIPPA / s.29(1)(a), 29(1)(c), 46(c) MFIPPA
The Commissioner may authorize a collection from a source other than
the individual. The Commissioner's authorization may be sought because the
indirect collection is not specifically allowed under this section or
where the institution believes it is not possible or practical to collect
the personal information directly or to obtain authorization directly from
the individual concerned.
The Information and Privacy Commissioner has prepared guidelines to
assist institutions in applying for authorization of an indirect
collection. See Appendix X (Guidelines on applications for authorization
of indirect collection).
Consumer Reporting Act
s.39(1)(d) FIPPA / s.29(1)(d) MFIPPA
This subsection authorizes an institution to collect personal
information contained in a consumer report that is prepared in accordance
with the Consumer Reporting Act. A complete list of information
which may be included in such a report is contained in s.8(1)(d) of the Consumer
Reporting Act.
Honour or Award
s.39(1)(e) FIPPA / s.29(1)(e) MFIPPA
This subsection authorizes an institution to collect personal
information indirectly for the purpose of determining suitability for an
honour or award to recognize outstanding achievement or distinguished
service.
For example:
Personal information can be collected to determine which of a number of
candidates should receive a Citizen of the Year award.
Courts and Tribunals
s.39(1)(f) FIPPA / s.29(1)(f) MFIPPA
This subsection authorizes an institution to collect personal
information indirectly for the conduct of a proceeding or a possible
proceeding before a court or judicial or quasi-judicial tribunal.
A judicial or quasi-judicial tribunal is a body constituted under a
statute with power to decide the legal rights of a person or the
eligibility of a person for a benefit or licence. Such tribunals are
required to adhere to standards of procedural fairness similar to the
procedures of courts.
Examples of this type of tribunal include the Ontario Municipal Board,
Property Standards Committee, Assessment Review Court, Social Assistance
Review Board, Courts of Revision, and Committees of Adjustment.
In some cases, after personal information has been collected, no
proceeding takes place because, for example, there is insufficient
evidence. Even though the tribunal may never hear the matter, this
subsection applies as long as the purpose of the collection is to
determine whether a proceeding can be commenced before a court or
tribunal.
Law Enforcement
s.39(1)(g) FIPPA / s.29(1)(g) MFIPPA
Personal information which is collected for the purpose of law
enforcement may be collected from a source other than the individual to
whom the information relates.
The IPC has found that collection authorized by this subsection must be
directly relevant to the law enforcement activity. Only the minimal amount
of personal information that is necessary should be collected.
Law enforcement is defined in Chapter
1 (Introduction to the Act) of this manual.
Statutory Authority
s.39(1)(h) FIPPA / s.29(1)(h) MFIPPA
A statute, regulation or by-law may authorize a collection of personal
information from a source other than the individual.
For example:
Under s.6(4) of the Municipal Health Services Act, a municipal
assessment commissioner may require any employer to furnish a list of
employees residing in the municipality, and the dates upon which the
employees are paid their salary or wages.
Subsection 10(1) of the Assessment Act authorizes an assessor to
indirectly collect specific personal information about an individual from
any person "present on land" visited by an assessor under the
Act.
Subsection 61(3) of the Family Responsibility and Support Arrears
Enforcement Act authorized indirect collection of specific types of
personal information.
Notification Requirements
s.39(2) FIPPA / s.29(2) MFIPPA
When personal information is collected on behalf of an institution,
either directly from the person to whom the information relates or
indirectly from another source, the institution must inform the individual
that the collection has occurred.
The notice to the individual must state:
- the legal authority for the collection;
- the principal purpose(s) for which the personal information will be
used;
- the title, business address and telephone number of an official of
the institution who can answer the individual's questions about the
collection.
The notice of legal authority should include a reference to the
specific act (or regulation) and section, or by-law which authorized the
collection. Where an act or by-law does not specifically refer to the
collection, then the notice should refer to the specific section of the
act or by-law which establishes the activity or program under which the
information is collected.
For example:
Subsection 58(2) of the Education Act provides for the
establishment of Boards of Education. Even though the Education Act may
not specifically authorize each collection of personal information
undertaken by a Board of Education, nonetheless s.58(2) of the Education
Act would provide sufficient statutory authority to undertake
collections of personal information that are necessary to the functioning
of a board.
The statement regarding the principal purpose(s) for which the information
will be used should be consistent with the allowable uses of personal
information. The principal purpose(s) for which the information will be
used should also be consistent with the statement in the index of personal
information banks which describes the use and disclosure of personal
information in each bank.
The IPC has found that a notice of collection should contain each of the
three elements described in the subsection. Discussion of matters other
than collection (e.g., anticipated disclosure of the information) should
be included in a separate paragraph from the notice.
Where the personal information is collected directly from the individual,
notice should be given to the individual at the time of the collection.
Where the personal information is collected on a form, the notice may be
provided on the form itself.
A notification should be included on a form where the principal purpose of
the form is to collect personal information and the information is used
for the purpose of making a decision affecting the individual.
Further, where a variety of personal information data has been collected,
the notice of collection must relate to all of the data that has been
collected. Where different personal information data on the form is used
for different purposes, or is collected under different legal authority,
the various purposes and authority must be included in the notice.
For example:
Where a particular use of the social insurance number was not indicated in
the notice, the notice of collection was found inadequate by the IPC.
Forms which are prescribed by a provincial regulation are not controlled
by a municipality or local board. In cases where personal information is
collected on a prescribed form, it is the responsibility of the provincial
ministry controlling the form to include a notice on the form.
Alternative ways of providing collection notices could include:
- notifying the public through advertisements in the press (e.g.,
where a public advertisement solicits the collection);
- orally informing the individual in the course of an in-person or
telephone interview (and noting this in the individual's file); or
- including the notice in correspondence or as an insert with other
mailed material.
Where personal information is collected and will be used by or
disclosed to another institution, the individual should be given notice
of:
- the legal authority that the first institution has for collecting
the information;
- the principal purposes for which the personal information will be
used by that institution;
- the address and telephone number of an official in that institution
who can answer questions; and
- the fact that the information will be used by a second institution
and the name of that institution.
If the individual is not informed at the time of collection that the
information will be used by another institution, then the second
institution must provide notice to the individual.
Notice must be provided each time personal information is collected. A
notice of collection may notify of specific collections occurring in the
future when this can be predicted with certainty. Whenever there is
ambiguity regarding the sufficiency of the notice, a new notice of
collection should be provided. (Privacy
Investigation Report #I95-030P)
Where indirect collection is permitted under subsection 1, notice to the
individual is still required.
Exception to Notice Requirements
Minister's Waiver
The requirement to provide a notice of collection may be waived by the
Minister responsible for FIPPA/MFIPPA. Each request for waiver is
considered on its merits. Waivers will normally be requested for a class
or group of individuals rather than one individual.
For example:
The Chair of Management Board has granted waivers of notice under
s.29(3)(b) MFIPPA in respect of indirect collection of personal
information on Alzheimer patients for the creation of Wandering Patient
Registries by various Police Services in the province.
Some of the criteria for consideration in determining whether to grant
a waiver of notice are as follows:
- Notice Frustrates Purpose of Indirect Collection:
In some cases, to give notice to the individual where information is
collected indirectly for certain programs, or of investigations which do
not qualify as law enforcement, would undermine the objectives or
frustrate the purpose of those programs and investigations. The
circumstances which necessitate indirect collection may be considered in
determining whether a waiver will be granted.
- Statutory Authority for Indirect Collection:
Where there is statutory authority for indirect collection, the
circumstances that make indirect collection necessary may be considered
in determining whether the notice requirements will be waived.
- Administrative Burden and Cost:
A heavy administrative burden coupled with high costs may justify a
waiver in certain circumstances. The administrative burden and the costs
would be excessive when weighed against the requirement or need for
notice in the particular case. An alternative, however, such as posting
a notice or publishing a notice in the newspaper, might be appropriate
in these circumstances.
- Impossibility/Difficulty:
There can be circumstances where it is impossible or very difficult
to provide notice. Those circumstances may be considered in determining
whether the notice requirements will be waived.
- Authorization of Information and Privacy Commissioner:
Where the Commissioner has authorized collection of personal
information other than directly from the individual, the circumstances
which the Commissioner considered in authorizing indirect collection may
be considered in determining whether a waiver of notice will be granted.
- Subsequent Collection by Another Institution:
Where personal information is collected and will be disclosed to
another institution in accordance with s.42 FIPPA/ s.32 MFIPPA, the
individual is to be given the required notice by the first institution
and a statement that the information will be disclosed to the second
institution. No waiver is required in these circumstances since the
first institution has complied with s.39(2) FIPPA/ s.29(2) MFIPPA for
both institutions.
Where the first institution does not advise the individual of the
disclosure to the second institution, notice will usually be required.
There may, however, be circumstances where to provide notice would be
inconsistent with the disclosure in s.42 FIPPA/ s.32 MFIPPA. In such
circumstances, waiver may be appropriate.
Therefore, when an institution obtains the information, and the
individual was already notified in respect to the first collection, it
may be appropriate to waive further notification requirements.
This list is not exhaustive and other criteria may be considered in
determining whether a waiver of notice will be granted. To request a
waiver of notification, complete the Request for Waiver of Notice to the
Individual of Collection of Personal Information (see Appendix IX).
Further information on the procedure can be obtained from the Corporate
Freedom of Access and Privacy Office, Ministry of Government Services.
Other Exceptions to Notice
s.39(3) FIPPA / s.29(3) MFIPPA
Notice of collection of personal information is not required if:
- the type of information being collected would be exempt from access
under s.14(1) or 14(2) FIPPA / s.8(1) or 8(2) MFIPPA (law
enforcement);
- the Minister (Chair of the Management Board of Cabinet) waives the
notice. Each request for a waiver is considered on its own merits.
Waivers will normally be requested for a class or group of individuals
rather than one individual; or
- the regulations provide that the notice is not required.
For MFIPPA institutions, O.Reg.823 s.4 outlines circumstances where
notice of collection is not required. The following circumstances apply
only to institutions governed by MFIPPA:
- Notice Frustrates Purpose of the Collection:
Providing notice to the individual when personal information is
collected may undermine the purpose for which the personal information
is collected. An institution might collect personal information to
determine the whereabouts of someone who is indebted to the
institution and who has absconded to avoid paying the debt. In such
circumstances, providing notice would frustrate the purpose of
collecting the personal information, since notifying the debtor could
result in the debtor taking further steps to avoid payment.
- Unjustified Invasion of Another Individual's Personal Privacy:
Under the Act a notice of collection of personal information must
describe how the information will be used. When the use touches upon
sensitive personal matters involving another person, the notice may
reveal personal information about another individual.
For example:
An individual who applies for social assistance benefits from a
municipality may be required to furnish the names and routine
biographical details of the applicant's dependents or co-habitors.
Providing notice to the dependents or co-habitor that personal
information about them has been collected for the purpose of assessing
the applicant's application would reveal sensitive personal
information, namely that the individual has applied for assistance.
- Suitability or Eligibility for Award or Honour:
An institution may collect the names and biographical details of
persons who are being considered for an award or honour. Where
personal information is collected for this purpose, a notice of
collection is not required.
The head of the institution must make available to the public a
statement describing the purpose of the collection of personal
information and the reason that notice has not been given. The statement
should:
- identify the program or activity for which the personal information
is collected;
- describe in general terms the type of personal information
collected, and how the information will be used;
- state the time period during which the notice would not be given,
for example, whether the notice is being dispensed with for a one-time
only collection or for collections occurring regularly over an
indefinite time period;
- explain under which of the circumstances provided for by the
regulations the notice has been dispensed with; and
- advise that any concerns regarding the dispensing of notice may be
brought to the attention of the IPC.
The public statement should not disclose any personal information about
an identifiable individual.
Retention of Records
s.40(1) FIPPA / s.30(1) MFIPPA
The Act includes the power to make regulations relating to the
retention period for personal information.
The regulations prescribe a minimum one year retention period for personal
information following the last date of use of the information. This is a
minimum period, and other operational or legal considerations may require
a longer retention period.
The purpose of the minimum retention period is to ensure that the
individual to whom the information relates has a reasonable opportunity to
obtain access to the personal information (s.40(1) FIPPA / s.30(1) MFIPPA).
When information is updated, the outdated information must be retained in
some form so that it is available for the prescribed retention period
of one year. The backup documentation does not necessarily need to be
stored in the same location as the current information.
Provincial institutions
The Management Board Directive on Recorded Information Management
provides ministries and certain agencies with policies and procedures for
scheduling the retention and disposal of records.
Local Institutions
The one year minimum retention period can be shortened in two
circumstances. First, where the individual to whom the information relates
consents to an earlier disposal, the records need not be kept for one
year. Individuals, however, cannot compel the destruction of records.
Second, the period can be shortened where a by-law or resolution
stipulates a retention period for the personal information that is
shorter than the statutory one year period.
This is a minimum retention period, and other operational and legal
considerations may require a longer retention period.
Accuracy of Records
s.40(2) FIPPA / s.30(2) MFIPPA
Subsection 40(2) FIPPA / s.30(2) MFIPPA requires that reasonable steps
be taken to ensure that personal information is not used unless it is
accurate and up to date.
Reasonable steps include checking for accuracy, including errors or
omissions, at the time the personal information is collected. Any
verification of information should be documented.
Although personal information may be accurate and up-to-date when
collected, it may become outdated and, therefore, inaccurate. Before
personal information is used, the following questions may be useful in
assessing its accuracy:
- When was the information collected?
- Was the information collected directly from the individual to whom
it relates?
- Was the accuracy of the information verified at the time it was
collected? (e.g., Was a birth certificate viewed to verify age?)
- Is the proposed use of the information consistent with the purpose
for which it was collected? Information collected for one purpose may
be misleading when used for a different purpose.
- How relevant is the personal information to the current use? (e.g.,
If the information is used to determine eligibility for benefits based
on age, the date of birth may be the most relevant piece of
information.)
- Is the information likely to be outdated?
Exception to Accuracy Requirement
s.40(3) FIPPA / s.30(4) MFIPPA
These subsections do not apply to information collected for law
enforcement purposes.
Disposal of Records
s.40(4) FIPPA / s.30(4) MFIPPA
For FIPPA institutions, O.Reg.459 governs the disposal of personal
information. There is no comparable regulation for MFIPPA institutions.
Regulation 459 establishes certain requirements that must be followed by
provincial institutions when disposing of personal information.
These requirements can be summarized as follows:
- Transfer to the Archives of Ontario or destruction:
An institution may dispose of personal information only by (1)
transferring it to the Archives of Ontario or (2) by destroying it in
such a manner that the information cannot be reconstructed or retrieved.
Records from ministries and certain agencies are transferred to the
Archives of Ontario for permanent retention if the Archivist determines
that the records have long-term, historical value. Where these records
contain personal information, the head disposes of the personal
information by transferring it to the custody of the Archives of
Ontario.
Where the personal information does not have archival value, or where
the personal information is in the custody or control of an institution
which does not transfer records to the Archives of Ontario, the personal
information is disposed of by destruction.
Transferring personal information to an internal archives other than the
Archives of Ontario is not a "disposal" for the purposes of
the regulation.
Personal information that is disposed of by destruction should be
destroyed in such a way that it cannot be reconstructed or retrieved.
Paper and other hard copy records, such as microfiche, should be
burned, pulped, or shredded rather than discarded or disposed of as
garbage.
Personal information on magnetic media such as tape or disk should be
disposed of by magnetic erasure or by destruction of the medium, when
the medium is released from the processing environment. Where the medium
is retained and re-used within a secure processing environment, however,
personal information may be disposed of by writing-over during re-use.
Where personal information is in the custody or under the control of
an institution, no person shall destroy it without the authorization of
the head. The head may delegate this responsibility.
The authorization may apply to specific data or to general classes or
categories of records, and must be consistent with any retention or
other management requirement which may apply to the record of personal
information through legislation or policy.
- Protecting security and confidentiality:
The head shall ensure that all reasonable steps are taken to protect
the security and confidentiality of personal information that is to be
disposed of, including protecting its security and confidentiality
during its storage, transportation, handling and destruction or transfer
to the Archives of Ontario. In determining whether all reasonable steps
are taken, the head shall consider the nature of the personal
information to be disposed of.
Measures which may be considered include:
- ensuring that personal information is not left unattended or
outside of secure areas during interim storage;
- ensuring that storage rooms are locked and secure, with controlled
distribution of keys or lock combinations;
- ensuring that access to information during temporary storage is
limited to authorized personnel and that such access is documented;
- labelling record storage containers in such a manner that the nature
of the contents is not revealed;
- requiring outside suppliers of transportation and disposal services to
be bonded, with security provision included in the service contract.
The nature of these measures should be consistent with the sensitivity
of the personal information involved. In all cases, however, the minimum
requirement is that the confidentiality of the personal information be
maintained during disposal.
Each institution shall maintain a disposal record setting out what
personal information has been destroyed or transferred to the Archives
of Ontario and the date of that destruction or transfer. This disposal
record must not contain personal information.
The record of disposal would describe the "class" of record
involved (e.g., "Licence Application Forms", "ABC Program
Closed Case Files") rather than containing information about an
identifiable individual, and would include the date or date range of the
records, and the disposal date. The authority for the disposal and the
means of the disposal may also be included.
Where the disposal is undertaken by an outside supplier, the institution
may require the supplier to provide a "certification of
destruction" signed by an officer of the company. This certificate
would then be linked to the disposal record maintained by the
institution.
Use of Personal Information
s.41 FIPPA / s.31 MFIPPA
This section establishes general rules governing the use of personal
information in the custody or under the control of institutions. It
recognizes that an individual's right to privacy includes the right to
know how his/her personal information is being used. Personal information
may be used within the institution where any one of the following
circumstances exists.
Individual Consent
s.41(a) FIPPA / s.31(a) MFIPPA
An institution may use personal information where the individual to
whom the information relates has consented to the use proposed by the
institution.
This consent should be in writing and indicate:
- the particular personal information to be used;
- the use for which consent is given;
- the date of the consent; and
- the institution to which consent is given.
Consent of the individual is required where none of the other
circumstances described below exists.
Purpose for Which Information Collected
s.41(b) FIPPA / s.31(b) MFIPPA
The institution may use personal information for the purpose for which
the information was originally obtained or compiled, or for a consistent
purpose.
Usually, an institution may use personal information under its custody or
control for the purposes indicated in the collection notice and in the
personal information bank descriptions it provides in its directory of
records.
The institution may also use personal information for a purpose which is
consistent with the purpose(s) listed in the collection notice. For an
explanation of a consistent purpose, see the discussion of s.43 FIPPA /
s.33 MFIPPA later in this chapter.
For the Purpose Disclosed
s.41(c) FIPPA / s.31(c) MFIPPA
An institution may have personal information disclosed to it by another
institution under s.42 FIPPA / s.32 MFIPPA. The receiving
institution may use this personal information only for the purpose for
which it was disclosed by the first institution.
For example:
If personal information is disclosed from one institution to another in
compassionate circumstances to assist in locating a family member, that
information is to be used by the receiving institution only to locate the
family member and for no other purpose.
Disclosure of Personal Information
s.42 FIPPA / s.32 MFIPPA
Institutions covered by FIPPA/MFIPPA have rules governing the two
separate sets of circumstances under which personal information may be
disclosed to another party:
- Part II/I. The first set of rules appears under s.21 FIPPA / s.14
MFIPPA. These mandatory rules apply whenever anyone makes an access
request for another's personal information. Detailed discussion of
these rules can be found in Chapter 4 (Exemptions).
- Part III/II. The second set of rules appears under s.42 FIPPA / s.32
MFIPPA. These rules govern an institution's disclosure of personal
information during the conduct of its day-to-day activities. An
institution may disclose personal information in the absence of a
formal access request if the disclosure is permitted under Part
III/II.
Disclosure in Accordance with Part II/I
s.42(a) FIPPA / s.32(a) MFIPPA
Subsection 42(a) FIPPA / s.32(a) MFIPPA permits an institution to
disclose personal information in circumstances where such disclosure would
have been permitted under s.21 FIPPA / s.14 MFIPPA, even though the
institution has not received an access request. This subsection should
be read in conjunction with s.63(1) FIPPA / s.50(1) MFIPPA,
which permits a head to disclose information even though an access request
has not been received.
Consent to Disclosure
s.42(b) FIPPA / s.32(b) MFIPPA
Personal information may be disclosed where the individual has
consented to the disclosure. Where consent to disclose personal
information has been given by an individual, the specific information for
which consent has been given must be identified.
Where this consent is not obtained in writing it should be documented and
should indicate:
- the particular personal information to be disclosed;
- to whom the information may be disclosed and for what purpose it is
to be used;
- the date of the consent; and
- the institution to which consent is given.
Where an individual purports to act as an agent, the institution has an
obligation under s.3(3)
of Regulation 460 FIPPA / s.2(3)
Regulation 823 MFIPPA to verify the identity of an individual seeking
access to his/her personal information and whether or not the agent is
properly authorized to obtain such information. If proper authorization
cannot be obtained, the institution may either notify the individual whose
personal information is at issue and provide him/her with an opportunity
to provide representations prior to any decision regarding disclosure of
the records or may deal with the validity of the authorizations as a
preliminary matter. The following factors are relevant for the institution
in determining reasonably whether to refuse or accept certain
authorizations:
- whether the personal information is very sensitive,
- whether the authorizations preclude the institution from verifying
the consent, and
- whether or not the individuals who have allegedly consented have
responded to the request for verification made by the institution.
Special care should be taken where personal information is being
requested about the treatment of vulnerable individuals. Institutions
should not assume that requests for personal information by agents are
invalid; rather, they should discuss the matter with the individuals
involved before determining whether or not to accept the authorizations.
Consistent Purpose
s.42(c), 43 FIPPA / s.32(c), 33 MFIPPA
Personal information may be disclosed for the purpose(s) for which it
was originally collected, or for a consistent purpose. A purpose is a
consistent purpose only if the individual from whom the information was
directly collected might reasonably have expected such a disclosure of the
information.
For example:
A public utility commission may disclose personal information to a debt
collection agency to recover monies owed to the commission for utility
bills in arrears. Such disclosures would reasonably be expected by persons
who have not discharged their debts to the commission.
The IPC has found that where personal information has been collected
indirectly, a consistent purpose is one in which the use or disclosure is
"reasonably compatible" with the purpose for which it was
collected.
An institution may also disclose personal information for a purpose which
is consistent with the purpose(s) listed in the collection notice.
For example:
Disclosure of personal information such as payments received, social
insurance number, date of birth and address regarding an application for a
government loan to credit reporting agencies was in compliance with this
provision. This personal information was disclosed for the purposes of
updating or making the necessary credit investigations or credit reporting
as stated in the notice of collection of personal information.
Where an administrative or policy manual provided guidelines for the
subsequent use or disclosure of personal information by an institution,
disclosure in accordance with the guidelines was found to have been for a
consistent purpose.
In Performance of Duties
s.42(d) FIPPA / s.32(d) MFIPPA
Personal information may be disclosed to an employee or officer of the
institution who needs the record in the performance of his/her duties, and
where disclosure is necessary and proper in the discharge of the
institution's functions.
Before an officer or employee of an institution is granted access to
personal information under this provision, both of the following
conditions must be satisfied:
- the employee or officer must need the personal information for the
performance of his/her duties; and
- disclosure of the personal information must be necessary and proper
in discharging the institution's functions.
For example:
A municipal council resolution that authorized the disclosure of a list of
welfare recipients from the Welfare Administrator to the council to
address the councillors' "previously expressed interest and
concern" regarding social assistance expenditures was insufficient to
satisfy the requirements of this subsection. This provision required that
the sharing of personal information within an institution be based on more
than an interest or concern; it required evidence that the disclosure was
needed and necessary. Since it failed to comply with this provision, the
council's resolution was illegal and need not be obeyed. (H.(J) v.
Hastings (County), (1993) 12 M.P.L.R. (2d) 40 (Ont.Ct.Gen. Div.))
Disclosures that are merely convenient or desirable are not allowed under
this section.
It is important to note that the identity of an access requester should
not be disclosed within an institution unless such disclosure is necessary
in order to respond to the request. Further, names and addresses of
individuals who have made requests for general records under the Act
should not be communicated within an institution other than to staff of
the Freedom of Information and Privacy office.
An institution's functions would include the administration of by-laws,
statutory programs, and activities necessary to the overall operation of
the institution.
Act of Legislature or Parliament
s.42(e) FIPPA / s.32(e) MFIPPA
This subsection permits disclosure of personal information for the
purpose of complying with an act of the Legislature or of Parliament, or
an agreement or arrangement thereunder, or a treaty. The agreement or
arrangement must result from or be sanctioned by a federal or Ontario
statute. Disclosure of personal information for the purposes of complying
with a regulation or a by-law would be included.
For example:
Section 14 of the Immunization of School Pupils Act requires a
medical officer of health to transfer a child's immunization records to
another medical officer of health when that child moves to a school under
the jurisdiction of the latter health unit.
Subsection 72(3) of the Child and Family Services Act requires a
person (for example, a school teacher or principal, social worker, family
counsellor) to report suspicions of child abuse and to report the
information on which the suspicion is based.
Subsection 199(3) of the Highway Traffic Act requires a police
officer to forward accident reports to the Ministry of Transportation.
The Ombudsman Act provides authority for the disclosure of
personal information to the Office of the Ombudsman from governmental
institutions in accordance with this provision.
Disclosure to Law Enforcement Agency
s.42(f) FIPPA / s.32(f) MFIPPA
A law enforcement institution may disclose personal information to a
law enforcement agency in Canada, or to a law enforcement agency in a
foreign country under an arrangement, a written agreement or treaty, or
under legislative authority.
Under this section, disclosure may only be made by a "law enforcement
institution". An institution engaged in "law enforcement"
is discussed in the Definitions section in Chapter
1 (Introduction to the Act).
For example:
The Ministry of the Solicitor General and Correctional Services is a law
enforcement institution which is engaged in law enforcement through the
Ontario Provincial Police and other programs. It is also responsible for
the enforcement of
probation and parole orders, another law enforcement activity. The
Ministry of Community and Social Services and the Ministry of Consumer and
Commercial Relations are also institutions engaged in law enforcement
through their departments which are responsible for compliance with
statutes. Similarly, municipalities are law enforcement institutions
through their enforcement of by-laws.
Disclosure may only be made to a law enforcement agency. A "law
enforcement agency" includes a national, state, or local police
force, or a municipal or provincial police force in Canada, the RCMP and
some special police forces.
For example:
The IPC has determined that the Canadian National Railways (CNR) police is
a "law enforcement agency" for the purpose of this section. The
Ontario Provincial Police were authorized to disclose to CNR police
personal information concerning a criminal offence that had been laid
against a CNR employee.
In exchanges of personal information with foreign countries, written
agreements or treaties should be established. Where this is not possible
or practical, an arrangement may be made. An "arrangement" is an
unwritten agreement for the exchange of personal information.
When a law enforcement institution discloses personal information to a
police agency or other law enforcement agencies in Canada, an agreement or
arrangement is not required. It is understood that the purpose of the
disclosure is law enforcement.
Aid in Law Enforcement
s.42(g) FIPPA / s.32(g) MFIPPA
An institution may disclose personal information to another institution
covered by FIPPA/MFIPPA or to a law enforcement agency in Canada to aid an
investigation leading or likely to lead to a law enforcement proceeding.
For this section to apply, the disclosure must be in aid of the
investigation undertaken.
For example:
Disclosure of personal information to an eligibility review officer is for
a law enforcement purpose if it is to aid in an investigation into social
services benefits eligibility where a person has received benefits. Such
an investigation could lead to sanctions such as an assessment of
overpayment or withholding of benefits.
Although this subsection permits an institution to release personal
information, the institution may choose to require a search warrant before
access to personal information is granted.
For example:
The Education Act states that the Ontario Student Record is
privileged for the information and use of supervisory officers and the
principal and teachers of the school. A school may require a police agency
to provide a search warrant before disclosing such a record.
Compelling Circumstances
s.42(h) FIPPA / s.32(h) MFIPPA
An institution may disclose personal information in compelling
circumstances affecting the health or safety of an individual. In
compelling circumstances, there may be no other way to obtain the personal
information, or there may be an emergency where the delay in obtaining the
information would be injurious to someone's health or safety. Before
personal information is released under this subsection, both of the
following conditions must be satisfied:
- the circumstances in which the release of personal information is
contemplated must be compelling; and
- the compelling circumstances must affect the health or safety of an
individual.
For example:
A mentally unstable social services benefits client convinces his case
worker that he is going to kill his roommate.
Where personal information is disclosed under this subsection,
notification of the disclosure must be mailed to the last known address of
the individual to whom the information relates. This means the most recent
address known to the institution which disclosed the personal information.
If no address is known, the institution should attempt to obtain it from
the person who made the request for the information.
Compassionate Circumstances
s.42(i) FIPPA / s.32(i) MFIPPA
An institution may disclose personal information in compassionate
circumstances to facilitate contact with the next-of-kin, or a friend of
an individual who is injured, ill or deceased.
"Compassionate circumstances" are those where there is a need to
make contact with a friend or next-of-kin to inform them of an
individual's injury, illness, or death. The personal information to be
disclosed may relate either to the injured or deceased person, or to the
relative or friend who is to be contacted.
Only the personal information necessary to facilitate contact should be
disclosed.
This provision is not relevant in deciding whether personal information
may be disclosed as a result of an access request.
To a Member of the Legislature
s.42(j) FIPPA
Disclosure is permitted to a member of the Legislative Assembly (MLA)
who has been authorized by a constituent to whom the information relates
to make an enquiry on his/her behalf. Where the constituent is
incapacitated, the member may be authorized by the next of kin or legal
representative of the constituent.
This subsection applies to situations in which the assistance of an MLA is
sought in resolving a problem, and the individual or his/her
representative has consented to the disclosure of personal information to
the member in the course of his/her enquiry.
Whether the member is making a written or oral inquiry, the member must
indicate that he/she is acting with the constituent's authority. This
disclosure will be recorded in or linked to the individual's record. Where
the personal information is particularly sensitive (e.g., medical
records), the institution may have additional consent requirements
specific to the situation, such as written authorization.
To a Member of the Bargaining Agent
s.42(k) FIPPA
Disclosure is permitted to a member of the bargaining agent who has
been authorized by an employee to whom the information relates to make an
enquiry on the employee's behalf. Where the employee is incapacitated, the
bargaining agent may be authorized by the next of kin or legal
representative of the employee.
As in s.42(j), reasonable steps should be taken to ensure the authority
exists.
Disclosure to Responsible Minister
s.42(l) FIPPA / s.32(j) MFIPPA
Personal information may be disclosed to the Chair of Management Board
of Cabinet as minister responsible for the Act.
For example:
A request for waiver of notification of personal information may require
the disclosure of personal information to the Minister.
Disclosure to Information and Privacy Commissioner
s.42(m) FIPPA / s.32(k) MFIPPA
Personal information may be disclosed to the IPC. This subsection is
intended to facilitate the IPC's access to records in order to carry out
its decision making and investigation responsibilities. Under s.52(4)
FIPPA / s.41(4) MFIPPA, the Commissioner has the authority to examine any
record in the custody or control of an institution during the course of an
inquiry regarding an appeal of an access decision made by an institution.
Government of Canada or Government of Ontario
s.42(n) FIPPA / s.32(l) MFIPPA
Disclosure of personal information is permitted to the Government of
Canada or to the Government of Ontario in order to facilitate the auditing
of shared-cost programs.
For example:
Personal information contained in general welfare case files established
under the General Welfare Assistance Act may be audited by the
Province of Ontario.
Consistent Purpose
s.43 FIPPA / s.33 MFIPPA
This section provides that when personal information is collected
directly from the individual to whom it relates, the purpose of its
use/disclosure is a consistent purpose only if the individual might
reasonably have expected such a use/disclosure.
Subsection 41(b) FIPPA / s.31(b) MFIPPA permits the use of personal
information for the purpose for which it was obtained or for a consistent
purpose.
Section 42(c) FIPPA / s.32(c) MFIPPA permits disclosure of personal
information for the purpose for which it was collected or for a consistent
purpose.
A consistent purpose must be compatible with the purpose stated to the
individual at the time the information was collected. The individual could
therefore reasonably expect this use/disclosure of his/her personal
information.
Where personal information is collected other than directly from the individual, the
question of whether use/disclosure is for a consistent purpose is not
determined by considering the individual's reasonable expectations. It is
determined by considering whether the institution's proposed
use/disclosure of information is reasonably compatible with the purpose
for which it was collected.
New Use/Disclosure of Personal Information
s.46(1)(a) and (b) FIPPA / s.35(1)(a) and (b) MFIPPA
The personal information banks maintained by institutions include a
statement of the regular uses of the personal information and the regular
users to whom the information is disclosed.
There may be instances where the institution uses or discloses personal
information for a purpose allowed by the Act, but where that use/purpose
has not been listed in the personal information bank descriptions. Where
such a new use or disclosure has occurred, the institution is required to:
- make a record of that new use or disclosure; and
- attach or link the record of use/disclosure to the personal
information, so that when the personal information is accessed, the
record of use/disclosure is accessed as well. In other words, the
record of the new use/disclosure of the personal information becomes
part of the personal information itself (s.46(2) FIPPA / s.35(2) MFIPPA).
If the new use or disclosure becomes a regular occurrence, the
institution should update its personal information bank description to
include the new regular use/disclosure. Once the description has been
updated, s.46 FIPPA / s.35 MFIPPA ceases to apply.
The requirement to create and attach a record of use/disclosure only
applies to personal information which is part of a personal information
bank. It does not apply to personal information contained within a general
record.
Role of Information and Privacy Commissioner
s.59 FIPPA / s.46 MFIPPA
This section establishes the powers of the Commissioner relating to the
protection of personal privacy.
Subsection (a) of FIPPA/MFIPPA permits the Commissioner to offer comment
on the privacy protection implications of proposed programs of
institutions.
Subsection (b) enables the Commissioner to, after hearing
representations from a head, order an institution to cease a collection
practice and to destroy collections of personal information that
contravene this Act.
Subsection (c) empowers the Commissioner to authorize the collection of
personal information otherwise than directly from the individual to whom
the information relates. (See the discussion under s.39(1)(c) FIPPA /
s.29(1)(c) MFIPPA).
Subsections (d), (e) and (f) respectively permit the Commissioner to
engage in research into matters affecting the carrying out of the purposes
of the Act, to conduct public education programs about the Act and the
Commissioner's role and activities, and to receive representations from
the public concerning the operation of this Act.