The Information and Privacy Commissioner of Ontario has released her 2008 Annual Report, which makes broad recommendations for changes to the laws in Ontario and calls for the adoption of better practices:
IPC - Office of the Information and Privacy Commissioner/Ontario Commissioner Cavoukian lays out path for increased privacy protection & accountability – doing battle with Victoria University
Commissioner Cavoukian lays out path for increased privacy protection & accountability – doing battle with Victoria University
TORONTO – Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, is urging the provincial government to make specific legislative changes and take additional steps to protect privacy and ensure greater accountability.
In her 2008 Annual Report, released today, the Commissioner cites how her sweeping recommendations from her seminal investigation into a privacy complaint against the video surveillance program of Toronto’s mass transit system have been hailed in the United States as a model that cities around the world can build upon, and in Canada as “a road map for the most privacy-protective approach to CCTV.”
Among the recommendations she is making in her 2008 Annual Report, are:
Amend the law to make it clear that all Ontario universities fall under FIPPA
The Commissioner is calling on the government to fix a potential omission in the Freedom of Information and Protection of Privacy Act related to which organizations are covered under the Act.
Under amendments that came into force in mid-2006, publicly funded universities were brought under the Act. Due to the wording of an amended regulation, the University of Toronto, in response to a freedom of information request received under the Act, argued that Victoria University, an affiliated university, was not covered under the Act.
“An IPC adjudicator determined that, based on the financial and academic relationship between the two, Victoria was part of the University of Toronto for the purposes of FIPPA,” said Commissioner Cavoukian. “The University of Toronto has not accepted our ruling and is now appealing it – having it ‘judicially reviewed.’ They have chosen to fight openness and transparency, expending valuable public resources in the process. We find this completely unacceptable, which is why we are prepared to go to battle on this issue, in our effort to defend public sector accountability. We should add that this is contrary to our normal process of working co-operatively with organizations to mediate appeals and resolve complaints informally. In this case, however, the university, having thrown down the gauntlet, left us no choice but to respond in kind and aggressively defend our Order in the courts.”
There are more than 20 other affiliated universities in Ontario that may have a different relationship with the university they are affiliated with, says Commissioner Cavoukian. “I am calling on the government to ensure that all affiliated universities are covered by the Act. There is no rationale for these publicly funded institutions to fall outside of the law.”
The government needs to set specific fees for requests for patients’ health records under PHIPA
The IPC has received a number of inquiries and formal complaints from the public regarding the fees charged by some health information custodians when patients ask for copies of their own medical records.
Ontario’s Personal Health Information Protection Act (PHIPA) provides that when an individual seeks copies of his or her own personal health information, the fee charged by a health information custodian shall not exceed the amount set out in the regulation under the Act or the amount of reasonable cost recovery, if no amount is provided in the regulation. No such regulation has been passed.
Commissioner Cavoukian, in her August 2008 submission to the Standing Committee on Social Policy, which conducted a statutorily mandated review of PHIPA, again raised the need for a fee regulation. Two months later, in its report to the Speaker of the Assembly, the Standing Committee indicated its agreement with the Commissioner’s recommendation, stating that the determination of what constitutes “reasonable cost recovery” should not be left to the discretion of individual health information custodians and their agents.
“The Minister of Health,” said the Commissioner, “should make the creation of a fee regulation a priority.”
Ontario’s enhanced driver’s licence (EDL) needs a higher level of protection
The Commissioner is calling on the Minister of Transportation to provide better privacy protection for the EDL. “The radio frequency identity (RFID) tag that will be embedded into the card can be read not only by authorized readers, but just as easily by unauthorized readers,” said Commissioner Cavoukian. “Over time, these tags could be used to track or covertly survey one’s activities and movements.”
The electronically opaque protective sleeve that will come with these enhanced licences – which drivers without a passport will need as of June 1 to drive across the U.S. border – “only provides protection when the driver’s licence is actually encased in the sleeve,” said Commissioner Cavoukian. “But individuals who voluntarily sign up for these enhanced driver’s licences will not only be required to produce them at the border, but will still have to do so in other circumstances where a driver’s licence or ID card is presently required, including in many commercial contexts. The reality is that most drivers will abandon the use of the protective sleeve.”
“An on-off device on the RFID tag would provide greatly enhanced protection,” said the Commissioner. “The default position would be off since drivers don’t need the RFID to be ‘on’ when routinely taking their licence in and out of their wallets, unless they are actually crossing the border. I am urging the government to pursue adding a privacy-enhancing on-off device for RFID tags embedded in the EDLs.”
The number of freedom of information requests filed across Ontario in 2008 was the second highest ever – 37, 933, trailing only the 38,584 filed in 2007. Nearly two-thirds of the 2008 requests were filed under the Municipal Freedom of Information and Protection of Privacy Act (24,482), to such organizations as police service boards, municipalities, school boards and health boards. In fact, there were more requests filed to police service boards (13,598) than there were for all organizations under the provincial Act (13,451).
FOI requests may be filed for either personal information or general records (which encompasses all information held by government organizations except personal information). And, the majority of requests each year have been for general records. In 2008 – for the second year in a row – the average cost of obtaining general records under the provincial Act dropped – this time, to $42.74 from $50.54, continuing a reversal of what had been a lengthy trend. The average cost of general records under the municipal Act was $23.54, up only a nickel from the previous year.
Among other key statistics released by the Commissioner:
· Since the IPC began emphasizing in 1999 the importance of quickly responding to FOI requests, in compliance with the response requirements set out in the Acts, the provincial 30-day compliance rate has more than doubled, climbing to 85 per cent from 42 per cent. After achieving a record 30-day compliance rate in 2007 of 84.4 per cent, provincial ministries, agencies and other provincial institutions promptly broke the record in 2008, producing an overall 30-day compliance rate of 85 per cent.
· The Commissioner also reported that her office received 507 complaints in 2008 under Ontario’s three privacy Acts, and 919 appeals from requesters who were not satisfied with the response they received after filing an FOI request with a provincial or local government organization. Overall, the IPC resolved 966 appeals and 534 complaints in 2008. The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, as well as the Personal Health Information Protection Act, which applies to both public and private sector health information custodians, in addition to educating the public about access and privacy issues.