On November 9th the Information and Privacy Commissioner/Ontario held that the Ministry of Labour breached FIPPA’s safeguarding duty after it investigated the administration of a production order made by the Ontario Labour Relations Board.
The directors of a bankrupt employer appealed an order to pay wages and vacation pay to 309 former employees to the OLRB. The directors and the prosecutor agreed to a consent order that required production of relevant financial information about the 309 employees, and the prosecutor agreed to one or more participating employees that all 309 employees (as parties to the proceeding) would receive the production. The OLRB mailed an unencrypted CD-ROM containing the 309 employees’ names, social insurance numbers, total annual remuneration, period of earnings and address information. After complaints were lodged by some recipients the OLRB attempted to recall the mailing, but in the end did not recover 137 of the CD-ROMs.
The production order itself was the real source of difficulty here, but the IPC rightly acknowledged it had no jurisdiction to scrutinize the OLRB’s exercise of procedural powers. Instead, the IPC looked at the adequacy of the OLRB’s and Ministry’s security practices, recommending first that the OLRB take the added precaution of making clear to parties that they can request orders to restrict the manner and scope of disclosure. The IPC also held that the Ministry ought to have used a bonded courier service, ought to have considered encryption and ought to have attempted to confirm addresses.
Is this an adequate resolution? What can be done that respects tribunals’ independence but promotes better protection of privacy?