On November 9th the Information and Privacy Commissioner/Ontario held that the Ministry of Labour breached FIPPA’s safeguarding duty after it investigated the administration of a production order made by the Ontario Labour Relations Board.
The directors of a bankrupt employer appealed an order to pay wages and vacation pay to 309 former employees to the OLRB. The directors and the prosecutor agreed to a consent order that required production of relevant financial information about the 309 employees, and the prosecutor agreed with one or more participating employees that all 309 employees (as parties to the proceeding) would receive the production. The OLRB mailed an unencrypted CD-ROM containing the 309 employees’ names, social insurance numbers, total annual remuneration, period of earnings and address information. After complaints were lodged by some recipients, the OLRB attempted to recall the mailing, but in the end did not recover 137 of the CD-ROMs.
The production order itself was the real source of difficulty here, but the IPC rightly acknowledged it had no jurisdiction to scrutinize the OLRB’s exercise of procedural powers. Instead, the IPC looked at the adequacy of the OLRB’s and Ministry’s security practices, recommending first that the OLRB take the added precaution of making clear to parties that they can request orders to restrict the manner and scope of disclosure. The IPC also held that the Ministry ought to have used a bonded courier service, ought to have considered encryption and ought to have attempted to confirm addresses.
Is this an adequate resolution? What can be done that respects tribunals’ independence but promotes better protection of privacy?
One thought on “Ministry of Labour breaches FIPPA in administering an OLRB production order”
I don’t think it’s so clear-cut that the IPC could not question the production order, despite section 64 of the FOIPPA; there have been cases in the past when they have. At the very least, some greater scrutiny would have been in order here, especially where disclosure involves 309 T-4s disclosed in electronic format! Unfortunately, I think the IPC report avoided commenting on some of the key issues in what was a rather significant disclosure of sensitive personal information (e.g. should an individual’s T-4 form go to all 308 former co-workers?). At the very least, some more probing analysis and thoughtful recommendations would have been beneficial. In short, I think this was a disappointing report on a significant issue.