Introduction

The protection of personal privacy is one of the key principles of the Freedom of Information and Protection of Privacy Act (FIPPA) / Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). The personal privacy requirements, set out in Part III FIPPA/ Part II MFIPPA, deal with privacy protection in the day-to-day operations of institutions. These parts reflect internationally accepted principles of fair information practices, and are based on two key principles:

  • that an individual has the right to control his or her own personal information; and
  • that the privacy rules governing the collection, use, disclosure, retention and disposal of personal information are necessary.

These privacy rules apply to all personal information in the custody or control of institutions, with the exception of public records and certain employment-related and labour relations records.

Public Records

s.37 FIPPA / s.27 MFIPPA

The privacy requirements do not apply to personal information maintained for the purpose of creating a record that is available to the general public.

Public records of personal information are records to which all members of the public have equal access. Personal information to which some members of the public have access, while others do not, is not a public record.

For example: A public record is a list of electors as required by the Municipal Elections Act. Assessment rolls, as required by s.39 of the Assessment Act , are public records. Records of court proceedings that are publicly available by virtue of the Courts of Justice Act are not subject to the privacy rules.

The Information and Privacy Commissioner has stated in a number of privacy investigation reports that the public records exception applies "only if the information in question is held by the institution maintaining it for the express purpose of creating a record available to the general public. Other institutions cannot claim the benefit of the public records exception for the same personal information unless they, too, maintain the personal information for the purpose of making it available to the general public" (e.g. (Privacy Investigation Report #I94-011P).

As a result, institutions should consider the privacy implications of their business practices even when they are handling otherwise "public" information. For example, it is not appropriate for institutions to maintain profiles or dossiers on individuals even when the personal information has been gathered from public sources such as newspaper clippings. (This would not apply when the personal information in question relates to information about individuals acting in a representative or professional capacity such as politicians, lobbyists or representatives of groups or organizations).

Labour Relations and Employment-Related Records

s.65(6), (7) FIPPA / s.52(3), (4) MFIPPA

FIPPA/MFIPPA does not apply to most employment-related and labour relations information in which an institution has an interest. Nonetheless, certain records such as employee expense accounts, and agreements arising out of negotiations about employment-related matters between an institution and an employee(s) continue to be covered by FIPPA/MFIPPA. For further discussion regarding this category of excluded records refer to Chapter 3 (Access Procedures) or the Annotation of Commissioner’s Orders.

Collection of Personal Information

s.38, 39 FIPPA / s.28, 29 MFIPPA

Expanded Definition of Personal Information

s.38(1) FIPPA / s.28(1) MFIPPA

The privacy provisions dealing with the collection of personal information apply to both recorded and non-recorded personal information - that is, to personal information which is collected verbally.

All other privacy provisions in the Act, dealing with use, disclosure, retention, disposal and access to personal information apply only to recorded personal information about an individual.

Authority to Collect

s.38(2) FIPPA / s.28(2) MFIPPA

This section sets out the conditions under which personal information may be collected. Personal information is collected when the institution actively acquires the information or invites an individual or others to send personal information to the institution. An individual may submit personal information on his/her own initiative without the information being requested by the institution. Receipt of this information is not considered a collection unless the institution keeps or uses the information.

One of three conditions must exist in order for personal information to be collected:

  • the collection of personal information is expressly authorized by a statute. The authority to collect must be in a statute rather than in a regulation; or
  • the information collected is used for the purposes of law enforcement; or
  • the collection is necessary for the proper administration of a lawfully authorized activity (provincial institutions may have this activity authorized by statute, regulation or order- in-council; local governments by statute, regulation or by-law).

By implication, this authority to collect personal information is limited to the collection of necessary information.

For example: It was necessary to the proper administration of a lawfully authorized activity for the Family Support Plan to collect health plan numbers and photographs of individuals who have support or custody orders existing against them. This information was necessary in order to trace individuals, assist in enforcing orders and serve documents personally. (Privacy Investigation Report #I92-38P)

Further, the phrase "expressly authorized by statute" requires either that the specific types of personal information collected be expressly described in the statute or a general reference to the activity be set out in the statute, together with a specific reference to the personal information to be collected in a regulation made under the statute, i.e., in the form or in the text of the regulation.

Manner of Collection

s.39(1) FIPPA / s.29(1) MFIPPA This section requires that personal information be collected directly from the individual to whom it relates, unless certain circumstances described in subsections (a) through (h) permit an indirect collection, - that is, from a source other than the individual to whom the information relates.

Individual Authorization

s.39(1)(a) FIPPA / s.29(1)(a) MFIPPA An individual may authorize an indirect collection of his/her own personal information. Such authorization should generally include:

  • the identification of the personal information to be collected;
  • the source from which the personal information may be collected; and
  • the name of the institution that is to collect the personal information.

A record should be kept with the date and the details of the authorization.

Disclosure Under Section 42 FIPPA / Section 32 MFIPPA

s.39(1)(b) FIPPA / s.29(1)(b) MFIPPA

Personal information may be collected by one institution from another institution where the disclosing institution has authority to disclose under s.42 FIPPA / s.32 MFIPPA.

For example: When a welfare recipient moves to another municipality, the municipality originally providing benefits may disclose certain personal information about the recipient to the second municipality, so that the client’s eligibility for welfare may be determined.

The disclosure is authorized by s.32(c) of MFIPPA , as the disclosure to the second municipality is for the same or similar purpose for which the information was originally collected, namely, determining eligibility for welfare benefits. The second municipality, therefore, may collect the information since it has been properly disclosed to it under s.32(c) of MFIPPA.

Authority of the Commissioner

s.39(1)(a), 39(1)(c), 59(c) FIPPA / s.29(1)(a), 29(1)(c), 46(c) MFIPPA

The Commissioner may authorize a collection from a source other than the individual. The Commissioner’s authorization may be sought because the indirect collection is not specifically allowed under this section or where the institution believes it is not possible or practical to collect the personal information directly or to obtain authorization directly from the individual concerned.

The Information and Privacy Commissioner has prepared guidelines to assist institutions in making an application for making an indirect collection authority. See Appendix X (Guidelines on applications for authorization of indirect collection).

Consumer Reporting Act

s.39(1)(d) FIPPA / s.29(1)(d) MFIPPA

This subsection authorizes an institution to collect personal information contained in a consumer report that is prepared in accordance with the Consumer Reporting Act. A complete list of information which may be included in such a report is contained in s.8(1)(d) of the Consumer Reporting Act.

Honour or Award

s.39(1)(e) FIPPA / s.29(1)(e) MFIPPA

This subsection authorizes an institution to collect personal information indirectly for the purpose of determining suitability for an honour or award to recognize outstanding achievement or distinguished service.

For example: Personal information can be collected to determine which of a number of candidates should receive a Citizen of the Year award.

Courts and Tribunals

s.39(1)(f) FIPPA / s.29(1)(f) MFIPPA

This subsection authorizes an institution to collect personal information indirectly for the conduct of a proceeding or a possible proceeding before a court or judicial or quasi-judicial tribunal.

A judicial or quasi-judicial tribunal is a body constituted under a statute with power to decide the legal rights of a person or the eligibility of a person for a benefit or licence. Such tribunals are required to adhere to standards of procedural fairness similar to the procedures of courts.

Examples of this type of tribunal include the Ontario Municipal Board, Property Standards Committee, Assessment Review Court, Social Assistance Review Board, Courts of Revision, and Committees of Adjustment.

In some cases, after personal information has been collected, no proceeding takes place because, for example, there is insufficient evidence. Even though the tribunal may never hear the matter, this subsection applies as long as the purpose of the collection is to determine whether a proceeding can be commenced before a court or tribunal.

Law Enforcement

s.39(1)(g) FIPPA / s.29(1)(g) MFIPPA

Personal information which is collected for the purpose of law enforcement may be collected from a source other than the individual about whom the information relates.

The IPC has found that collection authorized by this subsection must be directly relevant to the law enforcement activity. Only the minimal amount of personal information that is necessary should be collected.

Law enforcement is defined in Chapter 1 (Introduction to the Act) of this manual.

Statutory Authority

s.39(1)(h) FIPPA / s.29(1)(h) MFIPPA

A statute, regulation or by-law may authorize a collection of personal information from a source other than the individual.

For example: Under s.6(4) of the Municipal Health Services Act, a municipal assessment commissioner may require any employer to furnish a list of employees residing in the municipality, and the dates upon which the employees are paid their salary or wages.

Subsection 10(1) of the Assessment Act authorizes an assessor to indirectly collect specific personal information about an individual from any person "present on land " visited by an assessor under the Act.

Subsection 61(3) of the Family Responsibility and Support Arrears Enforcement Act authorized indirect collection of specific types of personal information.

Notification Requirements

s.39(2) FIPPA / s.29(2) MFIPPA

When personal information is collected on behalf of an institution, either directly from the person about whom the information relates or indirectly from another source, the institution must inform the individual that the collection has occurred.

The notice to the individual must state:

  • the legal authority for the collection;
  • the principal purpose(s) for which the personal information will be used;
  • the title, business address and telephone number of an official of the institution who can answer the individual’s questions about the collection.

The notice of legal authority should include a reference to the specific act (or regulation) and section, or by-law which authorized the collection. Where an act or by-law does not specifically refer to the collection, then the notice should refer to the specific section of the act or by-law which establishes the activity or program under which the information is collected.

For example: Subsection 58(2) of the Education Act provides for the establishment of Boards of Education. Even though the Education Act may not specifically authorize each collection of personal information undertaken by a Board of Education, nonetheless s.58(2) of the Education Act would provide sufficient statutory authority to undertake collections of personal information that are necessary to the functioning of a board.

The statement regarding the principal purpose(s) for which the information will be used should be consistent with the allowable uses of personal information. The principal purpose(s) for which the information will be used should also be consistent with the statement in the index of personal information banks which describes the use and disclosure of personal information in each bank.

The IPC has found that a notice of collection should contain each of the three elements described in the subsection. Discussion of matters other than collection (e.g., anticipated disclosure of the information) should be included in a separate paragraph from the notice.

Where the personal information is collected directly from the individual, notice should be given to the individual at the time of the collection. Where the personal information is collected on a form, the notice may be provided on the form itself.

A notification should be included on a form where the principal purpose of the form is to collect personal information and the information is used for the purpose of making a decision affecting the individual.

Further, where a variety of personal information data has been collected, the notice of collection must relate to all of the data that has been collected. Where different personal information data on the form is used for different purposes, or is collected under different legal authority, the various purposes and authority must be included in the notice.

For example: Where a particular use of the social insurance number was not indicated in the notice, the notice of collection was found inadequate by the IPC.

Forms which are prescribed by a provincial regulation are not controlled by a municipality or local board. In cases where personal information is collected on a prescribed form, it is the responsibility of the provincial ministry controlling the form to include a notice on the form.

Alternative ways of providing collection notices could include:

  • notifying the public through advertisements in the press (e.g., where a public advertisement solicits the collection);
  • rally informing the individual in the course of an in-person or telephone interview (and noting this in the individual’s file); or
  • including the notice in correspondence or as an insert with other mailed material.

Where personal information is collected and will be used by or disclosed to another institution, the individual should be given notice of:

  • the legal authority that the first institution has for collecting the information;
  • the principal purposes for which the personal information will be used by that institution;
  • the address and telephone number of an official in that institution who can answer questions; and
  • the fact that the information will be used by a second institution and the name of that institution.

If the individual is not informed at the time of collection that the information will be used by another institution, then the second institution must provide notice to the individual.

Notice must be provided each time personal information is collected. A notice of collection may notify of specific collections occurring in the future when this can be predicted with certainty. Whenever there is ambiguity regarding the sufficiency of the notice, a new notice of collection should be provided. (Privacy Investigation Report #I95-030P) Where indirect collection is permitted under subsection 1, notice to the individual is still required.

Exception to Notice Requirements

Minister’s Waiver

s.39(2) FIPPA / s.29(3)(b) MFIPPA

The requirement to provide a notice of collection may be waived by the Minister responsible for FIPPA/MFIPPA. Each request for waiver is considered on its merits. Waivers will normally be requested for a class or group of individuals rather than one individual.

For example: The Chair of Management Board has granted waivers of notice under s.29(3)(b) MFIPPA in respect of indirect collection of personal information on Alzheimer patients for the creation of Wandering Patient Registries by various Police Services in the province.

Some of the criteria for consideration in determining whether to grant a waiver of notice are as follows:

  • Notice Frustrates Purpose of Indirect Collection: In some cases, to give notice to the individual where information is collected indirectly for certain programs, or of investigations which do not qualify as law enforcement, would undermine the objectives or frustrate the purpose of those programs and investigations. The circumstances which necessitate indirect collection may be considered in determining whether a waiver will be granted.
  • Statutory Authority for Indirect Collection: Where there is statutory authority for indirect collection, the circumstances that make indirect collection necessary may be considered in determining whether the notice requirements will be waived.
  • Administrative Burden and Cost: A heavy administrative burden coupled with high costs may justify a waiver in certain circumstances. The administrative burden and the costs would be excessive when weighed against the requirement or need for notice in the particular case. An alternative, however, such as posting a notice or publishing a notice in the newspaper, might be appropriate in these circumstances.
  • Impossibility/Difficulty: There can be circumstances where it is impossible or very difficult to provide notice. Those circumstances may be considered in determining whether the notice requirements will be waived.
  • Authorization of Information an Privacy Commissioner: Where the Commissioner has authorized collection of personal information other than directly from the individual, the circumstances which the Commissioner considered in authorizing indirect collection may be considered in determining whether a waiver of notice will be granted.
  • Subsequent Collection by Another Institution: Where personal information is collected and will be disclosed to another institution in accordance with s.42 FIPPA/ s.32 MFIPPA, the individual is to be given the required notice by the first institution and a statement the information will be disclosed to the second institution. No waiver is required in these circumstances since the first institution has complied with s.39(2) FIPPA/ s.29(2) MFIPPA for both institutions.

Where the first institution does not advise the individual of the disclosure to the second institution, notice will usually be required. There may, however, be circumstances where to provide notice would be inconsistent with the disclosure in s.42 FIPPA/ s.32 MFIPPA. In such circumstances, waiver may be appropriate.

Therefore, when a institution obtains the information, and the individual was already notified in respect to the first collection, it may be appropriate to waive further notification requirements.

This list is not exhaustive and other criteria may be considered in determining whether a waiver of notice will be granted. To request a waiver of notification, complete the Request for Waiver of Notice the Individual of Collection of Personal Information (see Appendix IX).

Further information on the procedure can be obtained from the Corporate Freedom of Access and Privacy Office, Ministry of Government Services.

Other Exceptions to Notice

s.39(3) FIPPA / s.29(3) MFIPPA

Notice of collection of personal information is not required if:

  • the type of information being collected would be exempt from access under s.14(1) or 14(2) FIPPA / s.8(1) or 8(2) MFIPPA (law enforcement);
  • the Minister (Chair of the Management Board of Cabinet) waives the notice. Each request for a waiver is considered on its own merits. Waivers will normally be requested for a class or group of individuals rather than one individual; or
  • the regulations provide that the notice is not required.

For MFIPPA institutions, O.Reg.823 s.4 outlines circumstances where notice of collection is not required. The following circumstances apply only to institutions governed by MFIPPA:

  • Notice Frustrates Purpose of the Collection: Providing notice to the individual when personal information is collected may undermine the purpose for which the personal information is collected. An institution might collect personal information to determine the whereabouts of someone who is indebted to the institution and who has absconded to avoid paying the debt. In such circumstances, providing notice would frustrate the purpose of collecting the personal information, since notifying the debtor could result in the debtor taking further steps to avoid payment.
  • Unjustified Invasion of Another Individual’s Personal Privacy: Under the Act a notice of collection of personal information must describe how the information will be used. When the use touches upon sensitive personal matters involving another person, the notice may reveal personal information about another individual.

For example: An individual who applies for social assistance benefits from a municipality may be required to furnish the names and routine biographical details of the applicant’s dependents or co-habitors. Providing notice to the dependents or co-habitor that personal information about them has been collected for the purpose of assessing the applicant’s application would reveal sensitive personal information, namely that the individual has applied for assistance.

  • Suitability or Eligibility for Award or Honour: An institution may collect the names and biographical details of persons who are being considered for an award or honour. Where personal information is collected for this purpose, a notice of collection is not required.

The head of the institution must make available to the public, a statement describing the purpose of the collection of personal information and the reason that notice has not been given. The statement should:

  • identify the program or activity for which the personal information is collected;
  • describe in general terms the type of personal information collected, and how the information will be used;
  • state the time period during which the notice would not be given, for example, whether the notice is being dispensed with for a one-time only collection or for collections occurring regularly over an indefinite time period;
  • explain under which of the circumstances provided for by the regulations the notice has been dispensed with; and
  • advise that any concerns regarding the dispensing of notice may be brought to the attention of the IPC.

The public statement should not disclose any personal information about an identifiable individual.

Retention of Records

s.40(1) FIPPA / s.30(1) MFIPPA

The Act includes the power to make regulations relating to the retention period for personal information.

The regulations prescribe a minimum one year retention period for personal information following the last date of use of the information. This is a minimum period, and other operational or legal considerations may require a longer retention period.

The purpose of the minimum retention period is to ensure that the individual to whom the information relates has a reasonable opportunity to obtain access to the personal information (s.40(1) FIPPA / s.30(1) MFIPPA).

When information is updated the outdated information must be retained in some form so that the it is available for the prescribed retention period of one year. The back up documentation does not necessarily need to be stored in the same location as the current information.

Provincial institutions

The Management Board Directive on Recorded Information Management provides ministries and certain agencies with policies and procedures for scheduling the retention and disposal of records.

Local Institutions

The one year minimum retention period can be shortened in two circumstances: first, where the individual to whom the information relates consents to an earlier disposal, the records need not be kept for one year. Individuals, however, cannot compel the destruction of records. Second, where a by-law or resolution stipulates a retention period for the personal information, shorter than the statutory one year period. This is a minimum retention period, and other operational and legal considerations may require a longer retention period.

Accuracy of Records

s.40(2) FIPPA / s.30(2) MFIPPA Subsection 40(2) FIPPA / s.30(2) MFIPPA requires that reasonable steps be taken to ensure that personal information is not used unless it is accurate and up to date.

Reasonable steps include checking for accuracy, including errors or omissions, at the time the personal information is collected. Any verification of information should be documented. Although personal information may be accurate and up-to-date when collected, it may become outdated and, therefore, inaccurate. Before personal information is used, the following questions may be useful in assessing its accuracy:

  • When was the information collected?
  • Was the information collected directly from the individual to whom it relates?
  • Was the accuracy of the information verified at the time it was collected? (e.g., Was a birth certificate viewed to verify age?)
  • Is the proposed use of the information consistent with the purpose for which it was collected? Information collected for one purpose may be misleading when used for a different purpose.
  • How relevant is the personal information to the current use? (e.g., If the information is used to determine eligibility for benefits based on age, the date of birth may be the most relevant piece of information.)
  • Is the information likely to be outdated?

Exception to Accuracy Requirement

s.40(3) FIPPA / s.30(4) MFIPPA

These subsections do not apply to information collected for law enforcement purposes.

Disposal of Records

s.40(4) FIPPA / s.30(4) MFIPPA

For FIPPA institutions, O.Reg.459 governs the disposal of personal information. There is no comparable regulation for MFIPPA institutions.

Regulation 459 establishes certain requirements that must be followed by provincial institutions when disposing of personal information. These requirements can be summarized as follows:

  • Transfer to the Archives of Ontario or destruction: An institution may dispose of personal information only by (1) transferring it to the Archives of Ontario or (2) by destroying it in such a manner that the information cannot be reconstructed or retrieved.

Records from ministries and certain agencies are transferred to the Archives of Ontario for permanent retention if the Archivist determines that the records have long-term, historical value. Where these records contain personal information, the head disposes of the personal information by transferring it to the custody of the Archives of Ontario.

Where the personal information does not have archival value, or where the personal information is in the custody or control of an institution which does not transfer records to the Archives of Ontario, the personal information is disposed of by destruction.

Transferring personal information to an internal archives other than the Archives of Ontario is not a "disposal" for the purposes of the regulation.

Personal information that is disposed of by destruction should be destroyed in such a way that it cannot be reconstructed or retrieved. Paper and other hard copy records such as microfiche for instance, should be burned, pulped, or shredded rather than discarded or disposed of as garbage.

Personal information on magnetic media such as tape or disk should be disposed of by magnetic erasure or by destruction of the medium, when the medium is released from the processing environment. Where the medium is retained and re-used within a secure processing environment, however, personal information may be disposed of by writing-over during re-use.

  • Authorization of head: Where personal information is in the custody or under the control of an institution, no person shall destroy it without the authorization of the head. The head may delegate this responsibility. The authorization may apply to specific data or to general classes or categories of records, and must be consistent with any retention or other management requirement which may apply to the record of personal information through legislation or policy.
  • Protecting security and confidentiality: The head shall ensure that all reasonable steps are taken to protect the security and confidentiality of personal information that is to be disposed of, including protecting its security and confidentiality during its storage, transportation, handling and destruction or transfer to the Archives of Ontario. In determining whether all reasonable steps are taken, the head shall consider the nature of the personal information to be disposed of.

Measures which may be considered include:

  • ensuring that personal information is not left unattended or outside of secure areas during interim storage;
  • ensuring that storage rooms are locked and secure, with controlled distribution of keys or lock combinations;
  • ensuring that access to information during temporary storage is limited to authorized personnel and that such access is documented;
  • labelling record storage containers in such a manner that the nature of the contents is not revealed;
  • requiring outside suppliers of transportation and disposal services to be bonded, with security provision included in the service contract.

The nature of these measures should be consistent with the sensitivity of the personal information involved. In all cases, however, the minimum requirement is that the confidentiality of the personal information be maintained during disposal.

Record of disposal: Each institution shall maintain a disposal record setting out what personal information has been destroyed or transferred to the Archives of Ontario and the date of that destruction or transfer. This disposal record must not contain personal information. The record of disposal would describe the "class" of record involved (e.g., "Licence Application Forms", "ABC Program Closed Case Files") rather than containing information about an identifiable individual, and would include the date or date range of the records, and the disposal date. The authority for the disposal and the means of the disposal may also be included. Where the disposal is undertaken by an outside supplier, the institution may require the supplier to provide a "certification of destruction" signed by an officer of the company. This certificate would then be linked to the disposal record maintained by the institution.

Use of Personal Information

s.41 FIPPA / s.31 MFIPPA This section establishes general rules governing the use of personal information in the custody or under the control of institutions. It recognizes that an individual’s right to privacy includes the right to know how his/her personal information is being used. Personal information may be used within the institution where any one of the following circumstances exists.

Individual Consent

s.41(a) FIPPA / s.31(a) MFIPPA An institution may use personal information where the individual to whom the information relates has consented to the use proposed by the institution.

This consent should be in writing and indicate:

  • the particular personal information to be used;
  • the use for which consent is given;
  • the date of the consent; and
  • the institution to which consent is given.

Consent of the individual is required where none of the other circumstances described below exists.

Purpose for Which Information Collected

s.41(b) FIPPA / s.31(b) MFIPPA The institution may use personal information for the purpose for which the information was originally obtained or compiled, or for a consistent purpose.

Usually, an institution may use personal information under its custody or control for the purposes indicated in the collection notice and in the personal information bank descriptions it provides in its directory of records.

The institution may also use personal information for a purpose which is consistent with the purpose(s) listed in the collection notice. For an explanation of a consistent purpose, see the discussion of s.43 FIPPA / s.33 MFIPPA later in this chapter.

For the Purpose Disclosed

s.41(c) FIPPA / s.31(c) MFIPPA An institution may have personal information disclosed to it by another institution under s.42 FIPPA / s.32 MFIPPA . The receiving institution may use this personal information only for the purpose for which it was disclosed by the first institution.

For example: If personal information is disclosed from one institution to another in compassionate circumstances to assist in locating a family member, that information is to be used by the receiving institution only to locate the family member and for no other purpose.

Disclosure of Personal Information

s.42 FIPPA / s.32 MFIPPA Institutions covered by FIPPA/ MFIPPA have rules governing the two separate sets of circumstances under which personal information may be disclosed to another party:

  • Part II/I. The first set of rules appear under s.21 FIPPA / s.14 MFIPPA. These mandatory rules apply whenever anyone makes an access request for another’s personal information. Detailed discussion of these rules can be found in the Chapter 4 (Exemptions).
  • Part III/II. The second set of rules appear under s.42 FIPPA / s.32 MFIPPA. These rules govern an institution’s disclosure of personal information during the conduct of its day-to-day activities. An institution may disclose personal information in the absence of a formal access request if the disclosure is permitted under part III/II.

Disclosure in Accordance with Part II/I

s.42(a) FIPPA / s.32(a) MFIPPA Subsection 42(a) FIPPA / s.32(a) MFIPPA permits an institution to disclose personal information in circumstances where such disclosure would have been permitted under s.21 FIPPA / s.14 MFIPPA, even though the institution has not received an access request. This subsection should be read in conjunction with s.63(1) FIPPA /s.50(1) MFIPPA which permits a head to disclose information even though an access request has not been received.

Consent to Disclosure

s.42(b) FIPPA / s.32(b) MFIPPA

Personal information may be disclosed where the individual has consented to the disclosure. Where consent to disclose personal information has been given by an individual, the specific information for which consent has been given must be identified. Where this consent is not obtained in writing it should be documented and should indicate:

  • the particular personal information to be disclosed;
  • to whom the information may be disclosed and for what purpose it is to be used; and
  • the date of the consent; and the institution to which consent is given.

Where an individual purports to act as an agent, the institution has an obligation under s.3(3) of Regulation 460 FIPPA / s.2(3) Regulation 823 MFIPPA to verify the identity of an individual seeking access to his/her personal information and whether or not the agent is properly authorized to obtain such information. If proper authorization cannot be obtained, the institution may either notify the individual whose personal information is at issue and provide him/her with an opportunity to provide representations prior to any decision regarding disclosure of the records or may deal with the validity of the authorizations as a preliminary matter. The following factors are relevant for the institution in determining reasonably whether to refuse or accept certain authorizations:

  • whether the personal information is very sensitive,
  • whether the authorizations preclude the institution from verifying the consent, and
  • whether or not the individuals who have allegedly consented have responded to the request for verification made by the institution.

Special care should be taken where personal information is being requested about the treatment of vulnerable individuals. Institutions should not assume that requests for personal information by agents are invalid; rather, they should discuss the matter with the individuals involved before determining whether or not to accept the authorizations.

Consistent Purpose

s.42(c), 43 FIPPA / s.32(c), 33 MFIPPA Personal information may be disclosed for the purpose(s) for which it was originally collected, or for a consistent purpose. A purpose is a consistent purpose only if the individual from whom the information was directly collected might reasonably have expected such a disclosure of the information.

For example: A public utility commission may disclose personal information to a debt collection agency to recover monies owed to the commission for utility bills in arrears. Such disclosures would reasonably be expected by persons who have not discharged their debts to the commission.

The IPC has found that where personal information has been collected indirectly, a consistent purpose is one in which the use or disclosure is "reasonably compatible" with the purpose for which it was collected.

An institution may also disclose personal information for a purpose which is consistent with the purpose(s) listed in the collection notice.

For example: Disclosure of personal information such as payments received, social insurance number, date of birth and address regarding an application for a government loan to credit reporting agencies was in compliance with this provision. This personal information was disclosed for the purposes of updating or making the necessary credit investigations or credit reporting as stated in the notice of collection of personal information.

Where an administrative or policy manual provided guidelines for the subsequent use or disclosure of personal information by an institution, disclosure in accordance with the guidelines was found to have been for a consistent purpose.

In Performance of Duties

s.42(d) FIPPA / s.32(d) MFIPPA

Personal information may be disclosed to an employee or officer of the institution who needs the record in the performance of his/her duties, and where disclosure is necessary and proper in the discharge of the institution’s functions. Before an officer or employee of an institution is granted access to personal information under this provision, both of the following conditions must be satisfied:

  • the employee or officer must need the personal information for the performance of his/her duties; and
  • disclosure of the personal information must be necessary and proper in discharging the institution’s functions.

For example: A municipal council resolution that authorized the disclosure of a list of welfare recipients from the Welfare Administrator to the council to address the councillors' "previously expressed interest and concern" regarding social assistance expenditures was insufficient to satisfy the requirements of this subsection. This provision required that the sharing of personal information within an institution be based on more than an interest or concern; it required evidence that the disclosure was needed and necessary. Since it failed to comply with this provision, the council’s resolution was illegal and need not be obeyed. (H.(J) v. Hastings (County), (1993) 12 M.P.L.R. (2d) 40 (Ont.Ct.Gen. Div.)

Disclosures that are merely convenient or desirable are not allowed under this section.

It is important to note that the identity of an access requester should not be disclosed within an institution unless such disclosure is necessary in order to respond to the request. Further, names and addresses of individuals who have made requests for general records under the Act should not be communicated within an institution other than to staff of the Freedom of Information and Privacy office.

An institution’s functions would include the administration of by-laws, statutory programs, and activities necessary to the overall operation of the institution.

Act of Legislature or Parliament

s.42(e) FIPPA / s.32(e) MFIPPA

This subsection permits disclosure of personal information for the purpose of complying with an act of the Legislature or of Parliament, or an agreement or arrangement thereunder, or a treaty. The agreement or arrangement must result from or be sanctioned by a federal or Ontario statute. Disclosure of personal information for the purposes of complying with a regulation or a by-law would be included.

For example: Section 14 of the Immunization of School Pupils Act requires a medical officer of health to transfer a child’s immunization records to another medical officer of health when that child moves to a school under the jurisdiction of the latter health unit. Subsection 72(3) of the Child and Family Services Act requires a person (for example, a school teacher or principal, social worker, family counsellor) to report suspicions of child abuse and to report the information on which the suspicion is based. Subsection 199(3) of the Highway Traffic Act requires a police officer to forward accident reports to the Ministry of Transportation.

The Ombudsman Act provides authority for the disclosure of personal information to the Office of the Ombudsman from governmental institutions in accordance with this provision.

Disclosure to Law Enforcement Agency

s.42(f) FIPPA / s.32(f) MFIPPA

A law enforcement institution may disclose personal information to a law enforcement agency in Canada, or to a law enforcement agency in a foreign country under an arrangement, a written agreement or treaty, or under legislative authority. Under this section, disclosure may only be made by a "law enforcement institution". An institution engaged in "law enforcement" is discussed in the Definitions section in Chapter 1 (Introduction to the Act).

For example: The Ministry of the Solicitor General and Correctional Services is a law enforcement institution which is engaged through the Ontario Provincial Police and other programs. It is also responsible for the enforcement of probation and parole orders, another law enforcement activity. The Ministry of Community and Social Services and the Ministry of Consumer and Commercial Relations are also institutions engaged in law enforcement through their departments which are responsible for compliance with statutes. Similarly, municipalities are law enforcement institutions through their enforcement of by-laws.

Disclosure may only be made to a law enforcement agency. A "law enforcement agency" includes a national, state, or local police force, or a municipal or provincial police force in Canada, the RCMP and some special police forces.

For example: The IPC has determined that the Canadian National Railways (CNR) police is a "law enforcement agency" for the purpose of this section. The Ontario Provincial Police were authorized to disclose to CNR police personal information concerning a criminal offence that had been laid against a CNR employee.

In exchanges of personal information with foreign countries, written agreements or treaties should be established. Where this is not possible or practical, an arrangement may be made. An "arrangement" is an unwritten agreement for the exchange of personal information. When a law enforcement institution discloses personal information to a police agency or other law enforcement agencies in Canada, an agreement or arrangement is not required. It is understood that the purpose of the disclosure is law enforcement.

Aid in Law Enforcement

s.42(g) FIPPA / s.32(g) MFIPPA

An institution may disclose personal information to another institution covered by FIPPA/MFIPPA or to a law enforcement agency in Canada to aid an investigation leading or likely to lead to a law enforcement proceeding. For this section to apply, the disclosure must be in aid of the investigation undertaken.

For example: Disclosure of personal information to an eligibility review officer is for a law enforcement purpose if it is to aid in an investigation into social services benefits eligibility where a person has received benefits. Such an investigation could lead to sanctions such as an assessment of overpayment or withholding of benefits.

Although this subsection permits an institution to release personal information, the institution may choose to require a search warrant before access to personal information is granted.

For example: The Education Act states that the Ontario Student Record is privileged for the information and use of supervisory officers and the principal and teachers of the school. A school may require a police agency to provide a search warrant before disclosing such a record.

Compelling Circumstances

s.42(h) FIPPA / s.32(h) MFIPPA

An institution may disclose personal information in compelling circumstances affecting the health or safety of an individual. In compelling circumstances, there may be no other way to obtain the personal information, or there may be an emergency where the delay in obtaining the information would be injurious to someone’s health or safety. Before personal information is released under this subsection, both of the following conditions must be satisfied:

  • the circumstances in which the release of personal information is contemplated must be compelling; and
  • the compelling circumstances must affect the health or safety of an individual.

For example: A mentally unstable social services benefits client convinces his case worker that he is going to kill his roommate.

Where personal information is disclosed under this subsection, notification of the disclosure must be mailed to the last known address of the individual to whom the information relates. This means the most recent address known to the institution which disclosed the personal information. If no address is known, the institution should attempt to obtain it from the person who made the request for the information.

Compassionate Circumstances

s.42(i) FIPPA / s.32(i) MFIPPA

An institution may disclose personal information in compassionate circumstances to facilitate contact with the next-of-kin, or a friend of an individual who is injured, ill or deceased. "Compassionate circumstances" are those where there is a need to make contact with a friend or next-of-kin to inform them of an individual’s injury, illness, or death. The personal information to be disclosed may relate either to the injured or deceased person, or to the relative or friend who is to be contacted. Only the personal information necessary to facilitate contact should be disclosed. This provision is not relevant in deciding whether personal information may be disclosed as a result of an access request.

To a Member of the Legislature

s.42(j) FIPPA

Disclosure is permitted to a member of the Legislative Assembly (MLA) who has been authorized by a constituent to whom the information relates to make an enquiry on his/her behalf. Where the constituent is incapacitated, the member may be authorized by the next of kin or legal representative of the constituent. This subsection applies to situations in which the assistance of a MLA is sought in resolving a problem, and the individual or his/her representative has consented to the disclosure of personal information to the member in the course of his/her enquiry. Whether the member is making a written or oral inquiry, the member must indicate that he/she is acting with the constituent’s authority. This disclosure will be recorded in or linked to the individual/s record. Where the personal information is particularly sensitive (e.g., medical records), the institution may have additional consent requirements specific to the situation, such as written authorization.

To a Member of the Bargaining Agent

s.42(k) FIPPA

Disclosure is permitted to a member of the bargaining agent who has been authorized by an employee to whom the information relates to make an enquiry on the employee’s behalf. Where the employee is incapacitated, the bargaining agent may be authorized by the next of kin or legal representative of the employee. As in s.42(j), reasonable steps should be taken to ensure the authority exists.

Disclosure to Responsible Minister

s.42(l) FIPPA / s.32(j) MFIPPA

Personal information may be disclosed to the Chair of Management Board of Cabinet as minister responsible for the Act.

For example: A request for waiver of notification of personal information may require the disclosure of personal information to the Minister.

Disclosure to Information and Privacy Commissioner

s.42(m) FIPPA / s.32(k) MFIPPA

Personal information may be disclosed to the IPC. This subsection is intended to facilitate the IPC's access to records in order to carry out its decision making and investigation responsibilities. Under s.52(4) FIPPA / s.41(4) MFIPPA, the Commissioner has the authority to examine any record in the custody or control of an institution during the course of an inquiry regarding an appeal of an access decision made by an institution.

Government of Canada or Government of Ontario

s.42(n) FIPPA / s.32(l) MFIPPA Disclosure of personal information is permitted to the Government of Canada or to the Government of Ontario in order to facilitate the auditing of shared-cost programs.

For example: Personal information contained in general welfare case files established under the General Welfare Assistance Act may be audited by the Province of Ontario.

Consistent Purpose

s.43 FIPPA / s.33 MFIPPA This section provides that when personal information is collected directly from the individual to whom it relates, the purpose of its use/disclosure is a consistent purpose only if the individual might reasonably have expected such a use/disclosure.

Subsection 41(b) FIPPA / s.31(b) MFIPPA permits the use of personal information for the purpose for which it was obtained or for a consistent purpose. Section 42(c) FIPPA / s.32(c) MFIPPA permits disclosure of personal information for the purpose for which it was collected or for a consistent purpose. A consistent purpose must be compatible with the purpose stated to the individual at the time the information was collected. The individual could therefore reasonably expect this use/disclosure of his/her personal information. Where personal information is collected other than directly from the individual, the question of whether use/disclosure is for a consistent purpose is not determined by considering the individual’s reasonable expectations. It is determined by considering whether the institution’s proposed use/disclosure of information is reasonably compatible with the purpose for which it was collected.

New Use/Disclosure of Personal Information

s.46(1)(a)and(b) FIPPA / s.35(1)(a)and(b) MFIPPA

The personal information banks maintained by institutions include a statement of the regular uses of the personal information and the regular users to whom the information is disclosed.

There may be instances where the institution uses or discloses personal information for a purpose allowed by the Act, but where that use/purpose has not been listed in the personal information bank descriptions. Where such a new use or disclosure has occurred, the institution is required to:

  • make a record of that new use or disclosure; and
  • attach or link the record of use/disclosure to the personal information, so that when the personal information is accessed, the record of use/disclosure is accessed as well. In other words, the record of the new use/disclosure of the personal information becomes part of the personal information itself (s.46(2) FIPPA/ s.35(2) MFIPPA).

If the new use or disclosure becomes a regular occurrence, the institution should update its personal information bank description to include the new regular use/disclosure. Once the description has been updated, s.46 FIPPA/ s.35 MFIPPA ceases to apply.

The requirement to create and attach a record of use/disclosure only applies to personal information which is part of a personal information bank. It does not apply to personal information contained within a general record.

Role of Information and Privacy Commissioner

s.59 FIPPA / s.46 MFIPPA This section establishes the powers of the Commissioner relating to the protection of personal privacy.

Subsection (a) of FIPPA/ MFIPPA permits the Commissioner to offer comment on the privacy protection implications of proposed programs of institutions.

Subsection (b) enables the Commissioner to, after hearing representations from a head, order an institution to cease a collection practice and to destroy collections of personal information that contravene this Act.

Subsection (c) empowers the Commissioner to authorize the collection of personal information otherwise than directly from the individual to whom the information relates. (See the discussion under s.39(1)(c) FIPPA / s.29(1)(c) MFIPPA).

Subsections (d), (e) and (f) respectively permit the Commissioner to engage in research into matters affecting the carrying out of the purposes of the Act, conduct public education programs about the Act and the Commissioner’s role and activities and to receive representations from the public concerning the operation of this Act.