Chapter 5: Privacy Protection

 



 Introduction

The protection of personal privacy is one of the key principles of the Freedom of Information and Protection of Privacy Act (FIPPA) / Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). The personal privacy requirements, set out in Part III FIPPA / Part II MFIPPA, deal with privacy protection in the day-to-day operations of institutions. These parts reflect internationally accepted principles of fair information practices, and are based on two key principles:

These privacy rules apply to all personal information in the custody or control of institutions, with the exception of public records and certain employment-related and labour relations records.


 Public Records

s.37 FIPPA / s.27 MFIPPA

The privacy requirements do not apply to personal information maintained for the purpose of creating a record that is available to the general public.

Public records of personal information are records to which all members of the public have equal access. Personal information to which some members of the public have access, while others do not, is not a public record.

For example: A public record is a list of electors as required by the Municipal Elections Act. Assessment rolls, as required by s.39 of the Assessment Act, are public records. Records of court proceedings that are publicly available by virtue of the Courts of Justice Act are not subject to the privacy rules.

The Information and Privacy Commissioner has stated in a number of privacy investigation reports that the public records exception applies "only if the information in question is held by the institution maintaining it for the express purpose of creating a record available to the general public. Other institutions cannot claim the benefit of the public records exception for the same personal information unless they, too, maintain the personal information for the purpose of making it available to the general public" (e.g. Privacy Investigation Report #I94-011P).

As a result, institutions should consider the privacy implications of their business practices even when they are handling otherwise "public" information. For example, it is not appropriate for institutions to maintain profiles or dossiers on individuals even when the personal information has been gathered from public sources such as newspaper clippings. (This would not apply when the personal information in question relates to information about individuals acting in a representative or professional capacity such as politicians, lobbyists or representatives of groups or organizations.)


 Labour Relations and Employment-Related Records

s.65(6), (7) FIPPA / s.52(3), (4) MFIPPA

FIPPA/MFIPPA does not apply to most employment-related and labour relations information in which an institution has an interest. Nonetheless, certain records such as employee expense accounts, and agreements arising out of negotiations about employment-related matters between an institution and an employee(s) continue to be covered by FIPPA/MFIPPA. For further discussion regarding this category of excluded records refer to Chapter 3 (Access Procedures) or the Annotation of Commissioner's Orders.


 Collection of Personal Information

s.38, 39 FIPPA / s.28, 29 MFIPPA

 Expanded Definition of Personal Information

s.38(1) FIPPA / s.28(1) MFIPPA

The privacy provisions dealing with the collection of personal information apply to both recorded and non-recorded personal information - that is, to personal information which is collected verbally.

All other privacy provisions in the Act, dealing with use, disclosure, retention, disposal and access to personal information apply only to recorded personal information about an individual.


 Authority to Collect

s.38(2) FIPPA / s.28(2) MFIPPA

This section sets out the conditions under which personal information may be collected. Personal information is collected when the institution actively acquires the information or invites an individual or others to send personal information to the institution. An individual may submit personal information on his/her own initiative without the information being requested by the institution. Receipt of this information is not considered a collection unless the institution keeps or uses the information.

One of three conditions must exist in order for personal information to be collected:

By implication, this authority to collect personal information is limited to the collection of necessary information.

For example: It was necessary to the proper administration of a lawfully authorized activity for the Family Support Plan to collect health plan numbers and photographs of individuals who have support or custody orders existing against them. This information was necessary in order to trace individuals, assist in enforcing orders and serve documents personally. (Privacy Investigation Report #I92-38P)

Further, the phrase "expressly authorized by statute" requires either that the specific types of personal information collected be expressly described in the statute or a general reference to the activity be set out in the statute, together with a specific reference to the personal information to be collected in a regulation made under the statute, i.e., in the form or in the text of the regulation.


 Manner of Collection

s.39(1) FIPPA / s.29(1) MFIPPA
This section requires that personal information be collected directly from the individual to whom it relates, unless certain circumstances described in subsections (a) through (h) permit an indirect collection - that is, from a source other than the individual to whom the information relates.


 Individual Authorization

s.39(1)(a) FIPPA / s.29(1)(a) MFIPPA
An individual may authorize an indirect collection of his/her own personal information. Such authorization should generally include:

A record should be kept with the date and the details of the authorization.


 Disclosure Under Section 42 FIPPA / Section 32 MFIPPA

s.39(1)(b) FIPPA / s.29(1)(b) MFIPPA

Personal information may be collected by one institution from another institution where the disclosing institution has authority to disclose under s.42 FIPPA / s.32 MFIPPA.

For example: When a welfare recipient moves to another municipality, the municipality originally providing benefits may disclose certain personal information about the recipient to the second municipality, so that the client's eligibility for welfare may be determined.

The disclosure is authorized by s.32(c) of MFIPPA, as the disclosure to the second municipality is for the same or similar purpose for which the information was originally collected, namely, determining eligibility for welfare benefits. The second municipality, therefore, may collect the information since it has been properly disclosed to it under s.32(c) of MFIPPA.


 Authority of the Commissioner

s.39(1)(a), 39(1)(c), 59(c) FIPPA / s.29(1)(a), 29(1)(c), 46(c) MFIPPA

The Commissioner may authorize a collection from a source other than the individual. The Commissioner's authorization may be sought because the indirect collection is not specifically allowed under this section or where the institution believes it is not possible or practical to collect the personal information directly or to obtain authorization directly from the individual concerned.

The Information and Privacy Commissioner has prepared guidelines to assist institutions in making an application for indirect collection authority. See Appendix X (Guidelines on applications for authorization of indirect collection).


 Consumer Reporting Act

s.39(1)(d) FIPPA / s.29(1)(d) MFIPPA

This subsection authorizes an institution to collect personal information contained in a consumer report that is prepared in accordance with the Consumer Reporting Act. A complete list of information which may be included in such a report is contained in s.8(1)(d) of the Consumer Reporting Act.


 Honour or Award

s.39(1)(e) FIPPA / s.29(1)(e) MFIPPA

This subsection authorizes an institution to collect personal information indirectly for the purpose of determining suitability for an honour or award to recognize outstanding achievement or distinguished service.

For example: Personal information can be collected to determine which of a number of candidates should receive a Citizen of the Year award.


 Courts and Tribunals

s.39(1)(f) FIPPA / s.29(1)(f) MFIPPA

This subsection authorizes an institution to collect personal information indirectly for the conduct of a proceeding or a possible proceeding before a court or judicial or quasi-judicial tribunal.

A judicial or quasi-judicial tribunal is a body constituted under a statute with power to decide the legal rights of a person or the eligibility of a person for a benefit or licence. Such tribunals are required to adhere to standards of procedural fairness similar to the procedures of courts.

Examples of this type of tribunal include the Ontario Municipal Board, Property Standards Committee, Assessment Review Court, Social Assistance Review Board, Courts of Revision, and Committees of Adjustment.

In some cases, after personal information has been collected, no proceeding takes place because, for example, there is insufficient evidence. Even though the tribunal may never hear the matter, this subsection applies as long as the purpose of the collection is to determine whether a proceeding can be commenced before a court or tribunal.

 Law Enforcement

s.39(1)(g) FIPPA / s.29(1)(g) MFIPPA

Personal information which is collected for the purpose of law enforcement may be collected from a source other than the individual about whom the information relates.

The IPC has found that collection authorized by this subsection must be directly relevant to the law enforcement activity. Only the minimal amount of personal information that is necessary should be collected.

Law enforcement is defined in Chapter 1 (Introduction to the Act) of this manual.


 Statutory Authority

s.39(1)(h) FIPPA / s.29(1)(h) MFIPPA

A statute, regulation or by-law may authorize a collection of personal information from a source other than the individual.

For example: Under s.6(4) of the Municipal Health Services Act, a municipal assessment commissioner may require any employer to furnish a list of employees residing in the municipality, and the dates upon which the employees are paid their salary or wages.

Subsection 10(1) of the Assessment Act authorizes an assessor to indirectly collect specific personal information about an individual from any person "present on land" visited by an assessor under the Act.

Subsection 61(3) of the Family Responsibility and Support Arrears Enforcement Act authorized indirect collection of specific types of personal information.


 Notification Requirements

s.39(2) FIPPA / s.29(2) MFIPPA

When personal information is collected on behalf of an institution, either directly from the person about whom the information relates or indirectly from another source, the institution must inform the individual that the collection has occurred.

The notice to the individual must state:

The notice of legal authority should include a reference to the specific act (or regulation) and section, or by-law which authorized the collection. Where an act or by-law does not specifically refer to the collection, then the notice should refer to the specific section of the act or by-law which establishes the activity or program under which the information is collected.

For example: Subsection 58(2) of the Education Act provides for the establishment of Boards of Education. Even though the Education Act may not specifically authorize each collection of personal information undertaken by a Board of Education, nonetheless s.58(2) of the Education Act would provide sufficient statutory authority to undertake collections of personal information that are necessary to the functioning of a board.

The statement regarding the principal purpose(s) for which the information will be used should be consistent with the allowable uses of personal information. The principal purpose(s) for which the information will be used should also be consistent with the statement in the index of personal information banks which describes the use and disclosure of personal information in each bank.

The IPC has found that a notice of collection should contain each of the three elements described in the subsection. Discussion of matters other than collection (e.g., anticipated disclosure of the information) should be included in a separate paragraph from the notice.

Where the personal information is collected directly from the individual, notice should be given to the individual at the time of the collection. Where the personal information is collected on a form, the notice may be provided on the form itself.

A notification should be included on a form where the principal purpose of the form is to collect personal information and the information is used for the purpose of making a decision affecting the individual.

Further, where a variety of personal information data has been collected, the notice of collection must relate to all of the data that has been collected. Where different personal information data on the form is used for different purposes, or is collected under different legal authority, the various purposes and authority must be included in the notice.

For example: Where a particular use of the social insurance number was not indicated in the notice, the notice of collection was found inadequate by the IPC.

Forms which are prescribed by a provincial regulation are not controlled by a municipality or local board. In cases where personal information is collected on a prescribed form, it is the responsibility of the provincial ministry controlling the form to include a notice on the form.

Alternative ways of providing collection notices could include:

Where personal information is collected and will be used by or disclosed to another institution, the individual should be given notice of:

If the individual is not informed at the time of collection that the information will be used by another institution, then the second institution must provide notice to the individual.

Notice must be provided each time personal information is collected. A notice of collection may notify of specific collections occurring in the future when this can be predicted with certainty. Whenever there is ambiguity regarding the sufficiency of the notice, a new notice of collection should be provided. (Privacy Investigation Report #I95-030P)
Where indirect collection is permitted under subsection 1, notice to the individual is still required.


 Exception to Notice Requirements

Minister's Waiver

s.39(2) FIPPA / s.29(3)(b) MFIPPA

The requirement to provide a notice of collection may be waived by the Minister responsible for FIPPA/MFIPPA. Each request for waiver is considered on its merits. Waivers will normally be requested for a class or group of individuals rather than one individual.

For example: The Chair of Management Board has granted waivers of notice under s.29(3)(b) MFIPPA in respect of indirect collection of personal information on Alzheimer patients for the creation of Wandering Patient Registries by various Police Services in the province.

Some of the criteria for consideration in determining whether to grant a waiver of notice are as follows:

Where the first institution does not advise the individual of the disclosure to the second institution, notice will usually be required. There may, however, be circumstances where to provide notice would be inconsistent with the disclosure in s.42 FIPPA / s.32 MFIPPA. In such circumstances, waiver may be appropriate.

Therefore, when an institution obtains the information, and the individual was already notified in respect to the first collection, it may be appropriate to waive further notification requirements.

This list is not exhaustive and other criteria may be considered in determining whether a waiver of notice will be granted. To request a waiver of notification, complete the Request for Waiver of Notice the Individual of Collection of Personal Information (see Appendix IX).

Further information on the procedure can be obtained from the Corporate Freedom of Access and Privacy Office, Ministry of Government Services.

Other Exceptions to Notice

s.39(3) FIPPA / s.29(3) MFIPPA

Notice of collection of personal information is not required if:

For MFIPPA institutions, O.Reg.823 s.4 outlines circumstances where notice of collection is not required. The following circumstances apply only to institutions governed by MFIPPA:

For example: An individual who applies for social assistance benefits from a municipality may be required to furnish the names and routine biographical details of the applicant's dependents or co-habitors. Providing notice to the dependents or co-habitor that personal information about them has been collected for the purpose of assessing the applicant's application would reveal sensitive personal information, namely that the individual has applied for assistance.

The head of the institution must make available to the public, a statement describing the purpose of the collection of personal information and the reason that notice has not been given. The statement should:

The public statement should not disclose any personal information about an identifiable individual.


 Retention of Records

s.40(1) FIPPA / s.30(1) MFIPPA

The Act includes the power to make regulations relating to the retention period for personal information.

The regulations prescribe a minimum one year retention period for personal information following the last date of use of the information. This is a minimum period, and other operational or legal considerations may require a longer retention period.

The purpose of the minimum retention period is to ensure that the individual to whom the information relates has a reasonable opportunity to obtain access to the personal information (s.40(1) FIPPA / s.30(1) MFIPPA).

When information is updated, the outdated information must be retained in some form so that it is available for the prescribed retention period of one year. The backup documentation does not necessarily need to be stored in the same location as the current information.

Provincial institutions

The Management Board Directive on Recorded Information Management provides ministries and certain agencies with policies and procedures for scheduling the retention and disposal of records.

Local Institutions

The one year minimum retention period can be shortened in two circumstances: first, where the individual to whom the information relates consents to an earlier disposal, the records need not be kept for one year. Individuals, however, cannot compel the destruction of records. Second, where a by-law or resolution stipulates a retention period for the personal information, shorter than the statutory one year period.
This is a minimum retention period, and other operational and legal considerations may require a longer retention period.


 Accuracy of Records

s.40(2) FIPPA / s.30(2) MFIPPA
Subsection 40(2) FIPPA / s.30(2) MFIPPA requires that reasonable steps be taken to ensure that personal information is not used unless it is accurate and up to date.

Reasonable steps include checking for accuracy, including errors or omissions, at the time the personal information is collected. Any verification of information should be documented.
Although personal information may be accurate and up-to-date when collected, it may become outdated and, therefore, inaccurate. Before personal information is used, the following questions may be useful in assessing its accuracy:


 Exception to Accuracy Requirement

s.40(3) FIPPA / s.30(4) MFIPPA

These subsections do not apply to information collected for law enforcement purposes.

 Disposal of Records

s.40(4) FIPPA / s.30(4) MFIPPA

For FIPPA institutions, O.Reg.459 governs the disposal of personal information. There is no comparable regulation for MFIPPA institutions.

Regulation 459 establishes certain requirements that must be followed by provincial institutions when disposing of personal information.
These requirements can be summarized as follows:

Records from ministries and certain agencies are transferred to the Archives of Ontario for permanent retention if the Archivist determines that the records have long-term, historical value. Where these records contain personal information, the head disposes of the personal information by transferring it to the custody of the Archives of Ontario.

Where the personal information does not have archival value, or where the personal information is in the custody or control of an institution which does not transfer records to the Archives of Ontario, the personal information is disposed of by destruction.

Transferring personal information to an internal archives other than the Archives of Ontario is not a "disposal" for the purposes of the regulation.

Personal information that is disposed of by destruction should be destroyed in such a way that it cannot be reconstructed or retrieved. Paper and other hard copy records, such as microfiche, should be burned, pulped, or shredded rather than discarded or disposed of as garbage.

Personal information on magnetic media such as tape or disk should be disposed of by magnetic erasure or by destruction of the medium, when the medium is released from the processing environment. Where the medium is retained and re-used within a secure processing environment, however, personal information may be disposed of by writing-over during re-use.

The nature of these measures should be consistent with the sensitivity of the personal information involved. In all cases, however, the minimum requirement is that the confidentiality of the personal information be maintained during disposal.


 Use of Personal Information

s.41 FIPPA / s.31 MFIPPA
This section establishes general rules governing the use of personal information in the custody or under the control of institutions. It recognizes that an individual's right to privacy includes the right to know how his/her personal information is being used. Personal information may be used within the institution where any one of the following circumstances exists.


 Individual Consent

s.41(a) FIPPA / s.31(a) MFIPPA
An institution may use personal information where the individual to whom the information relates has consented to the use proposed by the institution.

This consent should be in writing and indicate:

Consent of the individual is required where none of the other circumstances described below exists.


 Purpose for Which Information Collected

s.41(b) FIPPA / s.31(b) MFIPPA
The institution may use personal information for the purpose for which the information was originally obtained or compiled, or for a consistent purpose.

Usually, an institution may use personal information under its custody or control for the purposes indicated in the collection notice and in the personal information bank descriptions it provides in its directory of records.

The institution may also use personal information for a purpose which is consistent with the purpose(s) listed in the collection notice. For an explanation of a consistent purpose, see the discussion of s.43 FIPPA / s.33 MFIPPA later in this chapter.


 For the Purpose Disclosed

s.41(c) FIPPA / s.31(c) MFIPPA
An institution may have personal information disclosed to it by another institution under s.42 FIPPA / s.32 MFIPPA. The receiving institution may use this personal information only for the purpose for which it was disclosed by the first institution.

For example: If personal information is disclosed from one institution to another in compassionate circumstances to assist in locating a family member, that information is to be used by the receiving institution only to locate the family member and for no other purpose.


 Disclosure of Personal Information

s.42 FIPPA / s.32 MFIPPA
Institutions covered by FIPPA/MFIPPA have rules governing the two separate sets of circumstances under which personal information may be disclosed to another party:


 Disclosure in Accordance with Part II/I

s.42(a) FIPPA / s.32(a) MFIPPA
Subsection 42(a) FIPPA / s.32(a) MFIPPA permits an institution to disclose personal information in circumstances where such disclosure would have been permitted under s.21 FIPPA / s.14 MFIPPA, even though the institution has not received an access request. This subsection should be read in conjunction with s.63(1) FIPPA / s.50(1) MFIPPA which permits a head to disclose information even though an access request has not been received.


 Consent to Disclosure

s.42(b) FIPPA / s.32(b) MFIPPA

Personal information may be disclosed where the individual has consented to the disclosure. Where consent to disclose personal information has been given by an individual, the specific information for which consent has been given must be identified.
Where this consent is not obtained in writing it should be documented and should indicate:

Where an individual purports to act as an agent, the institution has an obligation under s.3(3) of Regulation 460 FIPPA / s.2(3) Regulation 823 MFIPPA to verify the identity of an individual seeking access to his/her personal information and whether or not the agent is properly authorized to obtain such information. If proper authorization cannot be obtained, the institution may either notify the individual whose personal information is at issue and provide him/her with an opportunity to provide representations prior to any decision regarding disclosure of the records or may deal with the validity of the authorizations as a preliminary matter. The following factors are relevant for the institution in determining reasonably whether to refuse or accept certain authorizations:

Special care should be taken where personal information is being requested about the treatment of vulnerable individuals. Institutions should not assume that requests for personal information by agents are invalid; rather, they should discuss the matter with the individuals involved before determining whether or not to accept the authorizations.


 Consistent Purpose

s.42(c), 43 FIPPA / s.32(c), 33 MFIPPA
Personal information may be disclosed for the purpose(s) for which it was originally collected, or for a consistent purpose. A purpose is a consistent purpose only if the individual from whom the information was directly collected might reasonably have expected such a disclosure of the information.

For example: A public utility commission may disclose personal information to a debt collection agency to recover monies owed to the commission for utility bills in arrears. Such disclosures would reasonably be expected by persons who have not discharged their debts to the commission.

The IPC has found that where personal information has been collected indirectly, a consistent purpose is one in which the use or disclosure is "reasonably compatible" with the purpose for which it was collected.

An institution may also disclose personal information for a purpose which is consistent with the purpose(s) listed in the collection notice.

For example: Disclosure of personal information such as payments received, social insurance number, date of birth and address regarding an application for a government loan to credit reporting agencies was in compliance with this provision. This personal information was disclosed for the purposes of updating or making the necessary credit investigations or credit reporting as stated in the notice of collection of personal information.

Where an administrative or policy manual provided guidelines for the subsequent use or disclosure of personal information by an institution, disclosure in accordance with the guidelines was found to have been for a consistent purpose.


 In Performance of Duties

s.42(d) FIPPA / s.32(d) MFIPPA

Personal information may be disclosed to an employee or officer of the institution who needs the record in the performance of his/her duties, and where disclosure is necessary and proper in the discharge of the institution's functions.
Before an officer or employee of an institution is granted access to personal information under this provision, both of the following conditions must be satisfied:

For example: A municipal council resolution that authorized the disclosure of a list of welfare recipients from the Welfare Administrator to the council to address the councillors' "previously expressed interest and concern" regarding social assistance expenditures was insufficient to satisfy the requirements of this subsection. This provision required that the sharing of personal information within an institution be based on more than an interest or concern; it required evidence that the disclosure was needed and necessary. Since it failed to comply with this provision, the council's resolution was illegal and need not be obeyed. (H.(J) v. Hastings (County), (1993) 12 M.P.L.R. (2d) 40 (Ont.Ct.Gen. Div.))

Disclosures that are merely convenient or desirable are not allowed under this section.

It is important to note that the identity of an access requester should not be disclosed within an institution unless such disclosure is necessary in order to respond to the request. Further, names and addresses of individuals who have made requests for general records under the Act should not be communicated within an institution other than to staff of the Freedom of Information and Privacy office.

An institution's functions would include the administration of by-laws, statutory programs, and activities necessary to the overall operation of the institution.


 Act of Legislature or Parliament

s.42(e) FIPPA / s.32(e) MFIPPA

This subsection permits disclosure of personal information for the purpose of complying with an act of the Legislature or of Parliament, or an agreement or arrangement thereunder, or a treaty. The agreement or arrangement must result from or be sanctioned by a federal or Ontario statute. Disclosure of personal information for the purposes of complying with a regulation or a by-law would be included.

For example: Section 14 of the Immunization of School Pupils Act requires a medical officer of health to transfer a child's immunization records to another medical officer of health when that child moves to a school under the jurisdiction of the latter health unit.
Subsection 72(3) of the Child and Family Services Act requires a person (for example, a school teacher or principal, social worker, family counsellor) to report suspicions of child abuse and to report the information on which the suspicion is based.
Subsection 199(3) of the Highway Traffic Act requires a police officer to forward accident reports to the Ministry of Transportation.
The Ombudsman Act provides authority for the disclosure of personal information to the Office of the Ombudsman from governmental institutions in accordance with this provision.


 Disclosure to Law Enforcement Agency

s.42(f) FIPPA / s.32(f) MFIPPA

A law enforcement institution may disclose personal information to a law enforcement agency in Canada, or to a law enforcement agency in a foreign country under an arrangement, a written agreement or treaty, or under legislative authority.
Under this section, disclosure may only be made by a "law enforcement institution". An institution engaged in "law enforcement" is discussed in the Definitions section in Chapter 1 (Introduction to the Act).

For example: The Ministry of the Solicitor General and Correctional Services is a law enforcement institution which is engaged in law enforcement through the Ontario Provincial Police and other programs. It is also responsible for the enforcement of probation and parole orders, another law enforcement activity. The Ministry of Community and Social Services and the Ministry of Consumer and Commercial Relations are also institutions engaged in law enforcement through their departments which are responsible for compliance with statutes. Similarly, municipalities are law enforcement institutions through their enforcement of by-laws.

Disclosure may only be made to a law enforcement agency. A "law enforcement agency" includes a national, state, or local police force, or a municipal or provincial police force in Canada, the RCMP and some special police forces.

For example: The IPC has determined that the Canadian National Railways (CNR) police is a "law enforcement agency" for the purpose of this section. The Ontario Provincial Police were authorized to disclose to CNR police personal information concerning a criminal offence that had been laid against a CNR employee.

In exchanges of personal information with foreign countries, written agreements or treaties should be established. Where this is not possible or practical, an arrangement may be made. An "arrangement" is an unwritten agreement for the exchange of personal information.
When a law enforcement institution discloses personal information to a police agency or other law enforcement agencies in Canada, an agreement or arrangement is not required. It is understood that the purpose of the disclosure is law enforcement.


 Aid in Law Enforcement

s.42(g) FIPPA / s.32(g) MFIPPA

An institution may disclose personal information to another institution covered by FIPPA/MFIPPA or to a law enforcement agency in Canada to aid an investigation leading or likely to lead to a law enforcement proceeding. For this section to apply, the disclosure must be in aid of the investigation undertaken.

For example: Disclosure of personal information to an eligibility review officer is for a law enforcement purpose if it is to aid in an investigation into social services benefits eligibility where a person has received benefits. Such an investigation could lead to sanctions such as an assessment of overpayment or withholding of benefits.

Although this subsection permits an institution to release personal information, the institution may choose to require a search warrant before access to personal information is granted.

For example: The Education Act states that the Ontario Student Record is privileged for the information and use of supervisory officers and the principal and teachers of the school. A school may require a police agency to provide a search warrant before disclosing such a record.


 Compelling Circumstances

s.42(h) FIPPA / s.32(h) MFIPPA

An institution may disclose personal information in compelling circumstances affecting the health or safety of an individual. In compelling circumstances, there may be no other way to obtain the personal information, or there may be an emergency where the delay in obtaining the information would be injurious to someone's health or safety. Before personal information is released under this subsection, both of the following conditions must be satisfied:

For example: A mentally unstable social services benefits client convinces his case worker that he is going to kill his roommate.

Where personal information is disclosed under this subsection, notification of the disclosure must be mailed to the last known address of the individual to whom the information relates. This means the most recent address known to the institution which disclosed the personal information. If no address is known, the institution should attempt to obtain it from the person who made the request for the information.


 Compassionate Circumstances

s.42(i) FIPPA / s.32(i) MFIPPA

An institution may disclose personal information in compassionate circumstances to facilitate contact with the next-of-kin, or a friend of an individual who is injured, ill or deceased.
"Compassionate circumstances" are those where there is a need to make contact with a friend or next-of-kin to inform them of an individual's injury, illness, or death. The personal information to be disclosed may relate either to the injured or deceased person, or to the relative or friend who is to be contacted.
Only the personal information necessary to facilitate contact should be disclosed.
This provision is not relevant in deciding whether personal information may be disclosed as a result of an access request.


 To a Member of the Legislature

s.42(j) FIPPA

Disclosure is permitted to a member of the Legislative Assembly (MLA) who has been authorized by a constituent to whom the information relates to make an enquiry on his/her behalf. Where the constituent is incapacitated, the member may be authorized by the next of kin or legal representative of the constituent.
This subsection applies to situations in which the assistance of an MLA is sought in resolving a problem, and the individual or his/her representative has consented to the disclosure of personal information to the member in the course of his/her enquiry.
Whether the member is making a written or oral inquiry, the member must indicate that he/she is acting with the constituent's authority. This disclosure will be recorded in or linked to the individual's record. Where the personal information is particularly sensitive (e.g., medical records), the institution may have additional consent requirements specific to the situation, such as written authorization.


 To a Member of the Bargaining Agent

s.42(k) FIPPA

Disclosure is permitted to a member of the bargaining agent who has been authorized by an employee to whom the information relates to make an enquiry on the employee's behalf. Where the employee is incapacitated, the bargaining agent may be authorized by the next of kin or legal representative of the employee.
As in s.42(j), reasonable steps should be taken to ensure the authority exists.


 Disclosure to Responsible Minister

s.42(l) FIPPA / s.32(j) MFIPPA

Personal information may be disclosed to the Chair of Management Board of Cabinet as minister responsible for the Act.

For example: A request for waiver of notification of personal information may require the disclosure of personal information to the Minister.


 Disclosure to Information and Privacy Commissioner

s.42(m) FIPPA / s.32(k) MFIPPA

Personal information may be disclosed to the IPC. This subsection is intended to facilitate the IPC's access to records in order to carry out its decision making and investigation responsibilities. Under s.52(4) FIPPA / s.41(4) MFIPPA, the Commissioner has the authority to examine any record in the custody or control of an institution during the course of an inquiry regarding an appeal of an access decision made by an institution.


 Government of Canada or Government of Ontario

s.42(n) FIPPA / s.32(l) MFIPPA

Disclosure of personal information is permitted to the Government of Canada or to the Government of Ontario in order to facilitate the auditing of shared-cost programs.

For example: Personal information contained in general welfare case files established under the General Welfare Assistance Act may be audited by the Province of Ontario.


 Consistent Purpose

s.43 FIPPA / s.33 MFIPPA

This section provides that when personal information is collected directly from the individual to whom it relates, the purpose of its use/disclosure is a consistent purpose only if the individual might reasonably have expected such a use/disclosure.

Subsection 41(b) FIPPA / s.31(b) MFIPPA permits the use of personal information for the purpose for which it was obtained or for a consistent purpose.
Section 42(c) FIPPA / s.32(c) MFIPPA permits disclosure of personal information for the purpose for which it was collected or for a consistent purpose.
A consistent purpose must be compatible with the purpose stated to the individual at the time the information was collected. The individual could therefore reasonably expect this use/disclosure of his/her personal information.
Where personal information is collected other than directly from the individual, the question of whether use/disclosure is for a consistent purpose is not determined by considering the individual's reasonable expectations. It is determined by considering whether the institution's proposed use/disclosure of information is reasonably compatible with the purpose for which it was collected.


 New Use/Disclosure of Personal Information

s.46(1)(a) and (b) FIPPA / s.35(1)(a) and (b) MFIPPA

The personal information banks maintained by institutions include a statement of the regular uses of the personal information and the regular users to whom the information is disclosed.

There may be instances where the institution uses or discloses personal information for a purpose allowed by the Act, but where that use/purpose has not been listed in the personal information bank descriptions. Where such a new use or disclosure has occurred, the institution is required to:

If the new use or disclosure becomes a regular occurrence, the institution should update its personal information bank description to include the new regular use/disclosure. Once the description has been updated, s.46 FIPPA / s.35 MFIPPA ceases to apply.

The requirement to create and attach a record of use/disclosure only applies to personal information which is part of a personal information bank. It does not apply to personal information contained within a general record.


 Role of Information and Privacy Commissioner

s.59 FIPPA / s.46 MFIPPA

This section establishes the powers of the Commissioner relating to the protection of personal privacy.

Subsection (a) of FIPPA / MFIPPA permits the Commissioner to offer comment on the privacy protection implications of proposed programs of institutions.

Subsection (b) enables the Commissioner, after hearing representations from a head, to order an institution to cease a collection practice and to destroy collections of personal information that contravene this Act.

Subsection (c) empowers the Commissioner to authorize the collection of personal information otherwise than directly from the individual to whom the information relates. (See the discussion under s.39(1)(c) FIPPA / s.29(1)(c) MFIPPA).

Subsections (d), (e) and (f) respectively permit the Commissioner to engage in research into matters affecting the carrying out of the purposes of the Act, to conduct public education programs about the Act and the Commissioner's role and activities, and to receive representations from the public concerning the operation of this Act.
