Ontario has several privacy statutes that govern how organizations collect, use, and disclose personal information. For instance, the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) governs how municipal organizations gather and use data, while the Personal Health Information Protection Act, 2004 (PHIPA) governs how hospitals and medical professionals gather and use data. Under both laws, the organizations to whom it applies are obligated to, among other things, identify the data that they collect, the methods by which they use the data, obtain consent from their users, and ensure that the data collected is sufficiently protected.
With privacy rights becoming more mainstream, organizations are commonly investigated by the Information and Privacy Commissioner in Ontario (IPC) to ensure that they are in compliance with the laws that govern them. With upcoming changes to privacy regulations and the formation of a privacy tribunal that will more effectively investigate and adjudicate privacy complaints, organizations will need to make sure that their privacy policies and procedures are in compliance with applicable laws.
Failing to comply with legislative requirements may subject organizations to lengthy investigations, potential tort claims, and fines.
School Board Uses Third-Party Applications
In a recent decision, the IPC investigated the use of third-party applications by the Halton District School Board. The Board is subject to the MFIPPA, and a privacy complaint was initiated by the parents of two children, who alleged that the applications used by the Board included various add-ons and extensions that collected a large amount of personal information from the students. More concerning, however, was the complaint that the Board was not aware of what information was being collected by the applications, what data was being uploaded by the students, and how that data was going to be used by the creators of those applications. Among the third-party applications were add-ons for the Google G-suite, Duolingo, and others.
The information being uploaded by students to these third-party applications included their full names, age, student numbers, location, email, passwords, classes, parent’s emails, dates of birth, individualized education plans, and photos. This information was considered “personal information”, which attracted the application of MFIPPA.
The IPC concluded that the Board was in the best position to determine whether the use of the subject applications was necessary for the administration of their educational goals. The IPC saw no reason to question the Board’s use of the subject applications and saw the programs as being necessary to the administration of educational programs. As such, the collection of personal information was permitted.
However, the IPC identified some issues with the use of these applications, which were two-fold. The first issue was relatively minor and required the Board to provide the parents with the contact information of an employee of the Board, who would be able to answer questions regarding the collection of personal information. Although the Board had already provided a privacy statement to the parents, it did not include the direct contact information of an individual whom they could contact for further clarification. In essence, the IPC opined that the Board had an obligation to ensure that parents could easily contact the Board to get information about privacy policies.
The second issue was more onerous. The IPC found that the Board did not have sufficiently clear usage agreements with the providers of the applications. More concerningly, the IPC found that the Board did not have reasonable contractual and oversight measure in place to ensure the privacy and security of the personal information of its students.
Namely, the usage agreements did not protect against the use of personal information for advertising and marketing purposes of the third-party application. The usage contracts also did not provide the Board with sufficient information on what data was being collected and how it was going to be used. The IPC recommended that the Board revise their usage agreements to explicitly prohibit vendor’s use of students’ personal information for marketing and advertising purposes. The usage agreements were recommended to also include provisions that would grant the Board more oversight power to be aware of what data was being collected, how it was being collected, and the details surrounding how long it would be stored and used.
Although there is broad privacy legislation in Ontario and Canada, certain organizations have a higher duty to ensure that their users’ private information is being collected and used in compliance with privacy legislation. Those industries include medical professionals, who handle sensitive data and are subject to PHIPA, and school board, who handle the personal information of a vulnerable sector of our society and are subject to the MFIPPA. Although technology can make teaching easier, more engaging, and more efficient, it also poses a serious risk to the students and their parents.
Organizations subject to these two pieces of privacy legislation, should turn their mind to the tools that they use and how those tools affect their responsibilities under the law. It is important to keep in mind that MFIPPA applies to the school board, not the third-party application, as such, liability from a privacy breach will rest with the school board. As such, when it comes to a privacy investigation or a legal action, the Board must not just show that they obtained consent for the collection of that data, but that they took steps to ensure that the data is protected as its being used, or disclosed to, third parties.
One way to mitigate this risk is to ensure that the usage agreements and contracts with those third-party applications are clear on what data can be collected, how it is used, and how it is distributed. The usage agreements must be clear on who is handling data and what oversight is being provided to the organization that is legally liable for that data – the school board.
Further, organizations need to identify the data that they need to achieve their goals, rather than over-collecting data from their users. The IPC has repeatedly noted the one of the best ways to mitigate privacy-related concerns is to only collect the data that is required to perform the organization’s goals, compared to a broad approach of collecting all data from their users. The chances are, the Board does not need to know my cat’s name to teach me a thing or two.
See Halton District School Board (Re), 2022 CanLII 9040 (ON IPC).
Once the target of an unsuccessful phishing scam, Stas is a key part of SBA’s cyber liability and privacy group providing services ranging from assessments and prevention to crisis response.