Notable examples of cases

Early Resolution

Three school boards, one college, and two universities contacted the IPC to report a ransomware attack on guard.me. Guard.me, a third-party company providing insurance coverage to international students at these institutions, experienced a ransomware attack that affected the personal information of some of their students.

At the time, a significant number of the institutions’ international students were required or encouraged to provide personal information to guard.me to receive mandatory insurance coverage. In most cases, the student provided their claims information directly to guard.me and the institution only provided limited enrollment information. During its review, the IPC found that some of the institutions did not have a contractual agreement with guard.me to ensure the confidentiality and security of the personal information disclosed to the company. In addition, some of the institutions did not get the students’ consent or provide clear notice to them before providing their personal information to guard.me. Following our review, the institutions have implemented or committed to implementing changes we recommended to address these and other gaps.

Mediation

Over two months, a city received requests from a legal clinic for information relating to poverty, homelessness, encampments, overdose prevention, and race-based data. The city denied five of the requests outright on the basis that they appeared to be frivolous or vexatious. The parties agreed to participate in the expedited mediation pilot project and succeeded in quickly resolving the issues. During the teleconference, the appellant better explained the type of information they were seeking, and the city provided guidance on how to reformulate the request using certain keywords and timeframes. As a result of the mediation discussions, four appeals were resolved on the same day, and the fifth was resolved shortly after.

Privacy investigations

After learning that a health information custodian was allegedly selling de-identified personal health information to a third party, the IPC opened an investigation. We found that de-identifying personal health information was a permitted use without consent under PHIPA, but subject to certain conditions, including transparency and safeguarding obligations. We found that custodians planning to de-identify and sell data must clearly and explicitly state this in their public notice to individuals. The custodian’s security obligations also required that they take reasonable steps to protect and secure personal health information, including during the de-identification process and afterwards. Notably, sale agreements with third parties must include adequate security and privacy controls to ensure de-identified data remains de-identified, including a robust de-identification governance process with regular re-identification risk assessments.

Adjudication

Within a relatively short period, requesters made dozens of multi-part, excessively detailed, and significantly overlapping requests for records relating to a class-action lawsuit against a town. The requesters were acting on behalf of the plaintiffs in the class action lawsuit. The town denied the requests on the basis that they were frivolous or vexatious, and the requesters appealed. The adjudicator found that the appellants’ pattern of conduct — the filing of an inordinate number of detailed and repetitive requests — was an abuse of the right of access found in MFIPPA, and that the requests were frivolous or vexatious. The adjudicator upheld the town’s decisions to deny the requests and placed limits on the appellants’ future access requests and appeals.