Statement from the City of Greater Sudbury Regarding Privacy Breaches

Dec 15, 2016

The City of Greater Sudbury has reported itself to the Information and Privacy Commissioner of Ontario for two instances of breaches of privacy related to the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). The breaches occurred when two summaries of Freedom of Information requests which included personal information were published on the City of Greater Sudbury website. 

“We deeply regret the breaches that have occurred. We take seriously our responsibility to safeguard the information in our care, and upon identifying the breach immediately acted to contain it, notify individuals affected, investigate and remediate,” said Caroline Hallsworth, City Clerk for the City of Greater Sudbury. “We offer our most sincere apologies to all those affected by these breaches and are committed to rebuilding the trust that you place in us.” 

Under MFIPPA, citizens have the right to access information in the City’s possession, with legislated exemptions that limit the City from releasing certain types of information. Specifically, individuals have a right to protection of their personal information and a right to access their personal information. As part of the City’s commitment to Open Government, summaries of Freedom of Information requests have been posted to the municipal website on a weekly basis since 2015, with personal information removed in accordance with legislation. 

In the first instance of privacy breach, one summary of Freedom of Information requests contained the name and date of birth of an individual identified as a client of Ontario Works. 

Further investigation uncovered a second privacy breach in a second summary report. In this instance, personal information may have been contained in the summary information related to 86 Freedom of Information requests. Personal information published in the summary included in some instances the identity of requestors, the specific nature of each request, names, dates of birth and other personally identifying information. 

Both documents were immediately removed from the City’s website upon discovery of the privacy breaches on December 5, 2016. A final version of the 2016 FOI Tracking List and the 2017 document will be posted to the website, once the recommended remedial actions have been completed at the end of January. As part of the City’s protocol to notify individuals affected by a privacy breach, a team of four non-union staff made initial contact with as many of the individuals whose personal information was released as we could find contact information for.   

A full investigation has been conducted into the breaches and has determined that they were the result of human error. Two employees have been disciplined in accordance with the City’s policies and a third employee has left the organization. 

In addition, five changes in process are being made as a result of the investigation: 

1.A summary of Freedom of Information requests will be published on the City’s website on a monthly, rather than a weekly, basis to provide more time to review the data prior to release. 

2.The Freedom of Information Request Tracking list has been redesigned so that employees can more easily separate the data that is available for public release from personal information that cannot be released. 

3.A glossary of standard descriptions for FOI request types will be developed to remove any personal information from the public release of what is being requested. 

4.Formal responsibility will be assigned for producing, verifying, and obtaining sign-off on the public release to ensure a three-step verification that the information being released meets all legislative requirements. 

5.Existing training will be reviewed and additional training provided to staff who provide support to the Freedom of Information process.

The City’s letter to the Information and Privacy Commissioner is attached.