Reading disabilities Inquiry
I. Administrative safeguards
a. Minimizing data
c. Authorized personnel
d. Responsibilities of the RD Inquiry Team
e. Responsibilities of non-RD Inquiry OHRC staff
f. Responsibilities of the RD Inquiry Lead for privacy matters
h. The Retained Expert
II. Physical safeguards
a. Access card
c. Hard copies
III. Electronic safeguards
a. OHRC Computers
b. OHRC laptops
Protection of personal information and privacy safeguards policy: Reading Disabilities Inquiry
October 3, 2019
- The Ontario Human Rights Commission (OHRC) recognizes the importance of protecting personal information.
- To protect human dignity and maintain public trust and confidence in the OHRC as an institution, the OHRC works hard to comply with all relevant laws that relate to handling personal information.
- As a provincial public institution, the OHRC must abide by the Freedom of Information and Protection of Privacy Act (FIPPA).
- The Chief Commissioner, the head of the OHRC, has a duty to take objectively reasonable steps and measures to:
- Ensure the preservation of records in the OHRC’s custody and control
- Ensure the security of original records
- Protect records from inadvertent destruction or damage, “taking into account the nature of the records to be protected.”
- OHRC staff have a duty to exercise due diligence in ensuring that personal information is protected.
- Using its inquiry powers under s. 31 of the Ontario Human Rights Code (the Code), the OHRC has commenced an inquiry (the RD Inquiry) into human rights issues that affect students with reading disabilities in Ontario’s public education system.
- As part of the RD Inquiry, the OHRC has requested documents and information from eight public school boards in Ontario: Hamilton-Wentworth District School Board, Keewatin-Patricia District School Board, Lakehead District School Board, London District Catholic School Board, Ottawa-Carleton District School Board, Peel District School Board, Simcoe Muskoka Catholic District School Board, and Thames Valley District School Board (the selected school boards). The information requested may include “personal information” within the definition of FIPPA. Because the information requested relates to children, it may also be of a sensitive nature.
- The more sensitive the personal information collected, the more stringent the security measures adopted must be to mitigate the risk of a privacy breach.
- The purpose of this policy is to:
- Identify and explain the privacy safeguards that the OHRC has and/or will have in place relating to the RD Inquiry
- Clarify the roles and responsibilities of OHRC staff involved in the RD Inquiry
- Show that the potential privacy implications of the RD Inquiry have been considered.
I. Administrative safeguards
- The first step to protect the privacy of personal information is to minimize, to the extent possible, the personal information that comes into the OHRC’s custody.
- In securing compliance with the OHRC’s document requests, the OHRC will work with the selected school boards to ensure that personal identifying information collected by the OHRC is minimized.
- If the OHRC is provided with access to personal information, it will at the earliest possible stage adopt measures to minimize the collection of personal identifying information. This can be achieved by using templates that do not include a person’s name or other personal information that would identify them, and by anonymizing the data obtained.
- The OHRC does not intend to disclose personal information obtained from the selected school boards through the RD Inquiry. The OHRC’s report relating to the RD Inquiry will not contain personal information that identifies any particular individual.
- The OHRC will destroy any personal information as soon as reasonably possible after it is no longer required.
- Before the OHRC has access to personal information from the selected school boards, the OHRC will provide notice of collection of personal information on its website. Individuals who believe that their personal information may be affected will be able to contact the OHRC. They may also contact the Information and Privacy Commissioner.
- The OHRC may also obtain personal information from voluntary participants through interviews or surveys. Before conducting an interview, the OHRC will obtain the person’s consent. Surveys will require individuals to provide their consent for the information to be collected. To the extent possible, information contained in the inquiry report will be aggregated and/or anonymized. However, if it is possible that a particular individual could be identified – the person’s informed consent will be obtained before any personal information is disclosed.
- Access to any personal information obtained through the RD Inquiry is strictly limited to OHRC staff who are on the Inquiry Team.
- The Privacy Lead will keep a list of individuals on the Inquiry Team. No OHRC staff other than the Inquiry Team will have access to personal information. Inquiry Team members may be added or changed as needed.
- The Inquiry Team must comply with all privacy safeguards set out in this policy.
- The Inquiry Team must exercise reasonable judgment when handling personal information, depending on the sensitivity of the data, nature of the information and use.
- As part of exercising privacy due diligence, the Inquiry Team should identify and address potential privacy concerns while performing their roles in the RD Inquiry.
- The Inquiry Team must report a privacy breach or potential privacy breach to the Privacy Lead and Manager as soon as they become aware that a breach or potential breach has occurred.
- OHRC staff not on the Inquiry Team must, to the extent possible, avoid encountering RD Inquiry-related personal information, and must keep confidential any RD Inquiry-related personal information that they may learn.
- OHRC staff will consult with the Privacy Lead and the Inquiry Team if they have questions or concerns related to privacy matters.
- OHRC staff must report a privacy breach or potential privacy breach to the Privacy Lead and Manager as soon as they become aware that a breach or potential breach has occurred.
- At this time, the RD Inquiry Lead for Privacy Matters (Privacy Lead) is:
Nika Farahani, Counsel, Legal Services and Inquiries
Ontario Human Rights Commission
180 Dundas Street West, 9th Floor
Toronto, Ontario M7A 2R9
Telephone: 416 564 9246
- The Privacy Lead will act as the main contact person for public citizens and internal or external staff who have an RD Inquiry privacy question or concern.
- The Privacy Lead will brief the Inquiry Team on the privacy-related requirements of FIPPA and the contents of this policy.
- The Privacy Lead will frequently monitor and report on compliance with this policy to ensure that safeguards have been implemented, and that privacy due diligence continues to be applied throughout the RD Inquiry.
- Before having access to any personal information obtained through the RD Inquiry, all Inquiry Team members, whether internal or external to the OHRC, must voluntarily sign an acknowledgement that requires that they:
- Have read this policy and understand the privacy safeguards herein
- Will keep any personal information in a secure location at all times
- Will ensure that no personal information is used or disclosed unless necessary and proper in the discharge of the OHRC’s functions
- Will ensure that no personal information is used or disclosed in a way that identifies the person it relates to, without the prior informed consent of the person the information relates to.
- An expert (the Retained Expert) has been engaged to help analyze the RD Inquiry data. The expert retainer includes a confidentiality agreement between the Retained Expert and the OHRC.
- To the extent that the Retained Expert has access to personal information, they must under no circumstances disclose it to anyone other than the Inquiry Team.
- The Retained Expert shall not disclose or otherwise provide access to non-personal information and data obtained through the RD Inquiry, other than for the defined research purposes.
- The Retained Expert will implement safeguards and protocols consistent with this policy and will consult with the Inquiry Team on any additional safeguards that may be required.
- An access card is required to enter the OHRC office.
- Staff must not permit unauthorized or uninvited people to enter into the OHRC office space.
- Staff will notify security of suspicious activity in the OHRC vicinity.
- As much as possible, the Inquiry Team will turn their computer monitors off, put their computers in sleep mode or change screens to prevent others from seeing personal information on the screen.
- Hard copy documents or files containing personal information must be kept in a central office/room that can be locked when unattended. When possible, the Inquiry Team should use a clean desk policy whereby personal information is kept out of sight, ideally in a locked drawer or filing cabinet.
- When discussing RD Inquiry matters, Inquiry Team staff will close the door during their meetings to ensure that others do not overhear personal information.
- The Inquiry Team will take all reasonable steps to ensure that third parties who may attend the OHRC office (invited guests, maintenance or cleaning staff) do not have access to personal information.
- Hard copies of collected RD Inquiry materials, including any personal information, must be stored in a secure location, ideally raised off the floor to prevent flood damage and in a fire-resistant space.
- When not in use, hard copies of collected RD Inquiry materials, including any personal information, must be locked in filing cabinets.
- The Inquiry Team should refrain from printing and photocopying any personal information.
- The Inquiry Team must not leave any document containing personal information on the printer. If printing, staff should use Secure Print so that personal information does not print until the staff member goes to the printer to retrieve it.
III. Electronic safeguards
- OHRC computers are password protected. The passwords automatically expire every 45 days.
- The Windows firewall is enabled on all OHRC computers. The computers use McAfee software to protect them from virus and malware threats.
- When working on RD Inquiry materials that contain personal information, staff must not use a personal or non-OHRC computer.
b. OHRC laptops
- OHRC laptops are password protected. The passwords automatically expire every 45 days.
- The Windows firewall is enabled on all OHRC laptops. The laptops use McAfee software to protect them from virus and malware threats.
- The hard drive of every OHRC laptop is encrypted. If a laptop is misplaced or lost, a finder should be unable to access the secure information.
- The Inquiry Team will not use their personal emails for any RD Inquiry work that involves personal information.
- No personal information shall be communicated or transmitted by email.
- No personal information shall be faxed anywhere.
- If Inquiry Team members must work off-site, then they will use a Virtual Private Network (VPN) service.
- The Inquiry Team shall not remove any personal information from the RD Inquiry data from the OHRC premises.
- Electronic information obtained during the RD Inquiry will be stored in a shared folder, accessible only by members of the Inquiry Team.
- The Inquiry Team will not use instant messaging tools to discuss RD Inquiry material that includes personal information.
Protecting personal information is an ongoing responsibility. This policy was adopted at an early stage of the RD Inquiry and will be re-assessed on an ongoing basis.
 RSO 1990, c F-31, s 2(1) [FIPPA]; Freedom of Information and Protection of Privacy Act, RRO 1990, Reg 460: General, s. 1(1), Schedule, Item 110 [FIPPA Reg General].
 FIPPA, supra note 1, s. 10.1; FIPPA Reg General, supra note 1, ss. 3(1), 4(3), Schedule.
 For example, see. Information and Privacy Commissioner of Ontario, Open Government and Protecting Privacy (Toronto: IPC, 15 March 2017) at 8.