logo logo

Toronto accidentally turned over citizens’ private info 16 times in 2 years

Unreported theft of kids’ daycare photos among breaches

A daycare in this north Etobicoke school was broken into last year, and photos of 12 of the children were stolen. It’s one of 16 privacy breaches reported by the city in two years. (Mike Smee/CBC News)

Photos of children at a city-run daycare were stolen during a break-in last year, but neither the police nor the children’s parents were ever notified of the theft.

The incident is one of 16 reported privacy breaches by the city between January, 2016 and January, 2018.  CBC Toronto obtained the list through a freedom of information request.

The break-in at the Greenholme Early Learning and Child Care Centre in North Etobicoke occurred in May, 2017. A memory card containing photographs of 12 children was stolen, along with a camera cable.

City Coun. Jim Karygiannis says he’d like to find out why parents and police weren’t told about a break-in during which photos of 12 children were stolen. (Rob Krbavac/CBC News)

Toronto Police say they have no record of the incident. The city admitted in a statement to CBC Toronto that the children’s parents were told only about the break-in and vandalism — not the theft of the photos.

‘Someone should be held accountable’

“I’m very upset that this has happened; I’m very upset that the parents have not been notified,” Coun. Jim Karygiannis told CBC Toronto. “I’m horrified by what I’ve seen and I think someone should be held accountable.”

Children’s Services was the leakiest city division, responsible for five of the 16 privacy breaches.

People line up to pay bills at city hall last week. Personal information was lost or mis-directed by city staff 16 times between Jan., 2016 and Jan., 2018. (Rob Krbavac/CBC News)

Also included in the list:

  •  A woman’s address was mistakenly given to her ex-spouse while he was registering for a city Parks, Forestry and Recreation division program. The city says it notified the ex-wife and police of the breach.
  •  An X-ray requisition for a resident was posted on a public cork board at the city-run Seven Oaks Long-term Care Home in Scarborough.
  •  A staff member lost an iPad that contained notes on a client of the Children’s Services division.
  • Personal information of 38 unsuccessful applicants for a city job was sent to seven other applicants who’d been invited for an interview by the Human Resources division.
  •  Revenue Services staff accidentally mailed personal information about two individuals to a third person.

In all 16 cases, the city has labelled the incidents “closed.” The city appears to have investigated and sent letters of apology in most instances.

In one case, the Parks, Forests and Recreation division accidentally gave the address of a woman to her ex-spouse while he was enrolling in a rec program. Police and the woman were notified of the breach. (Rob Krbavac/CBC News)

City staff declined to be interviewed by CBC Toronto about the incidents.

‘It’s a pretty good record’

But in a series of statements, spokesperson Wynna Brown said: “The City of Toronto routinely manages hundreds of thousands of documents and when these rare instances do occur, we take them very seriously.  We identify every opportunity to review and tighten information management procedures to ensure the continued protection of personal information.

“Of note, approximately 7 of the 16 occurrences involved mailings of which the City undertakes more than 4 million per year.  As well, the vast majority of incidents are self-reported by staff which we attribute to the effectiveness of the City’s training program.”

Councillor Gord Perks agreed that the city has a relatively good track record, under the circumstances:

“Any time it happens, it’s serious. That being said we do handle hundreds of millions of pieces of information every year and from what you’ve shown me, this is 16 accidents or releases of information over 2 years; it’s a pretty good record.”

He said he’d have been more concerned if most of the privacy breaches came from a single division.

After looking at the list of breaches, Brenda McPhail, director of the Canadian Civil Liberties Association privacy, technology and surveillance project, said it appears that the system for tracking and rectifying privacy breaches is in line with guidelines set out by the Information and Privacy Commissioner of Ontario.

However, she said the fact that the incidents were not made public voluntarily by the city is “a little bit troubling.”

“The city has such a high duty of care for our personal information. It would be great if they were a little more forthcoming about when things go wrong. A transparency report would be a really great idea — just an annual report that says we’ve had this number of breaches; this number of people were affected and this is what we did to fix it in each case.”