Background
Section 26 of the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) requires an institution to include in its annual report to the Information and Privacy Commissioner (IPC), factors that contributed to its access and privacy performance. The City of Toronto’s City Clerk’s Office is proud of its achievements and the efforts it has made over the past year. This report summarizes the City’s initiatives and achievements for the year 2008.

Staff Training
In 2008, training content focused on providing City staff with a greater understanding of the principles of access and privacy and their roles and responsibilities as it relates to these principles. The training delivered both at corporate and divisional levels in response to program area requests for customized training, focused on the fundamental principles and rights contained in MFIPPA, the importance of routine disclosure, IPC decisions, and information from the provincial and federal governments as well as the private sector. Offered monthly, attendance has been full at most sessions, and employees have provided very positive feedback on the effectiveness of the training.

Routine Disclosure
Routine disclosure is directly linked to the right of access embodied in the provisions of MFIPPA. Recognized as a core component of the City’s freedom of information and privacy training program for City staff, the CAP unit continued to work with City divisions to encourage further development and implementation of routine disclosure plans in 2008.

All City divisional routine disclosure plans were posted to the City's website in February 2008 for public reference. A staff report to City Council was submitted at the same time, outlining the key developments of the routine disclosure program.

One of the successful routine disclosure initiatives in 2008 was making the information relating to councillors’ expenses available online. The City Clerk’s Office, Council and Support Services unit developed a database that posts supporting receipts and invoices for Councillor expenses to the City’s website on a quarterly basis, along with expense summaries by category. The Routine Disclosure Plan for the Toronto Building Division also moved forward in 2008, when City Council approved the necessary resources and policy changes to enable Toronto Building to routinely provide access to building plans without the need for a formal freedom of information request. This will take effect in 2009.

To further facilitate the implementation of divisional routine disclosure plans, the CAP unit has developed a Disclosure Management Framework that sets out the steps required to implement and update routine disclosure plans. This framework allows divisions to go beyond routine access to general records, by following trends and anticipating the types of information of interest to the public and proactively making that information available through the web, across the counter, and other channels. Implementing routine disclosure policies demonstrates the City’s commitment to an open exchange of information with the public and the City Clerk’s Office will be monitoring the implementation process throughout 2009.

Privacy Impact Assessments
The City Clerk’s Office actively supports the principle of “privacy by design”. The City risks damaging its reputation and losing the public’s trust and willingness to interact with City services if privacy and security are not top priorities. The CAP unit conducts privacy impact assessments (PIAs) as part of a comprehensive privacy compliance program.

PIAs completed in 2008

• Corporate Finance - CS Stars Project
• Public Health - Tuberculosis Directly Observed Therapy
• Public Health - One on One Mentoring
• Solid Waste - Getting to 70% Bin Program
• Solid Waste - Addendum to Getting to 70% Bin Program PIA
• Transportation - Amendment to Temporary Parking Permit System PIA
• Solid Waste - CEAT/Public Consultations by Residual. Waste & 3R's Working Groups Parks and Recreation - Work Management System
• Shelter, Support & Housing - E-mailing Rent-Geared-to-Income Tenant Arrears Data
• ML&S - Remote Computing System
• Social Services - Ontario Works

• 3-1-1 Core Technology Logical PIA
• 3-1-1 Project - Hansen Divisional System Logical PIA
• 3-1-1 Project - TMMS Divisional System Logical PIA
• 3-1-1 Project - IBMS Divisional System Logical PIA
• 3-1-1 Core Technology Final PIA
• 3-1-1 Project - Hansen Divisional System Final PIA
• 3-1-1 Project - TMMS Divisional System Final PIA
• 3-1-1 Project - IBMS Divisional System Final PIA
• Human Resources - TalentFlow Applicant Tracking System
• Shelter, Support & Housing - Streets to Homes (Pirouette)
• Children's Services - CSIS on the Web (Attendance)
• City Manager’s Office - Public Consultations
• ML&S/IBMS - Municipal Licensing System
• ML&S - Licensing Tribunal Process
• Court Services - Administrative Dispute Resolution (Parking Violations)
• Shelter, Support & Housing - Social Housing Administration System
• Shelter, Support & Housing – Rent-Geared-to-Income Tenant Arrears Data Sharing

Privacy Compliance
The CAP unit also continued its processes to review all City forms and web applications prior to implementation, to ensure that privacy is protected when collecting information from individuals. Through collaboration with City Web Services and all program areas, City forms and web applications are reviewed and approved by the CAP unit prior to implementation, including ensuring that the necessary notices of collection of personal information are included and recommendations are made for secure websites and limitations on information collected.

Another critical component of privacy compliance work is the investigation and response to privacy breaches and complaints. The CAP unit continued to address these situations and cooperate fully with the IPC on investigations. The CAP unit provided strong recommendations to business units in the City on how to mitigate the consequences of breaches, improve staff awareness of their privacy responsibilities, and incorporate privacy best practices in the City’s day-to-day operations. Through ongoing education and follow-up, the CAP unit has worked towards ensuring that privacy becomes embedded into the City’s institutional culture.

In response to the IPC privacy investigation regarding secure disposal of personal information at Old City Hall courthouse, the CAP unit established an interdivisional team to develop City-wide solutions for secure disposal at all City office locations. The IPC privacy investigation report made a series of recommendations for the City to improve its disposal practices which are being developed and implemented, and senior management in all City divisions were briefed on the report’s recommendations. The City was commended in the report for the proactive work being done to respond to this privacy investigation.

A major achievement in 2008 was the development of a privacy compliance audit toolkit, designed to review and assess the privacy measures in place in an organizational unit. This toolkit was implemented by the CAP unit at Seaton House, a homeless men’s shelter, as part of a larger management audit being conducted. In this initiative, Seaton House’s existing practices for handling personal information and records were documented and evaluated, employees were interviewed in order to identify privacy risks, new privacy practices were developed and put in place, and all management and staff received comprehensive privacy training. The CAP unit plans to use this successful model in other organizational units at the City, depending on staff resources available to conduct the detailed project work.

External Outreach
The CAP unit was also engaged in external outreach activities in 2008. Two sessions were delivered by the CAP unit at the annual Ontario Ministry of Government Services (MGS) Workshop in fall 2008. The CAP unit also delivered an overview of MFIPPA to the Board of Governors of Exhibition Place; a half-day access and privacy presentation to senior staff in Niagara Region and area municipalities; and participated in the first annual Association of Municipal Managers, Clerks and Treasurers of Ontario(AMCTO) Access and Privacy Workshop in Burlington.

The CAP unit was also invited to participate in the newly established AMCTO Municipal Information and Privacy Project Team, which held its first meeting in November 2008. The AMCTO Project Team, which includes representatives from municipalities across Ontario, as well as the MGS and IPC, will focus on common municipal access and privacy issues, developing common guidelines, legislative advocacy, and province-wide training opportunities.

Conclusion
There were two significant IPC orders issued against the City in 2008. Order MO-2337, involved records relating to an incident in which an unattended fire truck was stolen. The IPC ordered disclosure of some of the records relating to the settlement agreement on a disciplinary matter. The City complied with this order immediately and included the order and IPC conclusions in the corporate access and privacy monthly training.

In Order MO-2342, the IPC ordered disclosure of a list of names of individual defendants charged by the City’s mobile enforcement team under Chapter 545 of the Municipal Code. The IPC found that the list did not contain information that met the definition of personal information under the Act. As a result of this order, the City immediately disclosed the list in full to the requester and updated the CAP unit procedures to include the conclusions of the IPC in Order MO-2342.

As a result of the motion before Toronto City Council regarding “Councillors’ Read-Only Access to the Integrated Business Management System (IBMS), the City Clerk’s Office has spent several months preparing staff reports and recommendations on the application of the provisions of MFIPPA. At the City Council meeting on October 29 and 30, 2008, Council directed City staff to retain independent legal counsel to apply to the Ontario Superior Court of Justice for a determination on whether providing individual members of Council with access to the information contained in the IBMS complies with the provisions of MFIPPA.

While every effort is being made to provide all discloseable information to Councillors, the City currently has no way to redact the personal and law enforcement information covered by MFIPPA exemptions contained in the IBMS database. Pending the outcome of this Court application, the City administration will continue to work actively to improve the system of information disclosure, implement routine disclosure plans and increase the overall amount and types of information and records made available to both members of Council and members of the public.

As pointed out by Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario, “Privacy is essential to creating an environment that fosters trusting, long-term relationships…”. The City of Toronto, like all public institutions, has entered a new phase of public engagement in which information is created through new technologies and in a way that is faster and more immediate than ever before.

2009 will bring opportunities for the City of Toronto to strike a balance between providing access to City records while protecting privacy and security in accordance with the legislation. With City record holdings in multiple document formats in numerous locations, the opportunity for the City in the upcoming year will be to continue to build upon the foundation of MFIPPA and PHIPA compliance towards an information management solution.