In what’s being called a “shocking” misuse of personal health information, Ontario police services made unauthorized searches of the province’s COVID-19 first-responder data portal — including querying entire postal codes to find active cases of the virus, according to documents obtained by two civil rights groups.
In a memo addressed to all police chiefs in June, Ontario’s Ministry of the Solicitor General said an audit of the COVID-19 database — a controversial and now-shuttered portal for first responders — revealed “many” searches violating the province’s directive that the tool be used cautiously and with precision.
The audit raised “concerns that the portal is being used beyond the express purpose that the government intends,” wrote Richard Stubbings, assistant deputy minister of the public safety division, in a June 11 letter.
Among the unauthorized searches listed: “broad-based” municipal searches with no specific address, including queries of postal codes or of another municipality, and searches of a specific name unrelated to an active call for service.
“I strongly urge police services boards and chiefs of police to ensure that access to this critical information is strictly for responding to a call for service,” Stubbings wrote.
The memo — obtained through a freedom of information request by the Canadian Constitution Foundation, a civil rights charity — is the latest problem stemming from a portal dubbed an “extraordinary” privacy invasion by human rights groups and deemed an unnecessary infringement by Ontario’s privacy commissioner.
“I was shocked when I read the extent of what appears to be abuse of that database,” Christine Van Geyn, litigation director with the CCF, said Wednesday.
“At the same time, when you look at what access was granted under that regulation … it’s not surprising that such a database was abused.”
The temporary portal was created via an emergency order in April, letting first responders including police officers access personal information such as names, addresses and birthdates of people who tested positive for COVID-19. The database was intended to be used solely by 911 operators and only for active calls, to aid efforts to limit the spread of the virus.
The province halted police access to the database in July, after a legal challenge filed by human rights groups including the Canadian Civil Liberties Association argued the portal was an unjustified invasion of privacy.
After obtaining the June memo this week, the CCF filed a formal complaint about the searches to the Office of the Independent Police Review Director — the province’s complaints watchdog — and to the province’s information and privacy commissioner.
“There is no rationale for this abuse,” said Van Geyn.
But misuse of the portal may have been caused in part by attempts by police to use a tool the CCLA said was overall “pretty useless to first responders.” Some services adopted “illegal” and “privacy-invasive work arounds” when authorized searches failed, the rights group said.
In a report released Wednesday, the CCLA highlighted significant problems with a database, including incorrectly entered addresses and outdated and unreliable information. Database weaknesses were also noted by the province itself in communication to police services earlier this year, including delays in test results and the fact that individuals listed as positive may no longer have COVID-19.
Abby Deshman, the criminal justice program director of the CCLA, said it remains unclear why the database was deemed useful to begin with.
“We were right to be concerned about the utility of the database. Not only was the information extremely limited, it was designed in such a way that made it unusable,” she said in an interview Wednesday.
“They created a tool that I think never should have been created.”
Brent Ross, spokesperson for the Ministry of the Solicitor General, said in a statement Wednesday that protecting personal health information was a key commitment.
“Recognizing that the local needs and challenges of individual communities across Ontario is varied, police and fire services were expected to implement local policies to ensure appropriate use and to take appropriate action in the case of misuse,” Ross said.
“Police and fire services are responsible for their use of the portal within the requirements of the emergency order.”
Data released as part of the CCLA’s lawsuit revealed Ontario police services searched the portal 95,000 times. While some services, including Toronto police, never accessed the portal, a handful of others made up the bulk of the queries.
Durham Regional Police and Thunder Bay Regional Police alone conducted 40 per cent of the searches, with nearly 25,000 and 14,000 searches respectively, according to the CCLA.
In a Sept. 1 report to its police services board, Durham police called the database “extremely unreliable,” saying that, in good faith, its staff adopted broad, “wild-card style” searches to glean results when more precise queries failed.
The Durham report states, for example, that when address queries for a long term care home with known COVID-19 cases failed, “the search was expanded using wildcard parameters.” That practice was “widely used” until the province’s June 11 memo.
In late June, Durham was warned about its overly broad searches, and its access was ultimately shut off by the province five days before the entire portal was closed.
York Regional Police initially made use of the portal, performing more than 13,000 searches, but later asked the province to revoke its access, according to the CCLA.
“YRP identified that the look-up tool was not sufficiently user-friendly and did not permit authorized users to conduct searches that would consistently provide accurate results while still allowing YRP to maintain stringent limits on how members conducted their searches,” reads a Sept. 23 report to the York police board.
Van Geyn, lawyer for the CCF, called on the privacy commissioner to conduct an investigation into any instances of searches of specific names unrelated to active calls. The legislation that let police access the COVID-19 database required that individuals be informed of any breaches of their privacy, she said.
“We’ve asked for an investigation, and if there is misconduct, for the administrative penalty under the act to be applied,” she said.
Wendy Gillis is a Toronto-based reporter covering crime and policing for the Star. Reach her by email at email@example.com or follow her on Twitter: @wendygillis