
For more information or any additional questions, contact:
Customer Contact Centre
Call 905-546-2489
Email [email protected]
Any new updates will be posted on this incident page.
Unauthorized Use – Recreation Software Data
The City of Hamilton would like to inform the public about an unauthorized use of internal data that the city is classifying as an internal privacy breach. Residents do not need to take any action as there is no threat to people’s personally identifiable information being shared in the public domain. The breach is considered internal as information was incorrectly shared among city departments.
What Happened
In an effort to create a better customer experience and minimize the need for residents to have to re-enter information/data (specifically address information – street name and number, city, and postal code), City staff copied information/data from the City’s recreation software into new Customer Relationship Management (CRM) software via a data transfer. The original information that would have been used was not recoverable due to the February 25, 2024 cybersecurity attack.
The internal privacy breach occurred when City staff pulled data files from the since-archived Corporate Point of Sale software known as “Legend”, which was used by multiple Divisions including Recreation. The Recreation Division’s current software was not affected by the breach and was not involved in its cause, nor were any Recreation staff.
Recreation user data from the City’s software was imported into the CRM with the intent of minimizing the need for property owners to re-enter their address information as part of the Vacant Unit Tax declaration portal. During the data transfer process, some data became misaligned between the old and new databases, resulting in a potential mismatch between property owners’ email addresses and the respective property addresses. Once the City became aware of the address data mismatch on February 25, 2025, it worked quickly to ensure the address data was purged (deleted) from the new system.
Upon further review this breach was identified as an internal unauthorized use. Personal information and data collected for one purpose, in this case users registering for recreation-related programs, cannot be used for another unrelated purpose by the City unless that intended usage is disclosed in the original Notice of Collection. A Notice of Collection defines how the information collected will be used by the City.
It is considered an unauthorized use of data breach because the original Notice of Collection only indicated the data could be used for recreation purposes and the City used it for another purpose.
Under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), subject to specific exceptions, organizations can only use the data they collect for the purpose for which it was collected in the notice of collection. No financial data was involved in the data transfer, and no personally identifiable information was shared in the public domain.
How You Might be Affected
A limited number of internal staff accessed 133,744 records as part of the information/data transfer process, and to date, 105,979 have been deleted. If you are the main contact on a family account with the Recreation Division and registered for a program, rented a facility, or purchased a membership between Fall 2017 and March 15, 2024, your information may have been accessed internally by the limited staff when the data transfer occurred between the Recreation and Vacant Unit Tax solutions.
The undeleted records are those for which residents either requested updates to their address information or made the updates directly. An example would be a resident who updated their address, email, or phone number by speaking to a Customer Service Rep as part of a City Service Request or by updating their information as part of the Vacant Unit Tax declaration process. These records have not been deleted as those residents have confirmed their contact information and provided consent to update it.
What the City is Doing
The City has notified the Information and Privacy Commissioner of Ontario (IPC) of the internal unauthorized data use breach. Individuals have the right to file a complaint with the IPC about their personal information through the following website: www.ipc.on.ca/en/resources/information-individuals. While individuals are welcome to file a complaint, it is not required.
The City, in coordination with the City’s Privacy Office, has reviewed its current processes, conducted staff awareness and education, and is creating a new process to ensure that there are access and use controls when disclosing datasets between internal program areas.
Frequently Asked Questions
No. The internal privacy breach occurred when City staff pulled data files from the since-archived Corporate Point of Sale software known as “Legend”, which was used by multiple Divisions including Recreation. The Recreation Division’s current software was not affected by the breach and was not involved in its cause, nor were any Recreation staff.
No, your personal information and transactional information are safe in our current recreation database and software. The issue was not a technological error or breach of the product, but internal use of data between departments. Staff have updated internal processes to ensure this doesn't happen again.
Recreation user data from the City’s software was imported into the CRM software with the intent of minimizing the need for property owners to re-enter their address information. It was intended to save customers time by already having their contact information on file should they call the City. Recreation staff were not involved in this process.
When customer contact information was provided to the Recreation Division, the forms used to collect this data stated it would only ever be used for the purpose of contacting participants about recreation programs. When we collect personal information, we are to use it for the purpose that we intended. We are committed to following that expectation and because of our error we notified the public.