From Queen’s Park – Elections Ontario privacy breach shows risks to personal information

Sarah Campbell-MPPKENORA – Leaders Ledger – Last week Elections Ontario announced that two USB keys containing personal data for 2.4 million people had been lost due to employee negligence.

While it is good news that data from the Kenora-Rainy River was not one the 20-25 ridings involved, it shows that not enough is being done by the government to protect this very private and confidential information.

In this case, the private information of these individuals- including their name, address, gender and birth date, were stolen. In the wrong hands just having a person’s name, address and birthdate could be enough to seriously compromise that individual’s safety through identity fraud or any other means of misuse. What’s worse, is that there is no telling when and how this information will be used for nefarious purposes, or if it ever will be. For the individuals affected it is a truly frightening situation.

During an election only Elections Ontario officials and registered candidates are permitted access to the voters list, which includes only the names, addresses and voter sequence numbers of most individuals who is eligible to vote in their district. Even then, sensitive information such as a person’s birthdate is not disclosed. In fact, this information provided to registered candidates is not much more than one can find in the telephone book, and is standard across many jurisdictions.

My primary concern lies not with the controls that are in place to distribute or store this sensitive information, but that the controls were not followed. Elections Ontario has procedures in place that require this information to be stored on password protected USB sticks which are stored in restricted areas. Neither of these procedures were followed.

Personal privacy has been in the news a great deal recently, yet I worry that the government is not taking this as seriously as it should.

Earlier this year, I raised concerns relating to the privacy of personal information collected by the Ministry of Natural Resources and stored in the United States. At that time I expressed concerns that under the Patriot Act the United States Government can access that data without permission or notice.

What’s even more concerning is that if this government moves forward with its plans to privatize other services, such as Service Ontario or the Registrar General’s office, some of our most sensitive personal information, including that contained on our Drivers’ Licenses, birth and death certificates- including one’s current mailing address, and OHIP data could also be in jeopardy. Because if privatized, the delivery of these services would also be subject to the rules of the North America Free Trade Agreement (NAFTA) which force governments to choose the lowest bidder in Canada, the United States, or Mexico regardless of location or privacy concerns.

This latest incident with Elections Ontario shows us the gaps that can occur even when not-for-profit government organizations are charged with protecting our privacy. What happens when it is left to a private entity who’s primary concern is generating a profit and who may not even be subject to our laws?

Sarah Campbell MPP