Elections Ont. breach shows privacy policies must be followed
A woman casts her ballot at a voting station in Toronto as voters participate in the Ontario Provincial Election on Thursday, Oct. 6, 2011. (Chris Young / THE CANADIAN PRESS)
Published Wednesday, September 5, 2012 6:32PM EDT
HALIFAX -- The loss of personal information belonging to millions of Ontario voters earlier this year shows that even good privacy policies can be useless if they're not followed, the province's privacy commissioner said Wednesday.
Ann Cavoukian released a new report that calls on organizations to beef up the enforcement and understanding of their privacy policies after the "egregious" breach at Elections Ontario.
"If you don't enforce your policy, it has no value," Cavoukian said after addressing a meeting of the privacy section of the Canadian Bar Association in Halifax.
"And don't dare to assume that your frontline staff will know automatically how to implement a policy."
In April, Elections Ontario discovered a major privacy breach when two memory sticks containing the names, addresses and birthdates of some 2.4 million voters were lost.
The information also indicated whether they voted in the last election.
Cavoukian previously found that the staff who lost the USB keys didn't encrypt the files because they didn't know what encryption meant.
After researching online, the staff members thought compressing the data was the same as encryption, which actually involves converting data into code to prevent unauthorized access.
"You can't fault them," Cavoukian said in an interview. "I don't fault them. They weren't told, they weren't taught how to implement these things."
Her report doesn't target Elections Ontario, but makes seven recommendations to improve privacy protection at any organization, including developing privacy education and awareness training programs.
It also suggests conducting privacy audits of the organization and ensuring mobile devices are encrypted and password-protected, as well as appointing a specialist who can answer internal questions about the policy.
Furthermore, the report says organizations should have a protocol in place to deal with a possible privacy breach that includes notifying affected people as soon as possible.
In the Elections Ontario case, the public didn't learn of the breach until July 17, prompting investigations by Cavoukian's office and provincial police.
Cavoukian said Wednesday that Elections Ontario waited to come forward to the public until after its own internal investigation was underway.
"In my view, waiting three months was too long," she said. "Maybe you can do that for a week or two and pull together the facts. But I believe they should have moved on it more quickly."
Julia Bennett, a spokeswoman for Elections Ontario, said she couldn't comment on the report released Wednesday because it was still being reviewed.
Bennett said the office planned to submit a report to the Speaker of the provincial legislature by the end of the year outlining the steps it's taken to improve privacy protections.
Cavoukian said the agency has already moved ahead with an audit of its policies, which was one of the recommendations she made in a report in July.
Elections Ontario has previously said it will issue a report by the end of the year on how it will implement the commissioner's recommendations.
In a statement on its website, the agency said there's no evidence the lost information has been improperly accessed. Still, the breach has prompted a provincewide class-action lawsuit against Elections Ontario.
The data is from voters in 20 to 25 electoral districts, but because the agency can't say which districts, four million voters in 49 ridings are being advised to watch out for suspicious activity on their bank statements.