On July 5, the Commissioner's office was advised of the loss of two USB keys containing the unencrypted names, home addresses, dates of birth, and gender, as well as whether or not the person had voted in the last election - all included on Ontario voters' lists. The Commissioner advised Elections Ontario to notify the public of this breach as soon as possible. An investigation was immediately launched, with the full cooperation of Elections Ontario, to examine how the breach could have occurred and the existence of privacy policies and procedures in place at the province's election agency.
The investigation is expected to be completed in several weeks, at which time the Commissioner's findings will be released publicly. As part of her report, the Commissioner will be providing guidance that organizations can use to limit the possibility of this type of breach happening in the future.
Commissioner Cavoukian Quotes:
"I am deeply disturbed that a breach of this extent, the largest in Ontario history, involving millions of individuals, could happen at Elections Ontario - the agency charged with protecting the integrity of our electoral process."
"Personal information is the currency in which Elections Ontario trades. It is my expectation that personally-identifiable information will not be stored on USB keys, laptops or other mobile devices - full stop. That is the message I have repeatedly given over the years. If it is absolutely necessary, to transfer personal information to a mobile device, it should first be de-identified or protected with strong encryption."
"Given the magnitude of this breach, impacting millions of Ontarians, the loss of electors' personal information will of course raise concerns of identity theft. Resources are available on my website, www.ipc.on.ca, to learn how to protect your personal information, and what to do if you become a victim of identity theft."
About the Information and Privacy Commissioner
The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, as well as the Personal Health Information Protection Act, which applies to both public and private sector health information custodians. A vital component of the Commissioner's mandate is to help educate the public about access and privacy issues.