TORONTO—Greg Essensa, Chief Electoral Officer, announced Tuesday that Elections Ontario has identified a privacy breach that occurred with respect to some Ontario voters’ personal information. This notification applies to approximately 20-25 electoral districts, including Algoma-Manitoulin.
“There is no evidence that copies of personal information on two USB keys have been improperly accessed, however, I want to exercise the greatest degree of caution,” stated Mr. Essensa in a release. “And in consideration of my accountability to the people of Ontario, I am making this notification.”
The information at issue is limited to full name, gender, birth date, address, whether or not an elector voted in the last election and any other personal information updates provided by electors to Elections Ontario during that time, as well as administrative codes used solely for election purposes.
The information does not include how an individual voted. Elections Ontario does not have such information because the voting process guarantees the secrecy of the vote. Nor does the information include social insurance numbers, Ontario health card information, driver’s licence information, telephone numbers, email addresses, credit card or banking information, or any other information provided by voters during the 2011 election to confirm their identity or residence.
The information can only be accessed in an intelligible form by internal Elections Ontario proprietary software or specialized commercial software applications, a release points out.
As a precaution, Elections Ontario recommends that Ontarians in the impacted electoral districts monitor and verify their personal transaction statements from governments, financial institutions, businesses and any other institutions to detect any unusual activity. If any suspicious activities are detected, the public are advised to contact those organizations immediately.
“Elections Ontario has specific policies and processes in place regarding the management and care of personal information that were not followed,” continued Mr. Essensa, “and therefore I cannot confirm the security of the information. For that reason, I am notifying Ontarians.”
Election Ontario policies dictate that USB keys must be password protected and encrypted if they are being used to carry personal information, and that USB keys must be in the custody of Elections Ontario personnel at all times, the release explains. Two USB keys carrying copies of personal information of electors from the 20-25 electoral districts were not encrypted or password protected and cannot be located as they were unsecured.
Elections Ontario personnel were working with copies of personal information from 49 of the 107 electoral districts. Their work was completed on 20-25 of the 49 electoral districts. However, Elections Ontario and external forensic experts cannot confirm which specific 20-25 of the 49 electoral districts are impacted.
“I take this matter extremely seriously,” continued Mr. Essensa. “We have undertaken a rigorous search as well as a full internal investigation to completely review the circumstances. We engaged external counsel, Gowling Lafleur Henderson LLP, to undertake and guide a full investigation supported by Inkster Incorporated, a forensic security specialist firm. Their investigation is still underway. I have reported this matter to the Ontario Provincial Police. The OPP is investigating. I have also asked the office of the Information and Privacy Commissioner of Ontario to assist Elections Ontario in a full review of our privacy policies and procedures and to consult with us in ensuring that this circumstance is not repeated.”
Beginning July 18, an open letter from the Chief Electoral Officer will run in newspapers across the province targeting Ontarians in the 49 electoral districts to notify them further and to recommend what care they should exercise.
As part of its notification, Elections Ontario is also releasing the “Preliminary Report Regarding the Privacy Breach at Elections Ontario,” as prepared by Gowlings. Elections Ontario will also table a comprehensive report to the Legislative Assembly about this matter by year-end, summarizing the outcomes of the Gowlings and Inkster Incorporated investigations, the OPP investigation and the Information and Privacy Commissioner’s review.
Mr. Essensa also announced that he has further directed, in response to the breach, an immediate and comprehensive review of all Elections Ontario policies and procedures related to the privacy, management, protection and custody of personal information including staff orientation, training, management oversight, accountability and audits; an immediate and comprehensive review of Elections Ontario’s technology strategic framework, infrastructure, management policies and oversight. Both activities will be undertaken by external expert resources and will be directly accountable to him.
If you require assistance regarding this notification or to confirm your electoral district, please contact the information line at 1-888-ONT-VOTE (1-888-668-8683), TTY at 1-888-292-2312 or Elections Ontario’s website, www.elections.on.ca. You may also wish to visit the website of the Office of the Information and Privacy Commissioner of Ontario, www.ipc.on.ca, for further information on how to protect your privacy.