Last month, Elections Ontario, which oversees voter registration for the province, admitted that election officials had lost two unencrypted USB keys containing voters’ full names, addresses, gender, and birth dates; whether they voted in the last provincial election; other personal updates provided to the agency; and administrative codes used for election purposes.
Elections Ontario did not initially provide estimates of the number of voters affected, but the province’s privacy commissioner, Ann Cavoukian, said the number could be as high as four million because the election body could not identify which of the 20 to 25 electoral districts out of a total of 49 were involved.
In a scathing report released on Tuesday, the privacy commissioner chastised Elections Ontario for failing to “systematically address privacy and security issues”, particularly the failure to encrypt data on the USB keys, which were used to transfer data to an off-site location.
“I am astounded at the failure of senior staff to address the security and technological challenges posed by the decision to locate the project off-site”, said Cavoukian. “Ultimately, at the root of the problems uncovered in the course of my investigation was a failure to build privacy into the routine information management practices of the agency.”
A spokeswoman for Elections Ontario told the Globe and Mail newspaper that the agency is reviewing the privacy commissioner’s report and will address changes by the end of the year, once all investigations are complete.