Privacy breach shows personal info at risk

Last week, Elections Ontario announced two USB keys containing personal data for 2.4 million people had been lost due to employee negligence.
While it’s good news that data from Kenora-Rainy River was not one of the 20-25 ridings involved, it shows that not enough is being done by the government to protect this very private and confidential information.
In this case, the private information of these individuals, including their name, address, gender, and birth date, were stolen. In the wrong hands, just having a person’s name, address, and birth date could be enough to seriously compromise that individual’s safety through identity fraud or any other means of misuse.
What’s worse is that there’s no telling when and how this information will be used for nefarious purposes, or if it ever will be.
For the individuals affected, it is a truly frightening situation.
During an election, only Elections Ontario officials and registered candidates are permitted access to the voters’ list, which includes only the names, addresses, and voter sequence numbers of most individuals who are eligible to vote in their riding.
Even then, sensitive information such as a person’s birth date is not disclosed. In fact, the information provided to registered candidates is not much more than one can find in the telephone book—and is standard across many jurisdictions.
My primary concern lies not with the controls that are in place to distribute or store this sensitive information, but that the controls were not followed. Elections Ontario has procedures in place that require this information to be stored on password-protected USB sticks, which, in turn, are stored in restricted areas.
Neither of these procedures were followed.
Personal privacy has been in the news a great deal recently, yet I worry that the government is not taking this as seriously as it should.
Earlier this year, I raised concerns relating to the privacy of personal information collected by the Ministry of Natural Resources and stored in the United States. At that time, I expressed concerns that under the Patriot Act, the U.S. government can access that data without permission or notice.
What’s even more concerning is that if this government moves forward with its plans to privatize other services, such as ServiceOntario or the Registrar General’s office, some of our most sensitive personal information, including that contained on our driver’s licences, birth and death certificates (including one’s current mailing address), and OHIP data also could be in jeopardy.
Because if privatized, the delivery of these services also would be subject to the rules of the North America Free Trade Agreement (NAFTA), which force governments to choose the lowest bidder in Canada, the U.S., or Mexico regardless of location or privacy concerns.
This latest incident with Elections Ontario shows us the gaps that can occur even when not-for-profit government organizations are charged with protecting our privacy.
What happens when it is left to a private entity, whose primary concern is generating a profit and who may not even be subject to our laws?