The number of Canadians who could be victims of one of the country’s biggest losses of personal data could hit four million, according to a privacy official.
Ann Cavoukian, privacy commissioner for the province of Ontario, said Tuesday that is the number of records that might be compromised in the loss of two USB memory sticks earlier this year by the provincial elections agency.
The initial number of voter names, addresses and dates of birth on the sticks was thought to be 2.6 million. The exact number isn’t known.
In her report on the incident Cavoukian said she was “astounded” and “discouraged” at some of the procedures at Elections Ontario.
Policy called for data put on portable devices to be encrypted. Not only wasn’t that done, after the loss was reported the agency gave staff two more data sticks to use with orders to encrypt data — and again that wasn’t done.
“On what planet do you do the same thing again?” a frustrated Cavoukian asked reporters.
In fact, she added, the staff thought encrypting data meant it was to be zipped, or compressed.
The first set of sticks, used by a team of contract workers updating voters lists in a facility not connected to Elections Ontario’s main servers, went missing in April.
The second set of sticks apparently are safe.
Two persons have been dismissed by the department and the provincial police have opened a criminal investigation.
It isn’t known if the memory keys, which were supposed to be locked up at night, were lost or stolen.
In her report on the incident, Cavoukian also dismissed an initial Elections Ontario report suggesting the odds of someone accessing the disks are report. The agency said someone would either need access to its proprietary software, or be someone highly skilled in the use of specialized software.
But Cavoukian said the data on the disks was in a standard format that could be easily accessed.
She recommends Elections Ontario hire an independent group to audit its privacy policies and procedures to ensure they are ingrained in what the staff does daily. “A policy is not enough sitting on some shelf, not understood, not translated into the day to day steps of your staff,” she said. “It has to be embedded in the operations of your agency.”
She also challenged provincial and municipal governments to ensure this is the last report ever of missing data on portable devices.