If you’re wondering how your local Member of Parliament could have remembered to send you a birthday card, boy has Privacy Commissioner Jennifer Stoddard have news for you.
The Office of the Privacy Commissioner of Canada recently audited Elections Canada, Passport Canada, The Canada Revenue Agency as well as Service Canada and found that political parties have nearly unhampered access to the personal information of more than 23 million Canadians and are inadequately privacy policies exposing voters to serious consequences such as identity theft.
This serious lapse in privacy protection came at the heels or reports that the federal government is mulling new legislation aim at increasing police powers to search through private Internet exchanges.
Among the more alarming findings by the OPC were:
• Under existing legislation voter’s personal information are not covered by the Privacy Act and therefore could be released without consent to political parties
• Elections Canada collects far too much personal information, including from teenagers who are not eligible to vote
• Sets of voter’s list in one Toronto riding have actually gone missing and remain unaccounted for and in another case police seized lists of voters names and addresses at the offices of a Tamil Tiger cell
A voters’ list contain a person’s full name, phone number, previous address and current address.
“When you get something as organized and valid such as a voters’ list it’s usually worth a lot of money in the underground economy,” said Stoddard.
“We’re concerned that voters’ personal information fall into the wrong hands and be used for illegal activities,” she added.
The OPC examined Elections Canada, Passport Canada, the Canada Revenue Agency and Service Canada to assess whether these agencies treat the information in a manner that safeguards the privacy of Canadians. The Office of the Auditor General of Canada (OAG) also audited the same four federal institutions to determine whether they work together to efficiently manage identity information, while respecting legal and policy requirements, and that they collect only the information that is relevant to program needs.
Stoddard said the OPC also found out that individuals are not adequately informed about how their personal information is being handled by government agencies.
“For example, many people are not aware that when they fill out their income tax returns there’s a box they should mark if they don’t want Elections Canada to release their personal information. That’s one of the ways personal information goes to political parties,” the commissioner said.
She said her office was prompted to carry out the audit because of the numerous complaints they receive from people who get unsolicited sales calls and junk mail or greeting cards from politicians.
The audit also noted that paper and electronic copies of voter lists are widely circulated to political parties and candidates, who are not covered by the Privacy Act and are therefore not subject to the law’s obligations for protecting privacy or security breach notification laws.
Political parties and candidates are not obliged to keep track of elections documentation, the audit found, and do not have a formal mechanism to report potential privacy breaches to Elections Canada.
“Anyone of the 190,000 temporary workers hired to staff polling stations during elections can have their hands on the voters’ list there’s no control mechanism,” Stoddard explained.
In 2006, the RCMP discovered lists of voter names and addresses at the offices of a Tamil Tiger cell, classed in Canada as a terrorist organization. The documents were allegedly being used to identify potential financial supporters for the Tamil cause, she said.
An earlier and related audit of Canadian passport operations also found some problems in the management of personal information. It found, for example, that passport applications and supporting documents were kept in clear plastic bags on open shelves, documents containing personal information were sometimes tossed into regular garbage and recycling bins, and too many employees had access to computerized passport files.
Back in 2007, the Commission also found that 31 per cent of Canadian businesses are either still in the process of complying with the private sector privacy law or have yet to begin.
The audit also concluded there inadequate privacy training for employees was an issue of concern across government institutions.
For instance, the audit of Service Canada, which manages the personal records of everyone who has applied for a Social Insurance Number (SIN), found sound policies to safeguard privacy, but noted they are not always followed in practice.
The Canada Revenue Agency (CRA) has comprehensive controls, built up over many years throughout the organization, to safeguard the security of taxpayers’ personal information, the audit found. However, the agency did not consider the privacy implications before automatically collecting the SIN information for between six and eight million children.
Stodddard said the CRA has since indicated that it will review existing policies and procedures with a view toward enhancing the secure treatment of the SINs of children.