![Default Article Featured Image_laptop-newspaper-global-article-090623[95].jpg](https://images.contentstack.io/v3/assets/bltd4dd5b2d705252bc/blt61f52659e86e1227/64ff207a8606a815d1c86182/laptop-newspaper-global-article-090623[95].jpg?width=3840&quality=75&format=pjpg&auto=webp)
The privacy and security risks associated with the use of mobile devices such as laptops and USB keys have been well documented. However, occasionally an event occurs that should make all organizations stop and reconsider whether their own privacy and security practices could permit such an event to occur. The loss of two USB keys by Elections Ontario (EO) is such a tale.
In July, EO reported to the Office of the Information and Privacy Commissioner of Ontario (OIPC) that two memory sticks containing the personal information of as many as 2.4 million voters had been discovered missing from an EO warehouse in April of that year. The OIPC conducted an investigation of the practices of EO and issued a report that laid out, in painstaking detail, the shortcomings of EO’s privacy and security policies and practices.
Investigation findings
EO had initiated a project to update the permanent register for electors in Ontario (PREO) and to expedite the process, located the project team in an EO warehouse. The investigation revealed that EO did not take much time to consider the privacy and security implications of moving the team to this facility. For example, warehouse staff not working on the project had keys or the access code to the alarm system of the building; there was no physical separation; i.e., partitions, shielding the team from the warehouse activities; desk drawer keys were either not used or stored insecurely; laptops were not physically secured, and hard drives were not encrypted.
Insufficient thought was given to how data would be securely transferred between the data entry clerks and the team leaders and then between the team leaders and headquarters. Despite the fact that the clear dangers of using USB keys had been identified, a request for two keys was signed off. EO staff were directed to purchase the keys themselves and were informed by technology services as to which keys to purchase, since these keys possessed built-in encryption software; however, the encryption was never turned on. The only direction that staff using the USB keys received was verbal direction from the project manager that the information on the USB key should be encrypted; however, neither the manager nor the staff knew what encryption was, and no training was offered with respect to encryption. At the time of the breach, the director of technology services was not sure who was responsible for ensuring that encryption on mobile devices was in place; he was of the view that the responsibility for implementing the encryption lay with the “business area.”
In assessing EO’s overall management of its privacy program, the OIPC report noted that EO had not appointed a privacy officer; it was clear that there was no “go-to person” who could answer questions about privacy requirements or the implications of particular practices on privacy. Compounding this lack of privacy leadership, EO did not have adequate privacy and security policies in place. While EO had a privacy policy relating to the PREO, there was no agency-wide privacy policy and the PREO privacy policy provided inadequate direction to staff regarding the need to protect the privacy and security of PI. The PREO policy was not translated into procedures which could then be implemented by way of visible actions and the actions of the frontline staff bore no resemblance to the privacy policy. The investigation found that employees’ knowledge of the privacy policy was inconsistent, as several frontline staff were completely unaware of the policy's existence and the privacy policy was not included in the orientation package provided to new employees.
Impact and considerations
While the above situation may seem extreme, it would be a mistake for others to rush to the conclusion the issues identified in the OIPC’s report don’t or couldn’t occur within their organization. When reviewing privacy and security programs, organizations should consider the following:
- Do all employees know the contact information of the chief privacy officer or the designated “go-to” person?
- When creating temporary offsite project teams, is a full assessment of privacy and security undertaken to identify any new risks associated the project?
- Are all employees who are involved in the collection, use and/or disclosure of personal information aware of the organization’s privacy policies?
- Are your organization’s policies supported by operational procedures that guide employees’ actions, or are they really only “window-dressing”?
- Can you confidently affirm that employees are following your policies and procedures?
In summary, organizations should regularly assess their practices to ensure that no unidentified gaps exist and that can it demonstrate compliance with relevant privacy laws.
