This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Audit reveals privacy gaps at federal agencies
Weaknesses in rules for governing voter information could threaten the privacy of Canadians, Privacy Commissioner warns
OTTAWA, February 12, 2009 — Gaps in the way the personal information of Canada’s 23 million registered voters is governed could expose Canadians to serious consequences such as identity theft, the Privacy Commissioner of Canada warns.
“The personal information of Canadian voters is not adequately protected,” Commissioner Jennifer Stoddart said today after presenting an audit report to Parliament. “We’re concerned that voters’ personal information could fall into the wrong hands and be used for illegal activities.”
The Office of the Privacy Commissioner of Canada (OPC) examined Elections Canada, Passport Canada, the Canada Revenue Agency and Service Canada to assess whether these agencies, which operate databases housing vast quantities of personal information, treat the information in a manner that safeguards the privacy of Canadians.
At the same time, the Office of the Auditor General of Canada (OAG) was auditing the same four federal institutions to determine whether they work together to efficiently manage identity information, while respecting legal and policy requirements, and that they collect only the information that is relevant to program needs. The collaboration between the OPC and the OAG represents a historic first.
The OPC found shortcomings in two agencies’ efforts to safeguard the personal information of Canadians. In its examination of Elections Canada, for example, it found that:
- some voter lists simply vanished during elections and by-elections;
- Elections Canada collects too much personal information on voters, including on teenagers too young to vote, and
- Canadians are not fully informed about how their personal information will be used.
“Maintaining full control of electoral documents is a significant challenge,” Commissioner Stoddart said, pointing out that up to 190,000 temporary workers are hired to staff polling stations at elections.
The audit also noted that paper and electronic copies of voter lists are widely circulated to political parties and candidates, who are not covered by the Privacy Act and are therefore not subject to the law’s obligations for protecting privacy.
Political parties and candidates are not obliged to keep track of elections documentation, the audit found, and do not have a formal mechanism to report potential privacy breaches to Elections Canada.
In 2006, the RCMP discovered lists of voter names and addresses at the offices of a Tamil Tiger cell, classed in Canada as a terrorist organization. The documents were allegedly being used to identify potential financial supporters for the Tamil cause.
An earlier and related audit of Canadian passport operations also found some problems in the management of personal information. It found, for example, that passport applications and supporting documents were kept in clear plastic bags on open shelves, documents containing personal information were sometimes tossed into regular garbage and recycling bins, and too many employees had access to computerized passport files.
The audit also concluded there was inadequate privacy training for employees – an issue of concern across government institutions. Some of the findings, which were originally published as part of the OPC’s Annual Report to Parliament last December, are summarized in an appendix to this current report.
The OPC’s audits of the four agencies revealed some problems, but also strengths in the federal government’s personal information management practices.
For instance, the audit of Service Canada, which manages the personal records of everyone who has applied for a Social Insurance Number (SIN), found sound policies to safeguard privacy, but noted they are not always followed in practice.
The Canada Revenue Agency has comprehensive controls, built up over many years throughout the organization, to safeguard the security of taxpayers’ personal information, the audit found. However, the agency did not consider the privacy implications before automatically collecting the SIN information for between six and eight million children. The CRA has indicated that it will review existing policies and procedures with a view toward enhancing the secure treatment of the SINs of children.
In its audit report, the OPC called on the Treasury Board Secretariat to take the lead in strengthening policies and practices throughout the Government of Canada on the collection, management and use of personal information. In particular, the central agency should focus on better employee training, as well as mechanisms to govern the secure and confidential sharing of personal information within government.
The full audit reports are available on the OPC website, www.priv.gc.ca.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
— 30 —
For more information or interview requests, contact:
Office of the Privacy Commissioner of Canada
Tel: (613) 995-0103
Report a problem or mistake on this page
- Date modified: