Elections Canada may be exposing voters to ID theft: privacy commissioner

Canadian voters are at risk of identity theft because of voters lists that go missing and are circulated widely among political parties, says Canada's privacy commissioner.

"The personal information of Canadian voters is not adequately protected," commissioner Jennifer Stoddart said Thursday in a statement after presenting a report to Parliament highlighting the issue. "We're concerned that voters' personal information could fall into the wrong hands and be used for illegal activities."

Stoddart and Auditor General Sheila Fraser collaborated on two reports that looked into the practices of four federal agencies that collect personal information such as birthdates and addresses:

• Canada Revenue Agency.
• Elections Canada.
• Passport Canada.
• Service Canada.

They found that in the case of Elections Canada:

• At least one per cent of voters lists have gone missing during elections and byelections.
• Elections Canada collects too much personal information on Canadians, including some teenagers too young to vote.  
• Paper and electronic copies of voter lists are widely circulated to political parties and candidates, who aren't covered by the same privacy laws that federal employees have to abide by. Stoddart said that is a notable gap in Canada's privacy legislation.
• Such parties don't have a formal way to report privacy breaches to Elections Canada.
• Canadians aren't fully informed about how their personal information will be used.

Stoddart cited one example from 2006, when RCMP discovered lists of voters' names and addresses at an office belonging to the Tamil Tigers, classed in Canada as a terrorist organization, which was allegedly using them to find people who might help them financially.

"When you get something as reliable, as organized, as a voters list in the wrong hands, this is arguably worth a lot of money in the underground economy," Stoddart told reporters at a news conference.

She acknowledged that keeping track of the lists is a challenge, given that 190,000 temporary workers are hired during elections and laws governing elections require the distribution of voter information.

But she suggested that Elections Canada:

• Boost its privacy training.
• Develop a system for reporting data breaches.

She said it would also be "good practice" for political parties, MPs, and candidates to report losses or inappropriate use of the electoral lists to Elections Canada, even though they are not required to do so. 

Elections Canada will purge minors' data

Fraser presented her own report on whether the departments examined by Stoddart work together to manage the information efficiently in accordance with the law and collect only information that is relevant to delivering their programs.

She found that Elections Canada currently holds identity information on about 104,000 Canadians under the age of 18, even though it is not authorized to do so because they are too young to vote.

That is because it gets data from provincial and territorial driver's licence registries.

In response to the findings of the audit, Elections Canada said it will purge its database of information on Canadians under 18 and will ask suppliers to provide only information about adults.

However, the report found that for the most part, Elections Canada and the three other institutions audited collect only the information they are authorized to collect.

Data gathering incomplete or duplicated

Other findings in Fraser's report included:

• Federal departments have no national framework that allows them to work together in managing personal information. That has resulted in duplication, repeated consideration of the same problems and incomplete solutions to problems.
• Even though there have been electronic links between federal departments and provincial governments for 10 years, only some information is being collected electronically. That means some individual federal organizations have separate agreements with provinces and territories to obtain and pay for information about people who have died, and then sometimes exchange information with each other about the same people.

Fraser said the Treasury Board of Canada Secretariat needs to address the issues by providing clearer leadership in this area.

Overall, Stoddart said the government needs to strengthen privacy training for its employees. With regard to the other departments in the audit, Stoddart found:

• Service Canada has good policies to protect privacy, but doesn't always follow them.
• Canada Revenue Agency did not consider the privacy implications before automatically collecting social insurance numbers for between six and eight million children.

She noted that an earlier audit found Passport Canada also had some questionable personal data management practices. For example, it kept applications in clear plastic bags and sometimes threw out personal information with regular garbage and recycling.

The privacy commissioner’s mandate is to oversee compliance with laws governing the handling of personal information by federal government departments and the private sector, while the auditor general’s mandate is to hold the federal government accountable for its spending of public funds.