Annual Report on the Privacy Act for the period ending March 31, 2016
2. Administration of the Privacy Act
2.1 Education and Training
Privacy training at Elections Canada typically involves educating staff on the principles of the Act; how to securely manage privacy requests and protect personal information. In the 2015–2016 fiscal year, Elections Canada conducted two formal training sessions for six employees on their responsibilities as liaisons between their sector and the ATIP Office. The ATIP Office also raised awareness of privacy issues such as best practices for managing personal information and what to do in the event of a privacy breach, throughout the agency and for field personnel through Elections Canada's intranet sites.
2.2 Institutional Privacy Policies and Procedures
No new institution-specific policies or procedures related to privacy were implemented in this fiscal year. Elections Canada is in the process of developing a new internal privacy framework and policy as well as reviewing its tools in order to improve the management of personal information at the agency.
2.3 Institutional Monitoring of Privacy Requests
The ATIP Office uses its case management software to monitor the status of each request being processed, including the number of days remaining before the statutory deadline. A weekly progress report of all open and recently closed files is regularly provided to senior officials, including the Chief Electoral Officer and the Executive Committee.
2.4 Material Privacy Breaches
A material privacy breach is any unauthorized collection, use, disclosure, retention or disposal of sensitive personal information that could reasonably be expected to cause injury or harm to the individual.
In 2015–2016, Elections Canada notified the Office of the Privacy Commissioner and the Treasury Board of Canada Secretariat of three material privacy breaches.
The first breach involved the theft of an external hard drive in a returning office that contained the personal information of the election workers who worked in the electoral district. The theft was reported to the local police and the agency took immediate steps to enhance the security of election workers' personal information and minimize the risk of a recurrence.
The second breach involved the loss of a document in a returning office that contained the personal information of electoral workers working in the electoral district.
The third breach involved the theft of a briefcase from two targeted revision agents as they were serving electors. The briefcase contained personal information on electors residing in the area that had been targeted for revision. The theft was reported to the local police.
In all three cases, notification and apology letters were sent to the affected individuals. The ATIP Office worked closely with the responsible program areas, senior management and other internal stakeholders to manage the breaches further to Elections Canada's Privacy Breach Protocol.
2.5 Privacy Impact Assessments
Elections Canada consistently conducts privacy impact assessments (PIAs) to address privacy risks in new or existing departmental programs, initiatives or projects that manage personal information.
In 2015–2016, the ATIP Office advised on different internal programs to determine whether a PIA was warranted. One PIA was completed during this reporting period. The purpose of the PIA was to assess the privacy impacts of a new field application called REVISE 3.0, which is used to update elector and poll information during an electoral event.
Elections Canada is in the process of posting the summary of the REVISE PIA on its website at elections.ca.