Guidelines for Use of the Lists of Electors
IV. Security of Personal Information
Authorized recipients of the lists of electors should take reasonable precautions to protect the security and confidentiality of the personal information of Canadian electors. The safeguards listed below will assist them in ensuring effective protection and management of the lists of electors.
Safeguards may include the following:
- Administrative measures: procedures to protect the privacy and security of personal information, staff training on privacy, and limiting access to information on a "need to know" basis and according to the reliability status of the employees who have access to it.
- Technical measures: strong passwords, audit trails, encryption, firewalls and other technical security safeguards to minimize the risk of unauthorized individuals accessing personal information.
- Physical measures: restricted access to areas where information is stored.
The following safeguards are provided as guidance. Authorized recipients may see fit to adopt other forms of safeguards that protect the confidentiality and security of the lists of electors.
a) Administrative Measures
It is recommended that privacy procedures be implemented and that the authorized recipients appoint a person who will be responsible for implementing privacy safeguards.
This person should be responsible for the following:
- designing and implementing specific protocols regarding the use, safeguarding and disposal of the lists of electors (see section VI on best practices for disposal)
- responding to questions concerning the authorized use of the lists of electors
- controlling access to the lists
- communicating these guidelines to any persons who have been given access to the lists of electors
Training sessions regarding the authorized use of the lists of electors should be provided to all persons who will have access to the lists to ensure that they understand the importance of protecting the privacy of information.
Authorized recipients may also consider implementing the following additional administrative measures:
- The lists of electors should be provided only on a "need to know" basis—that is, only to people who need to communicate with electors and constituents on behalf of the authorized recipients. Strictly limiting the number of people who have access to the lists of electors greatly reduces the chances of a privacy breach.
- If a person can perform their functions effectively with a paper copy of the lists, provide only a paper copy and not an electronic copy.
- Obtain a declaration from each person who will have access to the lists of electors. The declaration should include the following concepts:
  - understanding of the limits on use and disclosure of the lists
  - understanding of the importance of protecting the personal information contained in the lists
  - undertaking to protect the security and confidentiality of the personal information contained in the lists of electors
  - undertaking to use the lists only for the purposes authorized by the CEA
  - undertaking to return the lists of electors upon completion of the task for which the lists were provided
Attached to these guidelines as annexes A, B and C are sample declaration forms that may be used by authorized recipients.
b) Technical and Physical Measures
Authorized recipients should also implement technical and physical measures to protect the security and confidentiality of the lists of electors, whether in paper or electronic format. The lists of electors should be kept in a secure and restricted area when not in use, such as a locked filing cabinet. The electronic copy of the lists of electors should be stored on a secure, password-protected computer. Passwords and keys to the area where lists of electors are stored should be strictly controlled by the person responsible for safeguards.