Wollaston Township Reeve Barb Shaw says copies of the 2018 municipal election voters list along with charts of eligible voters at Red Eagle and Bear Ridge campgrounds were part of a data breach.
“Besides stakeholder emails being shared, and the voter’s list, legal documents were disclosed, closed session information was shared along with details on taxes, property values, and personal information pulled from our tax rolls,” Shaw says. “While staff did complete some Freedom of Information requests using the prescribed framework, it appears that certain members of our community were receiving information in a way that contravened (Municipal Freedom of Information and Protection of Privacy Act).”
The audit suggests that information and documents were released to individuals involved in legal challenges against the municipality and also that copies of leases were collected and held during the 2018 election.
“I don’t know what has happened with the information,” Shaw tells the MyBancroftNow.com newsroom. She says announcements will be made as they continue with their internal audit and finding out more about the situation.
Shaw explains the situation started in June 2019. “A complaint filed with the Municipal Integrity Commissioner included a package of emails that had been released by the municipality without following the process outlined in the Municipal Freedom of Information Protection of Privacy Act,” she says. A complaint was filed against Wollaston through the Information and Privacy Commissioner of Ontario because of that.
A related Freedom of Information request is what ended up revealing the breach. Shaw states that municipal staff sent an electronic copy of the municipal voter’s list to a shared, personal Hotmail account during the 2018 election. “This discovery was self-reported, by the Township, to the IPC, as required,” Shaw says.
Shaw notes that since Wollaston’s current council was sworn-in in 2019, “most” of the municipality’s senior staff has been replaced over the past year, but did not comment on any specific staffing changes in relation to this data breach. “Our duty is to report what has happened and try to get to the bottom of it,” she says.
“Wollaston Township has worked to contact those community members who were the recipients of the documents that were released but to date, they are not responding to our inquiries and as a result, we are now required to proceed with legal assistance,” Shaw says. “This breach is extensive and impacts anyone that was on the last voter’s list because names and addresses were released,” she continues. “The released list also includes data on anyone who had returned ballots before October 16, 2018.”
She continues that the municipality has been working with the IPC to understand the extent of the privacy breach. “It is our responsibility to determine why information has been released, where it was released to, who shared it, who has copies, and we are also responsible for determining if this was a systemic practice,” Shaw says. She adds that the IPC encouraged an audit of staff emails and files to determine if this is a regular practice and the preliminary findings are “concerning.”
Shaw says the municipality will continue to work with the IPC to complete its audit. They will also work to develop and implement training so that a situation like this does not happen again in the future. “This was an upsetting discovery and the process is a difficult one to be navigating,” Shaw says. “All stakeholders have the right to fair and equitable treatment by municipal staff and breaches of this nature are unsettling and unfortunately, they leave more questions than answers.” Shaw says training will be key in this. “We all need to understand that when we are collecting information about our residents and ratepayers we need to manage that responsibly,” she says.
Shaw asks any members of the community to reach out to the municipality if they believe they have gotten any personal information from them that was not the result of a Freedom of Information request.