Privacy commissioner calls for better training, stricter consequences after breach of Sask. NDP database

CBC

Updated September 22, 2018 at 5:00 a.m.

Woman says childhood sexual trauma details leaked in privacy breach

The Saskatchewan NDP says it has taken steps to contain a privacy breach and improve training for its volunteers, following a privacy commissioner's investigation into a breach of the party's electoral database.

"It is concerning that an individual was able to breach personal data 30 times over a short period of time and that those breaches went undetected," wrote Ronald Kruzeniski, Saskatchewan's information and privacy commissioner, in the Sept. 19 investigation report.

"This case may highlight the need for all political parties to do more to prevent privacy breaches and to detect them when they do occur."

The NDP said in January that it had launched its own investigation into the alleged breach following a complaint, and later found a volunteer inappropriately accessed information from the party's database system, Populus.

However, Kruzeniski said the Opposition NDP is not a government institution, and that his office did not have jurisdiction over political parties.

Instead, the privacy commissioner made some recommendations for political parties around privacy, including better training for volunteers, logs of user activity, and stricter consequences for volunteers who inappropriately access personal data.

The NDP said it suspended the volunteer's access rights to the database after the complaint surfaced.

However, the privacy commissioner said the volunteer had retrieved the contact details of 12 other people in addition to the complainant. He noted the NDP did not notify those other people about the privacy breach.

The breach would have included voter data such as the person's name, address, gender, occupation and contact details.

"In my view, personal data in the possession of political parties is sensitive data that could be used to cause harm to individuals," Kruzeniski wrote, adding that people should be notified when their privacy has been breached.

Changes have been made: NDP

The party's provincial secretary, John Tzupa, said the NDP had informed the people affected about the breach over the past week.

He said the party has also strengthened its privacy training for volunteers and staff, including offering more rigorous training, and requiring them to sign a confidentiality agreement before providing them access to databases.

The party is also keeping logs of user activity and working to implement checks of that activity, he said.

"We take the protection of people's privacy incredibly seriously, and we are constantly trying to improve, and we have taken several steps this year," said Tzupa.