The City of Hamilton is apologizing to several residents for an information breach that exposed the personal information of delegates who registered for public meetings over the past year.
City Manager Marnie Cluckie says they have reached out to Ontario’s Information and Privacy Commissioner after learning some 59 persons may have had addresses and phone numbers unmasked.
“So the city … was notified of the privacy breach on Tuesday … and very regrettably, email addresses, residential addresses and telephone numbers of individuals who had registered for public delegations for GIC were available for public view,” Cluckie explained.
In a release, the city said 32 delegates to a Jan. 16 public meeting were affected as were some 27 select individuals between the start and end of 2023.
Cluckie said the personal data was improperly inputted via software not compatible with eScribe — an online minutes tool where council meeting agendas and reports are stored.
“So the city uses Adobe, but in this circumstance, staff used functions in Microsoft Word,” she said.
“Unfortunately that redaction didn’t work properly.”
The records in question have since been reposted without personal information and measures have been taken to “prevent similar incidents in the future,” according to the city manager.
Technology analyst and journalist Carmi Levy says without seeing the original documents in question it’s hard to tell exactly what happened, but he believes it’s likely connected with privacy policies that had not been monitored for compliance.
“Registering as a delegate to a meeting, you provide certain identifying information to confirm that it is in fact, you,” Levi explained.
“Then there are processes in place, or at least that are supposed to be, using certain tools to make sure that that private information does not get leaked to the public.”
Levy says when used correctly, the Canadian-based eScribe software allows users to redact certain pieces of information so documentation can be shared with the public openly.
He suggests the city of Hamilton’s problem was “human error” and could be the result of a flawed system that may have been exposed over a year.
“The process to do so is relatively straightforward,” he said.
“What seems to have sort of gone wrong here is there was some question as to which pieces of data, what categories of data, should have been redacted, and what categories of data should have been shared with the public.”
Having an email address “out there” makes it easier for scammers to harvest information and potentially use it against the owner, according to Levy.
“That information, in concert with other pieces of information, may have been shared on social media or other publicly accessible resources that could get you into trouble,” he suggested.
Cluckie characterized the breaches as “deeply concerning” saying it underscores how important it is to have “robust privacy protection measures” in place.
“We’re going to identify areas for improvement, and then implement comprehensive measures that strengthen our practices because we have to be committed to diligence and accountability on this front,” said Cluckie.
“People are counting on us and we absolutely cannot let them down.”
Individuals who wish to complain can direct queries to the Information and Privacy Commissioner of Ontario.