Guidelines for Electoral Products

Office of the Chief Electoral Officer

Elections Ontario

October 19, 2021

Document History

Table of Contents

Document History

Section 1: Introduction

Section 2: Requirement for Access to List Products

2.1 Privacy Policy Filing Requirement

Table 1: Filing Requirements Annual Release

Table 2: Filing Requirements During Electoral Events

Section 3: Requirements for the Use of List Products

Table 3: Filing Requirements for Acknowledgedment Form 8 Table 4: Filing Requirements for the Distribution Tracking Form

Table 4: Filing Requirements for the Distribution Tracking Forms

3.1 List Products Reproduction Restrictions

3.2 Authorized and Prohibited Use of List Products

Table 5: Authorized Use of List Products

Section 4: Requirements of the Use of Digital Acknowledgements

Section 5: Requirements for the Secure Destruction of List Products

Section 6: Privacy and Security Best Practices

Section 7: Requirements for Breach Management

Appendix A: Privacy Policy Acceptance Criteria

Section 1: Scope of Policy

Section 2: Restriction of Use

Section 3: Privacy Requirements

3.1 Implementation and Enforcement of Privacy Controls

3.2 Disposition Protocol for List Products

3.3 Training on Privacy Controls

3.4 Breach Management

Section 4: Roles and Responsibilities

Section 5: Privacy Policy Approval

Appendix B: Acknowledgement for the List of Electors (F0101)

Appendix C: Distribution of List of Electors (F0315)12

Appendix D: Annual Update Distribution Tracking for Political Parties

Appendix E: Annual Update Distribution Tracking for MPPs

Appendix F: Distribution of List Products Overview

Guidelines for the Use of Electoral Products

Section 1: Introduction

The Election Act requires the Chief Electoral Officer to establish and maintain a “Permanent Register of Electors for Ontario” (Permanent Register or “PREO”) and a Register of Absentee Electors (Absentee Register), and to make available the personal information of electors contained in these two registers to Political Entities (specifically registered political parties, candidates, members of the Legislative Assembly and municipal clerks).

The purpose of these Guidelines is to provide Political Entities with the requirements in the Election Act and the privacy requirements for access to, and use of, electors’ personal information that is received from Elections Ontario. In the event of a conflict, inconsistency or a discrepancy between the Election Act and these Guidelines, the provisions in the Election Act shall be regarded as paramount and the governing law.

These Guidelines are applicable to the following electoral products:

1. List Products refers to any list containing electors’ personal information, such as:
   • The Annual Update: refers to a yearly update to the Permanent Register and Absentee Register, and subsequent lists of electors provided to political entities at the end of each calendar year.
   • Lists with Elector Information: refers to any list created from the Permanent Register and Absentee Register provided to political entities during an electoral event.
2. Geographical Products: refers to all maps and polling division information provided during an electoral event.

Where the Chief Electoral Officer or Returning Officer is required to provide List Products to Political Entities, only the following information will be provided (unless the Election Act specifically states otherwise) from the Permanent and Absentee Registers:

• Permanent Register: contains the personal information of electors, including names, unique identifiers, residential and mailing addresses.
• Absentee Register: contains the personal information of electors, including names and unique identifiers.

Registered Political Parties and candidates can choose to not receive the List Products and geographical products from Elections Ontario by not submitting a request. Elections Ontario will continue to provide List Products to Political Entities that meet the requirements for access outlined in the Election Act and these Guidelines.

The Chief Electoral Officer may, on the written request of an elector, redact from all lists provided to Political Entities, any information that the Chief Electoral Officer reasonably believes would, if made available, endanger the life, health, or security of the electors.

For additional information on these Guidelines, please contact Elections Ontario’s Privacy Office.

Section 2: Requirement for Access to List Products

In accordance with the Election Act under Section 17.6(2), the Chief Electoral Officer has the right to refuse disclosure of List Products to Political Entities that do not submit a privacy policy, or whose privacy policy does not comply with the requirements stated in these Guidelines and in the Election Act. Political Entities must develop and implement an acceptable privacy policy to ensure its candidates, Members of the Legislative Assembly, employees, volunteers and agents comply with the restrictions on the use of information extracted from the Permanent Register and Absentee Register under Section 17.4(1) of the Election Act and these Guidelines. List Products for electoral events will be made available following the issuance of a Writ for a by-election or general election.

Appendix A outlines the minimum criteria that must be included in a privacy policy submitted by Political Entities to the Chief Electoral Officer should they request access to list products containing electors’ personal information. Political Entities that do not file a privacy policy will only be entitled to receive Geographical Products during an electoral event.

2.1 Privacy Policy Filing Requirement

Elections Ontario maintains privacy policy filing requirements in accordance with both annual release schedules and electoral event calendars. All privacy policy submissions are reviewed by Elections Ontario. Political Entities will be contacted if additional information is required. A privacy policy submitted for the Annual Release is valid for a 12-month period. The filed privacy policy will apply for any electoral event that falls within a 12-month period unless the Political Entity notifies Elections Ontario in writing of changes to the privacy policy and/or leadership. Political Entities that register after the Annual Release are required to submit a privacy policy after they receive the Confirmation of Registration Notice and are eligible to receive the Annual Release within 30 days after Elections Ontario has approved their privacy policy. List Products for electoral events are made available either electronically or in printed format following the issuance of a Writ for a by-election or general election.

Table 1: Filing Requirements to Receive and Access the Annual Release

Table 2: Filing Requirements to Receive and Access Lists of Electors During Electoral Events

Section 3: Requirements for the Use of List Products

Under Section 17.4 of the Election Act, Political Entities are only permitted to use list products containing electors’ personal information for electoral purposes and not for commercial purposes.

Acknowledgement for the List of Electors and Distribution Tracking Requirements

Political Entities and persons may only request List Products upon completing and filing an Acknowledgment for the List of Electors (F0101 Form) with Elections Ontario whereby persons are only authorized to receive list products upon verifying that the individual:

• Understands List Products can only be used for electoral purposes and not commercial purposes.
• Understands the importance of protecting electors’ personal information contained in list products.
• Understands safeguard measures to protect electors’ personal information and confirms compliance with privacy policies.
• Confirms compliance to securely destroy List Products obtained for electoral usage purposes.

Table 3: Filing Requirements for the Acknowledgment for the List of Electors Form

Appendix B provides a sample of the Acknowledgement for the List of Electors (F0101 Form) that must be submitted to Elections Ontario.

A distribution tracking record must be maintained and completed for all list products distributed during an electoral event and for the Annual Update. The record must include all persons who have received extracts from the list products.

Table 4: Filing Requirements for the Distribution Tracking Forms

Appendix C provides a sample of the Distribution of List of Electors (F0315 Form) to be maintained during electoral events by Political Parties and Candidates, and for Annual Updates by Political Parties and MPPs.

Appendix D and E provides a sample of the Distribution Tracking Record to be maintained by Political Parties and MPPs when receiving list products for Register Annual Updates.

3.1 List Product Reproduction Restrictions

Under Section 17.4(3) of the Election Act, no person or Political Entity may reproduce, store, or transmit any part of the information obtained electronically from the Permanent and/or Absentee Registers (including the lists of electors) for any purpose except as follows:

• Registered Political Parties and Members of the Legislative Assembly who receive an Annual Release Update of the Permanent and Absentee Registers for Ontario as per Section 17.1(3)(1)(i) or (ii).
• Update for a specific electoral district as per Section 17.1(3)(2).
• An individual or entity who receives the information from the Registered Political Party or Member of the Legislative Assembly, so long as that person or entity signs a written or digital acknowledgment that they are bound to the restrictions in the Election Act, i.e. information can be used for electoral purposes only and not for commercial purposes as per Section 17.4(4)(b).

3.2 Authorized and Prohibited Use of List Products

The Election Act requires any person or Political Entities who receive and examine the lists of electors in any format (e.g. printed, electronic format or on data storage devices and applications) to adhere to restrictions on the use of electors’ personal information, i.e. for electoral purposes only. It is an offence under the Election Act to use electors’ personal information for commercial purposes as per Section 17(4)(1). Unauthorized use is punishable by a fine, as stipulated in Section 97. A full list providing an overview of the distribution of list products is detailed in Appendix F.

Table 5: Authorized Use of List Products

Section 4: Requirements of the Use of Digital Acknowledgements

Political Entities developing digital applications for recipients to access List Products are permitted to administer digital acknowledgements. The digital acknowledgment must include a Terms of Use on an entry page prior to accessing the application. The Terms of Use statement must state the following:

Please read the following statements carefully, then acknowledge that you have understood and accept them by providing the information requested at the bottom of the page. Please note that an eSignature is the equivalent of a handwritten signature. This application includes information obtained from the Permanent Register of Electors for Ontario and Absentee Register. In accordance with Section 17.4 of the Election Act, I acknowledge the following regarding the information I obtain, directly or indirectly, from the Permanent Register, or from a list of electors prepared from the Permanent Register and/or Absentee Register, whether the information obtained is in printed or electronic format, or examined in either format without obtaining a copy:

• I will only use it for electoral purposes and will not use it for commercial purposes.
• I will only disclose it to others after obtaining their written acknowledgement that they are bound by the restrictions in the subsection.
• I have read and will comply with the privacy policy developed by my Political Party and approved by Elections Ontario.
• I will comply with Elections Ontario’s Guidelines for the Use of Electoral Products (available at elections.on.ca).
• I will securely destroy the List Products on completion of the activities for which I received them.

Do not e-Sign until you have read and understood the statements above and the documents referred to in the statement. By providing my eSignature below, I certify that I have read, fully understand, and accept all the terms of the preceding statements.

eSignature: * Please enter your full name in lieu of a handwritten signature.

The “Accept” button should not work without text entered here. Please press “Cancel” if you don’t agree or need to first review the relevant policies and Guidelines; or “Accept” to continue.

In addition to obtaining digital acknowledgements, the digital application must collect user information required, and as mentioned, maintain a Distribution Tracking Record of all recipients who have been given access to electors’ personal information, whether in its entirety or portions/copies of List Products.

Section 5: Requirements for the Secure Destruction of List Products

Political Entities who receive electronic and paper copies of List Products are required to securely destroy or permanently delete copies immediately after integrating them into the Political Entity’s database. The secure destruction requirements do not require political entities to dispose of elector information that has been integrated into databases created for electoral purposes, provided that Political Entities comply with the restriction on the use of elector information under Section 17.4(1) of the Election Act. The database servers used to store electors’ personal information must not be hosted outside of Canada.

A secure shredding service provider may be procured to securely destroy lists containing electors’ personal information; however, Political Entities are responsible for specifying how the destruction is to be accomplished, under what conditions and by whom. All Political Entities must create or obtain from the service provider a certificate of destruction that documents the following:

• Records and/or list products that are being destroyed.
• Date, time, and location of destruction.
• Method of destruction.
• Name and signature of the individual responsible for destruction or the operator.

The following provides the requirements for Political Entities on how to dispose of electors’ personal information in a safe and secure manner:

• Methods used must ensure that personal records cannot be reconstructed.
• Electronic data must be permanently erased using methods that prevent the restoration of such data.
• Data erasure software must conform to the standard set by the Communication Security Establishment Canada wiping method.
• Destruction of printed copies of documents means cross-cut shredding, not continuous (single strip).
• All decommissioned electronic media that was used to store elector data must be permanently erased.

Political Entities must return electoral products to Elections Ontario if they are unable to destroy the products. For additional questions on the secure destruction of electoral products, please contact Elections Ontario.

If a Member of the Legislative Assembly resigns or has forfeited the office to which they were elected or ceases to be a member of a Political Party and becomes an independent Member of the Legislative Assembly, the Member must either destroy and/or return all documents containing electors’ personal information and election-related information to the Chief Electoral Officer within 30 days of their resignation or removal.

Section 6: Privacy and Security Best Practices

All Political Entities are responsible for preventing unauthorized persons from accessing electors’ personal information, including taking reasonable steps to protect the security and confidentiality of the information during its use, storage, transfer, and destruction.

To effectively prevent unauthorized use and access of electors’ personal information, Political Entities should implement the following best practices:

Chief Privacy Officer

• Appoint a Chief Privacy Officer who is responsible for safeguarding electoral products, communicating these Guidelines to persons who are given access to electors’ personal information, developing, and implementing privacy policies, and answering questions about the Political Entity’s use of list products.
• Elections Ontario must be notified once the person no longer holds the title and an updated privacy policy must be submitted.

Access to Electors’ Personal Information

• Limit the number of people who have access to electoral products to reduce the chances of a privacy breach.
• Only authorized employees, volunteers and/or agents of Political Entities who require access to electors’ personal information should be provided with secure access to the Political Entity’s database.
• Ensure that all individuals who are given access to electors’ personal information understand the importance of protecting the privacy of electors’ information.
• Obtain from each individual an acknowledgement that the individual will abide by the restrictions on the use of electors’ personal information (see sample in Appendix B).

Password and Keys

• Passwords and keys should be strictly controlled by the person responsible for privacy safeguards.
• Individual and unique passwords should be provided to authorized employees, volunteers and/or agents of Political Entities who require access to electors’ personal information on the entity’s database.
• Passwords must be kept confidential by each user and must be sufficiently complex.
• Passwords should be encrypted in transmission, and where passwords must be stored, they must also be encrypted in storage.
• Encryption of stored passwords should ensure that both the password, and any information describing the use or systems to which the password corresponds, are both encrypted.

Electronic Record

• Electronic records containing electors’ personal information must be stored and encrypted on password-protected data storage devices and applications or removable drives, rather than on the hard drive of a laptop or home computer.

Laptops and Home Computers

• Access to laptops and home computers must be password-controlled, and any data on the hard drive must be encrypted and stored in a secure location.
• Safeguards such as anti-virus software and personal firewalls could also be installed.
• Password enabled screen lock must be activated on laptops and home computers that are temporarily unattended.

Emails

• When working at home or other locations outside the office, employees, volunteers and/or agents should avoid sending electors’ personal information by e-mail.
• If personal information must be sent by email, the email must be encrypted, including any file attachments.

Paper Records

• Paper records should be kept in locked filing cabinets when not in use.
• While in transit, paper records must be securely packaged and sealed while in the possession of the employees, volunteers and/or agents of the Political Entity.
• If used at home, records must be accessible only by employees, volunteers and/or agents of the Political Entity.
• Where photocopies of List Products are required, photocopy machines must not be left unattended while conducting the task.

Removing Records from the Office

• Original documents must be securely stored and should remain in the office. Employees, volunteers and/or agents of the Political Entity must obtain the necessary approvals to remove documents from the office, and a record of the information removed and by whom must be kept.

Public Transit and Other Public Spaces

• Electors’ personal information, whether in printed or electronic format, must never be accessed by employees, volunteers and/or agents of the Political Entity while travelling on public transportation or in other public spaces.

Section 7: Requirements for Breach Management

A privacy breach is an incident where an electors’ personal information is collected, used, disclosed, retained, or disposed of in ways that do not comply with applicable legislation (e.g. Election Act and Election Finances Act), privacy policies and procedures. Privacy breaches include, but are not limited to:

• Unauthorized access, modification or copying of an electors’ personal information.
• Loss or theft of an electors’ personal information in the custody and control of the Political Entity, held in any format.

Privacy breaches may be unintentional or deliberate. A privacy breach may involve aggregate or de-identified information if it is reasonably foreseeable that it may be used, either alone or with other available information, to re-identify an individual. A suspected privacy breach occurs where it is reasonable to believe that a privacy breach, as defined above, has occurred.

The actual or suspected unauthorized access, loss or theft of documents containing electors’ personal information is a privacy breach and should be dealt with quickly and effectively. While each incident will require a unique approach, it is recommended that the Chief Privacy Officer follow these general steps:

• Immediately notify the Chief Electoral Officer at Elections Ontario of the breach and steps being taken to contain/mitigate the breach by emailing priv@elections.on.ca.
• Contain the breach, identify its source, and mitigate the harm resulting from the breach.
• Document the circumstances that led to the incident and/or contact the police authorities.
• Review and update the Political Entity’s internal policies, processes, and procedures to prevent future incidents.

Appendix A: Privacy Policy Acceptance Criteria

Section 17.6 of the Election Act requires political entities who wish to access electors’ personal information held by Elections Ontario to develop and implement a privacy policy. This privacy policy must be submitted to Elections Ontario in advance of requesting access to List Products from the Permanent and Absentee Registers.

The requirements noted below outline the minimum acceptance criteria for a privacy policy submitted to Elections Ontario. All privacy policies submitted to, and accepted by, Elections Ontario must also be published on the Political Entity’s public website within 30 days of receiving an acceptance confirmation from Elections Ontario.

Elections Ontario reserves the right to audit the privacy practices of Political Entities who have submitted an accepted privacy policy to ensure that Political Entities are adhering to the terms of their privacy policies. Section 17.6(3) of the Election Act permits Elections Ontario to publish online any discrepancies between a Political Entity’s privacy policy.

Section 1: Scope of Policy

This section must contain a statement indicating to whom the policy applies and to what the policy applies (i.e. all List Products provided by Elections Ontario).

Section 2: Restriction on Use

This section must contain information on how Political Entities will ensure their employees, volunteers and/or agents will comply with the restrictions on the use of list products under Section 17.4 of the Election Act, i.e. that the information will be used for electoral purposes only and cannot be used for commercial purposes. This section must also identify:

• Authorized use of elector information (e.g. communicating with voters, soliciting campaign support, recruiting party members).
• Measures implemented to track the distribution of List Products and administer the written and/or digital acknowledgement forms as mandated by Section 17.4 of the Election Act.

Section 3: Privacy Requirements

3.1 Implementation and Enforcement of Privacy Controls

Indicate all security measures implemented to ensure that all representatives of the Political Entity remain in compliance with the privacy requirements in the Election Act, these Guidelines and the Political Entity’s privacy policy.

Security measures include safeguards implemented to protect electors’ personal information received in printed format and electronically. Security measures must cover the following categories:

Administrative controls

Procedures to protect the privacy and security of electors’ personal information, limiting access to information strictly on a “need to know” basis and the reliability of individuals having access to the electors’ personal information, and designating a person who will be responsible for implementing privacy safeguards.

Technical controls

Passwords, audit trails, encryption, firewalls, and other technical security safeguards to minimize the risk of unauthorized individuals accessing electors’ personal information.

Physical controls

Procedures that restrict access to areas where electors’ personal information is stored.

3.2 Disposition Protocol for List Products

Provide information on the protocols implemented to ensure compliance with the Secure Destruction of List Products when no longer required for electoral purposes. Disposition protocols must comply with these Guidelines.

3.3 Training on Privacy Controls

Provide information on the training provided to representatives of the Political Entity to ensure awareness and compliance with privacy safeguards and controls.

3.4 Breach Management

Provide details on internal processes implemented to mitigate and address accidental or unauthorized access, disclosure, use, modification, and disposal of electors’ personal information; and outline breach management processes, including contacting the Chief Electoral Officer in the case of loss or theft of, or unauthorized access to, electors’ personal information.

Section 4: Roles and Responsibilities

This section must contain information regarding:

• Responsibilities of the Political Entity’s Chief Privacy Officer as they relate to safeguarding electors’ personal information against accidental or unauthorized access, disclosure, use, modification, and disposal. Responsibilities must include complying with all filing requirements under these Guidelines.
• The Political Entity’s designated Chief Privacy Officer is responsible for the overall implementation and enforcement of the privacy policy, and must be the signatory on the privacy policy.
• Identify the privacy responsibilities of all representatives of the Political Entities, including Political Parties, candidates, and Members of the Legislative Assembly, employees, volunteers, and/or agents.

Section 5: Privacy Policy Approval

This section must contain the following information:

• The effective date of the privacy policy.
• The name and signature of the Political Entity’s Chief Privacy Officer.
• The date the Chief Privacy Officer signed the privacy policy.

Appendix B: Acknowledgment for the List of Electors (F0101)

Appendix C: Distribution of List of Electors (F0315)

Appendix D: Sample Register Annual Update Distribution Tracking for Political Parties

Appendix E: Sample Register Annual Update Distribution Tracking for MPPs

Appendix F: Distribution of List Products Overview

Below is an overview of the distribution of list products. The Chief Electoral Officer distributes list products, unless otherwise indicated. The products are available upon request.

(155-G044E)