Guidelines for the Use of Electoral Products

Office of the Chief Electoral Officer Elections Ontario

January 1, 2024

Document History

Table of Contents

Document History

Section 1: Introduction

Section 2: Accessing Local Electoral Products

Section 3: Accessing Provincial List Products

Section 4: Privacy Policies

Section 5: Requirements of the Use of Provincial List Products

Section 6: Requirements for the Use of Digital Acknowledgements

Section 7: Requirements for the Secure Destruction of List Products

Section 8: Privacy and Security Best Practices

Section 9: Requirements for Breach Management

Appendix A: Privacy Policy Acceptance Criteria

Appendix B: Acknowledgement for the List of Electors (F0101)

Appendix C: Distribution of List of Electors (F0315)

Appendix D: Annual Update Distribution Tracking for Political Parties

Appendix E: Annual Update Distribution Tracking for MPPs

Appendix F: Distribution of List Products Overview

Approval:

Section 1: Introduction

Elections Ontario is a non-partisan Office of the Legislative Assembly of Ontario responsible for administering provincial elections in Ontario, led by the Chief Electoral Officer.

The purpose of these Guidelines for the Use of Electoral Products (Guidelines) is to provide the requirements needed for registered political parties, Members of Provincial Parliament (MPPs), registered provincial candidates, municipal clerks, District Social Services Administration Boards^{footnote 1[1]} (DSSABs) and school boards in Territories Without Municipal Organization (TWOMOs) to access and use products made available by Elections Ontario that contain electors’ personal information.

The Election Act^{footnote 2[2]} (the Act) requires the Chief Electoral Officer (CEO) to establish and maintain the following registers:

• Permanent Register of Electors for Ontario (Register), for individuals who are eligible to vote in provincial and local elections
• Register of Absentee Voters (Absentee Register) for eligible provincial electors temporarily living outside Ontario who intend to return to Ontario

For provincial electoral purposes, the Act requires the CEO to make available the information of electors contained in the Register and Absentee Register to political entities (registered political parties and MPPs), registered candidates and municipal clerks.

Although Elections Ontario does not administer local elections, as of January 1, 2024, the Municipal Elections Act, 1996^{footnote 3[3]} (MEA), requires the CEO to provide preliminary lists of electors (PLEs) derived from the Register to municipal clerks for the purpose of conducting local electoral events.^{footnote 4[4]} Pursuant to the Act, the CEO may also provide information from the Register to DSSABs and school boards to run their board elections in TWOMOs. 

In the event of a conflict, inconsistency or a discrepancy between the Act and these Guidelines, the provisions in the Act shall be regarded as paramount and the governing law.

Section 2: Accessing Local Electoral Products

PLEs for local electoral purposes are available upon request by municipal clerks, DSSABs and school boards in TWOMOs on the Election Portal provisioned by Elections Ontario, or through other secure methods.

In accordance with section 17.4 of the Act, municipal clerks, DSSABs, school board administrators and their authorized staff will be required to provide a signed declaration acknowledging the restrictions on the use of elector information prior to accessing and using PLEs, or any other confidential extracts obtained from Elections Ontario.

Questions or requests regarding local electoral products can be sent to Elections Ontario within the Election Portal or by emailing voterslist@elections.on.ca.

Section 3: Accessing Provincial List Products

List Products are any lists containing electors’ personal information made available by Elections Ontario, upon request, and include the Register Annual Update and the Lists of Electors.

Appendix F provides an overview of the distribution of List Products, including the dates of availability.

3.1 Register Annual Update

The Register Annual Update is the yearly update of the Register and Absentee Register that is available electronically to registered political parties and MPPs at the end of each calendar year for provincial electoral purposes.

Table 1 below outlines the filing requirements needed to access the Register Annual Update.

Table 1: Filing Requirements to Receive and Access the Register Annual Update

* Newly registered political parties are entitled to receive the Register Annual Update once they have an approved privacy policy on file with Elections Ontario for at least 30 days and meet the other requirements in Table 1.

3.2 Lists of Electors

A List of Electors is any list created from the Register or Absentee Register that is available upon request to registered political parties, candidates and municipal clerks for electoral purposes.

For provincial electoral events, pursuant to the Act, Lists of Electors are made available to registered political parties, registered candidates and municipal clerks following the issuance of a Writ, provided they meet the requirements stipulated in Table 2 below.

Table 2: Filing Requirements to Receive and Access Lists of Electors During Provincial Electoral Events

To request provincial List Products and/or to submit the filing requirements listed above (excluding privacy policies), please contact:

Section 4: Privacy Policies

4.1 Background

Pursuant to section 17.6(2) of the Act, List Products for provincial electoral purposes will only be provided to registered political parties, registered candidates and MPPs that have developed and implemented a privacy policy that has been approved by and on file with Elections Ontario.

Privacy policy submissions are reviewed by Elections Ontario’s Chief Privacy Officer and a written response is provided if they are approved or if further information is required.

Privacy policies of political entities must be published on the political entity’s website within 30 days of receiving an approval confirmation from Elections Ontario. Privacy policies of registered political parties and independent candidates approved during electoral events must be posted as soon as possible.

Elections Ontario reserves the right to audit the privacy practices of political entities and independent candidates who have a privacy policy that has been approved by and on file with Elections Ontario, to ensure they are adhering to the terms of their privacy policies. Section 17.6(3) of the Act permits Elections Ontario to publish online any discrepancies found in their privacy policies.

Appendix A outlines the minimum criteria that must be included in a privacy policy.

4.2 Privacy Policies of MPPs and Registered Candidates

MPPs and registered candidates affiliated with registered political parties are covered by their party’s privacy policy. If their party does not have a privacy policy on file, they will not be able to receive List Products.

Independent MPPs and candidates must submit their own privacy policies for review and approval.

4.3 Validity of Privacy Policies

Privacy policies approved by and on file with Elections Ontario will be valid for a 12-month period from the date the policy is signed by the political entity’s Chief Privacy Officer. If the privacy policy remains the same after 12 months, a political entity can renew their policy for another 12 months by sending an email to priv@elections.on.ca and confirming there are no changes to same.

To ensure political entities review their privacy policies on a regular basis, policies will only remain valid with Elections Ontario for a maximum of 24 months, after which a new privacy policy is required. If at any point a political entity’s privacy policy or its Chief Privacy Officer changes, a new privacy policy must be submitted to Elections Ontario for review and approval.

4.4 Deadline to Submit

During electoral events, registered political parties and candidates can only receive Lists of Electors if they have a privacy policy that has been approved by and on file with Elections Ontario by 2:00 pm on the close of nominations.

To submit a privacy policy or if you have any questions about privacy and security, email priv@elections.on.ca.

Section 5: Requirements for the Use of Provincial List Products

5.1 Acknowledgement of the List of Electors Form (F0101)

Pursuant to Section 17.4 of the Act, political entities and municipal clerks are only permitted to use List Products containing electors’ personal information for electoral purposes and not for commercial purposes.

To receive provincial List Products from Elections Ontario, political entities, candidates and municipal clerks must complete and file a F0101 form declaring that they:

• Understand List Products can only be used for electoral purposes and not commercial purposes
• Understand the importance of protecting electors’ personal information contained in List Products
• Understand safeguard measures to protect electors’ personal information and confirm compliance with privacy policies; and
• Confirm compliance to securely destroy List Products obtained for electoral purposes

Elections Ontario will only provide List Products to individuals named on the signed F0101 forms. If there any changes to the name or the contact information of the individual authorized to receive the List Products on a F0101 form on file with Elections Ontario, a new F0101 must be submitted before List Products can be provided by Elections Ontario

Appendix B provides a sample of the F0101 form that must be submitted to Elections Ontario.

(Note: for local electoral purposes, if an electoral product is distributed outside of the Election Portal, the recipient will need to sign a F0101 form).

5.2 Tracking the Distribution of List Products

Registered political parties and MPPs who receive the Register Annual Update must collect and track the signed F0101 forms from any staff, volunteers, agents, etc., to whom they distribute the information.

Registered political parties and candidates who receive Lists of Electors for provincial electoral events are required to collect and track the F0101 forms from any staff, volunteers, agents, canvassers, etc., to whom the lists have been distributed.

Table 3 shows the tracking record requirements for List Products.

Table 3: Filing Requirements for the Distribution Tracking Forms

5.3 List Product Reproduction Restrictions

Under Section 17.4(3) of the Act, no political entity may reproduce, store, or transmit any part of the information obtained electronically from the Register (including the Lists of Electors) for any purpose except as follows:

• Registered political parties and MPPs who receive the Register Annual Release Update as per Section 17.1(3)(1)(i) or (ii)
• Update for a specific electoral district as per Section 17.1(3)(2)
• An individual who receives the information from a registered political entity, so long as that person or entity signs a written or digital acknowledgment that they are bound to the restrictions in the Act, i.e. information can be used for electoral purposes only and not for commercial purposes as per Section 17.4(4)(b).

5.4 Authorized and Prohibited Use of List Products

The Act requires any person or political entities who receive and examine the lists of electors in any format (e.g. printed, electronic format or on data storage devices and applications) to adhere to the restrictions on the use of electors’ personal information, i.e. for electoral purposes only. It is an offence under the Act to use electors’ personal information for commercial purposes as per Section 17(4)(1). Unauthorized use is punishable by a fine, as stipulated in Section 97. A full list providing an overview of the distribution of list products is detailed in Appendix F.

Table 4 below outlines the authorized use of List Products.

Table 4: Authorized Use of List Products

Section 6: Requirements for the Use of Digital Acknowledgements

Political entities developing digital applications for recipients to access List Products are permitted to administer digital acknowledgements. The digital acknowledgment must include a Terms of Use on an entry page prior to accessing the application. The Terms of Use statement must state the following:

Please read the following statements carefully, then acknowledge that you have understood and accept them by providing the information requested at the bottom of the page. Please note that an eSignature is the equivalent of a handwritten signature. This application includes information obtained from the Permanent Register of Electors for Ontario and Absentee Register. In accordance with Section 17.4 of the Election Act, I acknowledge the following regarding the information I obtain, directly or indirectly, from the Permanent Register, or from a list of electors prepared from the Permanent Register and/or Absentee Register, whether the information obtained is in printed or electronic format, or examined in either format without obtaining a copy:

• I will only use it for electoral purposes and will not use it for commercial purposes.
• I will only disclose it to others after obtaining their written acknowledgement that they are bound by the restrictions in the subsection.
• I have read and will comply with the privacy policy developed by my Political Party and approved by Elections Ontario.
• I will comply with Elections Ontario’s Guidelines for the Use of Electoral Products (available at elections.on.ca).
• I will securely destroy the List Products on completion of the activities for which I received them.

Do not e-Sign until you have read and understood the statements above and the documents referred to in the statement. By providing my eSignature below, I certify that I have read, fully understand, and accept all the terms of the preceding statements.

eSignature: *Please enter your full name in lieu of a handwritten signature.

The “Accept” button should not work without text entered here. Please press “Cancel” if you don’t agree or need to first review the relevant policies and Guidelines; or “Accept” to continue.

In addition to obtaining digital acknowledgements, the digital application must collect user information required and maintain a Distribution Tracking Record of all recipients who have been given access to electors’ personal information, whether in its entirety or portions/copies of List Products.

Section 7: Requirements for the Secure Destruction of List Products

Political entities who receive electronic and paper copies of List Products are required to securely destroy or permanently delete copies immediately after integrating them into their databases. The secure destruction requirements do not require political entities to dispose of elector information that has been integrated into databases created for electoral purposes, provided that political entities comply with the restriction on the use of elector information under Section 17.4(1) of the Election Act. The database servers used to store electors’ personal information must not be hosted outside of Canada.

Candidates who receive any electronic and/or paper copies of List Products must securely destroy or permanently delete same immediately after polling day.

A secure shredding service provider may be procured to securely destroy lists containing electors’ personal information; however, political entities are responsible for specifying how the destruction is to be accomplished, under what conditions and by whom. All political entities must create or obtain from the service provider a certificate of destruction that documents the following:

• Records and/or List Products that are being destroyed
• Date, time, and location of destruction
• Method of destruction
• Name and signature of the individual responsible for destruction or the operator

The following provides the requirements for political entities on how to dispose of electors’ personal information in a safe and secure manner:

• Methods used must ensure that personal records cannot be reconstructed
• Electronic data must be permanently erased using methods that prevent the restoration of such data
• Data erasure software must conform to the standard set by the Communication Security Establishment Canada wiping method
• Destruction of printed copies of documents means cross-cut shredding, not continuous (single strip)
• All decommissioned electronic media that was used to store elector data must be permanently erased

Political entities must return electoral products to Elections Ontario if they are unable to destroy the products. For additional questions on the secure destruction of electoral products, please contact Elections Ontario.

If a MPP resigns or has forfeited the office to which they were elected, or ceases to be a member of a political party and becomes an independent MPP, the MPP must either destroy or return all documents containing electors’ personal information and election-related information to Elections Ontario within 30 days of their resignation or removal. Confirmation of destruction can be sent by email to preo@elections.on.ca.

Section 8: Privacy and Security Best Practices

All political entities are responsible for preventing unauthorized persons from accessing electors’ personal information, including taking reasonable steps to protect the security and confidentiality of the information during its use, storage, transfer and destruction.

To effectively prevent unauthorized use and access of electors’ personal information, political entities should implement the following best practices:

Chief Privacy Officer

Appoint a Chief Privacy Officer who is responsible for safeguarding electoral products, communicating these Guidelines to persons who are given access to electors’ personal information, developing and implementing privacy policies, and answering questions about the political entity’s use of list products. Elections Ontario must be notified if the person no longer holds the title and an updated privacy policy must be submitted

Access to Electors’ Personal Information

• Limit the number of people who have access to electoral products to reduce the chances of a privacy breach
• Only authorized employees, volunteers and/or agents of political entities who require access to electors’ personal information should be provided with secure access to the political entity’s database
• Ensure that all individuals who are given access to electors’ personal information understand the importance of protecting the privacy of electors’ personal information
• Obtain from each individual an acknowledgement that they will abide by the restrictions on the use of electors’ personal information (see sample in Appendix B)

Password and Keys

• Passwords and keys should be strictly controlled by the person responsible for privacy safeguards
• Individual and unique passwords should be provided to authorized employees, volunteers or agents of political entities who require access to electors’ personal information on the entity’s database. Passwords must not be shared
• Passwords must be kept confidential by each user and must be sufficiently complex
• Passwords should be encrypted in transmission, and where passwords must be stored, they must also be encrypted in storage. Encryption of and stored passwords should ensure that both the password, and any information describing the use or systems to which the password corresponds, are both encrypted

Creating Strong Passwords

• Ensure your password is twelve or more characters long, and that it contains characters from three of the following four categories:
  • Uppercase characters A-Z
  • Lowercase characters a-z
  • Digits 0-9
  • Special characters (!, $, #, %)

Tips for a strong password

• A strong password can be memorable to you but nearly impossible for someone else to guess. Follow these tips to create your own:

Make your password unique

• Reusing passwords for important accounts is risky. If someone gets your password for one account, they could access your email, address, and even your money

Make your password a nonsense phrase

• If your letter combinations are not in the dictionary, in published literature, or grammatically correct, your password will be harder to crack
• Make your password long and include random words and phrases
• Include numbers, symbols, uppercase and lowercase letters
• Randomly mix up symbols, numbers and letters
• Substitute numbers for letters (zero for O, for example) or symbols for letters
• Do not use common words & patterns

Avoid choosing passwords that could be guessed by:

• People who know you
• People looking at easily accessible info (like your social media profile)
• Avoid personal info & common words
• Do not use personal info

Avoid creating passwords from info that others might know or could easily find out, for example:

• Your nickname or initials
• The name of your child or pet
• Important birthdays or years
• The name of your street
• Numbers from your address
• Avoid simple words, phrases, and patterns that are easy to guess. For example:
• Obvious words and phrases like “password” or “letmein”
• Sequences like “abcd” or “1234”
• Keyboard patterns like “qwerty” or “qazwsx”

Electronic Records

Electronic records containing electors’ personal information must be stored and encrypted on password-protected data storage devices and applications, rather than on the hard drive of a laptop or home computer

Laptops and Home Computers

• Access to laptops and home computers must be password- controlled, and any data on the hard drive must be encrypted and stored in a secure location
• Safeguards such as anti-virus software and personal firewalls could also be installed
• Password enabled screen lock must be activated on laptops and home computers that are temporarily unattended

Emails

• When working at home or other locations outside the office, employees, volunteers and/or agents should avoid sending electors’ personal information by e-mail
• If personal information must be sent by email, the email must be encrypted, including any file attachments

Paper Records

• Paper records should be kept in locked filing cabinets when not in use
• While in transit, paper records must be securely packaged and sealed while in the possession of the employees, volunteers and/or agents of the political entity
• If used at home, records must be accessible only by employees, volunteers and/or agents of the political entity
• Where photocopies of List Products are required, photocopy machines must not be left unattended while conducting the task

Removing Records from the Office

Original documents must be securely stored and should remain in the office. Employees, volunteers and/or agents of the political entity must obtain the necessary approvals to remove documents from the office, and a record of the information removed and by whom must be kept

Public Transit and Other Public Spaces

Electors’ personal information, whether in printed or electronic format, must never be accessed by employees, volunteers and/or agents of the political entity while travelling on public transportation or in other public spaces

Section 9: Requirements for Breach Management

A privacy breach is an incident where an electors’ personal information is collected, used, disclosed, retained or disposed of in ways that do not comply with applicable legislation (e.g. Election Act and Election Finances Act), privacy policies and procedures. Privacy breaches include, but are not limited to:

• Unauthorized access, modification or copying of an electors’ personal information
• Loss or theft of an electors’ personal information in the custody and control of the political entity, held in any format

Privacy breaches may be unintentional or deliberate. A privacy breach may involve aggregate or de-identified information if it is reasonably foreseeable that it may be used, either alone or with other available information, to re- identify an individual. A suspected privacy breach occurs where it is reasonable to believe that a privacy breach, as defined above, has occurred.

The actual or suspected unauthorized access, loss or theft of documents containing electors’ personal information is a privacy breach and should be dealt with quickly and effectively. While each incident will require a unique approach, it is expected that the Chief Privacy Officer follow these general steps:

• Immediately notify the Chief Electoral Officer at Elections Ontario of the breach and steps being taken to contain/mitigate the breach by emailing priv@elections.on.ca
• Contain the breach, identify its source, and mitigate the harm resulting from the breach
• Document the circumstances that led to the incident and/or contact the police authorities
• Review and update the political entity’s internal policies, processes and procedures to prevent future incidents

For municipalities, DSSABs and school boards in TWOMOs, if a breach is identified involving Elections Ontario List Products, they must advise the Elections Ontario CEO immediately of the breach and follow their own breach protocols.

Appendix A: Privacy Policy Acceptance Criteria

Section 17.6 of the Act requires political entities who wish to access electors’ personal information held by Elections Ontario to develop and implement a privacy policy. This privacy policy must be submitted to Elections Ontario in advance of requesting access to List Products from the Register.

The requirements below outline the minimum acceptance criteria for a privacy policy submitted to Elections Ontario.

Section 1: Scope of Policy

This section must contain a statement indicating to whom the policy applies and to what the policy applies (i.e. all List Products provided by Elections Ontario).

Section 2: Restriction on Use

This section must contain information on how political entities will ensure their employees, volunteers and/or agents will comply with the restrictions on the use of List Products under Section 17.4 of the Act, i.e. that the information will be used for electoral purposes only and cannot be used for commercial purposes. This section must also identify:

• Authorized use of elector information (e.g. communicating with voters, soliciting campaign support, recruiting party members)
• Measures implemented to track the distribution of List Products and administer the written and/or digital acknowledgement forms as mandated by Section 17.4 of the Act

Section 3: Privacy Requirements

3.1 Implementation and Enforcement of Privacy Controls

Indicate all security measures implemented to ensure that all representatives of the political entity remain in compliance with the privacy requirements in the Act, these Guidelines and the political entity’s privacy policy.

Security measures include safeguards implemented to protect electors’ personal information received in printed format and electronically. Security measures must cover the following categories:

1. Administrative controls

   Procedures to protect the privacy and security of electors’ personal information, limiting access to information strictly on a “need to know” basis and the reliability of individuals having access to the electors’ personal information, and designating a person who will be responsible for implementing privacy safeguards.

2. Technical controls

   Passwords, audit trails, encryption, firewalls, and other technical security safeguards to minimize the risk of unauthorized individuals accessing electors’ personal information.

3. Physical controls

   Procedures that restrict access to areas where electors’ personal information is stored.

3.2 Disposition Protocol for List Products

Provide information on the protocols implemented to ensure compliance with the Secure Destruction of List Products when no longer required for electoral purposes. Disposition protocols must comply with these Guidelines.

3.3 Training on Privacy Controls

Provide information on the training provided to representatives of the political entity to ensure awareness and compliance with privacy safeguards and controls.

3.4 Breach Management

Provide details on internal processes implemented to mitigate and address accidental or unauthorized access, disclosure, use, modification, and disposal of electors’ personal information; and outline breach management processes, including contacting the CEO in the case of loss or theft of, or unauthorized access to, electors’ personal information.

Section 4: Roles and Responsibilities

This section must contain information regarding:

• Responsibilities of the political entity’s Chief Privacy Officer as they relate to safeguarding electors’ personal information against accidental or unauthorized access, disclosure, use, modification and disposal. Responsibilities must include complying with all filing requirements under these Guidelines
• The political entity’s designated Chief Privacy Officer is responsible for the overall implementation and enforcement of the privacy policy and must be the signatory on the privacy policy
• Identify the privacy responsibilities of all representatives of the political entities, including political parties, candidates, MPPs, employees, volunteers and/or agents

Section 5: Privacy Policy Approval

This section must contain the following information:

• The effective date of the privacy policy
• The name and signature of the political entity’s Chief Privacy Officer
• The date the Chief Privacy Officer signed the privacy policy

Appendix B: Acknowledgement for the List of Electors (F0101)

Appendix C: Distribution of List of Electors (F0315)

Appendix D: Sample Register Annual Update Distribution Tracking for Political Parties

Appendix E: Sample Register Annual Update Distribution Tracking for MPPs

Appendix F: Distribution of List Products Overview

Below is an overview of the distribution of List Products available upon request. The CEO distributes list products, unless otherwise indicated.

Approval

The following table shows the authorization, amendment, and review dates for this policy.

(156-G194E)