Earlier today, I reported on the latest privacy breach by the City of Hamilton.
At the time of this writing, the breach may be limited to the personal information of one individual who delegated to City Council.
The breach does not exist in isolation. It is part of an ongoing pattern of privacy breaches by the City of Hamilton. [The 2022 election advance voter data leak, the 2024 council delegates’ address and phone number leak, the 2024 cybersecurity failure.]
The City of Hamilton does not practice privacy by design in how it deploys technology, or in how it designs data collection.
Two key questions must be answered when collecting personal information: is the collection necessary and, once collected, is the information secure?
The City’s collection of home addresses of public delegates is not necessary.
City policies do not require delegates to reside in Hamilton, there is no preference given to local residents, and the City does not conduct any statistical analysis of delegate address data.
Once the City collects personal data, it is required by the Municipal Freedom of Information and Protection of Privacy Act to protect the information from disclosure.
Hamilton uses an online form for delegation requests. The form takes the data and sends it in an unencrypted email to the clerk@hamilton.ca shared inbox.
Once received, a City staff member converts the email to PDF format and manually redacts personal information before posting the request on the City’s public website. This introduces an opportunity for error – hence the privacy breaches in the past.
Once the City has personal information, it must start segregating and securing it.
The City is not disclosing how it committed the latest breach.
The fact that personal information was emailed to “three Hamiltonians” who were not authorized to receive the data is a symptom of ongoing issues that must be addressed.
For years, I tweeted about the City’s repeated failures to renew its website SSL certificates.
The failure of the City’s IT department to fulfil the most basic security procedures was an indicator of more significant problems.
Hamiltonians are now on the hook for over $100-million in costs following the City’s February 2024 cybersecurity failure.
City Council needs to act on privacy.