A cropped version of the top half of a formal letter from the City of Hamilton. The image shows the City logo and the first three paragraphs of the letter, which detail the commitment to safeguarding information and the specific circumstances of a privacy breach where application data was indexed by search engines.
A close-up of the privacy breach notification issued by the City of Hamilton

In what marks at least the sixth documented privacy breach by City of Hamilton officials in less than three years, the City Clerk’s Office has disclosed another incident involving the City publishing personal information onto the Internet.

The City states that individuals who applied to volunteer on the City’s agencies, boards, and committees between December 2022 and February 2023 had their applications accidentally posted on the City’s public internet pages.

The breach was discovered on January 29, 2026, when a member of the public alerted municipal officials after finding an application visible through a search engine. The City has not disclosed how long the applications remained publicly accessible. Hamilton officials notified those affected beginning April 27, 2026.

A software issue with the third-party vendor eScribe caused the breach, according to the notification letter signed by Elisha Turney-Foss, Corporate Privacy Specialist in the City Clerk’s Office. The City shut down access to the portal immediately upon notification and states the vendor has confirmed the issue was a software malfunction.

The City has not disclosed which specific data fields were exposed. Board applications required applicants to provide their name, age, and home address. Applicants were also encouraged to disclose demographic information and details about personal disabilities.

The City’s notification letter states it is informing affected parties as a requirement of the Municipal Freedom of Information and Protection of Privacy Act.

The City of Hamilton does not practice privacy by design in data collection and records management.

The documents in question contained highly confidential information. Despite their sensitivity, the City Clerk’s Office uploaded them into the third-party eScribe application to provide easier access for reviewing council members and did not remove the information following council deliberations.

Privacy by design principles would require the municipality to use more secure web applications and to delete confidential information once council proceedings conclude, eliminating the risk of exposure.

This disclosure is only the latest in a string of documented privacy failures by the City Clerk’s Office.

In June 2025, the office published the bank account information of a corporation. A law firm had paid a mandatory Planning Act fee using a cheque, and the City published a copy of the cheque in a Planning Committee agenda.

In April 2025, the office disclosed the home address, personal phone number, and personal email of a person who requested to delegate to council.

In January 2025, the municipality shared the personal information of a delegate with “three Hamiltonians” who did not work for the municipality. The City did not explain the identities of those individuals or how the breach occurred.

In January 2024, the office published the personal information of 36 people who delegated to city council.

During the 2022 municipal election, the City Clerk’s Office committed the largest-ever municipal election privacy breach, revealing the identities and personal emails of hundreds of people who registered to vote by mail.

In July 2025, the Police Board’s Executive Director, a City of Hamilton employee, published the home address and personal cellphone number of a delegate.

The City’s February 2024 cybersecurity breach was one of the largest privacy breaches in Canadian municipal history.

Ontario’s Information and Privacy Commissioner has ruled, in other cybersecurity breaches, that the encryption of personal information constitutes a privacy breach—a determination Hamilton initially disputed. The Divisional Court upheld the Commissioner’s interpretation, confirming that cybersecurity failures are privacy breaches under Ontario law.

In each of these past incidents, the City of Hamilton has pledged that its digital process improvements would prevent future privacy breaches.

Questions posed to the City of Hamilton were not answered prior to publication. This story will be updated if the City provides a response.

A photograph of a formal letter on City of Hamilton letterhead dated April 27, 2026, addressed to "Dear Resident." The letter, signed by Corporate Privacy Specialist Elisha Turney-Foss, explains that the City became aware of a privacy breach on January 29, 2026, where board applications were visible through search engines. It notes that the vendor, eScribe, has since corrected the issue.
A notification letter sent by the City of Hamilton on April 27, 2026, informing residents of a privacy breach

TPR has requested the following information from the City of Hamilton: the number of people affected by the breach, the nature of the information disclosed, whether the City is considering an independent review of this breach (or if the City Clerk’s Office will conduct a self-investigation as it has done in previous breaches), why the City’s “digital process improvements” failed to detect the breach, and what changes are being made to prevent continued privacy breaches.

Production Details
v. 1.0.0
Published: April 28, 2026
Last updated: April 28, 2026
Author: Joey Coleman

Update Record
v. 1.0.0 original version

Join the Conversation

2 Comments

TPR welcomes constructive and civil discussion. Comments are moderated.
Leave a Reply to Joey Coleman Cancel reply

Your email address will not be published. Required fields are marked *

  1. Whom should I contact to find out if my personal information was posted?
    Thank you for relaying this Joey

    Reply
    1. Reply