UCP members 'at risk for identity theft' after laptop stolen, expert says

The United Conservative Party's privacy policies are being questioned after a party laptop was stolen out of an employee's car in a parkade.

Party says computer had addresses, names and phone numbers for tens of thousands of members

The United Conservative Party says no financial information was compromised when the laptop was stolen. (The Associated Press)

The United Conservative Party's privacy policies are being questioned after a party laptop was stolen out of an employee's car in a parkade.

The laptop contains the names, addresses and contact information of 40,000 UCP members.

Experts say the language used in the memo to inform members was confusing and didn't answer important questions.

"This is clearly a matter that the party needs to improve their information protection practices," said Sharon Polsky, president of the Privacy and Access Council of Canada, adding the party will have to regain public trust.

"The only way of garnering and maintaining public trust is if you can genuinely assure people that you are properly taking care of their personal information."

Sharon Polsky is with the Privacy and Access Council of Canada. (Anis Heydari/CBC)

Polsky said in general any organization needs to first look at all the information it's collecting.

"And not collect more information than they actually have need or reason to," she said. "The more you collect, the bigger the risk, because the more attractive a pack of information it is."

Letter sent to members

The party informed members of the theft in an email Wednesday.

"The laptop in question did not contain any personal financial data," reads the letter in part. "Rest assured that we take the integrity of your financial information seriously and under no circumstances does the party store that kind of information."

Emily Laidlaw, an associate law professor at the University of Calgary, said the party's email didn't give enough detail to members.

The law professor said it wasn't clear in reading the message what standards and protocols the party has in place. 

UCP privacy policies

When asked what their policies surrounding protecting personal information of members is and if there was training, the party did not respond directly.

"Staff are informed about privacy requirements regarding membership data. This was unfortunately a criminal incident outside of staff's direct control," read the response. "That said, we are undertaking additional measures and protocols going forward following this experience."

They did not elaborate on what those additional measure and protocols would be.

Emily Laidlaw is an associate law professor at the University of Calgary. (Submitted by Emily Laidlaw)

Laidlaw said the fact that the laptop was left in a car at all speaks volumes about what those standards are.

"It is quite commonly advised that you should not be keeping any laptops in your car with sensitive information," said Laidlaw, who specializes in privacy issues. 

'At risk for identity theft'

Laidlaw said it's lucky there was no financial information on the computer, but noted there is enough for concern. 

"It certainly puts the individuals at risk for identity theft," she said. 

"If whoever stole it actually gains access to this information, I mean, you could figure out who the people are, what their home addresses are. These are the people donating to the party and this is where they live."

Training key to prevention

Polsky said the key to preventing these things is training and education. 

"They need to train people, and this isn't unique to us. It is commonplace," she said.

"There is remarkably little valid information and public awareness about how to properly protect information — personal, health, political, corporate."

And according to Laidlaw, one-time training isn't sufficient. 

"Not just at the beginning," she said.

"Followup with that training to ensure that everyone still recalls what the particular rules are, that they're aware of certain updates, that systems and practices are audited, so that we have a clear sense on the kind of A to Z about information security, where the vulnerabilities are — and often those vulnerabilities are human."

The UCP said that although they are not required to, they've informed the privacy commissioner of the incident and an additional 20,000 members whose information was not compromised.


Lucie Edwardson


Lucie Edwardson is a reporter with CBC Calgary. Follow her on Twitter @LucieEdwardson or reach her by email at


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversation  Create account

Already have an account?