Parties’ privacy policies fall short
Commissioner finds gaps in area of consent
OTTAWA • The privacy policies of all the major federal political parties failed to ensure people gave valid consent to the collection and use of their personal information, concluded an analysis by the federal privacy commissioner.
The policies also fell short on setting out specific limits on use of the data, details of how long information is kept, the use of security safeguards on systems and the ability of people to see the collected information to check its accuracy, says a report on Daniel Therrien’s findings.
The Canadian Press obtained a copy of the internal report, completed in late August, through an Access to Information request.
Information about prospective voters can be extremely valuable to political parties for everything from door-to-door canvassing to shaping platforms. However, there has long been concern about how parties use personal data, particularly since the primary federal privacy laws do not apply to them.
The privacy commissioner’s office assessed the Liberal, Conservative, NDP, Green and Bloc Québécois privacy policies following the implementation of changes to the Canada Elections Act on April 1.
The law now requires parties to draft privacy policies to protect personal information, submit the policies to Elections Canada and publish them online.
Even before they took effect, Therrien said the new provisions were inadequate because they left it to parties to define the standards to apply. He also lamented the lack of oversight by his office or another independent party that could investigate and rule on complaints, something Therrien does with respect to federal privacy legislation governing the public and private sectors.
Therrien and chief electoral officer Stephane Perrault jointly issued guidance to help parties comply with the provisions and follow best privacy practices based on standards of international law. Their “fair information principles” included basic privacy and security measures a party should apply when collecting, using and storing personal data.
“None of the five parties analyzed have met all 10 principles,” says the newly disclosed report.
While some form of consent framework regarding use and collection of personal data was included in most policies, all parties generally failed to provide sufficient evidence that the consent obtained will be valid and informed, the report says.
“None of the wording appears to indicate consent is sought directly by any of the parties, but is rather implied given contact with the party.”
Most of the parties also acknowledged collecting publicly available information, including social media names and contacts.
The privacy commissioner advises parties to keep personal information only as long as necessary to satisfy legitimate purposes, and then destroy the information securely.
Each of the parties placed some limit on the use and disclosure of personal data, but none of the policies discussed how long it would be retained, the report notes.
Most parties did not provide “an adequate explanation” of the security measures used to protect personal information against loss or misuse, it adds.