Canadian Security Magazine

Privacy czar finds gaps in federal party policies on personal information


December 16, 2019
By Jim Bronskill, The Canadian Press

OTTAWA—The privacy policies of all the major federal political parties failed to ensure people gave valid consent to the collection and use of their personal information, concluded an analysis by the federal privacy commissioner.

The policies also fell short on setting out specific limits on use of the data, details of how long information is kept, the use of security safeguards on systems and the ability of people to see the collected information to check its accuracy, says a report on Daniel Therrien’s findings.

The Canadian Press obtained a copy of the internal report, completed in late August, through an Access to Information request.

Information about prospective voters can be extremely valuable to political parties for everything from door-to-door canvassing to shaping platforms. However, there has long been concern about how parties use personal data, particularly since the primary federal privacy laws do not apply to them.

The privacy commissioner’s office assessed the Liberal, Conservative, NDP, Green and Bloc Quebecois privacy policies following the implementation of changes to the Canada Elections Act on April 1.

The law now requires parties to draft privacy policies to protect personal information, submit the policies to Elections Canada and publish them online.

Even before they took effect, Therrien said the new provisions were inadequate because they left it to parties to define the standards to apply. He also lamented the lack of oversight by his office or another independent party that could investigate and rule on complaints, something Therrien does with respect to federal privacy legislation governing the public and private sectors.

Therrien and chief electoral officer Stephane Perrault jointly issued guidance to help parties comply with the provisions and follow best privacy practices based on standards of international law. Their “fair information principles” included basic privacy and security measures a party should apply when collecting, using and storing personal data.

“None of the five parties analyzed have met all 10 principles,” says the newly disclosed report.

While some form of consent framework regarding use and collection of personal data was included in most policies, all parties generally failed to provide sufficient evidence that the consent obtained will be valid and informed, the report says.

“None of the wording appears to indicate consent is sought directly by any of the parties, but is rather implied given contact with the party.”

Most of the parties also acknowledged collecting publicly available information, including social media names and contacts.

The privacy commissioner advises parties to keep personal information only as long as necessary to satisfy legitimate purposes, and then destroy the information securely.

Each of the parties placed some limit on the use and disclosure of personal data, but none of the policies discussed how long it would be retained, the report notes.

Most parties did not provide “an adequate explanation” of the security measures used to protect personal information against loss or misuse, it adds. All parties affirmed that some type of general security was in place. But only the Liberal and Green parties mentioned specific security systems, such as encryption or locked cabinets.

Each of the parties did indicate employees would be trained on handling personal data, with “varying degrees of detail.”

The privacy commissioner says political parties should give individuals access to their information upon request, including any inferences or predictions made about them and an accounting of how the data has been used.

They should also allow people to correct or amend any personal information if its accuracy or completeness is challenged and found to be outdated, the commissioner advises.

All parties spelled out ways an individual could update or correct their personal information. However, none mentioned how, or even whether, someone could see their information upon request.