The recent controversies over potential vote suppression in key ridings through the practice of robocalling have shed light upon some of the previously opaque internal practices of political parties. The commentary on these controversies has been extensive, and demonstrates a high level of public interest and engagement in the broader issues about Canadian democracy. Not far beneath the surface, however, lay a number of unanswered privacy-related questions.
I have just co-authored a report on privacy and Canada’s federal political parties for the Office of the Privacy Commissioner. This work was started at the beginning of 2011, and is now published at: https://www.priv.gc.ca/information/research-recherche/2012/pp_201203_e.asp
Canada’s federal political parties can, and do, collect a large amount and variety of information on Canadian citizens: on voters, volunteers, donors, members and supporters. A disparate and fluctuating number of employees and volunteers might also have access to these data – individuals who may have no privacy training. Increasingly the data are communicated through highly mobile electronic formats. The current reality is that all the main federal parties are managing vast databases within which a variety of sensitive personal information from disparate sources is processed.
Canadian federal privacy protection law does not cover federal political parties. Parties do not engage in much commercial activity and are therefore largely unregulated under the Personal Information Protection and Electronic Documents Act, or substantially similar provincial laws, the only exception being the Personal Information Protection Act in BC, which applies to personal information practices of all organizations acting within the province. They are not government agencies, and therefore unregulated by the Privacy Act. The only federal law that governs their practices is the Canada Election Act. But this legislation only applies to those voter registration data collected and shared with parties and candidates under the authority of that legislation. It leaves unregulated the personal data captured by parties from other sources.
For the most part, individuals have no legal rights to learn what information is contained therein, to access and correct those data, to remove themselves from the systems, or to restrict the collection, use and disclosure of their personal data. For the most part, parties have no legal obligations to keep that information secure, to only retain it for as long as necessary, and to control who has access to it.
From the point of view of an ordinary supporter or contributor who wishes to exercise control over his or her personal information, the existing voluntary privacy commitments of Canada’s main federal parties are often difficult to find, inconsistent and vague. No party is any better or worse than any other. There is little evidence that any of them have given sustained consideration to privacy and to the risks associated with amassing vast amounts of personal data.