Federal parties’ privacy policies meet bare minimum required by new law

Aug 16, 2019 | 10:54 AM

OTTAWA — The main federal political parties have developed and published privacy policies, as required by a new law, but none has adopted the stringent measures Canada’s privacy commissioner and chief electoral officer say are necessary to protect the personal information of voters.

None of the parties requires individuals to give meaningful consent for the collection, use and disclosure of their personal information, which the parties amass to help them identify and target likely supporters and the issues that move them.

None allows individuals to see what information has been collected about them.

Nor does any party promise that personal information collected, for instance, in support of a petition on a specific issue won’t be re-used for other purposes, such as general political messaging or fundraising pitches.

Rather, the parties have for the most part simply met the bare minimum required by provisions in Bill C-76, which went into effect April 1.

Sharon Polsky, president of the non-partisan Privacy and Access Council of Canada, says the policies suggest a lack of sincerity when it comes to protecting voters.

“The term lip service comes to mind,” Polsky said.

The law requires parties to develop and post privacy policies on their websites. Among other things, the policies must indicate the type of personal information collected, how it is collected, how it is protected, how employees are trained in privacy protection and whom to contact about concerns.

They must also include a statement on a party’s use of personal information gleaned from online activity and its use of cookies.

Privacy commissioner Daniel Therrien has panned the new provisions, particularly the failure to require oversight by his office or some other independent third party that could investigate and rule on complaints about parties breaching personal privacy.

“It simply says parties must have policies that touch on a number of issues, leaving it to parties to define the standards they want to apply,” he told a House of Commons committee that studied the bill last year.

“In terms of privacy protection, Bill C-76 adds nothing of substance.”

The same day C-76 went into force, Therrien and chief electoral officer Stephane Perrault jointly issued guidance to parties on how to comply with the new law. In that guidance document, they also noted that the law does not require parties to meet “internationally recognized privacy standards” or provide for independent oversight of their policies.

The duo urged parties to go further and voluntarily “adhere to principles normally found in privacy laws,” including:  

— Being transparent about how personal information will be used and whether it will be shared with others.

— Using personal information only for the purposes for which individuals have given meaningful consent.

— Not assuming consent to add personal information gleaned from individuals who simply “like” a party’s post on social media.

— Providing individuals with access to their information.

— Destroying information collected for a specific cause or petition after it has served its purpose.

None of the parties, which had until July 1 to submit their privacy policies to Elections Canada, has adopted those measures — not even the NDP or Greens, who had supported amending C-76 to require parties to abide by the same privacy laws that govern the private sector.

Indeed, the Liberal and Conservative policies specify that the parties collect personal information from a variety of sources, including from anyone who takes part in an online petition. Both the Liberals and the Greens also say that personal information can be provided by friends or volunteers who think someone might be interested in getting involved with their parties.

Of the main parties, the NDP is the only one that addresses what it would do should a privacy breach occur.

The NDP policy says the party is committed to “documenting the circumstances that led to the breach, the personal identifying information that might have been compromised and immediately and proactively informing affected individuals.”  Moreover, the party has designated a privacy officer who is responsible for ensuring the privacy policy is respected and that any recipients of personal information will safeguard its integrity.

Liberals, New Democrats, Greens and the Bloc Quebecois all say they do not sell personal information under any circumstances.  The People’s Party of Canada, meanwhile, says it does not “share, sell or rent individual personal information with anyone outside of the party without your permission or unless so ordered by a court of law.”

The Conservatives also add a qualifier, saying they will not sell “personal information that you have chosen to provide us.”

Polsky points out that individuals don’t “choose” to provide much of the personal information parties accumulate. For instance, a party volunteer who knocks on someone’s door can provide the party with information about an individual’s race, gender, age, language, religion, temperament, opinions on various issues and any other observable feature, such as whether the person has a disability, has children or owns pets.

“Any political party that genuinely supports the concept of privacy, privacy rights, access to information, if they were in power they would have long ago changed the laws to provide genuine privacy protection and genuine access to information,” she said.

“If they were not in power they could, certainly, voluntarily (abide by privacy laws that apply to the private sector).”

Joan Bryden, The Canadian Press