Unfortunately, in Canada the answer is ‘any way they see fit.’
You read that correctly: Unlike most public or private organizations in this fair nation—whether public, private, non-profit, for-profit, professional or volunteer run— federal political parties are not governed by any privacy-specific legislation.
And as parties and candidates campaign—as they fundraise, recruit supporters, distribute petitions and more— for the upcoming federal election, there is growing concern about their lack of legal obligation to keep their data secure.
Federal parties are not covered by the Privacy Act, which governs public bodies, nor are they subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), the privacy law that governs Canada’s private sector. This means that although much of the information they collect and hold is sensitive, there are no restrictions on how long they keep their data, how they decide who has access to it, or what security measures they put in place.
Rather, parties need only comply with the Canada Elections Act, which is limited in that it only applies to those voter registration data collected and shared with parties and candidates under the authority of that legislation. Their collection of personal data captured by parties from other sources, however, is totally unregulated, and their privacy policies—when they exist—are not necessarily binding.
And it’s not as though there haven’t been issues: the lack of regulation has led to some embarrassing leaks and abuses—from sending birthday cards to constituents using data from passport applications, to the accidental sharing of names and contact information of 6,000 constituents, to a Toronto cell of the a terrorist organization obtaining copies of the Canadian voter list.
FIPA has raised concerns about this lack of protection on a number of occasions, including before the Committee on Industry, Science and Technology when we travelled to Ottawa to comment on Bill S-4 (the Digital Privacy Act) in March.
We see no reason why political parties—arguably some of the most influential organizations in the country, not to mention some of the most seriously invested in social media networking and online community building—should be any exception to the rules.
After all, there has been no logjam in democracy in B.C., where provincial political parties fall under the Personal Information and Privacy Act (PIPA). This province’s Information and Privacy Commissioner has used her power to receive complaints, conduct hearings, investigate and ultimately issue orders regarding provincial political parties, and our personal information is better protected because of that.
Without laws that protect the privacy rights of citizens and hold parties to account for their use, collection and disclosure of voter information, we risk driving citizens away from an increasingly digital political landscape.
As the federal election continues, it’s important that citizens understand the risks to their personal information, and that we take this opportunity to show potential policymakers that Canadians want to close this loophole in privacy law.