Send this page to someone via email

The privacy policies of all the major federal political parties failed to ensure people gave valid consent to the collection and use of their personal information, concluded an analysis by the federal privacy commissioner.

The policies also fell short on setting out specific limits on use of the data, details of how long information is kept, the use of security safeguards on systems and the ability of people to see the collected information to check its accuracy, says a report on Daniel Therrien’s findings.

The Canadian Press obtained a copy of the internal report, completed in late August, through an Access to Information request.

Information about prospective voters can be extremely valuable to political parties for everything from door-to-door canvassing to shaping platforms. However, there has long been concern about how parties use personal data, particularly since the primary federal privacy laws do not apply to them.

Story continues below advertisement

The privacy commissioner’s office assessed the Liberal, Conservative, NDP, Green and Bloc Quebecois privacy policies following the implementation of changes to the Canada Elections Act on April 1.

4:01 Privacy commissioner questioned on what happens if government doesn’t adopt his recommendations Privacy commissioner questioned on what happens if government doesn’t adopt his recommendations

The law now requires parties to draft privacy policies to protect personal information, submit the policies to Elections Canada and publish them online.

Even before they took effect, Therrien said the new provisions were inadequate because they left it to parties to define the standards to apply. He also lamented the lack of oversight by his office or another independent party that could investigate and rule on complaints, something Therrien does with respect to federal privacy legislation governing the public and private sectors.

Therrien and chief electoral officer Stephane Perrault jointly issued guidance to help parties comply with the provisions and follow best privacy practices based on standards of international law. Their “fair information principles” included basic privacy and security measures a party should apply when collecting, using and storing personal data.

Story continues below advertisement

“None of the five parties analyzed have met all 10 principles,” says the newly disclosed report.

While some form of consent framework regarding use and collection of personal data was included in most policies, all parties generally failed to provide sufficient evidence that the consent obtained will be valid and informed, the report says.

“None of the wording appears to indicate consent is sought directly by any of the parties, but is rather implied given contact with the party.”

Most of the parties also acknowledged collecting publicly available information, including social media names and contacts.

2:20 Privacy commissioner : ‘Privacy is so much more than consenting to Terms and Conditions’ Privacy commissioner : ‘Privacy is so much more than consenting to Terms and Conditions’

The privacy commissioner advises parties to keep personal information only as long as necessary to satisfy legitimate purposes, and then destroy the information securely.

Story continues below advertisement

Each of the parties placed some limit on the use and disclosure of personal data, but none of the policies discussed how long it would be retained, the report notes.

READ MORE: Watchdog calls for modernized privacy laws following Statistics Canada data collection investigation

Most parties did not provide “an adequate explanation” of the security measures used to protect personal information against loss or misuse, it adds. All parties affirmed that some type of general security was in place. But only the Liberal and Green parties mentioned specific security systems, such as encryption or locked cabinets.

0:47 Privacy commissioner decries ‘crisis of trust’ in cyber security laws Privacy commissioner decries ‘crisis of trust’ in cyber security laws

Each of the parties did indicate employees would be trained on handling personal data, with “varying degrees of detail.”

The privacy commissioner says political parties should give individuals access to their information upon request, including any inferences or predictions made about them and an accounting of how the data has been used.

Story continues below advertisement

They should also allow people to correct or amend any personal information if its accuracy or completeness is challenged and found to be outdated, the commissioner advises.

All parties spelled out ways an individual could update or correct their personal information. However, none mentioned how, or even whether, someone could see their information upon request.