Suppose I told you that there is a country where political parties build secret databases on voters and profile them according to their political views. Its citizens have no right to see, correct or remove the data collected. The data is shared with a large number of party workers and volunteers, who use it to contact voters by phone, e-mail, direct mail or canvassing to determine whether and how they intend to vote.

Sounds like an authoritarian state, doesn’t it? In fact, it’s pretty much the way that Canada’s main political parties operate now.

In this election, each of the big three federal parties is running its own web-based “voter relationship management system”. The oldest is the Conservative Information Management System (CIMS). The Liberals recently built a new version of Liberalist, based on the U.S. Democratic Party’s Voter Activation Network. And the NDP has replaced the clunky old NDP Vote system with something called Populus.

By the people working in and reporting on Canadian federal politics, these systems are now seen as indispensible tools for the modern “data-driven” campaign. And the parties will argue that these systems help them engage and mobilize their supporters, enhancing the democratic process.

There’s just one problem with that argument: while parties have been introducing voter-tracking systems, federal voter turnout has been steadily declining over the last ten years. These systems may be good for parties, but they don’t encourage Canadians to vote.

And all of these systems are shrouded in secrecy. From what we have gathered over the years, each is based on the list of electors (name, address and unique identifier) obtained at each election from Elections Canada, the use of which is tightly controlled by the Elections Act. Each party then fills its own system with other data culled from traditional door-to-door canvassing and telephone polling. The range and quality of the data vary considerably. These systems are heavily dependent on thousands of party volunteers inputting accurate data in a timely manner.

The parties with deeper pockets — the Conservative party, particularly — may also add data obtained from other sources: the census, social media and, in some cases, data purchased from commercial geo-demographic companies such as Environics. More and more, these databases include information on specific political issues and trends.

The electorate is then profiled and scored. For instance, we know that CIMS ranks voters on a scale of plus 15 (right) to minus 15 (left). These profiles are then used to allow the party to allocate its resources more efficiently for its canvassing and get-out-the-vote operations.

The systems will also have information on a voter’s preferred contact methods. If someone does not want to be contacted, it should be recorded in the party databases. (As I mentioned in this space last week, it’s not at all easy for Canadians to register ‘no contact’ preferences.)

The parties themselves are somewhat divided on these databases, and heated debates take place behind closed doors over their utility and proper role. The Conservatives actually scrapped a new system (C-Vote) in 2013 because of glitches and internal opposition. There tends to be a split in all parties between the traditionalists — relying on face-to-face methods of canvassing — and the new breed of high-tech party workers inspired by the success of data-driven campaigns south of the border.

You have no legal right to learn what information a party database has collected about you, to remove yourself from a party database, or to restrict the collection, use and disclosure of your personal information. And for the most part, parties have no legal obligations to keep that information secure. You have no legal right to learn what information a party database has collected about you, to remove yourself from a party database, or to restrict the collection, use and disclosure of your personal information. And for the most part, parties have no legal obligations to keep that information secure.

What they don’t talk about is how far out of mainstream democratic practice these databases really are. In most other democracies, they would be illegal.

In Europe, for instance, political parties are permitted only to process personal data on their own members, or on those with whom they have regular contact. Information on political opinions and affiliations is considered highly sensitive there, and can only be collected with the express consent of the individual. The campaigning practices seen in Canada and the United States are typically regarded as intrusive and contrary to European political culture.

As a result of Canada’s complex constitutional framework — and overall political reluctance — these systems are pretty much exempted from privacy laws here. So the Privacy Commissioner of Canada has no oversight authority to receive complaints about party political databases, or to investigate and audit.

And here’s what most Canadians don’t realize: as a citizen and a voter, you have no legal right to learn what information a party database has collected about you, or to access and correct that information. You have no legal right to remove yourself from a party database, or to restrict the collection, use and disclosure of your personal information.

And for the most part, parties have no legal obligations to keep that information secure, to retain it only for as long as is necessary, or to control who has access to it.

There is one exception. In B.C., the Personal Information Protection Act (PIPA) has been held to apply to provincial political parties, and there have been one or two investigations of political parties by the provincial Information and Privacy Commissioner, Elizabeth Denham.

Some provincial parties have also responded to requests for access to personal information under this law. In my own household, we were very surprised at the breadth and complexity of the data that has been amassed on us over the years.

In 2013, Elections Canada recommended that parties voluntarily agree to a code of practice based on the ten privacy principles in Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Nothing happened. It’s almost impossible to get politicians to regulate themselves.

But the federal political parties might want to think very carefully about this issue. Privacy is becoming a huge political issue. No party wants to be seen building secret systems of surveillance.

And the risk of a breach of personal data held in a party database is very real, and quite obvious. Every other type of organization holding personal information — from health care facilities to intelligence agencies — has suffered a data breach. All these systems are supposed to have strong security, clear user-based agreements and strict controls for access. They still got burned. And in the frenzy of a federal election campaign, rules can easily be forgotten or circumvented.

So it’s only a matter of time before there is a large and serious breach of a party database — either through external hacking or simply the carelessness of party workers. And the parties are playing with fire here; a data breach in the middle of an election campaign would be a political disaster that would make Ashley Madison look like small potatoes.

Colin Bennett is professor of Political Science at the University of Victoria. He is co-author of a report to the Office of the Privacy Commissioner on Privacy Protection and Canada’s Federal Political Parties.

The views, opinions and positions expressed by all iPolitics columnists and contributors are the author’s alone. They do not inherently or expressly reflect the views, opinions and/or positions of iPolitics.