Election season is upon us, with Albertans heading to the polls in a few short weeks and Canadians preparing to vote in the federal election this Fall. To address privacy concerns arising in the electoral context, the Office of the Privacy Commissioner of Canada (“OPC”) and the Chief Electoral Officer (“CEO”) jointly released new guidance for the treatment of personal information by political parties.
Background
Political parties have attracted the attention of privacy regulators in part because of the revelation of Cambridge Analytica’s manipulation of data to profile and influence voters in the US. Late last year Parliament enacted Bill C-76, the Elections Modernization Act, an amendment to the Canada Elections Act (“CEA”) that requires federal political parties to develop privacy policies to protect personal information.
This issue is also on the radar of provincial and federal privacy commissioners as the majority of political parties are exempt from privacy legislation.
The situation is different under British Columbia’s privacy legislation, which does capture political parties. As a result, British Columbia’s Office of the Information and Privacy Commissioner released a report in February, saying that political parties need to be more transparent about how they collect data on voters and expressing the view that they are gathering too much personal information without the individual’s consent.
On April 1, 2019, the OPC and CEO jointly released “Guidance for federal political parties on protecting personal information” (“Guidance”) to help clarify the amendments to the CEA and to offer best privacy practices for federal political parties to protect the personal information of Canadians.
Guidance on (Compulsory) Privacy Policies
The Guidance begins by outlining the legal obligations of political parties created by the CEA. These are mandatory under the CEA and include the requirement on political parties to publish a privacy policy on their website.
Most, but not all, political parties in Canada have privacy policies published on their websites; however, the depth of disclosure on the collection and use of personal information varies from party to party. The CEA now requires federal political parties to submit a privacy policy to Elections Canada as a condition of registration and to keep that privacy policy up to date.
The Guidance published by the OPC puts some meat on the legislative bones of the CEA by providing illustrative examples of what, in the view of the OPC and CEO, a party’s privacy policy should contain. To be in compliance with the CEA, a privacy policy must state the types of personal information that the party collects, and the Guidance suggests it should specify such things in some detail, such as stating that the personal information collected relates to income, residence, ethnicity, or political affiliation. The policy should also, according to the Guidance, explain how the information is gathered and protected, from paper petitions stored in locked file cabinets, to electronic information purchased from data brokers protected by up-to-date firewalls.
Under the CEA, the privacy policy must also indicate how the information is used by the political party. The Guidance suggests that this includes stating if such information is used to develop individual voter profiles, shared with provincial parties (presumably of the same affiliation), or sold to other entities. The CEA also requires a party to state what the party’s practices are with respect to collecting personal information using online activity and the use of cookies; the Guidance goes further and suggests parties can fulfill this obligation by specifying whether they collect personal information through the use of website cookies, social media monitoring, and dedicated mobile apps.
Finally, the amendments to the CEA recognize that employees and volunteers in political parties are the ones responsible for gathering and protecting personal information. As a result, the privacy policy must describe the type of training that these individuals receive to safeguard personal information gathered when they are out canvassing a neighbourhood and on acceptable disclosure practices. The Guidance suggests that each federal political party should also provide the name and contact information for a party employee who can address privacy concerns arising from the policy.
Notably, the mandatory provisions under the CEA are silent in respect of political parties obtaining the consent of individuals to collect their personal information.
Guidance on (Non-Compulsory) Best Practices
The second half of the Guidance outlines recommended best privacy practices for political parties based on international privacy standards and the Fair Information Principles. These “best practices” are non-binding on federal political parties under the CEA and federal privacy legislation, but do reflect how the regulators intend to interpret the legislation.
The recommended best privacy practices include accountability. This means going beyond simply having a privacy policy in place by taking steps such as informing individuals of any breach of personal information that poses a significant risk of harm. The OPC also recommends disclosing the purpose for which the personal information will be used. If the party is using information collected from signing a petition to build a voter database, then this could be disclosed at the time of signing.
This second portion of the Guidance addresses the issue of consent, recommending that the parties obtain informed consent from each individual for the collection and use of their personal information. In practice, this is not as simple as it sounds, as it requires verifying consent and keeping track of consent for each individual. Ensuring the accuracy of personal information means taking on the obligation of keeping the information held up-to-date.
The Guidance recommends that political parties generally limit the collection of personal information. This includes avoiding the collection of unnecessary information, such as canvassing the views of others in the same household, and limiting the use and retention of the information. Another best privacy practice suggested is to retain personal information only as long as necessary for the stated purpose and to destroy the information securely.
Finally, political parties are advised that they should protect information from unauthorized access and be transparent and clear about privacy policies that are written in plain language. Individuals should be provided with the opportunity to access their information and to correct or amend their personal information on request. There should also be a process in place for handling privacy-related complaints, including an investigation procedure, and for ensuring that all complaints are investigated.
Takeaways for Business
While the Guidance applies to political parties, organizations doing business with such parties may be indirectly impacted. Most private sector businesses will be subject to provincial or federal privacy laws, and to the extent they are receiving personal information collected and shared by political parties, these businesses will be accountable for its use in their hands, even if the political party in question is outside the reach of that legislation.
In the general absence of a requirement on political parties to obtain consent, businesses in receipt of such personal information should consider closely their obligations and exposure for their own handling of such information.
For more information about Dentons’ data expertise, including structuring political advertising and adtech platforms, please see our Transformative Technologies and Data Strategy page and our unique Dentons Datasuite of data solutions for every business.