If hacktivists decide to go after political parties in next year’s federal election (and Canada’s Communications Security Establishment is pretty sure they will), the personal information about the voting public that those parties hold could be up for grabs – and no party would be obliged to report the breach.
“Mandatory reporting of a breach is accepted as a basic privacy protection principle, evidenced by Personal Information Protection and Electronic Documents Act amendments that took effect on Nov. 1, 2018,” the CBA’s Privacy and Access Law Section wrote in a submission to government on proposed changes to the Elections Act. “Yet Bill C-76 does not require notifications in the event of a breach. This basic standard should apply to political parties.”
This isn’t the only area where political parties are not subject to basic standards when it comes to accessing and safeguarding personal information, despite Canada’s otherwise relatively comprehensive privacy protections. So while the Section welcomes attempts in Bill C-76 to beef up political parties’ obligations in this area, it does not believe the Elections Modernization Act goes quite far enough.
“Not being subject to privacy laws means political parties operate in an environment without standards for privacy protection and with no recourse available to citizens,” the Section writes. “The fact that information can be collected by political parties about citizens without their informed consent and with no legal right to see it, control its distribution or to correct errors or remove it from parties’ databases should they choose is increasingly out of step with broader legal and ethical norms.”
Bill C-76 proposes to amend the Canada Elections Act to require political parties to have a policy for protecting personal information. The Section notes that this is all that is being asked of the parties. “This amendment appears to require nothing more than a general statement without any direction or objective standard against which the sufficiency of the statement can be measured. A general statement does not suffice.”
Privacy policies should meet the minimum standards laid out in PIPEDA’s Schedule 1, the Section says.
Among other things, the policy should be required to commit to providing details about the data being collected, as well as the source and contact information of the supplier if it comes from a data broker, and clearly explain the intended use of the information. It should also indicate the privacy training to be given, not only to employees, but also to volunteers who could have access to personal information.
Complaints about violations of privacy policies should be directed to the Office of the Privacy Commissioner, or failing that, the Chief Elections Officer should be required to consult with the Privacy Commissioner if a breach or complaint comes to his or her attention.