Election season is upon us, with Albertans heading to the polls in a few short weeks and Canadians preparing to vote in the federal election this Fall. To address privacy concerns arising in the electoral context, the Office of the Privacy Commissioner of Canada (“OPC”) and the Chief Electoral Officer (“CEO”) jointly released new guidance for the treatment of personal information by political parties.
Political parties have attracted the attention of privacy regulators in part by the revelation of Cambridge Analytica’s manipulation of data to profile and influence voters in the US. Late last year Parliament enacted Bill C-76 the Elections Modernization Act, an amendment to the Canada Elections Act (“CEA”) to require federal political parties to develop privacy policies to protect personal information.
This issue is also on the radar of provincial and federal privacy commissioners as the majority of political parties are exempt from privacy legislation.
The situation is different under British Columbia’s privacy legislation, which does capture political parties. As a result, the British Columbia’s Office of the Information and Privacy Commissioner released a report in February, saying that political parties need to be more transparent about how they collect data on voters and expressing the view that they are gathering too much personal information without the individual’s consent.
On April 1, 2019, the OPC and CEO jointly released “Guidance for federal political parties on protecting personal information” (“Guidance”) to help clarify the amendments to the CEA and to offer best privacy practices for federal political parties to protect the personal information of Canadians.
Guidance on (Compulsory) Privacy Policies
Notably, the mandatory provisions under the CEA are silent in respect of political parties obtaining the consent of individuals to collect their personal information.
Guidance on (Non-Compulsory) Best Practices
The second half of the Guidance outlines recommended best privacy practices for political parties based on international privacy standards and the Fair Information Principles. These “best practices” are non-binding on federal political parties under the CEA and federal privacy legislation, but do reflect how the regulators intend to interpret the legislation.
This second portion of the Guidance addresses the issue of consent, recommending that the parties obtain informed consent from each individual for the collection and use of their personal information. In practice, this is not as simple as it sounds, as it requires verifying consent and keeping track of consent for each individual. Ensuring the accuracy of personal information means taking on the obligation of keeping the information held up-to-date.
The Guidance recommends that political parties limit in general the collection of personal information. This includes avoiding collection of unnecessary information such as canvassing the views of others in the same household and limiting the use and retention of the information. Another best privacy practice suggested is to retain personal information only as long as necessary for the stated purpose and destroying the information securely.
Finally, political parties are advised that they should protect information from unauthorized access and be transparent and clear about privacy policies that are written in plain language. Individuals should be provided with the opportunity to access their information and to correct or amend their personal information on request. There should also be a process in place for handling privacy related complaints and investigation procedure and ensuring that all complaints are investigated.
Takeaways for Business
While the Guidance applies to political parties, organizations doing business with such parties may be indirectly impacted. Most private sector businesses will be subject to provincial or federal privacy laws, and to the extent they are receiving personal information collected and shared by political parties, these businesses will be accountable for its use in their hands, even if the political party in question is outside the reach of that legislation.
In the general absence of a requirement on political parties to obtain consent, businesses in receipt of such personal information should consider closely their obligations and exposure for their own handling of such information.
For more information about Denton’s data expertise, including structuring political advertising and adtech platforms, please see our Transformative Technologies and Data Strategy page and our unique Dentons Datasuite of data solutions for every business.