Political parties should be included in privacy laws; it'll never happen

The editorial in today's Halifax Chronicle Herald calls upon the government to include political parties within the protections of privacy laws. While it's a good idea, I can't see this happening ... it would require the politicians to agree that their hands should be tied.

PROTECTING PRIVACY: Challenges growing | The Chronicle HeraldPROTECTING Canadians’ privacy in a digital universe is a growing challenge.

Just how big that challenge has become was reflected in recent stories that underline the different ways Canadians’ personal information is not as secure as it should be.

The outcry after Immigration Minister Jason Kenney’s MP office emailed thousands of Canadians on Sept. 14, to boast about government efforts to protect gay refugees, focused on a simple question: How did the politician get those addresses?

Turns out Mr. Kenney’s office captured email addresses from letters that had been automatically sent to him whenever someone had signed a 2011 online petition protesting the deportation of a gay artist from Nicaragua.

Despite the widespread concern over what had happened, however, federal privacy commissioner Jennifer Stoddart’s office last week said that, based on what was known, they lacked jurisdiction.

Which points to an ongoing, glaring weakness in Canada’s laws protecting personal information. Though they collect vast amounts of personal data about voters, political parties in Canada are not, for the most part, bound by federal privacy legislation.

A study commissioned by Ms. Stoddart’s office and released last March found that Canada was one of just a few democratic countries lacking such protection. A poll done for the privacy commissioner’s office two years ago showed 92 per cent of Canadians wanted privacy laws to also cover political parties.

Earlier this month, Elections Canada’s chief electoral officer, Marc Mayrand, said the agency, in the wake of the robocalls scandal last spring, was examining possible regulations to control the huge databanks on voters held by political parties. It’s unclear, however, how comprehensive such regulations could be.

Meanwhile, Ms. Stoddart last week also issued a warning to 11 large commercial websites in Canada that were sharing consumers’ personal data without permission.

It’s time the federal government put enough “teeth” in Canada’s privacy laws to make offenders respect their “bite” — and it’s past time the privacy commissioner was given the power to bring political parties to heel, too.

Who polices political parties' privacy practices? Nobody.

The recent minor scandal resulting from the Immigration Minister's mass e-mailing to members of the LGBT community has again focused attention on the fact that Canadian political parties are beyond the jurisdiction of Canada's public sector and private sector privacy laws.

See: Political parties operate outside Canada's privacy laws - Politics - CBC News.

This is not the first time that this gap has been noticed. Check out a few of the past examples from this blog by clicking the "political parties" tag.

Political parties can spam you as much as they want

I was contacted this week by a reporter from the Toronto Star inquiring about the legality of Members of Parliament adding constituents' names to the databases of the parties with which they are affiliated. The answer is, either intentionally or unintentionally, politicians have exempted themselves from Canada's privacy laws and Canada's anti-spam law. While it flies in the face of fair information practices, MPs and political parties are free to spam you all they want.

Email to MP lands woman in campaign database - thestar.com

Brendan Kennedy

Staff Reporter

Mary Krohnert wrote her MP earlier this year to voice her concerns about changes to CRTC regulations. The act of civic engagement also appears to have signed her up to receive Conservative attack ads in her email.

The 36-year-old Oshawa resident says she had Tory campaign literature sent to her inbox this week, though she has never signed up for anything to do with the party.

When she called the Conservative party’s Ottawa headquarters to inquire, she says she was told her email address was added to a national campaign database after she wrote her MP — Conservative incumbent Colin Carrie — on a number of different issues in recent years.

“As far as I know I’ve never given consent for my email address to be shared,” said Krohnert, an actor who is studying to become an art therapist. “I was just communicating with my MP.”

Carrie refused to be interviewed for this story through his campaign manager, Judy Pati.

What apparently happened to Krohnert is perfectly legal because political parties are exempt from Canada’s privacy rules, said David Fraser, a privacy lawyer with Halifax-based McInnes Cooper.

“They can collect, use and disclose your personal information without your consent and they can use it for whatever purpose they want.”

Ryan Sparrow, a spokesman for the Conservatives, refused to comment on whether it was common practice for the party’s elected politicians to use constituents’ personal information when campaigning, saying he could not speak on behalf of MPs. He also three-times repeated a statement saying the party is “more than happy” to remove someone’s name “from any distribution list that we have” when requested.

Federal Commissioner drops greeting card inquiry; political parties beyond reach of privacy legislation

Interesting, but not surprising, development:

CANOE -- CNEWS - Canada: Privacy czar drops Rosh Hashanah inquiry:

"OTTAWA - The federal privacy commissioner has quietly dropped her investigation into complaints that Prime Minister Stephen Harper mailed unsolicited Rosh Hashanah greetings, saying she has no jurisdiction over the matter because political parties fall outside Canada's two privacy laws."

Tory database draws ire

There's been a minor bruhaha in Canada over a recent batch of Rosh Hashanah cards sent out by Prime Minister Stephen Harper. Many recipients wondered why they received them and also wondered why the PM's office would have a mailing list indicating their religion.

Former Tory member of parliament blogged about the Tory's Constituency Information Management System (The Turner Report: Nowhere to hide) as the likely source of the lists, and wrote that all manner of info about constituents goes into the political database. I was interviewed last week about the privay law aspects of this:

The Canadian Press: Tory database draws ire of privacy experts for including constituency files

1 day ago

OTTAWA - The federal Conservative party's central database is set up to track the confidential concerns of individual constituents without their knowledge or consent, says a former Tory MP.

The issue spilled onto the floor of the House of Commons on Thursday when Garth Turner, the expelled Tory-turned-Liberal MP, accused Prime Minister Stephen Harper of an "unethical invasion of Canadians' privacy."

Privacy experts agree the practice is a clear breach of standard privacy ethics - but probably not the law, because federal political parties fall into a legislative grey area.

A recent mailing by the prime minister to some Jewish households, and households with Jewish-sounding names, highlighted the micro targeting that sophisticated modern databases now facilitate.

The Rosh Hashanah greeting from Harper prompted several recipients to complain to the federal privacy commissioner, who has begun a preliminary inquiry.

It's cast a light on the 21st century art of political communication that may make some Canadians uneasy.

Virtually all federal and provincial parties have computerized databases, but the federal Conservatives are the acknowledged leader in the field of data management and mining.

Their fundraising efforts, based on small donations by thousands of donors, are unparalleled in federal politics.

Both the federal Liberals and the NDP have separate databases for constituency work and voter tracking. Data does not migrate between the two.

But the Conservatives use a single clearing house for all data collection, storage, datamining, mailing lists, voter tracking and any other partisan use such information may serve.

Turner, the Liberal maverick who was elected as a Conservative in 2006 and subsequently turfed from the party, says every Conservative MP is required to use something called CIMS, an acronym for Constituent Information Management System.

CIMS is used not only to track voter allegiance in a given riding - something every political party attempts - but also a host of other data gathered in the course of an MP's constituency office duties.

"Any time a constituent is engaged with the member of Parliament, they get zapped into the database," Turner said in an interview. "It's unethical and it's a shocking misuse of data.

"Because once you cotton on to what's going on here, it's not good constituency work at all to allow that data to fall into any kind of hands. But the party is desperate to get more and more data in there because the primary use is fundraising. The secondary use is voter tracking to get out the vote."

Logging constituent files in a central party database that may also be used as part of election planning, fundraising, advertising strategy and policy deliberation appears to be clearly offside, two nationally respected privacy experts told The Canadian Press.

"If somebody contacts their MP because they're having a problem with their CPP benefit or their military pension, they don't expect to end up on a mailing list for a political party," said David Fraser, a Halifax lawyer who specializes in privacy issues with the firm McInnes Cooper.

"If they are going to end up on a mailing list, I think there's an ethical obligation to inform them and give them the opportunity to opt out."

Michael Geist, a law professor who serves as the Canada research chair of Internet and e-commerce law at the University of Ottawa, agrees.

"When you're going to your local MP with a concern or a problem, there is a certain level of confidentiality," said Geist.

"The notion that it's simply a data point that gets used to characterize the particular constituent could have a bit of a chilling effect."

Nonetheless, the Conservatives are likely within the letter of Canada's privacy laws, because they are neither a government agency nor considered a commercial operation.

Geist argues that political parties' fundraising efforts might make them liable under the commercial privacy law, known as PIPEDA, but Fraser says the legislation as written suggests otherwise.

"Generally, political parties aren't regulated with respect to how they collect, use and disclose personal information," said Fraser.

The Conservatives, who openly boasted about their state-of-the-art CIMS database after purchasing it in 2004, now refuse to discuss it.

"I will not talk about internal party databases," said party spokesman Ryan Sparrow. "I'm not disclosing what is in our database, who is in our database."

When asked if Canadians can request to see their file on the CIMS database, Sparrow responded: "What would be their specific need to see?"

Asked a second time, Sparrow shut down the inquiry.

"I'm not going to help you with your story. It's internal party matters."

The Liberal party says it voluntarily follows the principles of PIPEDA - including showing any individual who asks what is on their file - even though the act does not apply to political parties.

"We do not keep any information on individuals without their expressed consent," said Elizabeth Whiting, the party's communications director.

The NDP also said citizens are free to ask to see their file, although the party is not aware it has ever received such a request.

Fraser said political parties, regardless of the law, should follow the best-practice standards established by the Canadian Standards Association, upon which both federal privacy acts are based.

"Those best practices, which are almost universally recognized in most western democracies, would suggest that political parties should give notice, get consent and provide people access to their information," said Fraser.

"Whether or not they choose to do that would speak volumes to how they see themselves as responsible custodians of this personal information."

The St. John's Telegram is calling for the system to be stopped.

The Telegram, St. John’s: Editorials Someone is watching you

The Telegram

Maybe Big Brother now has a name. Maybe it’s Stephen, as in Stephen Harper. Or maybe it’s CIMS, the acronym for the federal Conservative party’s computerized Constituent Information Management System.

Garth Turner, a former Tory Member of Parliament who now sits as a Liberal, has now said that when he sat as a Tory, Conservatives were required to use the system to not only track a constituent’s allegiance to the party, but also to collect personal information about constituents that might come to light when the constituent contacted the parliamentarian.

“Any time a constituent is engaged with a member of Parliament, they get zapped into the database,” Turner said. “It’s unethical and it’s a shocking misuse of data.”

For their part, the Tories have now denied gathering partisan data through the regular daily work of Members of Parliament. At the same time, they have been tremendously tight-lipped about what information is being collected and how it’s being used: when Turner first made comments about CIMS, Conservative officials flatly refused to talk about the system, and eventually would only say “No information in CIMS is compiled through MP casework.”

Beyond that, the spokesman would only say “I will not talk about internal party databases. … I’m not disclosing what is in our database, who is in our database.”

CIMS is already under increased scrutiny, after Jewish families began receiving unexpected Rosh Hashanah greetings from Prime Minister Stephen Harper. Some of the families, especially non-practising Jewish families, found the greetings unsettling.

CIMS is also believed to be tracking information collected by responses to Parliamentary mail-outs.

The system has been touted as the most advanced tracking system for constituents in the country — it’s also one of the strongest systems for collecting small donations by scores of ordinary donors.

The issue, however, is how much personal information the Conservative party is collecting, especially because strict federal privacy laws that apply to businesses in Canada — and others who have their hands on personal information — don’t seem to apply to political parties.

There’s a simple answer to the questions being raised about CIMS, and it can be spelled out in the concept of what’s fair for the goose, is fair for the gander. Companies across the nation have done backflips to ensure that they live up to the letter and the intent of commercial privacy laws, and political parties should be required to live up to the same standard.

If it’s an abuse for a business to stockpile personal data for commercial reasons, it should be illegal for a political party to stockpile the same sorts of information for use in its political business.

The federal Conservatives have no more right to trade on details about your age, religion, personal sexual preferences or interests than anyone else does. Governments collect massive amounts of statistical information, and have a duty to keep that information private.

CIMS is blurring the line between the use and the abuse of personal, private information.

It’s about time this tracking system was stopped in its tracks.