Breaking the rules
Many businesses in this country are well familiar with a piece of federal legislation known as PIPEDA — the Personal Information Protection and Electronic Documents Act.
Organizations and companies know that PIPEDA has some interesting rules about data collection: if you collect personal data from someone, you have to reveal that you’re doing it and what you’re collecting it for.
As a result of the recent robocall scandal, much attention has been focused on the federal Conservative party and its Constituent Information Management System (CIMS), which was designed to track Conservative supporters and help raise money for the party organization.
The personal information in CIMS may include — but is not limited to — your name, home address, home telephone number, email address, birth date, electoral district, religious faith and federal voting intentions.
The information has apparently also been used to ascertain where Conservative candidates should focus their efforts, and which citizens it would be better for them to avoid — it may also have been used to direct misleading phone calls about polling station changes to voters.
I understand that some Conservative constituents may have willingly agreed to be included on this database, and that is all fine and good.
However, it has also become clear through recent news stories on the robocall scandal that Conservative officials collected information on individuals who did not support the Conservative party and may not have been informed about the purposes the information was to be used for. For example, Conservative officials have confirmed that the names used for robocalls in the district of Guelph, Ont., matched their list of non-Conservatives in CIMS.
I’m not aware if the Conservative party collected information about me in their CIMS system. I am aware they contacted members of my household during the last federal election and asked pointed questions about voting preference. They did not at any time indicate that any information would be stored, or what the information would be used for.
That raises a number of PIPEDA issues. Here are a few sections of the act that call into question whether the party has broken these rules.
4.3 — Consent — The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information …
4.3.1 — Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when an organization wants to use information for a purpose not previously identified).
4.3.2 — The principle requires “knowledge and consent.” Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
As well, there’s this: 4.4.1 — Organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified. Organizations shall specify the type of information collected as part of their information-handling policies and practices, in accordance with the Openness principle (Clause 4.8).
4.4.2 — The requirement that personal information be collected by fair and lawful means is intended to prevent organizations from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.
4.5 — Limiting Use, Disclosure, and Retention — Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
Now, the Conservative party might argue that they did not intend the information to be used to make fraudulent polling-station change robocalls. Well, there’s a section for that as well.
4.7.1 — The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.
I’m going to forward my concerns about the possible storage of my personal data to Canada’s privacy commissioner.
Maybe plenty of other Canadians should, too.
Russell Wangersky is The Telegram’s editorial page editor. He can be reached by email at email@example.com.