Breaking the rules

Russell Wangersky
Send to a friend

Send this article to a friend.

Breaking the rules

Many businesses in this country are well familiar with a piece of federal legislation known as PIPEDA — the Personal Information Protection and Electronic Documents Act.

Organizations and companies know that PIPEDA has some interesting rules about data collection: if you collect personal data from someone, you have to reveal that you’re doing it and what you’re collecting it for.

As a result of the recent robocall scandal, much attention has been focused on the federal Conservative party and its Constituent Information Management System (CIMS), which was designed to track Conservative supporters and help raise money for the party organization.

The personal information in CIMS may include — but is not limited to — your name, home address, home telephone number, email address, birth date, electoral district, religious faith and federal voting intentions.

The information has apparently also been used to ascertain where Conservative candidates should focus their efforts, and which citizens it would be better for them to avoid — it may also have been used to direct misleading phone calls about polling station changes to voters.

I understand that some Conservative constituents may have willingly agreed to be included on this database, and that is all fine and good.

However, it has also become clear through recent news stories on the robocall scandal that Conservative officials also collected information on individuals who did not support the Conservative party and may not have been informed about the purposes the information was to be used for. For example, Conservative officials have confirmed that the names used for robocalls in the district of Guelph, Ont., matched their list of non-Conservatives in CIMS.

I’m not aware if the Conservative party collected information about me in their CIMS system. I am aware they contacted members of my household during the last federal election and asked pointed questions about voting preference. They did not at any time indicate that any information would be stored, or what the information would be used for.

That raises a number of PIPEDA issues. Here are a few sections of the act that call into question whether the party has broken these rules.

4.3 — Consent — The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information …

4.3.1 — Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when an organization wants to use information for a purpose not previously identified).

4.3.2 — The principle requires “knowledge and consent.” Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

As well, there’s this: 4.4.1 — Organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified. Organizations shall specify the type of information collected as part of their information-handling policies and practices, in accordance with the Openness principle (Clause 4.8).

4.4.2 — The requirement that personal information be collected by fair and lawful means is intended to prevent organizations from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.

4.5 — Limiting Use, Disclosure, and Retention — Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

 Now, the Conservative party might argue that they did not intend the information to be used to make fraudulent polling-station change robocalls. Well, there’s a section for that as well.

4.7.1 — The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.

I’m going to forward my concerns about the possible storage of my personal data to Canada’s privacy commissioner.

Maybe plenty of other Canadians should, too.


Russell Wangersky is The Telegram’s

editorial page editor. He can be reached by email at

Organizations: CIMS, Management System, Conservatives

Geographic location: Guelph, Canada

  • 1
  • 2
  • 3
  • 4
  • 5

Thanks for voting!

Top of page



Recent comments

  • Russell Wangersky
    May 09, 2012 - 18:28

    Hi Mark: I did read the legislation. It does not exempt political parties as organizations, and refers to the sale or barter of lists. In the in and out scandal, individual riding associations were purchasing services from the main party - the party maintains the CIMS listing, and I'm curious as to whether individual lists are purchased from the main party for individual riding association use - hence the barter or sale. Russell Wangersky

  • Mark
    May 09, 2012 - 18:11

    If you bothered to read the legislation, you'd see that it applies to "organizations" (which are defined as including "an association, a partnership, a person and a trade union"), but does not mention political parties. In addition, PIPEDA only applies to "personal information that the organization collects, uses or discloses in the course of commercial activities". Political activities are not commercial activities. PIPEDA does not apply to any of the political parties, and that was intentional, just the same way the Liberals exempted political parties from the "do not call" legislation. So I wouldn't waste a lot of valuable time on your complaint to the Privacy Commissioner.

  • Herb Morrison
    May 09, 2012 - 07:38

    Lane, this is good. Someone who chooses to hide behind a pseudonym having the audacity, not to mention the ignorance to criticize Mr. Wangersky's concern for a person's right to privacy, while describing him as stupid.

  • John
    May 08, 2012 - 15:44

    Seems to me Seal Cove and Lane are either being very naive or wilfully obtuse. This IS a major issue, and as far as identifying themselves its hardly useful if the callers are intentionally midsidentifying themselves as another party is it?

  • sealcove
    May 08, 2012 - 11:43

    slow news day we all have to earn our pay one way or another

  • Lane
    May 08, 2012 - 09:33

    Russell, if someone calls you, identifies themselves as a representative of a political party, and asks you questions about your voting intentions, it seems pretty stupid of you to complain that they didn't tell you the information would be recorded. Why would they bother to ask you questions if they weren't recording your answers? There is no privacy issue here. If you don't want a political party (they all survey voters) to know your voting intention, then don't tell them. And ask them not to call anymore. If you choose to answer their questions, you can't fault them for having a record of your answers.

  • Eli
    May 08, 2012 - 08:37

    Thanks for the information Russell. Now, what is the Privacy Commissioner's address. I'd like to get on it right away.

    • Roxanne
      May 08, 2012 - 11:09

      Thanks, I was just trying to find out how I can have my name removed from that list. So I will contact the Privacy Commissioner as well.