The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Saturday, October 20, 2007
There's been a minor bruhaha in Canada over a recent batch of Rosh Hashanah cards sent out by Prime Minister Stephen Harper. Many recipients wondered why they received them and also wondered why the PM's office would have a mailing list indicating their religion.
Former Tory member of parliament blogged about the Tory's Constituency Information Management System (The Turner Report: Nowhere to hide) as the likely source of the lists, and wrote that all manner of info about constituents goes into the political database. I was interviewed last week about the privay law aspects of this:
The Canadian Press: Tory database draws ire of privacy experts for including constituency files1 day ago
OTTAWA - The federal Conservative party's central database is set up to track the confidential concerns of individual constituents without their knowledge or consent, says a former Tory MP.
The issue spilled onto the floor of the House of Commons on Thursday when Garth Turner, the expelled Tory-turned-Liberal MP, accused Prime Minister Stephen Harper of an "unethical invasion of Canadians' privacy."
Privacy experts agree the practice is a clear breach of standard privacy ethics - but probably not the law, because federal political parties fall into a legislative grey area.
A recent mailing by the prime minister to some Jewish households, and households with Jewish-sounding names, highlighted the micro targeting that sophisticated modern databases now facilitate.
The Rosh Hashanah greeting from Harper prompted several recipients to complain to the federal privacy commissioner, who has begun a preliminary inquiry.
It's cast a light on the 21st century art of political communication that may make some Canadians uneasy.
Virtually all federal and provincial parties have computerized databases, but the federal Conservatives are the acknowledged leader in the field of data management and mining.
Their fundraising efforts, based on small donations by thousands of donors, are unparalleled in federal politics.
Both the federal Liberals and the NDP have separate databases for constituency work and voter tracking. Data does not migrate between the two.
But the Conservatives use a single clearing house for all data collection, storage, datamining, mailing lists, voter tracking and any other partisan use such information may serve.
Turner, the Liberal maverick who was elected as a Conservative in 2006 and subsequently turfed from the party, says every Conservative MP is required to use something called CIMS, an acronym for Constituent Information Management System.
CIMS is used not only to track voter allegiance in a given riding - something every political party attempts - but also a host of other data gathered in the course of an MP's constituency office duties.
"Any time a constituent is engaged with the member of Parliament, they get zapped into the database," Turner said in an interview. "It's unethical and it's a shocking misuse of data.
"Because once you cotton on to what's going on here, it's not good constituency work at all to allow that data to fall into any kind of hands. But the party is desperate to get more and more data in there because the primary use is fundraising. The secondary use is voter tracking to get out the vote."
Logging constituent files in a central party database that may also be used as part of election planning, fundraising, advertising strategy and policy deliberation appears to be clearly offside, two nationally respected privacy experts told The Canadian Press.
"If somebody contacts their MP because they're having a problem with their CPP benefit or their military pension, they don't expect to end up on a mailing list for a political party," said David Fraser, a Halifax lawyer who specializes in privacy issues with the firm McInnes Cooper.
"If they are going to end up on a mailing list, I think there's an ethical obligation to inform them and give them the opportunity to opt out."
Michael Geist, a law professor who serves as the Canada research chair of Internet and e-commerce law at the University of Ottawa, agrees.
"When you're going to your local MP with a concern or a problem, there is a certain level of confidentiality," said Geist.
"The notion that it's simply a data point that gets used to characterize the particular constituent could have a bit of a chilling effect."
Nonetheless, the Conservatives are likely within the letter of Canada's privacy laws, because they are neither a government agency nor considered a commercial operation.
Geist argues that political parties' fundraising efforts might make them liable under the commercial privacy law, known as PIPEDA, but Fraser says the legislation as written suggests otherwise.
"Generally, political parties aren't regulated with respect to how they collect, use and disclose personal information," said Fraser.
The Conservatives, who openly boasted about their state-of-the-art CIMS database after purchasing it in 2004, now refuse to discuss it.
"I will not talk about internal party databases," said party spokesman Ryan Sparrow. "I'm not disclosing what is in our database, who is in our database."
When asked if Canadians can request to see their file on the CIMS database, Sparrow responded: "What would be their specific need to see?"
Asked a second time, Sparrow shut down the inquiry.
"I'm not going to help you with your story. It's internal party matters."
The Liberal party says it voluntarily follows the principles of PIPEDA - including showing any individual who asks what is on their file - even though the act does not apply to political parties.
"We do not keep any information on individuals without their expressed consent," said Elizabeth Whiting, the party's communications director.
The NDP also said citizens are free to ask to see their file, although the party is not aware it has ever received such a request.
Fraser said political parties, regardless of the law, should follow the best-practice standards established by the Canadian Standards Association, upon which both federal privacy acts are based.
"Those best practices, which are almost universally recognized in most western democracies, would suggest that political parties should give notice, get consent and provide people access to their information," said Fraser.
"Whether or not they choose to do that would speak volumes to how they see themselves as responsible custodians of this personal information."
The St. John's Telegram is calling for the system to be stopped.
The Telegram, St. John’s: Editorials Someone is watching youThe Telegram
Maybe Big Brother now has a name. Maybe it’s Stephen, as in Stephen Harper. Or maybe it’s CIMS, the acronym for the federal Conservative party’s computerized Constituent Information Management System.
Garth Turner, a former Tory Member of Parliament who now sits as a Liberal, has now said that when he sat as a Tory, Conservatives were required to use the system to not only track a constituent’s allegiance to the party, but also to collect personal information about constituents that might come to light when the constituent contacted the parliamentarian.
“Any time a constituent is engaged with a member of Parliament, they get zapped into the database,” Turner said. “It’s unethical and it’s a shocking misuse of data.”
For their part, the Tories have now denied gathering partisan data through the regular daily work of Members of Parliament. At the same time, they have been tremendously tight-lipped about what information is being collected and how it’s being used: when Turner first made comments about CIMS, Conservative officials flatly refused to talk about the system, and eventually would only say “No information in CIMS is compiled through MP casework.”
Beyond that, the spokesman would only say “I will not talk about internal party databases. … I’m not disclosing what is in our database, who is in our database.”
CIMS is already under increased scrutiny, after Jewish families began receiving unexpected Rosh Hashanah greetings from Prime Minister Stephen Harper. Some of the families, especially non-practising Jewish families, found the greetings unsettling.
CIMS is also believed to be tracking information collected by responses to Parliamentary mail-outs.
The system has been touted as the most advanced tracking system for constituents in the country — it’s also one of the strongest systems for collecting small donations by scores of ordinary donors.
The issue, however, is how much personal information the Conservative party is collecting, especially because strict federal privacy laws that apply to businesses in Canada — and others who have their hands on personal information — don’t seem to apply to political parties.
There’s a simple answer to the questions being raised about CIMS, and it can be spelled out in the concept of what’s fair for the goose, is fair for the gander. Companies across the nation have done backflips to ensure that they live up to the letter and the intent of commercial privacy laws, and political parties should be required to live up to the same standard.
If it’s an abuse for a business to stockpile personal data for commercial reasons, it should be illegal for a political party to stockpile the same sorts of information for use in its political business.
The federal Conservatives have no more right to trade on details about your age, religion, personal sexual preferences or interests than anyone else does. Governments collect massive amounts of statistical information, and have a duty to keep that information private.
CIMS is blurring the line between the use and the abuse of personal, private information.
It’s about time this tracking system was stopped in its tracks.
Labels: privacy
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.