Political parties in British Columbia are required by law to tell individuals what information they’ve collected about them, how they are using it, and with whom they’ve shared it.
But when I asked what the three main provincial parties knew about me, all I got was a partial response from one of them. The other two didn’t respond to the initial request at all.
“Just simply not responding obviously is the worst-case scenario, but providing a partial response is not adequate either,” said Bradley Weldon, the acting deputy commissioner in British Columbia’s Office of the Information and Privacy Commissioner.
The province’s Personal Information Protection Act, which the OIPC enforces, applies to the private sector, which includes the political parties. The OIPC launched an investigation in September to find out how the parties are interpreting B.C.’s privacy law and to develop guidelines so they understand what is and isn’t authorized under the Act. It expects to release the report within a couple of months.
“People should be encouraged to seek the information that organizations have about them and to ask them to whom it’s being disclosed,” Weldon said in a phone interview. “The more people hold organizations accountable, the more organizations will be careful in what they’re doing.”
If people aren’t satisfied with the response they get from an organization, they should contact the OIPC, he said. “We don’t want to have the situation that you had where you just were ignored ... They have a right to that information under PIPA.”
He added, “The more people exercise them, the more their rights will be respected.”
Data driven campaigns
Making use of data from multiple sources has become standard for modern political parties. At the BC Liberal Party convention in 2016, speaker Jim Messina talked about how when he worked managing Barack Obama’s re-election campaign in 2012, the team had 700 points of data on individual voters.
After the Brexit vote in 2016, campaign disclosures showed that Vote Leave campaigners spent £3.5 million — about $5.75 million — with AggregateIQ Data Services Ltd., a digital advertising company on the other side of the planet from the U.K. in downtown Victoria.
That was more than the Leave side paid any other company or individual during the campaign and about 40 per cent of its spending ahead of the referendum that saw Britons narrowly vote to exit the European Union. AggregateIQ develops advertising to be used on sites such as Facebook, Twitter and YouTube, then targets messages to audiences who are likely to be receptive.
The Tyee reported in March on the links between AggregateIQ and SCL Group, whose website says it has worked to influence election outcomes in 19 countries. Its associated company in the U.S., Cambridge Analytica, has worked on a wide range of campaigns, including Donald Trump’s presidential bid.
AggregateIQ’s roots are in the federal and provincial Liberal parties in Canada. Its CEO is Zack Massingham, who reportedly worked as a volunteer on Mike de Jong’s losing BC Liberal leadership campaign in 2011. Chief operating officer Jeff Silvester was executive assistant to former Liberal and Reform Party MP Keith Martin.
Elections BC records show Massingham gave the BC Liberal Party $1,250 in 2015 and the company is currently working on Todd Stone’s campaign to lead the BC Liberals.
The U.K.’s Information Commissioner, Elizabeth Denham, who held a similar position in B.C., announced in May a formal investigation “into the use of data analytics for political purposes.”
The investigation is complicated, she wrote. “It’s a complex and far-reaching investigation, involving over 30 organisations including political parties and campaigns, data companies and social media platforms. Among those organisations is AggregateIQ, a Canadian-based company, used by a number of the campaigns.”
In B.C., the OIPC is reviewing whether AggregateIQ is complying with PIPA.
A BC Liberal spokesperson assured me in March that the party wouldn’t hire AggregateIQ to work on the 2017 provincial election campaign and that it hadn’t hired the company for the 2013 campaign.
Nonetheless, I wondered what data the province’s main parties were collecting, how they might be using it, and whether any of them were sharing it with AggregateIQ or other similar companies.
One way to find out was to make a request under the Personal Information Protection Act. When an individual asks, political parties and other groups in the private sector have 30 days to provide any personal information under its control about the person, details of how it has been used or is being used, and the names of any individuals and organizations the organization has disclosed it to.
Citing the Act, I made a formal request to the three parties last May, using the email addresses they provide to the public on their websites. In the requests, I mentioned that I’m a news reporter and gave enough information that they could find me in any records they might have. I wrote that I was making the requests as a private individual and asked that it apply to the party’s constituency association where I live as well.
Within a week, I had a response from the BC Liberal Party’s privacy officer, Kevin Tang. The party knew my full name, my residential address, my mailing address, the riding I live in and the number for the polling station where I would vote.
In the “support” section they had me marked as a “will not say,” which is what I always tell canvassers, a response they dated to May 2009. They also knew that I had voted in 2017.
“This reflects what the Party and the local riding association have on file for you,” Tang wrote. “The information would have been used for Voter ID purposes.”
Failure to respond
The response from the BC Liberal Party did not, however, include anything about individuals or organizations to whom the information may have been disclosed, and Tang did not respond to follow up messages about that part of the law.
While the BC Liberal response was incomplete, the BC NDP and the BC Green Party didn’t respond at all.
The automated response from the NDP thanked me for taking the time to write, then warned that the party receives a high volume of messages. “Please be assured that we review all our incoming messages and distribute them to appropriate staff,” it said.
But eight months later I hadn’t received a response. Nor was there a prompt response to a reminder I sent last week, so I put my reporter’s hat back on and wrote to a media contact, who said the party would need a couple business days to respond.
As of Monday afternoon, I was assured a response was on the way, but it hadn’t arrived by publication time.
In April, the Canadian Press Creative Commons Licensed reported that BC Liberal Party president Sharon White had signed a letter to the acting Information and Privacy Commissioner, Drew McArthur, alleging that the NDP was routinely breaking PIPA.
"We have obtained documentation concerning the activities of the B.C. NDP, Strategic Communications, the municipal political parties, Vision Vancouver, Coalition of Progressive Electors and the Surrey Civic Coalition, and B.C. NDP officials in Saanich, B.C., which show serious and ongoing breaches of the Personal Information Protection Act," CP reported the letter saying.
‘Should be very easy’: official
From the BC Greens, the automated response I received last May thanked me and assured me my email was important to them. “Our volunteer-powered response team will get back to you as soon as possible,” it said, adding that due to the high volume of messages it could take a few days.
Not having had a response, I sent a reminder last week and received the same automated message, but this time attributed to a different party official.
A little later, it was followed by an email from Laura Lavin, the party’s executive director, apologizing that the May message had reached the party but not been forwarded to her or the party’s privacy officer. She gave me an address for the privacy officer, and I sent him a message to which I’ve not yet heard back.
Weldon at the OIPC said it’s reasonable to use the addresses the parties provide to the public, especially if there’s confirmation the request has been received. “At that point you’ve provided your request to the organization and at that point the 30 days starts ticking.”
It should be unnecessary to badger the parties for a response, he said. “It should be very easy.”
If an organization fails to respond to a request under PIPA, the requester can complain to the OIPC, something I’ve so far chosen not to do. Weldon said the office gets few complaints about the parties, but added that’s likely because few people know the parties are subject to PIPA and few request their personal information from them.
Weldon said the OIPC’s investigation into how the parties are complying with PIPA is related to a change made in 2015, when MLAs voted unanimously to expand the information that would be provided to the parties.
Particularly controversial was a change that would allow them to know whether or not an individual had voted.
Asked what the parties can do with the information they collect, Weldon said, “That is the substance of what we’re trying to sort through with our investigation.”
One of the challenges, Weldon said, is the parties collect information from multiple sources, including from Elections BC, canvassing, petitions, event attendance and fundraising. “It all obviously is going to be mixed up in their database, and how do they keep track of what right they have to treat information in a certain way based on it’s source, when maybe there’s just one profile for ‘Andrew MacLeod’ and it’s got the information all mixed up.”
And then there’s the question of consent. When a party or other organization is pulling data from many places, then feeding it through algorithms to make predictions about you and your behaviour, it is very difficult for most people to fully understand how their information is being used.
“In order for consent to continue to be meaningful, people really have to understand what it is they are consenting to, which is the main concern that we have,” Weldon said.
Following PIPA, with its requirement that the parties tell individuals what they know about them and how that information has been used, would be a start.