The Green Party posted sensitive and personal information belonging to its members and supporters online, violating the party’s own internal rules.
Tens of thousands of names, phone numbers, addresses and other sensitive items of information were left available online, accessible through the party’s website.
It’s not clear how long the information was available online. CBC was made aware of potential concerns about Green Party data on Tuesday. Access to the Google Drive document that contains the information closed down on Thursday after CBC contacted the party.
One privacy expert said posting the personal information online qualifies as a breach of trust.
“Appalling,” said Ann Cavoukian, the head of Toronto Metropolitan University’s Privacy by Design Centre of Excellence and a former Ontario information and privacy commissioner.
“I’m sorry, I just find that so appalling that the Green Party would post this information, make it publicly available.”
CBC did not find any credit card or financial information in the files — but names, addresses, postal codes, phone numbers, birthdates, internal party documents and training videos were all available for viewing and downloading. The information was stored in the cloud in a Google Drive.
It’s not clear how long the data was available online. The folders and files were date-stamped July 2022.
CBC viewed spreadsheets marked “voters list” that belonged to former 2020 Green leadership candidates Dylan Perceval-Maxwell, Andrew West, Amita Kuttner, David Merner, Glen Murray, Judy Green, Courtney Howard and Annamie Paul.
Paul won that leadership race; she resigned a year later following an internal political struggle over her leadership. Her voter list had 26,000 rows of voter information exposed when it was posted online.
Some information from the campaign of Dimitri Lascaris, who placed second in the 2020 leadership race, was also shared online.
Greens shut down access
The party immediately restricted access to its Google Drive after CBC contacted the Greens.
The party ended 2022 with the return of former leader Elizabeth May to the top job and a new executive director, Kevin Dunbar. In a statement, Dunbar said the party has “been tirelessly reviewing” its internal systems and website.
“The information you refer to was never meant to be publicly available and has now been removed,” he said in the statement.
“We take data security seriously and have already begun investigations into how it ended up in a publicly available section of our website.”
Estranged Green Party member Saul Bottcher saw some of his own personal information released online. Bottcher volunteered for the party on policy, membership reviews and a leadership campaign.
He quit the party after he and an internal party report concluded last year that a former member was expelled through a flawed process.
Bottcher called this privacy lapse “serious” but not surprising since the party laid off staff when it was struggling financially in 2021 and 2022.
“People are stretched thin and it’s impossible to keep up the same level of execution of everything,” Bottcher told CBC News. “So it was inevitable that there would be mistakes made.”
Elections Canada calls for stricter rules
And while Canada’s Elections Act requires political parties to develop privacy policies, they face no consequences for violating such policies.
In a recent report, Chief Electoral Officer Stéphane Perrault said political parties should fall under the Personal Information Protection and Electronic Documents Act, or PIPEDA — a federal law that governs how the federal private sector collects, uses and discloses information.
“Elections Canada continues to hold the view that applying these privacy principles to political parties is the best approach moving forward,” Perrault said in the report.
As it stands, he added, “there are no provisions requiring them to actually take measures to protect personal information.
“Further, there is no oversight mechanism to monitor whether parties actually abide by the contents of their policies.”
Then-federal privacy commissioner Daniel Therrien noted in 2021 that lawmakers had “declined” to bring their political organizations under federal information and privacy laws.
May herself has said that political parties should “play by the rules.”
Many political parties maintain databases of information on voters. Interactions with voters are used by party workers as openings to collect and store voter information, and to share it with their organizing teams and headquarters.
Along with the sensitive voter information, the Green Party openly posted a number of video tutorials on how to turn interactions with voters into opportunities to collect data.
In one such video, volunteers are told that door-knocking or canvassing campaigns with candidates, fundraisers, email subscriptions and Zoom webinars offer openings to gather information about voters.
The voter data collected by Green Party workers is entered into the party’s in-house online platform, GVote. It can then be cross-referenced with the voters list to target potential supporters. Many other political parties do the same thing.
This is not the first time the Greens have posted the personal information of voters. In 2019, the party removed from a Google Drive similar training videos that contained voters’ personal information. The party apologized.