The federal government is refusing to reveal whether the Prime Minister’s Office (PMO) or most cabinet ministers’ offices have experienced any privacy breaches over the last four years. Because Canada’s privacy watchdog has no jurisdiction over those offices, there’s no way to know whether the personal information in their possession has been compromised.

Ottawa is currently reviewing the Privacy Act, which dictates how federal departments and agencies should handle personal information. But it won’t commit to extending the legislation to ministers’ offices and the PMO, which the act does not currently govern.

Scrutiny of privacy practices in Canadian politics has increased since Cambridge Analytica’s alleged misuse of Facebook users’ personal information in the 2016 U.S. presidential election. The Competition Bureau announced this month it would investigate the data practices of the federal Liberal, Conservative and New Democratic parties, following a complaint from the Centre for Digital Rights, a non-profit founded by Jim Balsillie, the former co-CEO of Research in Motion (now BlackBerry). The group has also appealed to the federal and B.C. privacy commissioners, the Canadian Radio-television and Telecommunications Commission and the commissioner of Elections Canada.

The government has not accepted repeated recommendations from both the House of Commons ethics committee and federal privacy commissioner Daniel Therrien to extend existing personal information laws to political parties. The Liberals’ updates to the election law have instead required parties to publish their own privacy policies online.

However, the privacy records of the PMO and ministers’ offices have received less attention.

The Logic asked the PMO and the offices of all 35 current ministers whether they report breaches of personal information to the federal Office of the Privacy Commissioner of Canada (OPC), and for details of any such incidents since November 2015, when the Liberals took over. The office of Treasury Board President Jean-Yves Duclos, who is responsible for the Privacy Act, responded on behalf of the government, but did not answer The Logic’s questions.

“The privacy of Canadians is of the utmost importance to our government and we are committed to safeguarding the personal information of Canadians,” said Karl Sasseville, Duclos’s director of communications. “As required by the Directive on Privacy Practices, all departments report material privacy breaches to the Privacy Commissioner and the Treasury Board Secretariat.”

However, the directive only applies to government institutions covered by the federal legislation on personal information. “Ministers’ offices and the Prime Minister’s Office are not subject to the Privacy Act, nor are they subject to the [Treasury Board’s] policy on privacy breaches,” said Vito Pilieci, a spokesperson for the privacy commissioner’s office. “They do not report privacy breaches to our office.”

Pilieci also noted that since ministers’ offices and the PMO aren’t subject to the legislation, the privacy commissioner can’t accept complaints about potential violations—meaning there is no way for the watchdog to investigate such breaches.

While cabinet bureaus aren’t covered by the Privacy Act, they are subject to the principles on personal information of the Policies for Ministers’ Offices, which include only using such data for the purpose for which it was obtained, limiting access to staff who need it, putting in place security standards to prevent unauthorized disclosure and disposing of it when it’s no longer needed.

Ottawa has seen major scandals involving personal information breaches in the past. In October 2010, the previous Conservative government apologized to Sean Bruyea, a veterans advocate and former military intelligence officer, after the OPC determined that his personal and medical information had been included in two ministerial briefing notes. Current Veterans Affairs Minister Lawrence MacAulay’s office said following that incident, it no longer receives clients’ personal information from the department.

The Liberals are focusing heavily on regulating the use of personal information in their second mandate, promising new online rights for citizens and a new data commissioner to act as a watchdog for large tech firms.

But the government has been slow to act on suggested changes when it comes to the government and political institutions. In December 2016, the House privacy committee recommended the Privacy Act’s scope be extended to ministers’ offices and the PMO, echoing Therrien’s calls.

Their exemption is a relative exception among governments in Canada—privacy legislation in at least eight provinces covers the offices of premiers and those of cabinet members, by provincial privacy legislation, although many jurisdictions do not have mandatory breach-reporting requirements.

Sasseville said Justice Minister David Lametti is currently reviewing the Privacy Act with input from Duclos. The government is “currently developing potential options to modernize [the legislation],” he said, adding that it will take “take into account the views of a variety of interested stakeholders” including the ethics committee, and that the justice department solicited feedback from experts last year.

Some other cabinet members did respond to The Logic’s questions. The offices of Defence Minister Harjit Sajjan, Innovation Minister Navdeep Bains and Transport Minister Marc Garneau all said they have suffered no material breaches of personal information since 2015. Todd Lane, Sajjan’s press secretary, said all personal-information incidents within the defence department and Canadian Armed Forces “are tracked, reviewed and resolved by the Director, Access to Information and Privacy and their staff.”

Three other cabinet offices have only recently been set up, after Prime Minister Justin Trudeau appointed Middle Class Prosperity Minister Mona Fortier, Youth Minister Bardish Chagger, and Digital Government Minister Joyce Murray to independent portfolios in November 2019.

The OPC has continued to call for ministers’ offices and the PMO to be brought under the legislation. It included the ask in a submission to the justice department team preparing transition files for the incoming minister, according to documents obtained by The Logic via access-to-information request. “Extending coverage of the Privacy Act in that way would be consistent with one of the fundamental purposes for which Agents of Parliament [like the OPC] were created: as a window into the activities for the executive branch of government,” said Pilieci.

Continue the conversation on The Logic Council, our subscriber-only Slack channel.