Letter to the Standing Senate Committee on Rules, Procedures and the Rights of Parliament on its study on the inclusion of provisions relating to e-petitions into the Rules of the Senate

May 14, 2026

The Honourable Peter Harder, P.C., Senator
Chair, Standing Senate Committee on Rules, Procedures and the Rights of Parliament
The Senate of Canada
Ottawa, Ontario  K1A 0A4

---

Dear Chair:

Thank you for seeking my views regarding your study on the inclusion of provisions relating to e-petitions into the Rules of the Senate.

As you may be aware, the Office of the Privacy Commissioner of Canada (OPC) made a submission to the House of Commons Standing Committee on Procedure and House Affairs (PROC) in November 2014 regarding Motion 428, which concerned the establishment of an “electronic petitioning system that would enhance the current paper-based system”.^{Footnote 1} The considerations raised in that submission remain relevant today as your Committee proceeds with its study.

As Privacy Commissioner of Canada, my mandate is to oversee compliance with both the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). The Privacy Act governs how federal government institutions handle personal information and PIPEDA governs how personal information is handled by private sector organizations in the course of their commercial activities. Neither of these Acts apply to Parliament, members of Parliament or to federal political parties.

Privacy is an internationally recognized fundamental right and a central value of our society, one which is both an essential precondition for citizens’ other freedoms, as well as a keystone right for democracy. As outlined in the Joint Statement on Privacy and Democratic Rights that I published with the United Nations Special Rapporteur for Privacy in December 2023, the right to privacy underpins the personal flourishing and development of individuals as citizens, as well as their exercise of social and political freedoms and participation.^{Footnote 2} This would reasonably extend to a citizen’s participation in the petition process, given its purpose of drawing attention to an issue of public interest or concern.

As outlined in the OPC’s 2014 submission to PROC, underpinning many data protection laws around the world, including PIPEDA, are ten key privacy principles. These include Accountability, Identifying Purposes, Consent, Limiting Collection, Limiting Use, Disclosure and Retention, Accuracy, Safeguards, Openness, Individual Access, and Challenging Compliance. I will touch upon a few principles that are particularly pertinent in the context of your consideration of e-petitions, however, more information on each is also available on my Office’s website should it be of interest.^{Footnote 3}

Limiting collection

Electronic petition systems should only collect the minimum amount of personal information necessary for the purposes specified, whether it is to authenticate signatories or administer the e-petition process. The collection of unnecessary personal information should be avoided where the outlined purposes can reasonably be obtained through less intrusive means. Even if certain information is necessary to be collected, consideration should be given to only publishing the minimum amount of information required. For example, if possible, consideration should be given to publishing the number of signatories in lieu of names and addresses, or to using anonymous or pseudonymized information, particularly in cases where the petition subject involves sensitive political, social or personal matters.

I note that during the April 14, 2026, meeting of the Committee a question arose regarding the level of detail required for the collection and publication of petition signatories. On the question of individuals’ home addresses, I would draw your attention to a review by the Ontario Legislature in 2016 that recommended that although signatories must provide their full name, valid email address and postal code, there is no necessity for any of this information to be published online.^{Footnote 4} It is my understanding that the House of Commons petition site displays only the total number of signatories associated with each province or territory, with no personal information being published.

Openness

Before participating in an e-petition, individuals should be provided with specific information about policies and practices relating to the management of personal information as part of the petition process. The information should be readily accessible and provided in an understandable form. As outlined in my Office’s Guidelines for obtaining meaningful consent^{Footnote 5}, key elements to inform individuals about include:

• What personal information is being collected
• With which parties personal information is being shared
• For what purposes personal information is collected, used or disclosed
• Risk of harm and other consequences

Individuals should also be provided with clear information to understand the distinction between any publicly visible e-petition information and information that will instead be retained internally for administration purposes.

Limiting use, disclosure and retention

Personal information should not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or if is it required by law. Additionally, personal information should only be retained as long as necessary for the fulfilment of the initial purpose(s).

In the context of e-petitions, this means that information should not be repurposed or disclosed to third parties for unrelated governmental, political, profiling, or analytics activities. Petition participation should not be used to infer political beliefs, affiliations or activities. If information is used for authentication purposes and is not published as part of the e-petition, it should generally be disposed of following authentication, unless there is a legal requirement to retain the information for a longer period of time.

Safeguards

Personal information collected as part of an e-petition should be protected by security safeguards appropriate to the sensitivity of the information. Given the potential sensitivity of information related to civic engagement of this nature, e-petition systems should have robust technical safeguards. Safeguards should protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.

Access to personal information should be restricted and measures put in place to protect against unauthorized access. In the event that e-petition data may be subject to a privacy breach, it is important to have incident response protocols, including notification procedures, in place. The OPC has numerous breach-related resources available, including on how to prevent a breach, as well as how to assess and contain breaches when they occur.^{Footnote 6}

I thank you for your invitation to share my views on this timely topic, as new forms of digital advocacy continue to grow in popularity here in Canada and around the world. Please do not hesitate to contact my Office if I can be of further assistance to your ongoing consideration of the matter before your Committee.

Sincerely,

c.c.: Céline Ethier, Clerk of the Committee