In November the ICO published a report of their audits of seven political parties in the UK. They identified some common themes where political parties needed to improve their compliance with data protection. We look at the recommendations identified for improving the provision of privacy information about the data used by the parties to build up a picture of our voting habits.
The Right to be Informed
The GDPR defines the right to be informed of data collected and processed by an organisation where they are collecting it directly from the individuals. The notification to the individual should be made at the time that data is collected, so that they can withhold it if they are not happy with the purpose or some other aspect of the processing. The information provided should be comprehensive yet brief, written in clear, plain language, so that individuals will understand how their data is being used.
The ICO review identified that the parties audited need to:
• be more transparent about the processing that is taking place to profile or target individual voters with advertising as part of political campaigning activities;
• inform voters who their data is being shared with, what is being shared and why; for example the data that is shared with social media companies;
• clearly set out within privacy notices where they obtained the information from, including names of commercial organisations and open sources. The types of data collected, the source of each data set and the purposes for collecting it should be set out for each purpose so that an individual can easily locate the information relevant to them from within the notice;
• provide appropriate privacy information at the door or over the telephone, at the time of collecting personal data;
• be more explicit about the processing that takes place under the public task lawful basis and ensure that, where relevant, they include separate information about the use of public interest for processing special category personal data;
• provide privacy information to all individuals that they process personal data about, for example employees or young party members; and
• provide sufficient details about the retention of personal data.
Where data is sourced from third parties
It is even more important to provide a privacy notice to data subjects when their information has been sourced from a third party. This is because it is harder to exercise subject rights if an individual is unaware of the purpose for which their data is being used and the identity of the data controller. It is also probable that the purpose for using the data will not meet the original purpose for which the collection was intended, so it is important to allow the data subject to exercise his rights if he disagrees with the purpose.
The report shows that all parties who were audited typically obtained data from the following sources:
• The full electoral register, which political parties have a statutory right to access. It contains details about every registered individual in the UK who is of an eligible age to vote, or will reach that age in the next year, and equates to over 45 million voter records.
• The marked register (which is a copy of the electoral register that has a mark by the name of each elector who has voted).
• Directly from individuals, usually gathered by door to door campaigners or over the telephone. The information collected usually included their voting intention but could include answers to a variety of other questions. Parties also collected information electors had themselves placed in the public domain about their political views.
• Publicly available data and other data sets such as census data, election result data, Land Registry data, polling data, social housing data and data sets compiled by government or independent government agencies.
The audits found that where a party had been or was obtaining data from third parties, they were relying on those third parties (and other third parties throughout the supply chain), and on those who initially collected the data, to provide privacy information to individuals.
The ICO do not believe this is sufficient. They recommend that where data is sourced in this way parties should undertake due diligence to make sure that proper privacy information has been provided to individuals on the party’s behalf. If they find that it has not been provided, then they should provide it as soon as possible.
Exemption requires a Data Protection Impact Assessment
There is an exemption to this which requires the parties to undertake a Data Protection Impact Assessment which includes an evaluation of the effort required to provide privacy information, balanced against the impact on the individuals. In consideration of the impact on the individuals, the parties must fully consider whether the data subjects would reasonably expect their data to be shared and used in the way being proposed, specific to the political campaigning purposes. If the assessment finds that it would not be expected, then they should explore all means of providing such information as effectively and efficiently as possible, within a reasonable period of obtaining the data.
Clearly, achieving effective transparency to the UK adult population is challenging and the ICO have recommended that wider, joined-up approaches should also be taken to raise awareness of how data is used in campaigning. The ICO is continuing to work with the Electoral Commission on this recommendation. The right to information about our privacy is one of the fundamental rights in the GDPR. The fact that the pool of data subjects is so large does not mean that data protection principles can be laid aside.
The need for due diligence
When using data collected from sources other than the data subjects, organisations need to ensure that they too carry out due diligence to check that privacy information is being disclosed in an effective manner to the data subjects. When collecting personal data from publicly available sources, always consider the principle that data can only be used for the purpose it was originally collected, and make sure your purpose matches the one for which the data was originally collected.
Let us hope that the work being done now by the ICO will make the process of political campaigning in future elections more transparent and open to scrutiny. You can read the full report on the ICO website.