The UK’s data protection watchdog – The Information Commissioner’s Office (ICO) – has issued new guidance to help political parties achieve data protection compliance. The recommendations include:
- Providing the public with clear information at the outset about how their data will be used.
- Telling individuals when they use intrusive profiling such as combining information about those individuals from several different sources to find out more about their voting characteristics and interests.
- Being transparent when using personal data to profile and then target people with marketing via social media platforms.
- Being able to demonstrate that they are accountable, showing how parties meet their obligations and protect people’s rights.
- Carrying out thorough checks on all contracted and potential processors and third party suppliers to gain assurances that they comply with the key transparency, security and accountability requirements of data protection law.
- Reviewing their lawful bases for the different types of processing of personal data used to ensure the most appropriate basis is used.
The new guidance was timely as, in January 2021, the ICO revealed that the Tory party had illegally collected data on the ethnicity of 10 million voters. Addressing a committee of MPs, the information commissioner Elizabeth Denham said that the Conservative party had acted illegally when it collected data on the ethnic backgrounds of voters before the 2019 general election. This data has since been voluntarily deleted.
Following the Facebook/Cambridge Analytica scandal in 2018, the ICO raised concerns about transparency and the use of people’s data in political campaigning. In its 2018 report ‘Democracy Disrupted?’, the ICO looked at whether personal data was being processed lawfully, and whether data subjects knew that their personal information was going to be used for political purposes.
With this report raising serious concerns, the ICO went on to audit seven political parties to assess how they manage data protection. These parties were the Conservative Party, the Labour Party, the Liberal Democrats, the Scottish National Party (SNP), the Democratic Unionist Party (DUP), Plaid Cymru, and the United Kingdom Independence Party (UKIP).
These audits informed the latest recommendations.
According to the ICO:
“All political parties must be clear and transparent with people about how their personal data is used and there should be improved governance and accountability. Political parties have always wanted to use data to understand voters’ interests and priorities, and respond by explaining the right policies to the right people. Technology now makes that possible on a much more granular level.
“This can be positive: engaging people on topics that interest them contributes to greater turnout at elections.
“But engagement must be lawful, especially where there are risks of significant privacy intrusion – for instance around invisible profiling activities, use of sensitive categories of data and unwanted and intrusive marketing. The risk to democracy if elections are driven by unfair or opaque digital targeting is too great for us to shift our focus from this area.”
The ICO will be following up on its audits by asking the political parties to demonstrate the improvements they have made in response to the latest data protection guidelines. Failure to take these recommendations seriously could result in further regulatory action.