In the first data protection audit carried out on political parties in the UK, seven parties have been told by the Information Commissioner’s Office (ICO) to improve the way in which personal data is handled. Specific recommendations have been issued to the Conservative Party, the Labour Party, the Liberal Democrats, the Scottish National Party, the Democratic Unionist Party, Plaid Cymru and UKIP.
(In this instance, this ICO review applies to personal data use by political parties but lessons can be learnt by every entity collecting or handling personal data; the same standards and compliance requirements apply to all entities processing personal data.)
What are the rules?
The use of personal data by political parties is largely seen as beneficial to society; it allows parties to increase public engagement with the democratic political process, particularly with younger voters who are more likely to engage with politics via social media, and therefore increase voter turnout.
Political parties in the UK are able to hold the personal data of millions of people in the UK in order to improve political campaigning. However, as social media and data analysis have developed over time, it has become increasingly difficult for voters to fully understand how their personal data is being used.
Parties must nonetheless use personal information in ways which are transparent and lawful, and they must ensure that the use of that information is understood by those individuals whose data is used. In doing so, they can build and maintain the trust and confidence of those involved in the UK’s political processes.
What were they doing wrong?
The review found that all parties were typically obtaining personal data from four sources: the electoral register, the marked register, directly from individuals (via telephone and door-to-door data collection) and from publicly available data. In addition, some parties used data broking organisations to obtain lifestyle information about individuals.
In respect of privacy information, the parties were not clear with individuals about precisely how their data would be used and, where privacy information was provided, it was not clear and plain enough for the average individual to gain a full picture.
Whilst the majority of the processing for campaigning was covered by a lawful basis for use, the ICO found that the parties were not appropriately applying the lawful bases to the context of the data processing. Where the lawful basis of consent was used, the consent statement did not always meet the necessary GDPR requirements.
In addition, where data was obtained from data suppliers, due diligence was not always being completed to ensure that the data had been collected in a compliant manner, opening up a risk that the data used had been processed unlawfully.
Steps to be taken
The ICO has noted that all parties involved demonstrated a commitment to making improvements to their practices and a ‘genuine desire to respect people’s data protection rights’. Therefore the ICO has adopted a voluntary compliance approach rather than enforcement action.
Key recommendations which the ICO has issued include:
- ensuring that the public is provided with clear information in respect of how their data is used
- informing individuals of the use of intrusive profiling, including using separate sources to gather information about voting characteristics and interests
- transparent targeting of individuals via social media
- considering and reviewing the lawful basis for the processing of personal data to ensure that it is always appropriate
- checking that all contracts, potential processors and third-party suppliers can be held to the same levels of security and accountability.
70% of the recommendations which have been made to the parties have been flagged by the ICO as urgent or high priority. The aim of the recommendations is to help the parties meet the various requirements of accountability and to ensure transparency in the way that personal data is used.
If the parties fail, in the ICO’s view, to take appropriate steps to comply with the recommendations provided, they may find themselves subject to further regulatory action from the ICO which would be highly embarrassing, and would risk a breakdown of trust with voters.