ICO Announce Audits Investigating Data Protection Practices of Political Parties
11 Nov 2020
Today (11th November) the ICO has released a report analysing the data protection practices of UK political parties following audits into their data processing and collection activities. This follows the Democracy Disrupted report into the use of data analysis in a political context last year.
The report established some common issues across the political spectrum, mainly centred around the lack of transparency and accountability. The ICO made recommendations for improvement to all political parties that they audited, with 70% of the advisories classified as urgent or high priority.
The ICO audit covered the management structures, policies, and procedures of these political parties to ensure that the appropriate data protection principles are embedded into the political parties and are not just an afterthought. The report also investigates Data Protection Impact Assessments, accuracy of records and the use of data brokers and social media for campaigning.
The report identified that 45 million people in the UK are of voting age, and therefore could be targeted by political parties. All political parties make use of the full electoral register, the marked register (identifying voters), direct data collection and publicly available data such as census data.
All political parties in the UK collect and process data for political campaigning, although the report identified Labour, the Conservatives and the Liberal Democrats as the parties that process the most data, including data obtained from commercial data brokers.
At the time of the audits conducted by the ICO, the SNP, DUP, Plaid Cymru and UKIP did not source any commercially available data.
The report notes that all political parties need to improve their privacy information and ensure that the Article 13 “Right to be Informed” requirement is satisfied. The parties must also improve their transparency around profiling and retargeting and ensure that the information is as clear and concise as possible.
The next key finding relates to the lawful basis for processing. The ICO recognises three lawful bases that can apply here: Public Task (Democratic Engagement), consent and legitimate interests. The report identifies that relying on Public Task for non-electoral roll data is not appropriate, as Article 6(3) needs specific European or local law to lay down authority or identify a relevant task. If there is no separate domestic or EU law to support the use of the public task basis, then an alternative lawful basis must be applied, or processing should cease. Switching lawful basis can be extremely difficult and a DPIA must be conducted to assess the risk to the data subjects.
The third key finding relates to profiling. The ICO noted some key issues with invisible profiling, inaccurate automated decision making and unwanted direct marketing that resulted from potentially unlawful profiling conducted by the political parties.
Other key findings include systematic issues with social media marketing and campaigning. The ICO recognises that the data protection issues are complex and that issues lie with social media companies and other organisations involved. The ICO highlighted that due diligence is important to ensure that the appropriate privacy information is available on social media platforms and that the processing is lawful.
The last key finding is centred around accountability. Here the ICO states the need for political parties to document their data protection compliance, bolster their staff training from MPs down to local volunteers, implement processes to enable DPIAs to be conducted effectively, make data protection a board-level issue and promote privacy-by-design.
The DMA welcomes the investigation and report from the ICO. Overall, it will encourage political parties to align with many other businesses who have worked hard to embed privacy-by-design into their culture to ensure transparency and fairness in the processing of personal information.
Chris Combemale, CEO, Data & Marketing Association said:
“The ICO’s report analysing political parties’ data protection practices highlights a number of compliance issues with current data protection law. While it is good that the parties have made commitments to rectify shortcomings, it has come several years after the GDPR’s implementation which is concerning. It is the duty of every person within an organisation to know their responsibilities under the GDPR and compliance must be exhibited through all marketing and communication channels, including websites.
“Organisations who are able to demonstrate that they uphold the values of the GDPR help to build public trust in data sharing. So it is essential for political parties to take sufficient care to comply with the laws put in place to protect public data. We must continue to raise awareness of these laws and regulations not only at party bureaucracy level, but among MPs and political representatives too, if the UK is to continue spearheading initiatives that help to enhance global data protection standards.”
Please feel free to contact me at George.Jones@dma.org.uk if you would like to discuss this report from the ICO or any of the issues raised within the report.