At a glance
- UK GDPR Article 5(1)(a) is concerned with lawfulness, fairness and transparency.
- Lawful processing means you must have an appropriate lawful basis (or bases if more than one purpose) for processing personal data and you must also process it lawfully in a more general sense.
- Fairness means handling personal data in a way individuals expect and not using it in ways that lead to unjustified adverse effects. You must consider the fairness of your processing.
- In order to process personal data in a transparent manner you must be clear, open and honest to individuals and comply with the transparency obligation of the right to be informed.
In more detail
Introduction
The first data protection principle, listed in Article 5(1)(a) of the UK GDPR says:
“1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’)”
This is the cornerstone of data protection law. The three elements of lawfulness, fairness and transparency overlap, but you must make sure you satisfy all three. For example, it’s not enough to show your processing is lawful, if it is fundamentally unfair to or hidden from the individuals concerned.
What does lawfulness mean?
There are two key aspects to lawful processing.
Firstly, you must have an appropriate lawful basis for processing personal data for your particular purpose(s). The lawful bases of most relevance for processing in political campaigning are covered in detail in the section on lawful bases.
Secondly, lawfulness means that you don’t do anything with the personal data which is unlawful in a more general sense. This includes statute and common law obligations, whether criminal or civil. If processing involves committing a criminal offence, it is obviously unlawful. However, processing may also be unlawful if it results in other breaches such as duty of confidence, contractual agreements, or the Human Rights Act 1998.
As well as the Privacy and Electronic Communications Regulations, it is worth highlighting that electoral law in particular is of great relevance to political campaigning. This interacts with data protection law in many areas, particularly around the use of electoral register data.
You must ensure you fully comply with other laws. If you don’t, then you could risk breaching UK GDPR as well as committing an offence or civil breach in another area.
What does fairness mean?
In general, fairness means that you should only handle personal data in ways that people reasonably expect and not use it in ways that have unjustified adverse effects on them.
Assessing whether you are processing data fairly depends partly on how you obtain it. In particular, if anyone is deceived or misled when you obtained the personal data, then this is unlikely to be fair.
Similarly, the way in which you use personal data is also important. The purpose of political campaigning is by nature to influence individuals’ opinions and persuade them to vote in particular ways. Processing personal data for this purpose and in particular using it to profile and micro-target individuals with political messaging, can raise ethical questions both for individuals and for society at large. You should feed these ethical questions about personal data use into any assessment you make of fairness.
Because of the competitive nature of political campaigning sometimes campaigners might be inclined to utilise innovative methods to engage with voters, without necessarily thinking of the underlying fairness of doing so. Examples include new data analytics and micro-targeting methods, as well as innovative automated calling systems. You must carefully consider how fair it is to use the methods you are using. In other words, in order to process personal data fairly, you need to stop and think not just about how you can use personal data, but also whether you should. This should link to your DPIA.
What does transparency mean?
Linked to fairness is transparency. Transparent processing is about being clear, open and honest with people from the start about who you are and how and why you use their personal data.
This is of fundamental importance when using personal data in political campaigning. Often you have no direct relationship with individuals. You collect the data from the electoral register and other sources. In many cases, individuals may have no idea that you are collecting and using their personal data and this affects their ability to assert their rights over it. This is sometimes known as “invisible processing”.
People need to have confidence in the democratic process and a part of that is trusting that you are not using their personal data to influence their voting behaviour in ways they don’t expect.
You must ensure you are transparent throughout your processing, such as when responding to right of access requests or in carrying out DPIAs. The most significant aspect to this is the right to be informed. This is discussed in more detail in the section on collecting personal data.
Further reading
For more guidance on lawfulness, fairness and transparency, see the Guide to the UK GDPR.