The Information Commissioner’s Office (ICO) has set out how seven of the UK’s political parties need to improve the way they handle people’s personal data after assessing how they manage data protection.
The ICO audited the parties’ data protection compliance following significant concerns about transparency and the use of people’s data in political campaigning that were highlighted in its 2018 report, Democracy Disrupted?
A summary of the audits is published today and includes specific actions to improve data protection transparency and practice for: the Conservative Party; the Labour Party; the Liberal Democrats; the Scottish National Party (SNP); the Democratic Unionist Party (DUP); Plaid Cymru; and United Kingdom Independence Party (UKIP).
Political parties may legitimately hold personal data belonging to millions of people to help them campaign effectively. But developments in the use of data analytics and social media by political parties mean that many voters are unaware of how their data is being used.
All the political parties engaged positively with the audit process and the ICO noted a genuine desire from the parties to respect people’s data protection rights. The parties have committed to making the improvements necessary to comply with the law and make their data processing more transparent, which the ICO will monitor for effectiveness
In the report’s foreword Information Commissioner, Elizabeth Denham said:
“We recognise the unique role political parties play in a democratic society.
“Society benefits from political parties that want to keep in touch with people, through more informed voting decisions, better engagement with hard to reach groups and the potential for increased engagement in democratic processes.
“But engagement must respect obligations under the law, especially where there are risks of significant privacy intrusion.
“All political parties must use personal information in ways that are transparent, understood by people and lawful, if they are to retain the trust and confidence of electorates.
“The transparency and accountability required by data protection is a key aspect in developing and maintaining trust, and so there is an important role for the ICO in scrutinising this area.”
The ICO has made recommendations for improvements across all political parties audited, with 70% classified as urgent or high priority. Amongst those recommendations were several measures relating to both the systems in which personal data is used, and the way that the parties safeguard that data were also recommended to meet the requirements of accountability.
Key recommendations for the parties include:
- providing the public with clear information at the outset about how their data will be used;
- telling individuals when they use intrusive profiling such as combining information about those individuals from several different sources to find out more about their voting characteristics and interests;
- being transparent when using personal data to profile and then target people with marketing via social media platforms;
- being able to demonstrate that they are accountable, showing how parties meet their obligations and protect people’s rights;
- carrying out thorough checks on all contracted and potential processors and third party suppliers to gain assurances that they comply with the key transparency, security and accountability requirements of data protection law and;
- reviewing their lawful bases for the different types of processing of personal data used to ensure the most appropriate basis is used.
These are the first data protection audits carried out on political parties and the ICO will be following up by asking the parties to show the changes they have made in response to the audit recommendations. Failure to take the appropriate steps could result in further regulatory action.
This work forms an important area of focus for the ICO, reflecting its commitment to improve standards of information rights practice. This is done through clear and targeted engagement to help explain compliance in specific sectors and processing contexts. For political parties, this will take the form of guidance to be issued over the coming months.
Notes to Editors
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
- Under past and current law, the ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- Section 146 of the DPA2018 gives the Information Commissioner the power to carry out compulsory data protection audits, but the ICO predominantly conducts consensual audits. These audits are completed by the Assurance Department.
- The ICO has looked at this work as part of its investigation of the wider ecosystem of large, well-established trading and profiling of personal data which included the 2018 data analytics investigation and the recent investigation into data protection compliance in the direct marketing data broking sector.