Latest update - last updated 21 February 2023
21 February 2023 - Minor clarification amendments to due diligence example under the section titled ‘Can we use data collected from third parties such as data brokers or other companies providing marketing data services?’
At a glance
- Campaigners collect data on individuals beyond the electoral register for various reasons. Demonstrating compliance with the principles, rights and obligations of UK GDPR is essential.
- You need to give individuals clear, accessible and intelligible privacy information regardless of whether the information is derived directly or from a third party, such as a data broker. The best way to do this depends on the method of collection.
- Individuals should not be surprised to learn that you are using their personal data for particular campaigning purposes.
In more detail
- What is the right to be informed?
- What are the requirements when we collect personal data directly from individuals?
- Can we collect voter registration applications?
- What are the requirements when we collect personal data not directly from the individual?
- Can we use data collected from third parties such as data brokers or other companies providing marketing data services?
- Can we collect personal data from publicly available sources including social media?
- Can we collect data from our own social media pages?
There are many reasons why you may wish to collect personal data in addition to the data contained in the electoral register. Campaigners often seek to use the register as a ‘spine’ on which to add more granular and detailed information, including to:
- inform wider campaigns through market research;
- understand more about individual voters to enable better targeting of political messages;
- identify individuals to persuade to vote;
- contact individuals; and
- sign up potential members, supporters, donors or volunteers.
Whatever the reason, whenever you process personal data (including when you collect it), you must do so in accordance with all the data protection principles and individuals’ rights.
When collecting personal data, the right to be informed is of particular importance. This right covers some of the key transparency requirements of the UK GDPR.
The UK GDPR contains specific provisions about the information that you must give to individuals when you process their personal data. These are set out at Article 13 and Article 14. This information includes, but is not limited to, the:
- controller’s details;
- purpose(s) of the processing;
- lawful basis being relied upon;
- retention periods of the data;
- rights available to the individuals; and
- details of the existence of automated decision-making, including profiling.
We call this “privacy information”.
You must ensure individuals are provided with privacy information regardless of whether you collect the personal data directly from individuals or from a third party. Privacy information must always:
- be easily accessible; and
- use clear and plain language.
However, there are different considerations depending on how you obtain the personal data.
Not only is the right to be informed of key importance for compliance with UK GDPR, it also helps individuals fully understand what it is you are doing with their data and for what purpose. This helps individuals to have trust and confidence in you and your political campaigning activities. Providing comprehensive and easy to understand privacy information can also help to reduce any complexity in responding to subject access requests. The more transparent you are with your practices, the easier it is to respond to requests.
Article 13 of UK GDPR lays out the “right to be informed” requirements when you collect personal data directly from the individual it relates to. In these circumstances you must provide them with privacy information at the time you obtain their data. There are some exemptions to this, but in the majority of cases these don’t apply to processing for the purposes of political campaigning.
You can meet this requirement by putting the information in a prominent position on your website or other digital services such as apps, but you must make individuals aware of it and give them an easy way to access it. You should also provide an alternative method, where appropriate, in case individuals do not have access to the internet.
For political campaigning purposes the best way to do this depends on the method of collection. Some collection methods and suggested ways to provide privacy information are below.
|Method of collection||Suggested ways to provide privacy information|
|Face-to-face canvassing||For those collecting personal data door to door (rather than simply encouraging turnout), either include privacy information in scripts (delivered orally) or provide individuals with a leaflet containing the privacy information or a more basic privacy statement with a link to a website with an alternative contact address where people can write to obtain the privacy information.|
|Paper petitions and surveys||Prominently display privacy information or a more basic privacy statement with a link to a website with an alternative contact address where people can write to obtain the privacy information.|
|Online petitions, surveys and quizzes||Prominently display a link to the privacy information on the petition/survey/quiz document itself; or prominently display a link to the privacy information on the landing page for the petition/survey/quiz. Carry out user testing to ensure individuals can access this information easily and are fully aware of who is behind the survey and for what purpose their data will be used.|
|Apps||Prominently display privacy information before the individual downloads the app. This could be done via an app store or via a link to privacy information on your website. If you provide privacy information after an app is downloaded and installed, make sure that this is done before the app processes the relevant personal data.|
|Telephone canvassing, petitions and surveys (where lawful under PECR – see direct marketing methods section)||Include privacy information in scripts for those making the phone calls. Ensure individuals have heard the information and have an opportunity to hear it again if necessary. Provide a website address or alternative contact address for individuals to access again in the future if they wish.|
In addition, you should ensure that you consider language alternatives and accessibility options in providing privacy information. You should make alternatives available on request.
You should carefully consider the necessity for collecting any personal data for individuals under the age of 18. You must provide age appropriate privacy information, if you do decide it is necessary (eg for membership purposes or where under 18 year olds are eligible to vote in an election or referendum). See our Age Appropriate Design Code for further information.
You do not need to put all your privacy information in a single block of text. In fact, displaying privacy information in this way may be disadvantageous in many cases, such as collecting data through applications. You should consider the easiest way for individuals to read and understand this information depending on your method of collection. Other ways to display privacy information include:
- A layered approach – short notices containing key privacy information that have additional layers of more detailed information.
- Dashboards – preference management tools that inform people how you use their data and allow them to manage what happens with it.
- Just-in-time notices – relevant and focused privacy information delivered at the time you collect individual pieces of information about people.
- Icons – small, meaningful, symbols that indicate the existence of a particular type of data processing.
- Mobile and smart device functionalities – including pop-ups, voice alerts and mobile device gestures.
You need to have appropriate policies and procedures, and provide appropriate training and guidance for staff and volunteers, to ensure they include appropriate privacy information on relevant documents or when collecting data on the doorstep or by phone.
Political parties, candidates and others play an important role in promoting democratic engagement by encouraging individuals to register to vote. This means that you may handle registration and absent voting applications.
If you do handle these applications, then you should do so with great care and forward them to the appropriate Electoral Registration Officer at the earliest opportunity.
You must also be clear in your privacy information about the purposes for which you are collecting these forms and the lawful bases you are relying upon. In particular, you must be clear about what personal data you are collecting for your own political campaigning purposes and what personal data you are collecting for the purposes of voter registration. In other words, there should be no deception - individuals should not be surprised to learn that you have used their data for campaigning purposes.
Article 14 of UK GDPR lays out the “right to be informed” requirements when you obtain personal data from a source other than the individual it relates to, such as a data broker. In these circumstances you need to provide the individual with privacy information, including the source of the data and details of the categories of the data:
- within a reasonable period of obtaining the personal data and no later than one month;
- if you use the data to communicate with the individual, at the latest, when the first communication takes place; or
- if you envisage disclosure to someone else, at the latest, when you disclose the data.
Article 14(5) of UK GDPR provides a number of exceptions to providing privacy information to individuals where you have collected personal data from a third party. The majority of these are unlikely to be relevant in the political campaigning context. However, two of these may be relevant, depending on the particular circumstances:
- the individual already has the information; or
- providing the information to the individual would involve a disproportionate effort.
If you are considering relying on the individual already having the information, you must be able to demonstrate and verify what information the individual has already been provided with. It is not sufficient to simply rely on assurances from the third party. You should do your own due diligence and request evidence, if appropriate. You must ensure that they have been provided with all of the information that is listed in Article 14 – if you are unsure what they have been given or if anything is missing you must provide this to the individual.
If you want to rely on the disproportionate effort exception not to tell people about your processing, you must assess this fully on a case-by-case basis. The ICO recognises that the unique circumstances of political campaigning may sometimes present situations where disproportionate effort may apply, particularly with regard to electoral register data. However, you must fully assess and document whether there’s a proportionate balance between the effort involved for you to give privacy information and the effect of the processing on the individual. If the processing has a minor effect on the individual then your assessment might find that it is not proportionate to put large resources into informing individuals. However, the more significant the effect on the individual, the less likely it is that you can rely on this exception.
It is difficult to argue disproportionate effort if you are contacting the individual as part of your processing. This includes all direct marketing by any means, including the freepost electoral address. Unless you are certain the individual has already been provided with privacy information, you should provide it as part of your communication.
If you determine that providing privacy information to individuals does involve a disproportionate effort, you must still publish the privacy information, for example on your website. You must also carry out a DPIA as the processing is considered to be “invisible processing”. See the section on DPIAs for further information.
Can we use data collected from third parties such as data brokers or other companies providing marketing data services?
Many organisations including political parties buy or rent data from data brokers or other companies to use for direct marketing purposes. In political campaigning these can be split into three broad categories:
- buying or renting a list of contact details;
- buying additional factual personal data to undertake analysis in-house and draw out inferences, such as dates of birth, number of children or car ownership; or
- buying inferred data directly from the individual or from other sources, to append to names and addresses obtained from the electoral register, such as likely interests and characteristics.
Buying or renting additional contact details in most instances is likely to be unfair without the consent of the individual. For example, buying phone numbers or email addresses to add to the address details that you already hold. This is likely to be true no matter how clearly you explain in your privacy information that you might seek out further contact details from third parties. This is because individuals don’t reasonably expect you to contact them using details they never gave you or they were never required to give in their electoral registrations. In many cases, if you contact them, this is also likely to be a breach of PECR.
If an individual has consented via a third party for you to have their contact details to use for political campaigning or direct marketing then you can match this to what you already hold about them. However, it is important to be clear that the consent must have named you specifically. It is not sufficient if it referred to you in a general sense, eg ‘selected third parties’, ‘trusted partners’ or ‘for political campaigning purposes’.
Factual personal data
If you buy or rent factual personal data from a data broker or other third party, then you must ensure that the individual has been provided with appropriate privacy information and the type of information is in their reasonable expectations for you to process.
You must comply with the right to be informed and provide people with your own privacy information, detailing anything that they have not already been told. This includes informing them of any change of lawful basis (ie if processing under public task - democratic engagement or otherwise, if different from the lawful basis under which the data was originally obtained).
Whether inferred data is personal data or not depends on whether the individual is identified or identifiable, directly or indirectly, from that data or any other information you hold or are likely to hold. If a data broker or other third party provides you with purely anonymous data, and you don’t process this further in any way that could identify individuals, then this is not personal data. For example, you receive anonymous data that people living in Wilmslow are more likely to read a particular newspaper and you don’t append it to names and addresses.
However, if you receive inferred data against names or addresses or you append it to names and addresses or other identifiable information then this is personal data. You should treat this data in the same way as you treat factual personal data.
It is important to remember that you are responsible for ensuring compliance with the UK GDPR and PECR. Simply accepting a data broker or other third party’s assurances is not enough. You must be able to demonstrate your compliance and be accountable.
You must make rigorous checks to satisfy yourself that:
- the third party obtained the personal data fairly and lawfully;
- the individuals understood their details would be passed on for political campaigning purposes; and
- you have the necessary consent (where this is required) which specifically names you and covers the method of communication that you want to use.
As part of your due diligence you could ask the third party to give you:
- details of who compiled the data or direct marketing list (ie was it the third party or someone else);
- a copy of the privacy information that was used when the details were collected;
- details of how they collected the personal data;
- the dates the list was compiled (ie how old is the data);
- details of how the nature of the third parties who were to receive the data were explained – if they were told ‘third parties’ in general terms this is not enough for the consent to be informed;
- records of the consent (if it is a “consented” list) (ie what the individual consented to, what they were told, when and how they consented);
- if it is claimed that the list has already been checked against the Telephone Preference Service - evidence that this has happened and how recently.
A reputable third party should be able to demonstrate to you that the way they obtained and processed the data for sale or rent complied with data protection law. If they cannot do this, or if you are not satisfied with their explanations, you should not use the data.
As well as relevant data sharing agreements, you may wish to have a written contract confirming the reliability of the data, as well as making your own checks. The contract should give you reasonable control and audit powers. However, it is important to remember that you are still responsible for compliance and such a contract does not remove this responsibility from you.
A campaign group wants to purchase email addresses from a data broker so it can email people it believes will be supportive of their campaign. The data broker assures the campaign group that the email addresses have all been obtained and can be shared in compliance with data protection law. The campaign group is unsure about this so asks the broker to put these assurances in their contract, which they agree to do. The campaign group then uses the email addresses to send out political campaigning messages.
A few weeks later the campaign group receives a letter from the ICO. They have received a number of complaints about the emails and political campaigning messages. The campaign group tells the ICO that they have been assured that the data has been collected and shared in accordance with data protection law. The ICO ask the campaign group to provide the evidence and explain the due diligence they took. The data broker is not able to provide any evidence and the campaign group admits that the only due diligence they did was to have it written into the contract.
As the campaign group could not provide any evidence that the data broker had provided appropriate privacy information and obtained consent from the individuals to send direct marketing emails, the ICO may take regulatory action against both the campaign group and the data broker. Both the campaign group and data broker may receive enforcement action against them for breach of the UK GDPR and the campaign group may also receive enforcement action for breach of PECR. The campaign group’s reputation is significantly damaged.
Once you have obtained the list, you must be prepared to deal with any inaccuracies or complaints arising from its use. If you receive complaints from individuals whose details came from a particular source, this suggests that the source is unreliable and you should not use it.
For more information on using data brokers or other third parties see our guidance on using the marketing services of data brokers.
The UK GDPR does not stop you from obtaining and using personal data from publicly available sources for political campaigning. However, you should not assume that data protection law doesn’t apply because the data is publicly available. If you process this data, you become the controller for it, and you must ensure that you comply with the UK GDPR and PECR.
For example, the transparency requirements of the UK GDPR apply. This means you must comply with the right to be informed and ensure that you provide people with privacy information (unless you are relying on an exception).
You also cannot assume that simply because an individual has put their personal data into the public domain, they are agreeing to it being used for political campaigning purposes.
For example, individuals may want as many people as possible to read their social media post, but that does not mean they are agreeing to have that data collected and analysed to profile them to target with political campaigns. Likewise, just because an individual’s social media page has not been made private does not mean that you are free to use their data for political campaigning purposes.
You should carefully consider the use of online campaigning platforms that contain a match function capable of matching data from your databases with social media data from public profiles or other publicly available online sources. These platforms usually act as a processor and could prove a significant risk if you contract them. Of particular concern is if there is no option within the platform to turn off the matching functionality or if it matches individuals on an automatic or blanket basis.
Collecting personal data from online sources on a blanket basis, including social media platforms, is likely to be unfair, as well as lacking transparency and being in breach of the data minimisation principle. If you decide to use these platforms, you must carry out a DPIA to help identify and mitigate against the risks.
Many political parties, campaigners and candidates have dedicated pages on social media which individuals can ‘like’ or ‘follow’. These are considered a useful way to engage with members, supporters or potential supporters. Depending on the platform and terms of service, you may have the ability to collect personal data from the individuals’ personal social media profiles. In addition, the social media company is likely to place cookies or similar technologies on the individuals’ devices. If you have a dedicated page on social media, it is important to be aware that you are likely to be a joint controller with the social media company. This is because you both have a role in deciding the manner and the purpose for processing the data.
You both have joint responsibility for complying with data protection laws. In particular, this means that you need to ensure you provide appropriate privacy information for individuals on your page that clearly explains how, by whom, and for what purpose their data is being processed. You must also ensure that you and the social media company are both aware of your obligations. There is further advice on managing the joint controller relationship with social media services later in this guidance.
The social media platform places a cookie on the computer of those who visit the page (both users and non-users of the social media platform). This cookie feeds back personal data to the social media platform that helps the platform tailor its advertising services across its platform. The platform also feeds back anonymised analytics information to the party on those who have visited their page.
In this example, the party and social media platform are joint controllers. They both have a role in deciding the purpose and manner of processing the personal data. The campaign group decides on the overall purpose of processing the data and ultimately chooses to set up a page on the platform which encourages processing of personal data. The social media platform decides on the purpose to help tailor its advertising services and provide analytics to the campaign group. It also decides what personal data it processes from the cookie and the manner in which the processing takes place.
Both the political party and social media platform must ensure they process personal data in accordance with the UK GDPR, in particular providing appropriate privacy information.