The ICO exists to empower you through information.

At a glance

  • You should carry out a review of the data you have gathered and processed during a campaign.
  • You may be able to use personal data from one campaign to another, but you need to consider this carefully and in compliance with data protection law.
  • If your organisation is disbanding after a campaign, you must destroy personal data securely and in certain circumstances should use a third party to conduct an audit of how you processed the data.

In more detail

Introduction

Whether you are a political party, campaign group or candidate, it is important you carry out a review of the data you have gathered and processed during a campaign. This is important to help you learn any compliance lessons for the future about what went well and what didn’t. It is also important to assess what information you need to retain both for future campaigns and for audit purposes.

The answers to these will be different depending on your type of organisation and your circumstances. In particular they will differ depending on whether your organisation has disbanded following the campaign. This is the case with many campaign groups and others campaigning in particular referenda or elections.

Can we use personal data from one campaign to another? 

In general, it can be acceptable to keep personal data to use from one campaign to another, but you must consider:

  • whether the personal data is necessary for future campaigns;
  • whether it would be in individuals’ reasonable expectations that you keep the data;
  • what you told individuals at the point of collection;
  • whether the nature of future campaigns could amount to processing for a different purpose (eg a referendum campaign on EU membership to a local election) (see section on purpose limitation);
  • how long you have retained the data and whether it is still adequate, relevant or accurate; and
  • whether you are able to keep the data securely and whether keeping the data creates any unjustifiable risk of it being subject to unauthorised disclosure.

You should consider carrying out a DPIA to help you identify and mitigate the risks of retaining the data as well as demonstrating your compliance.

What do we need to do if our organisation is disbanding?

If your organisation is disbanding then you should ensure that you:

  • securely destroy personal data that you no longer need for audit purposes;
  • mitigate the risk as far as possible of employees, secondees or volunteers being able to take personal data for use in other campaigns or for other unauthorised purposes (eg ensuring you have robust exit procedures);
  • carry out due diligence to ensure that any processors have securely destroyed all personal data that they were processing on your behalf; and
  • do not share any personal data with any other controller unless you are able to do so in accordance with data protection law (see our data sharing code of practice for further information).

In addition, if your organisation is disbanding, and you hold a significant amount of personal data, it is advisable to use a third party to conduct an audit. This creates a clear record of how you processed data both during and after the campaign including what was deleted and when. This is particularly relevant to campaigners that have been operating at scale in a national referendum using comprehensive datasets. This helps to demonstrate that you have complied with the law and in turn encourages public trust in our democratic system.

Further reading

For more information, see our guidance on records management and security.