The ICO exists to empower you through information.

At a glance

  • Profiling is analysing information in a way that classifies individuals into different groups or sectors, using algorithms or machine-learning.
  • When carrying out profiling you must consider the fairness of the processing. This includes the potential effects on individuals and wider society.
  • Individuals have the right to object to profiling. If you are profiling for direct marketing purposes there are no grounds to refuse this objection.
  • Article 22 of the UK GDPR has additional rules to protect individuals if you are carrying out solely automated decision-making that has legal or similarly significant effects on them. If carrying out profiling or micro-targeting you should fully consider whether Article 22 could apply.
  • Where Article 22 does apply to your processing you must take additional steps including carrying out a DPIA and obtaining the explicit consent of the individuals subject to the decisions.

In more detail

Introduction

Political parties and campaigners have been employing techniques to understand more about potential voters’ interests and characteristics for decades, even centuries. This is an important part of democratic engagement. However, in recent years, rapid technological advancements, including the ever-increasing scale of data collection and sophistication of analytics techniques, mean there is greater scope for significant privacy intrusion or wider societal risks. This is because:

  • profiling is often invisible to individuals;
  • people might not expect their personal data to be used for political campaigning purposes in this way;
  • people might not understand how the process works or how it can affect them;
  • people’s trust in the democratic system can be undermined if there is a lack of transparency and understanding of techniques being used; and
  • campaigns involving sophisticated profiling techniques have the potential to influence the voting behaviour of a large number of individuals.

If you are carrying out or intend to carry out profiling then there are particular considerations that you need to take into account in order to comply with data protection law.

What is profiling?

Article 4(4) of UK GDPR says that profiling is:

“Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”

In other words, profiling is analysing information in a way that classifies individuals into different groups or sectors, using algorithms or machine-learning. This analysis identifies links between different behaviours and characteristics to create profiles for individuals. For example, a list of people who read a particular newspaper or who you think are likely to vote a certain way.

There is more information about algorithms and machine-learning in our paper on big data, artificial intelligence, machine-learning and data protection.

How does the concept of fairness apply to profiling?

Fairness is of utmost importance when profiling or using data analytics techniques. Fairness is used in its general sense and is about processing personal data in ways that are in the reasonable expectations of individuals. It is very closely linked to data ethics.

You must consider the potential effects of your processing on individuals, whether these are direct or indirect. You should also consider the general effects on wider society in using certain techniques in political campaigning. As techniques become less expensive and perhaps more effective you need to ask yourself not just whether you can use these techniques but also whether you should.

You need to pay particular attention if you use psychographic analytics and psychometric profiling with regards to fairness obligations in the law. These techniques involve attempting to deduce certain personality attributes from both factual and inferred personal data about individuals. Using these attributes to target particular political messages designed to influence voting behaviour could be considered unfair and therefore in breach of UK GDPR.

Example

A campaign group uses psychometric profiling and scores certain individuals highly on a scale of neuroticism about crime. It then targets these individuals with political messaging about knife crime in a way that is designed to invoke a fear response.

Processing personal data in this way is likely to be unfair. Individuals would be unlikely to expect the campaign group to process personal data like this. Also, profiling individuals to target them would likely be seen as intrusive and could raise ethical questions.

What are the other key considerations when carrying out profiling for political campaigning purposes?

If you are carrying out profiling for political campaigning purposes, you should also do the following:

  • Revise your privacy policy and clearly inform individuals about the profiling that you carry out. This should be in a prominent position in the policy. This is particularly important if you are profiling individuals who have had no contact with you, such as members of the public who you are trying to understand. Profiling is often not well understood and when carried out in a political context can be disconcerting if people do not fully understand what it entails and how it is used.
  • Remember that if the data you’re using isn’t correct then any profile or decision based on the data will also be flawed. Where possible you should try to ensure the accuracy of the personal data you use.
  • Don’t collect too much information or keep it for too long. Just because your systems allow you to retain vast quantities of data doesn’t mean you should. It also makes it more difficult to keep the data up-to-date, accurate and relevant for the profiling you’re carrying out.

Can individuals object to profiling?

Article 21 of the UK GDPR gives individuals the right to object to profiling.

Most profiling in political campaigning is for direct marketing purposes (see the section on direct marketing for more information). If this is the case, you must stop the profiling as soon as you receive an objection. There are no exemptions or grounds to refuse this objection.

The right to object applies slightly differently if you are profiling for purposes other than direct marketing, such as creating models with no intention to send political campaigning messages to those individuals. In these cases an individual can object on any grounds relating to the individual’s interests. You have to stop the processing unless you can show that you have a compelling reason to continue the profiling that overrides the individual’s interests.

You must bring this right to object to the attention of individuals and present it separately from other information.

If you receive an objection under Article 21, you need to respond within one month and confirm the action you’ve taken.

Can we use third parties to carry out profiling or analytics on our behalf?

You may wish to use third parties to carry out profiling on your behalf. What considerations you need to take into account will partly depend on whether the third party is acting as your processor, a joint controller or a separate controller (see our guidance on controllers and processors for more information). However, you should also:

  • consider where the third party is going to process the data. If this is outside the EEA then this is an international transfer and you need to take other considerations into account (see our guidance for further information on this);
  • carry out due diligence to ensure they are carrying out profiling in compliance with data protection law;
  • ensure there is an appropriate mechanism for complying with individuals’ rights; and
  • ensure that any personal data shared with the third party is not being amalgamated into a shared pool of data used across multiple campaigns or organisations.

What profiling is restricted?

Article 22(1) of the UK GDPR limits the circumstances in which you can make “solely automated decisions”, including those based on profiling, that have a “legal or similarly significant effect on individuals”.

If you carry out automated decisions that are subject to Article 22(1) then you must not do this without the explicit consent of the individuals subject to the decisions.

It is important that political parties and campaign groups are able to engage with voters. It is equally important for campaigners to communicate information and promote their opinions effectively. Where it is carried out fairly, transparently and in compliance with the law, the use of profiling and micro-targeting is an acceptable communication method. As a general approach, Article 22(1) does not restrict this. 

Much of the profiling and micro-targeting carried out by political parties and campaign groups is likely to be considered “solely automated decision-making”. In most cases, this is unlikely to produce a legal or “similarly significant effect” on an individual. However, there are likely to be exceptions to this.

In this context a decision producing a “legal effect” is something that affects a person’s legal status or their legal rights. For example, affecting somebody’s legal right to vote. 

A decision that has a “similarly significant effect” is something that has an equivalent impact on an individual’s circumstances, behaviour or choices. This effect must be on the individual specifically subject to the profiling. Although political campaigning can have significant effects for society in general, this does not mean that a decision to target an individual with a campaign message will have a significant effect on that particular individual. It may indeed have an effect on the way in which they choose to vote, but it is very difficult to establish cause and effect – there could be many reasons that influenced their choice. Simply changing an opinion, even on something as important as voting choices, is unlikely to be similarly significant to a legal effect. 

What could be considered a legal or similarly significant effect?

Particularly intrusive methods or outcomes of a decision about whether to micro-target an individual with a political campaigning message could theoretically have a legal or similarly significant effect.

It is also possible that a similarly significant or even legal effect on the individual could come from the compound effect of:

  • the underlying profiling;
  • the methods and techniques used to target an individual;
  • the individual’s expectations and lack of knowledge about how their data is being used; and
  • the nature of the message.

If you are carrying out profiling or micro-targeting you should fully consider whether the decision could have a legal or similarly significant effect on the individuals you profile. You should consider the following questions:

  1. Is the profiling process particularly intrusive?
    • Would individuals likely be surprised to discover you were profiling them in this way? Is there a lack of transparency?
    • Is the personal data you are using to profile individuals particularly sensitive or special category data?
  2. Is the way the advert is delivered particularly intrusive?
    • Is the frequency of messages beyond an individual’s reasonable expectations?
    • Are you delivering the messages in a way that is designed to have a strong effect on an individual, such as at a particular time of day?
    • Do the techniques you are using exploit the possibility of conveying a message, or of otherwise influencing their minds without their being aware, or fully aware, of what has occurred?
  3. Is the combination of the profiling of personal data alongside the nature of the message of a particular type that is highly emotive and affects the individual?
    • Could this combination amount to seeking to influence the autonomy of an individual, rather than simply seeking to influence views or change opinions?
  4. Are there any particular vulnerabilities of the individuals targeted that could be significantly affected by the message?
    • Are you using psychometrics to target people with particular characteristics in order to invoke a particularly strong reaction?
  5. Is the profiling and targeting likely to cause detriment to an individual?
    • Does the decision produce a discriminatory effect?
    • Could the message be considered threatening in nature?
    • Could the individual in effect be disenfranchised as a result of profiling and micro-targeting?

If your answer is ‘yes’ to any of the questions above or you have reason to believe your decision about whether to micro-target could legally or similarly significantly affect the individuals concerned, you need to give serious consideration to whether you continue with the processing. As a minimum, you should carry out a DPIA to identify and help mitigate any risks.

If you find that your processing is likely to have a legal or similarly significant effect on an individual and you are unable to mitigate this risk sufficiently, then Article 22 is likely to apply.

If Article 22 applies, what do we need to do?

If your processing is restricted by Article 22 then, in addition to complying with UK GDPR requirements as normal, you must:

  • have the explicit consent of the individual subject to the decision;
  • carry out a DPIA;
  • inform individuals that you are using their data for solely automated decision-making processes with legal or similarly significant effects; and
  • provide meaningful information about the logic involved and what the likely consequences are for individuals.

You will also need to ensure that individuals are able to:

  • obtain a human intervention;
  • express their point of view; and
  • obtain an explanation of the decision and challenge it.

Further reading

For further information about automated decision making and the application of Article 22, see our Guidance on Automated Decision Making and Profiling.

For general guidance on key data protection concepts, see our Guide to Data Protection.