The current data protection law says, amongst other things, how people’s personal data should be collected, used or stored.
The new data protection regime, including the GDPR, is an evolution of the existing law. Whilst the law changes on 25 May 2018 many of the fundamentals remain the same. Fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process - these are all principles on which the GDPR builds.
Complying with the current data protection regime is therefore a major step towards compliance with the new arrangements.
It is also worth noting that much of the content in our guidance on Political Campaigning and Constituency casework of Members of Parliament will remain relevant going forward. We will update this guidance once the Data Protection Bill becomes law but in the interim we have highlighted some key areas of difference in the existing resources.
In addition to these FAQs, there is lots of other help available. You can find the latest ICO guidance on the new legislation in our Guide to the GDPR. We will regularly update it and you can check it for the latest position.
We’ve also created the following resources:
- Getting ready for the GDPR – a practical self-assessment tool
- Our 12 steps to take now checklist, and
- A dedicated advice line for small organisations.
I am an elected representative and have always paid my fee. The rules have changed, do I still have to pay?
It depends. On 1 April 2019, Lords, elected representatives and prospective representatives were exempted from paying the data protection fee. But if you still process personal data for purposes outside your role as a Lord or an elected or prospective representative, then the data protection fee applies. So, if you have your own business that processes personal data, or if you use CCTV for business or crime prevention purposes in connection with that business, you may still have to pay the fee. You can get more information about paying the fee in our data protection fee guidance.
Does the GDPR require me to have consent for personal data my office already holds?
It is a commonly held misconception that consent is always required under data protection law.
Consent is one lawful basis for processing in Article 6, but there are five others. They are contract, legal obligation, vital interests, public task and legitimate interests. No single basis is ‘better’ or more important than the others.
‘Public task’ is likely to be of particular relevance to Parliamentarians and may provide a basis for holding and processing personal data for the work you do as elected representatives. The Data Protection Bill contains a specific provision in clause 8, which clarifies that the public task basis includes processing of personal data necessary for an activity that supports or promotes democratic engagement.
And ‘legitimate interests’ is likely to also be a relevant alternative for Parliamentarians. Guidance to help identify the appropriate lawful basis for processing personal data is available in our Guide to the GDPR and via our interactive lawful basis tool. The guidance focuses on the GDPR provisions and we will add further detail regarding the Data Protection Bill when it is passed.
If consent was given under the 1998 Act, do I need to refresh it now?
As stated above you may be able to identify a more appropriate lawful basis such as public task to continue processing the data. You will need to be transparent with people about your basis for processing their data.
You are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR. But it’s important to check your processes and records in detail to be sure existing consents meet the GDPR standard and are properly documented. You will also need to put in place compliant mechanisms for individuals to withdraw their consent easily.
Our consent checklist sets out the steps you should take to seek valid consent under the GDPR. This can help you review existing consents and decide whether they meet the GDPR standard, and to seek fresh consent if necessary.
You are also likely to need consent under existing ePrivacy laws for political campaigning calls, texts and emails. These rules are currently found in the Privacy and Electronic Communications Regulations 2003 (PECR). For more information please see our Guidance on Political Campaigning and our Direct Marketing guidance.
Do I need to delete/shred all personal data my office holds where I don’t have consent?
No, not necessarily. You need to review the personal data that your office processes and identify a lawful basis for processing. This is important because you need a lawful basis to be able to process personal data. As identified above, this may include public task for an activity supporting or promoting democratic engagement, including casework.
Under the 1998 Act all data must be adequate, relevant and not excessive for the purpose(s) for which it is being used. Carrying out regular reviews of the personal data you hold and securely deleting or disposing of information you no longer require is therefore good practice.
Do I need to require those already on my mailing lists to opt-in to future communications?
You will need to be clear about each of the purposes for which you use the personal data on your mailing lists and the associated lawful basis.
If the recipients have previously opted-in/given express consent to be on your mailing list then you do not need to re-obtain consent if this meets the GDPR standard as explained below.
If you don’t have opt-in consent, you will need it if you use personal data on the lists to send communications promoting your own or your party’s political objectives or ideals to individuals by any of the following means in order to gain support at the ballot box, or otherwise influence them:
- Automated phone calls;
- Live phone calls to numbers registered with the Telephone Preference Service (TPS);
The requirement for consent in these circumstances is not new and is governed by the existing Privacy and Electronic Communications Regulations 2003 (PECR). From 25 May 2018 consent for PECR purposes must meet the GDPR standard of consent. In practice this includes ensuring that in addition to consent being freely given, informed and specific, consents must be properly documented, meet the requirement that they are clear and prominent and can be easily withdrawn. See our consent guidance for further information on what is valid consent under the GDPR.
For more information on mailing lists that are purchased from third parties, please see our Guidance on Political Campaigning.
Do I need to seek consent to name my constituents when engaging with councils or government departments on their behalf?
No, not necessarily. It is important that you process the constituent’s personal data fairly, lawfully and in a transparent manner. Therefore, you must be clear with them about what will happen to their information. The GDPR should not be a barrier to proportionate and necessary use of constituents’ personal data in response to their contact with you.
If using consent as your lawful basis, the act of the constituent approaching you to ask for assistance and reasonably expecting that their data will be shared with relevant third parties, is likely to be a sufficient demonstration of their wishes. See our consent guidance for further information.
However, there may be circumstances where the processing will go beyond the expectation of the constituent, or where there is uncertainty over the constituent’s wishes. In cases like this it may be appropriate to go back to the constituent to make sure consent to share their data is in place, though other lawful bases may also be available.
What if the information contains sensitive personal data?
Under the GDPR sensitive personal data is replaced with special category data (Article 9) and separately defined criminal offences data (Article 10).
The requirement to satisfy Article 9 or 10 in respect of special category or criminal offence data is similar to the conditions for processing currently required for sensitive personal data under schedule 3 of the 1998 Act.
Under the existing regime, Parliamentarians can usually rely on The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 to satisfy the schedule 3 condition requirement when processing sensitive personal data connected with casework.
If you currently rely upon the 2002 Order condition you will likely be able to rely on clauses 23 or 24 of Schedule 1 of the Data Protection Bill in the future to satisfy Article 9 or 10 requirements in respect of any special category or criminal conviction data you process for constituency casework.
Special category data is similar to sensitive personal data under the 1998 Act and includes details of an individual’s political opinions, their health and sexual orientation. It also covers genetic data and some biometric data. In order to process special category data you must satisfy a lawful basis under Article 6 and one of the conditions for processing special category data under Article 9.
Criminal offence data is personal data relating to criminal convictions and offences, or related security measures. This includes the type of data about criminal allegations, proceedings or convictions that would have been sensitive personal data under the 1998 Act. In order to process criminal offence data you must satisfy a lawful basis under Article 6 and a separate condition for processing this data under Article 10.
What wording do I need to use on my website and other communications when people sign up for my email list?
If you are gathering email contact details you must clearly explain the purpose or purposes for which you will use this information, in order to ensure that you are fair and transparent.
If you plan to send emails promoting political views to individuals this will constitute direct marketing. Therefore the individual must agree to you contacting them for this purpose via this particular channel.
When seeking consent to such communications you must prominently and clearly explain what you are asking them to agree to so that their choice to provide you with their details is fully informed.
In all email communications you must identify yourself and provide a mechanism that individuals can use to object and request that you do not send them any further communications, such as an unsubscribe option.
For further information please see the Marketing by email section of our Guidance on political campaigning.
Can I send mailings addressed to ‘the occupier’ rather than a named individual when writing to constituents/voters?
Yes. Only personally addressed correspondence constitutes direct marketing so mailings sent to ‘the occupier’ will not fall within the statutory definition. If an organisation knows the name of the person it is mailing, it cannot avoid its obligations by simply addressing the mail to ‘the occupier’, as it is still processing that individual’s personal data behind the scenes. This is explained in our guidance on direct marketing.
Where you are sending out such material to a number of individuals as part of a general mailing, including where the details have come from the electoral register, you can contact them by post unless the individual has asked you not to write to them or not to send them marketing material by post. In addition, electoral law sets out whether a political party, candidate or referendum campaigner has the right to send a Freepost mailing. This specific right applies even if the individual has asked the organisation not to contact them.
For further information please see the Marketing by post section of our Guidance on political campaigning.
These requirements are set out in the Electoral Commission’s guidance for each election and referendum at electoralcommission.org.uk.