“UK political parties must improve data protection practices” warns ICO
12 November 2020
THE INFORMATION Commissioner’s Office (ICO) has set out how seven of the UK’s political parties need to improve the way in which they handle people’s personal data after assessing in some depth how they manage the issue of data protection.
The ICO audited the parties’ data protection compliance following significant concerns about transparency and the use of people’s data in political campaigning that were highlighted in the 2018 report entitled ‘Democracy Disrupted?’. That document included specific actions to improve data protection transparency and practice for the Conservative Party, the Labour Party, the Liberal Democrats, the Scottish National Party, the Democratic Unionist Party, Plaid Cymru and United Kingdom Independence Party.
Political parties may legitimately hold personal data belonging to millions of people to help them campaign effectively, but developments in the use of data analytics and social media by political parties mean that many voters are unaware of how their data is being used.
All of the political parties engaged positively with the audit process and the ICO noted a genuine desire from those parties to respect people’s data protection rights. The parties have committed to making the improvements necessary to comply with the law and make their data processing more transparent which the ICO will monitor for effectiveness.
Obligations under the law
In the report’s Foreword, Information Commissioner Elizabeth Denham states: “We recognise the unique role political parties play in a democratic society. Society benefits from political parties that want to keep in touch with people through more informed voting decisions, better engagement with hard-to-reach groups and the potential for increased engagement in democratic processes. However, that engagement must respect obligations under the law, especially so where there are risks of significant privacy intrusion.”
Denham continues: “All political parties must use personal information in ways that are transparent, understood by people and lawful if they are to retain the trust and confidence of electorates. The transparency and accountability required by data protection is a key aspect in developing and maintaining trust. It follows that there’s an important role for the ICO in scrutinising this area.”
The ICO has made recommendations for improvements across all of the political parties audited, with 70% of those recommendations being classified as either urgent or high priority. Among those recommendations are several measures relating to the systems in which personal data is used. The way that the parties safeguard data must meet the requirements of accountability.
Key recommendations for the political parties include:
*providing the public with clear information at the outset about how their data will be used
*telling individuals when they use intrusive profiling such as combining information about those individuals from several different sources to find out more about their voting characteristics and interests
*being transparent when using personal data to profile and then target people with marketing via social media platforms
*being able to demonstrate that they’re accountable, all the while showing how parties meet their obligations and protect people’s rights
*carrying out thorough checks on all contracted and potential processors and third party suppliers to gain assurances that they comply with the key transparency, security and accountability requirements of data protection law
*reviewing their lawful bases for the different types of processing of personal data used to ensure the most appropriate basis is used
Data protection audits
These are the first data protection audits carried out on political parties and the ICO will be following up by asking the parties to show the changes they’ve made in response to the audit recommendations. Failure to take the appropriate steps could result in further regulatory action.
This work forms an important area of focus for the ICO, reflecting its commitment to improve standards of information rights practice. This is done through clear and targeted engagement to help explain compliance in specific sectors and processing contexts. For political parties, this will take the form of guidance to be issued over the coming months.