The Information Commissioner’s Office (ICO) has issued formal warnings to major political parties across the UK after it found risks in relation to the way they obtain and process personal data and meet data protection requirements.
Many of the findings in its investigation into the use of data analytics in political campaigns relate to the General Data Protection Regulation (GDPR), which came into effect in 2018 and is designed to regulate the use of personal data in the internet age.
The ICO’s investigators said the most concerning issues that their work revealed included political parties purchasing marketing lists and lifestyle information from data brokers or using third-party data analytics companies without carrying out sufficient checks on how the data had been gathered and whether the companies had obtained the proper consents for use of the data for a political purpose.
In addition, there are concerns that some political parties may have been providing contact lists of their members to social media companies without appropriate fair processing information and collating social media with membership lists without adequate privacy assessments.
Use of personal data must be transparent and lawful
The ICO’s investigation was launched in 2017 after allegations were made about the ‘invisible processing’ of people’s personal data and the micro-targeting of political adverts during the EU referendum. In her introduction to the investigation report, Elizabeth Denham, UK Information Commissioner, said: “Citizens can only make truly informed choices about who to vote for if they are sure that those decisions have not been unduly influenced. The invisible, ‘behind the scenes’ use of personal data to target political messages to individuals must be transparent and lawful if we are to preserve the integrity of our election process.”
She added: “We have uncovered a disturbing disregard for voters’ personal privacy. Social media platforms, political parties, data brokers and credit reference agencies have started to question their own processes – sending ripples through the big data eco-system. We have used the full range of our investigative powers and where there have been breaches of the law, we have acted.”
As a result of the investigation, formal warnings have been issued to 11 political parties (Conservatives, Labour, Lib Dems, Greens, SNP, Plaid Cymru, DUP, Ulster Unionists, Social Democrat, Sinn Féin and UKIP), which include a demand for each party to provide Data Protection Impact Assessments (DPIAs) for all projects involving the use of personal data, as required under GDPR. The warnings also detail the outcomes of the ICO investigation so far and the steps the parties need to take in response.
The ICO is also pushing for the government to introduce a new statutory code of practice for the use of personal information in political campaigns, which would apply to all data controllers that process personal data for the purpose of political campaigning. The code would therefore apply to social media companies, who would be required to inform users when their data is being used by political parties for targeted advertising. Denham argues that a code of practice could ensure that “everyone is playing by the same rules” and that political parties are using personal data to engage with voters in a way that is lawful, transparent and fair.
Focusing on social media
According to a report in The Telegraph, Facebook has already implemented changes to its political advertising structure to provide greater transparency to users, but the ICO has said that the actions Facebook has taken so far are not enough.
It has already issued the social media platform with the maximum monetary penalty available (£500,000) under the data protection laws that were in place before GDPR came into effect for lack of transparency and security issues relating to the harvesting of data. It will also be referring other outstanding issues about Facebook’s targeting functions and the techniques used to monitor individuals’ browsing habits, interactions and behaviour across the internet and different devices to the Irish Data Protection Commission, as the lead supervisory authority for Facebook for GDPR.
“The time for self-regulation is over, that ship has sailed,” Denham said. “I think there needs to be a code backed by statute and a regulator with extra-territorial reach, with the kinds of powers that the ICO has, to look at content and conduct online.”
The wider impact
While the report is focused on the use of data by those involved in political campaigning, the issues raised affect businesses of all kinds that use personal information and either hold their own databases, buy them in from data brokers or employ data analytics companies.
As Denham states, there have been ripples through the big data ecosystem, and now may be the time for risk managers to brush up on GDPR and review the way their organisation utilises personal data, to avoid any future problems and costly breaches.