Code of Practice for the use of personal information in political campaigns: ORG response

Q1 Do you agree with our understanding of ‘political campaigning’ and what processing should be covered by the code?

Yes

Open Rights Group agrees with the definition provided on the Call for Views page:

Activity, which relates to elections or referenda, in support of, or against, a political party, a referendum campaign or a candidate standing for election.

Open Rights Group would like to emphasise that this definition is different to the definition in the existing definition in the existing political campaigning guidance:

Activity in support of, or against, a political party, a referendum campaigner, or a candidate standing for election. (para 2 page 2)

The proposed definition is wider than that of the existing guidance, which is welcome. The previous guidance, read strictly, could be construed as only applying to activity in support of or against particular individuals or groups, rather than issues at stake in a referendum. In the varied campaigning environment, campaigns are run, not in support of an individual candidate, but issues. For instance, Britain Stronger in Europe and Vote Leave were never campaigning for a particular campaigner in the referendum on the United Kingdom’s membership of the European Union, but for ideas and issues within a referendum.

Modern political campaigning comprises multiple different actors, and multiple different approaches. Campaigning is not about supporting a candidate or party’s position but is more splintered and multifarious. This does not mean responsibility is watered down or diffuse, it means that more actors are responsible for processing activities during campaigns and as a result more actors are subject to the Data Protection Act 2018. This is an important reflection to make and the ICO should ensure the definition reflects that change in the nature of campaigns to include activity in support of, or against the ideals of an organisation or campaign in elections and referenda.

Q2 Should the code apply to other data controllers in the political campaigning process, beyond registered political parties, electoral candidates, referendum permitted participants and third party campaigners? Eg data controllers processing personal data on behalf of political campaigns, parties or candidates.

Yes

The code should apply to:

• Data controllers processing personal data on behalf of political parties or campaigns (e.g. Facebook, Google, Twitter who provide space to advertise based on users personal data).

• Data processors processing personal data on behalf of political campaigns under contract (e.g. AIQ)

• Data brokers who sell data to political parties or campaigners for political campaigning purpose (for example, Lifecycle Management Marketing).

• Data controllers sharing their data for political campaigning purposes (e.g. Eldon Insurance sharing data with Leave.EU)

As well as the different bodies that PPERA 2000 applies to (registered political parties, referendum permitted participants, and third- party campaigners).  

In particular the Information Commissioner’s Office should pay close to attention to groups that operate as unregistered campaigners that may not be registered with the Electoral Commission. For instance, during the EU referendum BeLeave were an unregistered campaign group (neither lead campaigner nor third party campaigner) according to the Electoral Commission. They ran advertisements and shared the same personal data as Vote Leaveto identify audiences and select targeting criteria, and contracted with Aggregate IQ in a common plan with Vote Leave. While the Information Commissioner found no evidence of misuse of personal data, BeLeave were a data controller and participant in a political campaign, while not being a “referendum permitted participant” or “third party campaigner” yet the code should still apply to such an organisation.

 Q3 Who should the code also be aimed at ie data brokers, analytical companies, online platforms? (List as many as you think are applicable)

• Data controllers processing personal data on behalf of political parties or political campaigners (e.g. Facebook, Google, Twitter who provide space to advertise based on users personal data).

• Data processors processing personal data on behalf of political campaigns under contract (e.g. Aggregate IQ)

• Data brokers who sell data to political parties or campaigners for political campaigning purpose (for example, Lifecycle Management Marketing).

• Data analytics firms performing work on behalf of political parties or campaigners for political campaigning purpose.

•  Data controllers sharing personal data for political campaigning purposes.

It is important not to be construed as an exhaustive list. If an actor or individual aims to participate in an election or referendum for a particular outcome or particular policy, with the aim to convince individuals to vote in a particular way or participate, or even not participate, in the electoral process should have the code applied to them.

We propose the code will include the following broad topic areas:

- The role of data controllers in the political campaigning ecosystem;

- Transparency requirements in practice;

- Accountability, security and data minimisation requirements;

- Lawful bases including the new ‘democratic engagement’ aspect of the ‘public interest’

basis in the Data Protection Act 2018;

- Using special category data;

- The use of personal data from the Electoral Register;

- Data collection directly from individuals;

- Using personal data collected by third parties;

- Personal data analytics;

- Direct marketing including the application of the Privacy and Electronic Communications

Regulations;

- Online advertising and the use of social media;

- Post political campaign/election considerations.

Q4 Do you agree with the proposed topics?

Yes, covering new conditions would be useful. They have not appeared in guidance or jurisprudence previously, such as processing special category data if it is necessary “for an activity that supports or promotes democratic engagement” - section 8(e) of the DPA 2018, and also the Schedule 1 Part 2 Section 22 condition of processing by political parties. 

In particular the standards of substantial damage or substantial distress under Subsection 2 of Schedule 1. Part 2 Section 22, that would mean the conditions were not met. It should be kept in mind in mind that research cited by the Information Commissioner’s Office in the previous guidance on political campaigning has talked about certain marketing as ‘distressing’ (page 14 and page 17). Similar reflections would be important to include in the updated guidance.

These other areas reflect the various uses personal data is put to in modern political campaigning, in comparison with the previous guidance which was mostly focused on mailouts and direct communications. 

The challenge faced is that the models developed for commercial advertising, and in some cases the data collected for that purpose, are being used in political campaigning. This includes data matching, forming custom or lookalike audiences, data enhancement, using information held by data brokers and credit reference agencies. It is important the ICO ensures the code recognises those practices and addresses the different responsibilities and limitations that use of personal data for political campaigning purposes attract. 

 What topic areas in particular ought to be covered in the most detail?

An explanation of when the Commissioner considers processing that reveals political beliefs to have taken place. 

• Are there some categories of Lookalike audiences that could be formed by social media companies that would be considered processing revealing political beliefs?

• Where data analytics of non-sensitive data can infer “sensitive data” (such as political opinions), what protections do those inferences attract and what responsibilities do the data controllers and processors have regarding the legal bases for processing?

Transparency requirements in practice:

• What information should be immediately available to individuals when they receive a political marketing advertisement?
• Proactive disclosure of the source of the data when not collected directly from the person.

The role and effect of purpose limitation in data protection in the electoral context. Referring to the European Data Protection Board’s guidance on the application of Union data protection law in the electoral context page 6: 

Data collected for one purpose can only be further processed for a compatible purpose; otherwise a new legal ground, provided for by the General Data Protection Regulation, such as consent, has to be found for the processing for the new purpose. In particular, when lifestyle data brokers or platforms collect data for commercia purposes, that data cannot be further processed in the electoral context. With regard to social media platforms, whether there should be a distinction between the political advertising uses of the personal data they hold, and the commercial advertising uses.

The use of data from the electoral register and what analytics, or matching is legitimate to perform on that data, if any.

Q5 What do you think should be covered in the new code of practice that isn't covered in current political campaigning guidance?

Guidance and responsibilities of the various actors that now play a role in the electoral context that were not included in the current political campaigning guidance, including but not limited to:

• data analytics platforms;
• social media companies;
• data brokers;
• permitted referendum participants;
• third-party participants; and
• unregistered groups using data for political campaigning purposes.

Q6 What factors ought to be taken into account regarding the particular circumstances of different types of election or referenda?

It may not be about factors between different types of election or referenda but more pertinent the code takes into account the factors between commercial use of personal data and political use of personal data.

The effect in these circumstances are not whether or not a person buys a product but whether a person votes for a particular party, on a particular issue, or even votes at all. 

Q7 Please state any case studies or scenarios you would like to see included in the code? 

Data minimisation in political campaigning.

Examples of the new lawful bases for processing sensitive data in the Data Protection Act 2018.

Transparency standards in practice.

Examples of automated decision-making in the electoral context that would be considered to have a “sufficiently significant affect” on an individual. 

What form provision of information should take to a user of the source of data when the controller has not collected the data directly from the individual (e.g. political parties advertising using data collected by data brokers).

The use of social media platforms to construct look-a-like audiences using sensitive personal data such as political beliefs, breaking down the responsibilities and the bases for processing that need to be in place.