Title: Code of Practice for the use of personal information in political campaigns: ORG response
Author: Matthew Rice
Published: 19 December 2018
Yes
Open Rights Group agrees with the definition provided on the Call for Views page:
Activity, which relates to elections or referenda, in support of, or against, a political party, a referendum campaign or a candidate standing for election.
Open Rights Group would like to emphasise that this definition is different to the definition in the existing political campaigning guidance:
Activity in support of, or against, a political party, a referendum campaigner, or a candidate standing for election. (para 2 page 2)
The proposed definition is wider than that of the existing guidance, which is welcome. The previous guidance, read strictly, could be construed as only applying to activity in support of or against particular individuals or groups, rather than issues at stake in a referendum. In the varied campaigning environment, campaigns are run not in support of an individual candidate, but of issues. For instance, Britain Stronger in Europe and Vote Leave were never campaigning for a particular campaigner in the referendum on the United Kingdom’s membership of the European Union, but for ideas and issues within a referendum.
Modern political campaigning comprises multiple different actors, and multiple different approaches. Campaigning is not about supporting a candidate or party’s position but is more splintered and multifarious. This does not mean responsibility is watered down or diffuse; it means that more actors are responsible for processing activities during campaigns and as a result more actors are subject to the Data Protection Act 2018. This is an important reflection to make and the ICO should ensure the definition reflects that change in the nature of campaigns to include activity in support of, or against, the ideals of an organisation or campaign in elections and referenda.
Yes
The code should apply to:
As well as the different bodies that PPERA 2000 applies to (registered political parties, referendum permitted participants, and third-party campaigners).
In particular the Information Commissioner’s Office should pay close attention to groups that operate as unregistered campaigners that may not be registered with the Electoral Commission. For instance, during the EU referendum BeLeave were an unregistered campaign group (neither lead campaigner nor third party campaigner) according to the Electoral Commission. They ran advertisements and shared the same personal data as Vote Leave to identify audiences and select targeting criteria, and contracted with Aggregate IQ in a common plan with Vote Leave. While the Information Commissioner found no evidence of misuse of personal data, BeLeave were a data controller and participant in a political campaign, while not being a “referendum permitted participant” or “third party campaigner”, yet the code should still apply to such an organisation.
It is important that this not be construed as an exhaustive list. If an actor or individual aims to participate in an election or referendum for a particular outcome or particular policy, with the aim to convince individuals to vote in a particular way or participate, or even not participate, in the electoral process, the code should apply to them.
Yes, covering new conditions would be useful. They have not appeared in guidance or jurisprudence previously, such as processing special category data if it is necessary “for an activity that supports or promotes democratic engagement” - section 8(e) of the DPA 2018, and also the Schedule 1 Part 2 Section 22 condition of processing by political parties.
In particular the standards of substantial damage or substantial distress under Subsection 2 of Schedule 1, Part 2 Section 22, that would mean the conditions were not met. It should be kept in mind that research cited by the Information Commissioner’s Office in the previous guidance on political campaigning has talked about certain marketing as ‘distressing’ (page 14 and page 17). Similar reflections would be important to include in the updated guidance.
These other areas reflect the various uses personal data is put to in modern political campaigning, in comparison with the previous guidance which was mostly focused on mailouts and direct communications.
The challenge faced is that the models developed for commercial advertising, and in some cases the data collected for that purpose, are being used in political campaigning. This includes data matching, forming custom or lookalike audiences, data enhancement, using information held by data brokers and credit reference agencies. It is important the ICO ensures the code recognises those practices and addresses the different responsibilities and limitations that use of personal data for political campaigning purposes attract.
An explanation of when the Commissioner considers processing that reveals political beliefs to have taken place.
Transparency requirements in practice:
The role and effect of purpose limitation in data protection in the electoral context. Referring to the European Data Protection Board’s guidance on the application of Union data protection law in the electoral context page 6:
Data collected for one purpose can only be further processed for a compatible purpose; otherwise a new legal ground, provided for by the General Data Protection Regulation, such as consent, has to be found for the processing for the new purpose. In particular, when lifestyle data brokers or platforms collect data for commercial purposes, that data cannot be further processed in the electoral context.
With regard to social media platforms, whether there should be a distinction between the political advertising uses of the personal data they hold, and the commercial advertising uses.
The use of data from the electoral register and what analytics, or matching is legitimate to perform on that data, if any.
Guidance and responsibilities of the various actors that now play a role in the electoral context that were not included in the current political campaigning guidance, including but not limited to:
It may not be about factors between different types of election or referenda; it is more pertinent that the code takes into account the factors between commercial use of personal data and political use of personal data.
The effect in these circumstances is not whether or not a person buys a product but whether a person votes for a particular party, on a particular issue, or even votes at all.
Data minimisation in political campaigning.
Examples of the new lawful bases for processing sensitive data in the Data Protection Act 2018.
Transparency standards in practice.
Examples of automated decision-making in the electoral context that would be considered to have a “sufficiently significant affect” on an individual.
What form provision of information should take to a user of the source of data when the controller has not collected the data directly from the individual (e.g. political parties advertising using data collected by data brokers).
The use of social media platforms to construct look-a-like audiences using sensitive personal data such as political beliefs, breaking down the responsibilities and the bases for processing that need to be in place.