10,000,000 voters racially profiled by Conservatives

The summary report of ICO’s audits of UK political parties have finally been published. The most surprising revelation is that the Conservative and Unionist Party racially and religiously profiled 10 million voters, in a manner likely to be unlawful. Although in previous analyses Open Rights Group (ORG) has found both Labour and the Liberal Democrats at fault for their profiling practices, the scale and the nature of profiling shown by the ICO’s investigation is truly shocking.

Whilst it is known that other political parties conducted this sort of activity in the past, the report singles out the Conservatives as other political parties stopped such activity in 2018 due to data protection law concerns. ORG has written to the Conservatives seeking urgent clarity on this issue – and amongst other things, whether this practice is still continuing.

For people less familiar with how this works, the general idea is that the parties use the basic data in the Electoral Register – things like your first name and surname, and your postcode – to make educated guesses about your characteristics, perhaps your age, income bracket and education level, usually by looking at commercial profiles of area postcodes typically used for direct mailing.

The ICO stopped short of saying that ethnic profiling was unlawful. We believe it is likely to be. The Conservatives purchased and used data that drew on people’s names to estimate (‘onomastic data’) an individual’s country of origin, ethnicity, and religion. Although the DPA 2018 allows political parties to process special category data under the public interest lawful basis under certain conditions, this is limited to “personal data revealing of political opinions”.

Just as concerning then is that the ICO appears not to have considered this outrage a sufficient threshold for regulatory action. The ICO has said it will provide finalised guidance for political campaigners further down the line. But racial profiling in this manner appears to be a straightforward breach of data protection law. This begs the question: if the racial and religious profiling of 10 million voters is not a sufficient threshold to enforce the law, then what is?

In more general terms, the ICO’s report confirms many of the findings of our report, “Who Do They Think We Are?” published earlier this year. For example it records that political parties purchased commercially available data from ‘data brokers’ – whilst declining to name and shame them. ORG by contrast has identified data brokers where we can – for example the credit agency Experian seems to supply both Labour and the Conservatives.

This lack of detail is a weakness that runs through the report. Whilst providing a summary is often necessary, it alone is not sufficient for such a long running and high profile investigation. The ICO provides some detail of its methodology, but not the evidence it reviewed. For example, where are the results of the initial desk based review? What about (easily anonymised) transcripts of the qualitative interviews with selected staff?

Without this, such a document cannot be properly peer reviewed. ORG hope that this detail will shortly be published as an annex. Otherwise, this report will be open to accusations of ethics washing.

Similarly, the report declines to comment on the legal question of necessity in data processing for political campaigning. The use of both personal and special category data is justified under public interests tests in the DPA 2018. However the processing of both personal data (“for the purposes of democratic engagement”) and special category data (for particular types of “political activities” of certain people and organisations covered under PPERA 2000) must be ‘necessary’.

The lack of legal clarity on the limits of ‘necessary’ use of data means many political parties assume there are almost no limits to the amount of data they can amass on an individual without seeking their consent, when they are processing it for “democratic engagement” or for certain conditions of “political activities”. The limits of necessity requires urgent clarification. The ICO has avoided doing so here, although has offered plenty of advice about other, more obvious matters. This must be addressed in the finalised code of practice for the use of personal data in political campaigning.

There are positives to take away from this report. For example, the confirmation from the ICO that all parties used the services of data brokers suggests that these parties, at best, misled the Democracy and Digital Technologies Committee about the scope of their activities. However, for now the report leaves as many questions as it does answers. The ICO must offer real transparency, legal clarity and proper enforcement over the use of personal data by UK political parties, for example by committing to regular audits of the parties. If it does, this report will be a first step towards that, not the last.

If want to understand what data parties hold on you, you can use ORG’s tool to get a copy of the data from all major UK political parties operating near you.