We are living in an unprecedented historical moment. Although public health is everyone’s first priority, we are seeing a worrying encroachment on civil liberties by the UK government. The Covid-19 Bill gives extraordinary powers to the police and intelligence services. As a result, ORG’s work of defending human rights online is possibly of more consequence than it ever has been before.
ORG’s Data Subject Access Request research (forthcoming), has shown the extent of personal data collection by political parties in the UK which predates the current crisis. However the legal basis for them to collect information about individuals, such as their spending habits, address, and social media activity, is considerably more shaky.
To process your personal data, organisations must rely on one or more lawful bases. These are generally limited by the kind of organisation in question. Most people might assume that political parties rely on the informed consent for citizens to process their data: after all, that is how they get elected! Instead, they tend to rely on three lawful bases: Legitimate interest, public interest, and substantial public interest. It’s the latter two that ORG takes particular issue with.
The public interest test is invoked when any personal data is processed by a political party. There is a specific provision for what counts as ‘public interest’ for political parties : in this case when processing personal data is “necessary” for “an activity that supports or promotes democratic engagement”.
However, when processing information such as political opinion or sexuality (known as special category data), there is a higher threshold - the substantial public interest test. For this to be met, data processing must again be “necessary” for“the purposes of the person’s or organisation’s political activities”. In short, this means if processing an individual's political opinion is not necessary for political parties’ political activities, then it is unlawful.
Both of these tests have over time become known as “exemptions” or “exceptions” for the political parties. However the parties by and large reject this characterisation. For example Labour, in its written evidence to the House of Lord’s Democracy and Digital Technologies Committee stated that “It is not... the case that the current statutory provisions provide an “exception” for political parties.” The Conservatives said much the same.
It is true that the law does not provide carte-blanche “exceptions” for political parties to use all sorts of personal data without consent. But the political parties interpret their lawful bases so broadly, that they have been used as exemptions in practice. The key issue for the political parties is that in both lawful bases, the word “necessary” is doing a lot of heavy lifting. Both DPA guidance, and the ICO itself, have said that “ you do not have a lawful basis for processing if there is another reasonable and less intrusive way to achieve the same result”. The processing must be more than useful, standard practice; it must be targeted and proportionate, for a specific purpose.
Our current legal action against the political parties limits what I can say on this specifically. But most reasonable people will understand this:
Attempting to collect data on every registered voter in the UK is not ‘targeted’.
Attempting to get as much personal information as is possible on each of those voters is not ‘proportionate’.
Doing this year round, limited only by a party’s financial or data assets, implies that a ‘specific purpose’ is lacking.
In addition, I question whether the public would so readily conflate “democratic engagement” with trading and grading personal information. The bulk of this activity is to work out who it is worth the political parties spending further resources on to encourage them to vote for them. This means cutting people out of their operations. Electioneering and democratic engagement are not the same thing.
The claim that mass data collection is “necessary” for democratic engagement or political activities is false. There are several routes by which this can be proved. The simplest: the ICO could clarify the position of the law and offer strict- ideally binding by statute- guidance to political parties about what constitutes necessity here. Indeed the ICO stated they think political parties have overstepped the line during their recent evidence to the Fairvote APPG.
They should now go further and offer clear, detailed, firm guidance to political parties about what level of data processing is really necessary for a functioning democracy.