ORG Takes Political Parties to Privacy Watchdog

On 11 December 2020, the eve of the anniversary of the 2019 General Election Open Rights Group submitted complaints, represented by the data rights firm AWO, to the Information Commissioner’s Office on behalf of data subjects on the processing of personal data by the Labour Party, the Conservative and Unionist Party and the Liberal Democrats. The complaints cap off a phase of our work on data and democracy which began back in 2019 when ORG staff and supporters sent data subject access requests to all of the main political parties of the United Kingdom, continuing throughout 2020 with discussions between ORG and the parties.

Through these subject access requests and subsequent discussions we found two core concerns. Firstly, the parties had a poor system for dealing with requests for personal data, producing files containing scores and codes that had no rational explanation attached, requiring us to return to the parties a number of times to understand just what this personal data actually meant. Secondly and perhaps more importantly, the political parties seemed to place no meaningful limit on the profiling or processing of personal data they believe they can undertake. Their positions as to what they consider necessary for their practices boiled down to “whatever it is that helps us win elections”. That position has no practical limitation, and as we saw in our subject access requests response the parties take that position to allow them to collect a large amount of personal data and generate profiling information on voters in the United Kingdom.

We are asking the Information Commissioner’s Office to ensure that the parties uphold their responsibilities for providing clear, transparent information to individuals when they request their personal data and to ensure that a proper test of necessity is applied by the parties on their data processing activities. The complaints reinforce many of the findings and concerns surfaced by the Information Commissioner’s audit of political parties released in November 2020.

The aim of our complaints is not to create a system where no profiling can ever take place but there has to be a clear limit from the political parties keeping in mind the rights of individuals, and the important role their messaging, and their targeting, play in the health of our democratic debate. The use of data by political parties cannot be a race to the bottom of the data profiling barrel, we need to see strong moral leadership from parties through greater respect for our personal data.

With Scottish Parliamentary elections alongside local elections scheduled to take place in May this year, it is important we see action taken to clarify these areas and improve processes.

Hurdles to access personal data

Way back in May 2019 ORG staff and supporters began sending subject access requests to all of the main political parties in the United Kingdom. We were seeking to understand what personal data the parties held, where they got that data from, and what purposes they put it to.

We found that the Labour Party, Conservatives and the Liberal Democrats were out in front of all other parties in the United Kingdom in their collection and use of profiling tools generating scores and values on our lifestyle and our political opinions. But even finding out what these scores meant were met with difficulty. The Labour Party failed to respond to the requests in the required time, taking 5 months to respond to the original request sent in May 2019. The information that was contained in were mostly unintelligible and ran to over 100 pages for one member of staff.

The Labour response contained codes and scores some of which were inexplicable. Propensity scores titled lp_prod.SPV without any sort of explanation as to what that meant, or codes relating to level of education attained (3, for example) without explaining what those codes meant. 

The Conservatives also provided unintelligible responses. For example, Mosaic scores had been attributed to the staff, including political opinions. However no explanation was given as to how the Conservatives obtained the information, why they had it, how it was generated, or what the Conservatives intended to do with it, including who they had shared it with. While reference was made to third party brokers, such as Experian, as a source of data it was not explained what data came from which particular source.

The Liberal Democrats had similar aims attempting scores such as prag_ld which turned out to be the likelihood of being a pragmatic liberal, whatever that means. The Liberal Democrats also failed to provide a full account of the information held, with one request referring to 9 of 37 scores but only providing 7 of those scores.

None of the these scores were explained at the time of receiving the requests, requiring staff to ask repeatedly about what this or that score meant, or what purposes they were put to. This was a source of frustration and we expect would be frustrating for many people who might also exercise their right to access personal data held about them. This was why we created a tool in 2020 that helped people understand the data they may receive in a subject access request: Who Do They Think We Are?

However, the creation of a tool by Open Rights Group should not satisfy the responsibility that parties have as data controllers to tell people when their personal data is being processed, why, what that data means and who it has been shared with. Without a right of access that is genuinely meaningful, individuals can’t begin to exercise other key data rights.

How much data is too much data?

The legal bases most likely to be relied upon by political parties, public interest and legitimate interests, to justify their political campaign processing include a requirement of necessity:

Article 6(1)(e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

and

Article 6(1)(f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of persona data, in particular where the data subject is a child. (emphasis added)

And for special category data, such as political opinions, in the specific context of processing by political parties under Paragraph 22 of Schedule 1 of the Data Protection Act 2018 where it “is necessary for the purposes of the person’s or organisation’s political activities”.

Seeking to understand how the parties applied that test of necessity, Open Rights engaged in discussions with them, with the assistance of the data rights firm AWO. The responses we received from the parties were deeply concerning.

The discussions showed that the parties treat any activity which they believe will help them win an election as a necessary measure. For example Labour, when asked, how they could justify that all the personal data and extensive profiling they undertake is necessary responded:

“The Party…. does consider that all of its data processing is in the substantial public interest because it reasonably believes that this data processing contributes to the prospects of the election of Labour Party MPs who could implement the Party’s policy platform.”

If every controller adopted this approach, the test would apply no limit to the processing that can be deemed lawful. Such an approach deprives the test of necessity of substantive content, and it is simply unsustainable.

The test of necessity is a key concept in law, and under data protection law has been reinforced by European and domestic courts to require that the processing or interference with the right to privacy is strictly necessary, and justified based on objective evidence. Even the draft guidance on processing of personal data by political parties from the Information Commissioner’s Office makes clear that processing to meet the test of necessity:

“must be more than just useful or standard practice. It must be targeted and proportionate way of achieving your specific purpose. This basis does not apply if you can reasonably achieve your purpose by some other less privacy intrusive means, or by processing less personal data.”

In seeking to understand where the parties draw the line on their use of personal data, we have found that the parties believe there isn’t one. Or at least, if there is, then it is one that can be moved as they see fit for their political needs. That cannot be the way forward.

These concerns do not rely on political micro-targeting working, that isn’t what data protection law seeks to respond to. Even useless micro-targeted ads that fail to convince any citizen to vote will have broken data protection law if they use more personal data than is necessary, or fail to transparently account to individual’s what that personal data is. And this is exactly what we have found.

Next steps

We don’t assume that the results of our research are unique to us. In fact we believe that the profiling we have seen is pretty standard in the system. That systemic approach to the use of personal data is exactly the problem. The political parties are treating anything that helps them achieve their political goals  as necessary or otherwise lawful. This is why we are asking the Commissioner to address these issues in the complaint, as part of her ongoing audit process.

It appears as though parties have been unwilling or unable to draw a line in the sand on their processing. If they can’t do this, then it is time for somebody else to.