A Labour spokesman has just told the BBC that the Party was confident "the processes of verification and handling applications (to vote in the leadership election) are compliant with the Data Protection Act".
I will leave readers to judge this issue as I have just received an email from a colleague whose application to vote in the forthcoming Labour Party Leadership election has been rejected. The letter he received reads as follows:
Thank you for your recent application to become an Affiliated/a Registered Supporter of the Labour Party.
As part of the process to sign up as an Affiliated/a Registered Supporter all applicants are asked to confirm the following statement; I support the aims and values of the Labour Party, and I am not a supporter of any organisation opposed to it.
We have reason to believe that you do not support the aims and values of the Labour Party or you are a supporter of an organisation opposed to the Labour Party and therefore we are rejecting your application.
Although you may have received or may still receive a ballot paper, it will not work and if you do vote it will not be counted.
Should you wish to dispute rejection by the Labour Party you would have to submit and pursue an application to join Labour as a full member.
The Labour Party
The first question to ask in any data protection analysis is: “Can the Labour Party process personal data in order to vet applicants seeking a vote in the forthcoming leadership election?”. Answer “yes”; it is necessary in the legitimate interest of the Party (as data controller) to defend the integrity of its leadership election by carrying out such processing of personal data. Consequently the Party can rely on the balance of interests grounds (Schedule 2, paragraph 6) so long as the Party takes steps to protect any overriding legitimate interests of the data subject.
However, there is no evidence (e.g. in the letter) that such steps to protect the legitimate interests of the data subject have been taken. If someone fails to get a vote because “We have reason to believe that you do not support the aims and values of the Labour Party”, it is not clear how applying for full membership (as suggested in the letter) is going to protect the data subject’s legitimate interest at the time of the processing of his personal data.
In other words, any appeals process which has been established to protect the legitimate interests of the data subject should be applied when processing of personal data occurs. An appeals process which relates to the processing of personal data at some time in the future (e.g. when personal data associated with a full membership application is made) is, in my view, not going to work.
Can the Labour Party scour the internet to find out the political views of the applicant? Answer “yes”, if data subjects have taken steps to put their own sensitive personal data (e.g. political views) into the public domain. However this ground does not apply if a data subject has not taken such steps.
In other words, if the Labour Party has been careful there should not be a Schedule 2&3 problem; however, if the Party is relying on a Third Party to provide sensitive personal data about the applicant, then there could be difficulties.
Fair processing issues also arise if the Party have obtained sensitive personal data about a data subject from a Third Party. For instance, when applicants provide personal data and sign a statement of the kind “I support the aims and values of the Labour Party, and I am not a supporter of any organisation opposed to it”, any fair processing notice should include a description of any Third Party source used to vet the applicant, especially as use of such sources could lead to rejection of the data subject’s ability to vote.
In addition, given that data subjects can be rejected on the grounds: “We have reason to believe that you do not support the aims and values of the Labour Party or you are a supporter of an organisation opposed to the Labour Party and therefore we are rejecting your application”, fairness would be easier to prove if such a statement was accompanied with a summary of the personal data that substantiates that rejection.
This is especially the case if such evidence is placed in the public domain by the data subject. I see no problem in stating something like “Your public Facebook pages shows you canvassed for Party X in the General Election in 2014” if the data are factually correct.
If the Party is using personal data like these, I think it will be able to justify their use as being “necessary” in the legitimate interests of the data controller. In other words, if the use of such personal data is “necessary” there is no need to be coy about it; one only needs coyness when the processing is, perhaps, not as “necessary” as claimed.
If Labour Party has incorporated personal data derived from the Electoral Register into its vetting activities, then that processing could be unlawful. The full Electoral Register, according to the Electoral Commission’s website, can only be used for “for electoral purposes, such as making sure only eligible people can vote” (in elections organised by an Electoral Registrar).
The Commission add that the full Electoral Register “is also used for other limited purposes specified in law, such as: detecting crime (e.g. fraud), calling people for jury service, checking credit applications”. I do not think that “vetting voters in a party leadership election” is one of those “other limited purposes specified in law”.
A Labour supporter who has been debarred from voting could consider making a subject access request (SAR) in an attempt to find out what personal data the Party have been used. However, before that I suggest that you Google your name to see what personal data have been displayed by you.
If such personal data have been used to debar a voter, they could have been inspected but not retained by the Party. So such personal data would not be revealed via a SAR as they are not being processed at the time the SAR is received. More likely was that such personal data were processed (e.g. inspected) at the time of the application to vote.
That is why, a claim of unfair processing or unlawful processing might be better complaint route; I am not sure that the SAR approach will work. So complain to the ICO for free (First Principle breach) and save £10.
In data protection terms, I think other problems (e.g. relevance, accuracy, retention and security of personal data) are similar to those identified in the ICO’s “Violent Warning Markers” advice except of course the context has changed; the context for the Labour Party is “Political-view Warning Markers”.
At the end of the day, I suspect the Party will be content that the “end justifies the means”. If the ICO ever gets round to an investigation, or if data subjects pile in with SARs which no doubt will take 40 days to respond, the leadership election will be done, dusted and history; subsequent data subject complaints will be largely irrelevant.
In other words, the political adage that “the end may justify the means as long as there is something that justifies the end” will apply.
P.S. If you know the above quote, then you should definitely be barred from voting in Labour’s leadership election!
Advert: we have a PIA, DP Audit course, BCS DP Foundation Course and a GDPR workshop in September (details accessible from www.amberhawk.com ).
References: Labour Party is confident about data protection: http://www.bbc.co.uk/news/uk-politics-34013497