Ever since the Scottish National Party breached the PECR Regulations back in 2005, all political parties have had problems using personal data to identify potential supporters at election time. It is a tricky issue; those standing for election need to process personal data in order to contact supporters and voters.
Last Sunday, it emerged that the Conservative Party appears to have used USA-style polling techniques to create a database of voters which, in part, is legitimised by a simple privacy axiom: personal information that is published is not private; hence there cannot be any obligation to protect privacy.
This privacy axiom might work in the USA but it does not work in the UK as most Data Protection Principles are not negated, even when data subjects publish personal data about themselves. For instance, if a data controller gathers together all sorts of personal data from the Internet, it cannot claim that because these details are in the public domain, then there is no right of access to these personal data or that security obligations can be ignored.
With that in mind, just consider this passage from The Sunday Times (3rd March 2012, page 19). It explores a database that supports future Conservative Election Campaigns in the following terms:
“The key to victory may lie in technology. For several months, four brainboxes have quietly creating the most sophisticated ever database for use in future by-election and general election campaigns”.
This database is stored “in the Cloud” and will “amass data from public records, pollsters, fundraisers and political activists and volunteers… It will also trawl social networking sites for information on voters’ habits and preferences”.
“Facebook, Twitter – if it’s in the public domain it’s not off limits”, says Jag Singh, a digital whizz-kid who has worked on two US presidential elections……Singh hopes the database will contain details of as many as 20 million voters by 2015”.
Before progressing, I am making the assumption that this system is up and running in some form and that some (possibly most) personal data are being processed without the consent of the data subject.
However, I can’t resist making a comment that these “brainboxes” and “whizz-kids” appear to know little of the data protection consequences of their processing actions. Their plans also reveal why users of web-browsers need to consider very carefully what electronic trails they are leaving, and why in the case of social media software, there are risks of making personal details available to others.
The first comment to say is that in many cases, sensitive personal data about voters are being processed; this is likely to bring with it enhanced security obligations as the particular context includes expressions of opinion in support of, or opposition to, a particular political or social policy (e.g. Immigration, Gay Marriage etc).
So there is an immediate accuracy problem in cases where a “friend” of the data subject has published commentary on the data subject’s political views, or if that friend inadvertently places a data subject’s preliminary views in the public domain (e.g. by forwarding a private posting to his friends). For instance, how many times have you said something on a topical issue, a colleague then mentions something that you haven’t considered, and you then modify your view.
Secondly, the personal data that are being processed extend well beyond the name and address details that are provided when political parties obtain copies of the Electoral Roll for each constituency. What in essence is happening is that the Electoral Roll provides the core name and address data for a central register, which is then linked to other personal data obtained which is likely to be obtained without the consent of the data subject concerned.
Third, there is the issue of fairness. Is it fair to process personal data from social media postings when in many circumstances they have not been posted with the intent that they can be copied for general use or for a political purpose? Do the fairness requirements mean that data subjects need to be informed that a political party is amassing their personal details on them in order, for example, to profile their political preferences?
Of course one could argue that there is no need for a fair processing notice at all, as a data subject should know that if his personal data are published by him then these published data can be used for anything. (This is despite the fact that it is well known that many data subjects do not appreciate this point and that in many cases, the default privacy setting provided by social networking sites is “no privacy”).
Consequently, I have constructed an argument that requires the data controller to contact with the data subject with the fair processing details that does not depend on the fair processing requirements of the First Principle.
In the absence of consent, the processing by the data controller of any additional personal data (i.e. additional to name and address from the Electoral Roll) is very likely to be subject to the balance of interests grounds (i.e. Schedule 2, paragraph 6). This means that the processing by a data controller, if necessary, is legitimate if there is no overriding interest of the data subject to protect.
Given that sensitive personal data are likely to be processed, the question then arises as to how can a data controller take account of any overriding legitimate interests of each data subject without making contact with that data subject?
In addition, the right of objection (S.10 of the DPA) applies. So how can a data subject exercise their right to object to the processing of personal data by a data controller if they do not know that such personal data are being processed and for what purpose? How, for instance, can a data subject exercise their rights of access without knowing the identity of the data controller or where to send any request for access?
In other words, contact by a data controller with data subjects to alert them to the processing purpose and the identity of the data controller is a consequence of the Sixth Principle, and the legitimisation arm of the First Principle (and not only the fairness limb of the First Principle).
Handily, because the Conservative Party has the Electoral Roll, contact with data subjects should not prove too difficult; a brief billet-doux should suffice (e.g. “Dear Data Subject. XYZ Party is processing your personal data for a political purpose. Lots of love…”).
Other data protection issues also show that the claim of Jag Singh (“if it’s in the public domain, it’s not off limits”) is clearly misguided. For instance, how long are details kept on the central database and how on earth are these additional details (i.e. other than name and address) are kept up to date? What details are deemed relevant to the political purpose and when are political views of electors deleted (if ever)? Finally there are the Cloud issues and transfers outside the EEA.
Lurking in the background are other important questions such as: “Would a database that contained the political views of voting adults in the UK present a target for unauthorised access?” or questions that arise from function creep (e.g. would employers use such a database in their employment decisions).
In summary, I think that Conservative Party (and to be fair, probably the other main political parties as well) are considering steps that urgently… how shall I put it… need a Privacy Impact Assessment (PIA) at the very least.
Hopefully when doing this PIA they can employ whizz kids and brainboxes who appreciate that “if it’s in the public domain, the Data Protection Act still applies”!
We still have places on our half day workshop on the Data Protection Regulation on Monday March 18th in London (details on http://www.amberhawk.com/bookevents.asp)