The long-awaited audit into the data protection practices of the UK’s political parties has unearthed serious concerns with how most – including the Government and the official Opposition – handle people’s personal data, especially around transparency, but stops short of any enforcement action.
The Information Commissioner’s Office audited the parties’ data protection compliance as part of its two-year investigation into the use of data analytics for political purposes, which was widened to include other organisations following the Cambridge Analytica scandal.
The audits, published today, include specific actions to improve data protection transparency and practice for the Conservative Party; the Labour Party; the Liberal Democrats; the Scottish National Party (SNP); the Democratic Unionist Party (DUP); Plaid Cymru; and UKIP.
While political parties are legitimately entitled to hold personal data belonging to millions of people to help them campaign effectively, the ICO insists that developments in the use of data analytics and social media mean that many voters are unaware of how their data is being used.
The regulator was quick to point out that the political parties engaged positively with the audit process and the ICO noted a genuine desire from the parties to respect people’s data protection rights. The parties have committed to making the improvements necessary to comply with the law and make their data processing more transparent, which the ICO will monitor for effectiveness.
The ICO has made recommendations for improvements across all political parties audited, with 70% classified as urgent or high priority. Several measures relating to both the systems in which personal data is used and the way that the parties safeguard that data were also recommended to meet the requirements of accountability.
Key recommendations for the parties include providing the public with clear information at the outset about how their data will be used as well as being transparent when using personal data to profile and then target people with marketing via social media platforms.
Parties must also tell individuals when they use intrusive profiling, such as combining information about those individuals from several different sources to find out more about their voting characteristics and interests, and be able to demonstrate that they are accountable, showing how parties meet their obligations and protect people’s rights.
In addition, parties must carry out thorough checks on all contracted and potential processors and third-party suppliers to gain assurances that they comply with the key transparency, security and accountability requirements of data protection law, and review their lawful bases for the different types of processing of personal data used to ensure the most appropriate basis is used.
The ICO claims it will be following up the audits by asking the parties to show the changes they have made in response to the audit recommendations. Failure to take the appropriate steps could result in regulatory action.
Information Commissioner Elizabeth Denham said: “We recognise the unique role political parties play in a democratic society.
“Society benefits from political parties that want to keep in touch with people, through more informed voting decisions, better engagement with hard to reach groups and the potential for increased engagement in democratic processes. But engagement must respect obligations under the law, especially where there are risks of significant privacy intrusion.
“All political parties must use personal information in ways that are transparent, understood by people and lawful, if they are to retain the trust and confidence of electorates. The transparency and accountability required by data protection is a key aspect in developing and maintaining trust, and so there is an important role for the ICO in scrutinising this area.”
In response, DMA chief executive Chris Combemale commented: “While it is good that the parties have made commitments to rectify shortcomings, it has come several years after the GDPR’s implementation, which is concerning. It is the duty of every person within an organisation to know their responsibilities under the GDPR and compliance must be exhibited through all marketing and communication channels, including websites.
“Organisations who are able to demonstrate that they uphold the values of the GDPR help to build public trust in data sharing. So it is essential for political parties to take sufficient care to comply with the laws put in place to protect public data. We must continue to raise awareness of these laws and regulations not only at party bureaucracy level, but among MPs and political representatives too, if the UK is to continue spearheading initiatives that help to enhance global data protection standards.”