Information Commissioner's Office
Information Commissioner’s report brings the ICO’s investigation into the use of data analytics in political campaigns up to date
When we launched our investigation into the use of data analytics for political purposes in May 2017, we had little idea of what was to come.
We were concerned about invisible processing – the ‘behind the scenes’ algorithms, analysis, data matching and profiling that involves people’s personal information.
When the purpose for using these techniques is related to the democratic process, the case for a high standard of transparency is very strong.
Since we began, the scope of our investigation has extended to 30 organisations, we have formally interviewed 33 individuals and are working through forensic analysis of 700 terabytes of data. In layman’s terms, that’s the equivalent of 52 billion pages.
Now we have published a report to Parliament that brings the various strands of our investigation up to date.
It sets out what we have found and what we now know. But it is not the end. Some of the issues uncovered in our investigation are still ongoing or will require further investigation or action.
Throughout our enquiries we found a disturbing disregard for voters’ personal privacy by players across the political campaigning eco-system — from data companies and data brokers to social media platforms, campaign groups and political parties.
Where there have been breaches of the law we have acted. We have issued monetary penalties - including the maximum £500,000 (under the previous law) to Facebook– and enforcement notices that compel companies and campaigns to comply with the law. We’ve instigated criminal proceedings against SCL Elections Ltd and referred issues to other regulators and law enforcement agencies. And where we have found no evidence of illegalities, we have shared those findings openly too.
But it’s not just about enforcement action.
We are at a crossroads. Trust and confidence in the integrity of our democratic processes risks being disrupted because the average person has little idea of what is going on behind the scenes.
This must change. People can only make truly informed choices about who to vote for if they are sure those decisions have not been unduly influenced.
What can we do to ensure that we preserve the integrity of future elections? How can we make sure that voters are truly in control of the outcome?
Whilst voluntary initiatives by the social media platforms are welcome, a self-regulatory approach will not guarantee consistency, rigour or shore up public confidence.
That is why we are calling for views for a code of practice covering the use of data in campaigns and elections. It will simplify the rules and give certainty and assurance about using personal data as a legitimate tool in campaigns and elections.
This code should be given the same statutory footing as other codes of practice in the Data Protection Act 2018.
Codes about data sharing, age appropriate design and a code for the media are all enshrined in law. The integrity of our democracy is equal to these issues. It’s important enough to the public and to the wider world that the regulator’s guidance be given a sharper edge and be included in primary legislation too.
We have also called for the UK Government to consider where there are regulatory gaps in the current data protection and electoral law landscape to ensure we have a regime fit for purpose in the digital age. We are working with the Electoral Commission, law enforcement and other regulators in the UK to increase transparency in election campaign techniques.
Finally, this is a global issue, which requires global solutions. Our work has helped inform the EU’s initiatives to combat electoral interference. A Canadian Parliamentary Committee has recommended extending privacy law to political parties and the US is considering introducing its first comprehensive data protection law.
We are immensely proud of the work of the team and the impact that our investigation has had.
We hope our investigation provides a blueprint for other jurisdictions to take action and sets the standard for future investigations.
Latest News from
Information Commissioner's Office
India-UK Future Tech Festival12/12/2018 15:15:15
Elizabeth Denham's speech to the India-UK Future Tech Festival in New Delhi.
Six month prison sentence for motor industry employee in first ICO Computer Misuse Act prosecution12/12/2018 12:20:00
A motor industry employee has been sentenced to six months in prison in the first prosecution to be brought by the Information Commissioner’s Office (ICO) under legislation which carries a potential prison sentence.
A statement from Information Commissioner, Elizabeth Denham in support of International Human Rights Day 201811/12/2018 09:10:00
This year is the 70th anniversary of the signing of the Universal Declaration of Human Rights (UDHR), which exists to create equal dignity and worth for every person.
Blog: Sleigh-ing the Christmas GDPR myths07/12/2018 14:10:00
In the latest of our series of GDPR myth-busting blogs, a new post by Deputy Commissioner (Policy) Steve Wood tackles some misconceptions which have sprung up around how the new data protection law might affect your Christmas.
Blog: ICO regulatory sandbox06/12/2018 15:25:00
Following our call for evidence and analysis of the submissions we received, work on the ICO Regulatory Sandbox continues with an event in the New Year to gather more detailed evidence, ideas and opinions.
Former headteacher prosecuted for unlawfully obtaining school children’s personal information06/12/2018 10:20:00
A former headteacher has been fined in court for unlawfully obtaining school children’s personal data from previous schools where he worked.
International Privacy Forum05/12/2018 16:15:00
Elizabeth Denham’s speech to the International Privacy Forum, a public event following the 50th Asia Pacific Privacy Authorities (APPA) Forum in Wellington, New Zealand on 4 December 2018.
ICO statement in response to Marriott Hotels breach announcement03/12/2018 12:20:00
ICO statement given recently (30 November 2018) in response to Marriott Hotels breach announcement.