Information Commissioner's Office
UK political parties must improve data protection practices
The Information Commissioner’s Office (ICO) has set out how seven of the UK’s political parties need to improve the way they handle people’s personal data after assessing how they manage data protection.
The ICO audited the parties’ data protection compliance following significant concerns about transparency and the use of people’s data in political campaigning that were highlighted in its 2018 report, Democracy Disrupted?
A summary of the audits was published yesterday and includes specific actions to improve data protection transparency and practice for: the Conservative Party; the Labour Party; the Liberal Democrats; the Scottish National Party (SNP); the Democratic Unionist Party (DUP); Plaid Cymru; and the United Kingdom Independence Party (UKIP).
Political parties may legitimately hold personal data belonging to millions of people to help them campaign effectively. But developments in the use of data analytics and social media by political parties mean that many voters are unaware of how their data is being used.
All the political parties engaged positively with the audit process and the ICO noted a genuine desire from the parties to respect people’s data protection rights. The parties have committed to making the improvements necessary to comply with the law and make their data processing more transparent, which the ICO will monitor for effectiveness.
In the report’s foreword, Information Commissioner Elizabeth Denham yesterday said:
“We recognise the unique role political parties play in a democratic society.
“Society benefits from political parties that want to keep in touch with people, through more informed voting decisions, better engagement with hard to reach groups and the potential for increased engagement in democratic processes.
“But engagement must respect obligations under the law, especially where there are risks of significant privacy intrusion.
“All political parties must use personal information in ways that are transparent, understood by people and lawful, if they are to retain the trust and confidence of electorates.
“The transparency and accountability required by data protection is a key aspect in developing and maintaining trust, and so there is an important role for the ICO in scrutinising this area.”
The ICO has made recommendations for improvements across all political parties audited, with 70% classified as urgent or high priority. Several measures relating to both the systems in which personal data is used and the way that the parties safeguard that data were also recommended to meet the requirements of accountability.
Key recommendations for the parties include:
- providing the public with clear information at the outset about how their data will be used;
- telling individuals when they use intrusive profiling such as combining information about those individuals from several different sources to find out more about their voting characteristics and interests;
- being transparent when using personal data to profile and then target people with marketing via social media platforms;
- being able to demonstrate that they are accountable, showing how parties meet their obligations and protect people’s rights;
- carrying out thorough checks on all contracted and potential processors and third party suppliers to gain assurances that they comply with the key transparency, security and accountability requirements of data protection law; and
- reviewing their lawful bases for the different types of processing of personal data used to ensure the most appropriate basis is used.
These are the first data protection audits carried out on political parties and the ICO will be following up by asking the parties to show the changes they have made in response to the audit recommendations. Failure to take the appropriate steps could result in further regulatory action.
This work forms an important area of focus for the ICO, reflecting its commitment to improve standards of information rights practice. This is done through clear and targeted engagement to help explain compliance in specific sectors and processing contexts. For political parties, this will take the form of guidance to be issued over the coming months.
Notes to Editors
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
- Under past and current law, the ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- Section 146 of the DPA2018 gives the Information Commissioner the power to carry out compulsory data protection audits, but the ICO predominantly conducts consensual audits. These audits are completed by the Assurance Department.
- The ICO has looked at this work as part of its investigation of the wider ecosystem of large, well-established trading and profiling of personal data which included the 2018 data analytics investigation and the recent investigation into data protection compliance in the direct marketing data broking sector.