Information Commissioner's Office
UK political parties must improve data protection practices
The Information Commissioner’s Office (ICO) has set out how seven of the UK’s political parties need to improve the way they handle people’s personal data after assessing how they manage data protection.
The ICO audited the parties’ data protection compliance following significant concerns about transparency and the use of people’s data in political campaigning that were highlighted in its 2018 report, Democracy Disrupted?
A summary of the audits was yesterday published and includes specific actions to improve data protection transparency and practice for: the Conservative Party; the Labour Party; the Liberal Democrats; the Scottish National Party (SNP); the Democratic Unionist Party (DUP); Plaid Cymru; and United Kingdom Independence Party (UKIP).
Political parties may legitimately hold personal data belonging to millions of people to help them campaign effectively. But developments in the use of data analytics and social media by political parties mean that many voters are unaware of how their data is being used.
All the political parties engaged positively with the audit process and the ICO noted a genuine desire from the parties to respect people’s data protection rights. The parties have committed to making the improvements necessary to comply with the law and make their data processing more transparent, which the ICO will monitor for effectiveness
In the report’s foreword Information Commissioner, Elizabeth Denham yesterday said:
“We recognise the unique role political parties play in a democratic society.
“Society benefits from political parties that want to keep in touch with people, through more informed voting decisions, better engagement with hard to reach groups and the potential for increased engagement in democratic processes.
“But engagement must respect obligations under the law, especially where there are risks of significant privacy intrusion.
“All political parties must use personal information in ways that are transparent, understood by people and lawful, if they are to retain the trust and confidence of electorates.
“The transparency and accountability required by data protection is a key aspect in developing and maintaining trust, and so there is an important role for the ICO in scrutinising this area.”
The ICO has made recommendations for improvements across all political parties audited, with 70% classified as urgent or high priority. Amongst those recommendations were several measures relating to both the systems in which personal data is used, and the way that the parties safeguard that data were also recommended to meet the requirements of accountability.
Key recommendations for the parties include:
- providing the public with clear information at the outset about how their data will be used;
- telling individuals when they use intrusive profiling such as combining information about those individuals from several different sources to find out more about their voting characteristics and interests;
- being transparent when using personal data to profile and then target people with marketing via social media platforms;
- being able to demonstrate that they are accountable, showing how parties meet their obligations and protect people’s rights;
- carrying out thorough checks on all contracted and potential processors and third party suppliers to gain assurances that they comply with the key transparency, security and accountability requirements of data protection law and;
- reviewing their lawful bases for the different types of processing of personal data used to ensure the most appropriate basis is used.
These are the first data protection audits carried out on political parties and the ICO will be following up by asking the parties to show the changes they have made in response to the audit recommendations. Failure to take the appropriate steps could result in further regulatory action.
This work forms an important area of focus for the ICO, reflecting its commitment to improve standards of information rights practice. This is done through clear and targeted engagement to help explain compliance in specific sectors and processing contexts. For political parties, this will take the form of guidance to be issued over the coming months.
Notes to Editors
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
- Under past and current law, the ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- Section 146 of the DPA2018 gives the Information Commissioner the power to carry out compulsory data protection audits, but the ICO predominantly conducts consensual audits. These audits are completed by the Assurance Department.
- The ICO has looked at this work as part of its investigation of the wider ecosystem of large, well-established trading and profiling of personal data which included the 2018 data analytics investigation and the recent investigation into data protection compliance in the direct marketing data broking sector.
Latest News from
Information Commissioner's Office
Information Commissioner’s Office tells platforms to respect information rights when moderating online content16/02/2024 12:25:00
The Information Commissioner’s Office (ICO) is working to support people's information rights online by ensuring organisations understand their data protection obligations when seeking to make their platforms safer.
Practical tips for small beauty and wellbeing businesses this Valentine’s Day14/02/2024 13:15:00
Show your customers you care – about their information rights – this Valentine’s Day.
ICO approves legal services certification scheme14/02/2024 10:20:00
The Information Commissioner’s Office (ICO) has approved a certification scheme aimed at legal service providers who process personal data.
ICO responds to Home Office’s draft regulations to the immigration exemption13/02/2024 10:25:00
The Information Commissioner's Office has welcomed proposed government changes to provide clearer safeguards around how people in a potentially vulnerable position within the immigration system are able to access the information held about them.
ICO urges all app developers to prioritise privacy09/02/2024 10:15:00
The Information Commissioner’s Office (ICO) is reminding all app developers to ensure they protect users’ privacy, following the regulator’s review of period and fertility apps.
ICO warns organisations to proactively make advertising cookies compliant after positive response to November call to action31/01/2024 15:20:00
Last November we wrote to 53 of the UK’s top 100 websites, warning that they faced enforcement action if they did not make changes to advertising cookies to comply with data protection law.
New ICO campaign promotes sharing data to safeguard children30/01/2024 09:10:00
The Information Commissioner’s Office is partnering with education, law enforcement and social service organisations to raise awareness about responsible data sharing to protect children from harm.
South Tees Hospitals NHS Foundation Trust reprimanded for “serious, harmful” data breach25/01/2024 16:20:00
The Information Commissioner’s Office (ICO) has today announced it has reprimanded South Tees Hospitals NHS Foundation Trust for a data breach which resulted in a disclosure containing sensitive information to a unauthorised family member.
ICO fines financial services company £50k for spam text messages19/01/2024 14:10:00
Financial services company LADH Limited has been fined £50,000 by the Information Commissioner’s Office (ICO) for sending tens of thousands of spam text messages, in breach of Privacy and Electronic Communications Regulations (PECR).