An EDW blog reader who stresses they are NOT a lawyer or data protection specialist, but who has extensive knowledge of the subject, has this to say about the questionnaire currently being circulated by the local Conservative party as part of their electioneering:
If you have contact with anybody who knows about GDPR and the Data Protection Act 2018, you might like to get them to take a look. My knowledge is better than average but not complete. However, I think the policy is dodgy:
Item 3 says ‘All processing is carried out by consent’. The problem here is that Consent cannot be assumed to have been given. It MUST be a positive action on the part of the data subject so in the case of the questionnaire that you mention, there must be a means by which respondents can give their consent to having their data stored and processed.
Item 3 adds ‘or public interest’. This isn’t a lawful basis for storing and processing data. The Information Commissioner’s Office (ICO) has a list of the 6 permitted lawful bases here:
There are 6 lawful bases:
Consent (as I say this MUST be given by a positive action – it cannot be assumed to have been given or be ‘given’ by means of a pre-checked tickbox).
Contract (e.g. if you buy something from an organisation, they can store your data in order to complete the contract).
Legal obligation (can be used if the organisation needs to store and process personal data ‘to comply with a common law or statutory obligation’).
Vital interest (to be used if the data must be processed in order to protect somebody’s life so passing medical history to A&E if you have an accident falls under this one).
Public task (The ICO says that this one ‘can apply to any organisation that exercises official authority or carries out tasks in the public interest’. It would be interesting to see whether the ICO would consider the Conservatives’ distribution of election material to be in the public interest).
Legitimate interests (is a catch-all category but the ICO says ‘It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing’. This is one that’s used, for example, by membership organisations because a member would expect the organisation to retain and process members’ details. Again, it would be interesting to see this one tested with the ICO in the case of the Conservatives.)
Overall, I think it could be argued that the Conservatives should be relying only on Consent when it comes to campaigning activities. Obviously Legitimate interest is the correct lawful basis in the case of members of the Association. However, if they’re relying on Consent, the questionnaire must include a checkbox that respondents must tick in order to give their consent to having their data stored by the Conservative Association.
Item 6 relates to Special category data which includes some of the data identified in your story viz. ‘ethnic origin, political opinions, and religious, philosophical and other beliefs’. The Data protection legislation says that this data requires special handling. This is a complex area but it doesn’t look as if the East Devon Conservatives have understood it.
Item 8 is their data retention policy. They appear to be saying that they may hold the data for up to 10 years ‘two election cycles’. For ordinary voters who are not members of the Association, this looks to me to be excessive.
Item 10 appears to say that they’ll share people’s data with a surprisingly wide range of organisations: ‘entities of Political Party associations, federations, branches, groups and affiliates’. I doubt that this is permitted under the legislation without specific consent.
Item 11 says, amongst other things, ‘you have the right to object to certain types of processing, such as direct marketing’. They appear to be confusing the Data Protection Act 2018 with the Privacy and Electronic Communications Regulations (PECR). This sits alongside the DPA but isn’t part of it. PECR governs the use of personal data for electronic marketing e.g. email, text messaging, telephones etc.
Item 11 also says ‘you also have the right to be subject to the legal effects of automated processing or profiling’ [my emphasis]. This looks like a typo.
Item 11 also says you have the ‘Right to judicial review:’. This seems to be a curious and confusing way of telling people that they have the right to complain to the ICO which is dealt with in Item 12.