Is the East Devon Conservatives election questionnaire breaking Data Protection rules?

An EDW blog reader who stresses they are NOT a lawyer or data protection specialist, but who has extensive knowledge of the subject, has this to say about the questionnaire currently being circulated by the local Conservative party as part of their electioneering:

“Your story on the East Devon Conservatives’ questionnaire led me to take a look at their privacy policy available here:

https://www.eastdevonconservatives.org/privacy

If you have contact with anybody who knows about GDPR and the Data Protection Act 2018, you might like to get them to take a look. My knowledge is better than average but not complete. However, I think the policy is dodgy:

Item 3 says ‘All processing is carried out by consent’. The problem here is that Consent cannot be assumed to have been given. It MUST be a positive action on the part of the data subject so in the case of the questionnaire that you mention, there must be a means by which respondents can give their consent to having their data stored and processed.

Item 3 adds ‘or public interest’. This isn’t a lawful basis for storing and processing data. The Information Commissioner’s Office (ICO) has a list of the 6 permitted lawful bases here:

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

There are 6 lawful bases:

Consent (as I say this MUST be given by a positive action – it cannot be assumed to have been given or be ‘given’ by means of a pre-checked tickbox).

Contract (e.g. if you buy something from an organisation, they can store your data in order to complete the contract).

Legal obligation (can be used if the organisation needs to store and process personal data ‘to comply with a common law or statutory obligation’).

Vital interest (to be used if the data must be processed in order to protect somebody’s life so passing medical history to A&E if you have an accident falls under this one).

Public task (The ICO says that this one ‘can apply to any organisation that exercises official authority or carries out tasks in the public interest’. It would be interesting to see whether the ICO would consider the Conservatives’ distribution of election material to be in the public interest).

Legitimate interests (is a catch-all category but the ICO says ‘It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing’. This is one that’s used, for example, by membership organisations because a member would expect the organisation to retain and process members’ details. Again, it would be interesting to see this one tested with the ICO in the case of the Conservatives.)

Overall, I think it could be argued that the Conservatives should be relying only on Consent when it comes to campaigning activities. Obviously Legitimate interest is the correct lawful basis in the case of members of the Association. However, if they’re relying on Consent, the questionnaire must include a checkbox that respondents must tick in order to give their consent to having their data stored by the Conservative Association.

Item 6 relates to Special category data which includes some of the data identified in your story viz. ‘ethnic origin, political opinions, and religious, philosophical and other beliefs’. The Data protection legislation says that this data requires special handling. This is a complex area but it doesn’t look as if the East Devon Conservatives have understood it.

Item 8 is their data retention policy. They appear to be saying that they may hold the data for up to 10 years ‘two election cycles’. For ordinary voters who are not members of the Association, this looks to me to be excessive.

Item 10 appears to say that they’ll share people’s data with a surprisingly wide range of organisations: ‘entities of Political Party associations, federations, branches, groups and affiliates’. I doubt that this is permitted under the legislation without specific consent.

Item 11 says, amongst other things, ‘you have the right to object to certain types of processing, such as direct marketing’. They appear to be confusing the Data Protection Act 2018 with the Privacy and Electronic Communications Regulations (PECR). This sits alongside the DPA but isn’t part of it. PECR governs the use of personal data for electronic marketing e.g. email, text messaging, telephones etc.

Item 11 also says ‘you also have the right to be subject to the legal effects of automated processing or profiling’ [my emphasis]. This looks like a typo.

Item 11 also says you have the ‘Right to judicial review:’. This seems to be a curious and confusing way of telling people that they have the right to complain to the ICO which is dealt with in Item 12.

I think one of the difficulties of this privacy policy is that it is trying to cover all instances of gathering, storing and processing of data by the Association. If somebody contacts their local Councillor or MP with, for example, a housing problem, then Legitimate interest would apply. The same is true of somebody applying to join the Association. However, to collect, store and process personal information gathered through the type of questionnaire you describe is probably (and I emphasise probably) in breach of the legislation.”

2 thoughts on “Is the East Devon Conservatives election questionnaire breaking Data Protection rules?”

  1. P.S. “Special Category” data is also likely to require special attention to security to avoid the risks of it being stolen or inadvertently shared (or indeed accessed by even authorised people for uses beyond that for which it was collected), both during the initial collection of the data and in the subsequent storage and processing.

    Indeed GDPR requires the Data Controller to have explicitly considered the security requirements for the data, and to be able to demonstrate this regardless of whether any data was lost or inadvertently processed.

    It is possible that Conservative Central Office provides specially constructed IT infrastructure to allow the secure collection and processing of personally identifiable political data, but if not, then I would suspect that the local Conservative Association is very unlikely to have either the knowledge / skills / money to create such a secure environment, in which case they would be guilty of a further GDPR offence.


  2. As someone with 25+ years’ experience in IT and with specific knowledge of data protection, I would say that your correspondent is spot on with their analysis except in the following respects…

    When you are collecting the data you need to provide a Privacy Policy which states explicitly which of the 6 legal bases you are relying on to legally store and process the data, and if you are relying on the Legitimate Interests basis, then you have to state explicitly what the legitimate interests are.

    Whatever legal basis you are using, you need to be explicit about the purposes for collecting the data and the uses to which you are putting it. Future use of the data must be limited to the specific purposes you have declared when collecting the data.

    If you are not relying on any of the 5 legal bases which do NOT require explicit consent, then you need to collect and retain proof of explicit consent having been given for the SPECIFIC uses you will put the data to.

    It seems to me to be impossible for the Conservative Party to use 4 of the 6 legal bases: Contract (no contract being formed), Legal obligation (i.e. required by law), Vital interests (life saving) or Public Task (i.e. by a legally official role for a legally official purpose – example would be for processing Council Tax).

    “Legitimate Interests” generally would be those interests clearly implied by e.g. the survey i.e. to statistically analyse the survey. However, collection of personally identifiable information does not seem to be necessary for the statistical analysis of the information, so that would not seem to be a Legitimate Interest for storing that. In any case, GDPR clearly states that if you are relying on Legitimate Interest then you have to state clearly in the Privacy Information accompanying the data collection exactly what your Legitimate Interest is.

    Finally, political data (which this rather obviously is) is considered to be “Special Category” data, and this requires a far stricter interpretation of legal basis as defined in Section 9(2) of GDPR which has much tighter requirements for implied consent, and stricter requirements on gaining explicit consent.

    My personal opinion, therefore, is that the collection of this personal data is illegal under GDPR for several reasons, and the Conservative Party should immediately be reported to the Information Commissioner for illegal processing of data.

