Another correspondent has added more information on that (now looking rather dodgy) questionnaire being circulated by our local Conservative party. Perhaps time for a rethink on it, Tories?
Owl is no expert on this but it seems a couple of experts agree! But then again Tories (i.e. Michael Gove) don’t like experts!
“As someone with 25+ years’ experience in IT and with specific knowledge of data protection, I would say that your correspondent is spot on with their analysis except for the following respects…
Whatever legal basis you are using, you need to be explicit about the purposes for collecting the data and the uses to which you are putting it. Future use of the data must be limited to the specific purposes you have declared when collecting the data.
If you are not relying on any of the 5 legal bases which do NOT require explicit consent, then you need to collect and retain proof of explicit consent having been given for the SPECIFIC uses you will put the data to.
It seems to me to be impossible for the Conservative Party to use 4 of the 6 legal bases: Contract (no contract being formed), Legal obligation (i.e. required by law), Vital interests (life saving) or Public Task (i.e. by a legally official role for a legally official purpose – example would be for processing Council Tax).
“Legitimate Interests” generally would be those interests clearly implied by e.g. the survey i.e. to statistically analyse the survey. However, collection of personally identifiable information does not seem to be necessary for the statistical analysis of the information, so that would not seem to be a Legitimate Interest for storing that. In any case, GDPR clearly states that if you are relying on Legitimate Interest then you have to state clearly in the Privacy Information accompanying the data collection exactly what your Legitimate Interest is.
Finally, political data (which this rather obviously is) is considered to be “Special Category” data, and this requires a far stricter interpretation of legal basis as defined in Section 9(2) of GDPR which has much tighter requirements for implied consent, and stricter requirements on gaining explicit consent.
My personal opinion, therefore, is that the collection of this personal data is illegal under GDPR for several reasons, and the Conservative Party should immediately be reported to the Information Commissioner for illegal processing of data.
P.S. “Special Category” data is also likely to require especial attention to security to avoid the risks of it being stolen or inadvertently shared (or indeed accessed by even authorised people for uses beyond that for which it was collected), both during the initial collection of the data and in the subsequent storage and processing.
Indeed GDPR requires the Data Controller to have explicitly considered the security requirements for the data, and to be able to demonstrate this regardless of whether any data was lost or inadvertently processed.
It is possible that Conservative Central Office provides specially constructed IT infrastructure to allow the secure collection and processing of personally identifiable political data, but if not, then I would suspect that the local Conservative Association is very unlikely to have either the knowledge / skills / money to create such a secure environment, in which case they would be guilty of a further GDPR offence.”