Site navigation

ICO Political Data Audit Highlights ‘Significant’ Data Protection Failings

Ross Kelly


political data

The ICO has called on a host of political parties to improve their data protection practices and place a stronger focus on ensuring privacy.

A report from the Information Commissioner’s Office (ICO) has called on seven of Britain’s political parties to improve the way they handle sensitive personal data.

The call follows an audit on the back of a 2018 report into how political parties manage and protect personal data. The report, titled ‘Democracy Disrupted?’ raised significant concerns over transparency and the use of data in political campaigning.

Published in the wake of the Cambridge Analytica scandal, the report suggested that a lack of transparency and nonchalant approach to data protection could undermine democratic processes.

Leading by example?

A number of issues were raised in the ICO audit, with problems largely centred around a lack of accountability and transparency of data usage.

According to the watchdog, it made recommendations for improvements to all political parties audited and 70% of advisories classified as ‘urgent’ or ‘high priority’.

Parties audited include the Conservatives, Labour and Liberal Democrats, as well as the Scottish National Party, Plaid Cymru and Democratic Unionist Party (DUP).

Political parties legitimately hold personal data belonging to millions of people in order to help them campaign effectively. However, concerns are growing that developments in the use of data analytics and social media by political parties mean that many voters are unaware of how their data is being used.

Earlier this year, a report from the Open Rights Group (ORG) revealed that the Conservatives, Labour and Liberal Democrats were attempting to profile millions of voters based on a range of factors, such as income, religion and political views.

The publication of the report sparked claims that parties were stereotyping voters based on racial or religious grounds. Additionally, the ORG warned that political profiles were often found to be “wholly inaccurate” and used to influence voters.

Commenting on the report, Information Commissioner Elizabeth Denham said: “Society benefits from political parties that want to keep in touch with people, through more informed voting decisions, better engagement with hard to reach groups and the potential for increased engagement in democratic processes.

“But engagement must respect obligations under the law, especially where there are risks of significant privacy intrusion.”

Denham insisted that parties must use personal information in ways that are “understood by people and lawful” to avoid damaging public confidence.

“The transparency and accountability required by data protection is a key aspect in developing and maintaining trust, and so there is an important role for the ICO in scrutinising this area,” she said.

Key recommendations

While the ICO highlighted a number of failings in terms of data protection practices, it stopped short of taking action. Instead, the regulator has outlined a series of recommendations that parties are advised to take.

These include providing the public with “clear information at the outset about how their data will be used,” as well as carrying out “thorough checks on all contracted and potential processors” of political data.

Parties must also carry out thorough checks on third-party suppliers to ensure they comply with the transparency, security and accountability requirements of data protection law.

Individuals must also be told when parties use “intrusive profiling,” such as combining information on them from several different sources to establish interests or voting characteristics.

The data protection audits mark the first carried out on political parties, and the watchdog hailed the response from all involved.

“All the political parties engaged positively with the audit process and the ICO noted a genuine desire from the parties to respect people’s data protection rights,” the ICO said.

The ICO added that the parties “engaged positively” with the audit process.

Chris Combemale, CEO of the Data & Marketing Association questioned the urgency of political parties to address lingering data protection issues.

He said: “While it is good that the parties have made commitments to rectify shortcomings, it has come several years after the GDPR’s implementation, which is concerning.

“It is the duty of every person within an organisation to know their responsibilities under the GDPR and compliance must be exhibited through all marketing and communication channels, including websites.”

Combemale added: “Organisations who are able to demonstrate that they uphold the values of the GDPR help to build public trust in data sharing.

“So it is essential for political parties to take sufficient care to comply with the laws put in place to protect public data.”

Join the Debate: Data Protection 2020 Summit

Handling personal data and maintaining compliance with GDPR will be a key area of discussion at the upcoming Data Protection Virtual Summit on 10th December.

Hear from leading experts from across the data protection landscape and explore the crucial issues facing frontline practitioners.

Register your free place now at:

Ross Kelly

Staff Writer

Latest News

%d bloggers like this: