The High Court on Subject Access Requests

Article 15 of the UK GDPR gives Data Subjects a right to receive all the information held about them by a Data Controller. In addition, they have a right to receive information on “the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations.” Does the Data Controller have a choice whether to disclose the recipients or categories of recipient?

In a recent High Court case, Mark Harrison v Alasdair Cameron and Alasdair Cameron Limited (2024), Mrs Justice Steyn ruled that Data Subjects are entitled to know the identities of the recipients of their personal data, not just the categories of recipients. Steyn J also clarified the nature and scope of the Subject Access Right (SAR).

Background

The case involved Mr. Cameron, a director of a gardening company, and Mr. Harrison, a wealthy homeowner involved in property investment. Mr. Cameron recorded threatening calls from Mr. Harrison during a dispute and shared these recordings with family members and others. These recordings eventually reached Mr. Harrison’s business peers, allegedly causing his company to lose a significant property acquisition.

Mr. Harrison submitted SARs to Mr. Cameron and his company, ACL, requesting details of who received his personal data. The requests were initially denied on several grounds:

  • Mr. Cameron argued that he was processing the data in a purely personal context, which would be outside the scope of the UK GDPR.
  • It was claimed that Mr. Cameron, as an individual, was not a Data Controller under the UK GDPR.
  • ACL invoked an exemption, arguing that disclosing the identities of recipients would involve sharing information about other individuals without their consent.

Court’s Findings

  • The court disagreed with Mr. Cameron’s assertion that the data processing was purely personal. It ruled that he acted as a director of ACL, meaning the processing was within a professional context and thus subject to the UK GDPR.
  • Despite Mr. Cameron’s role in processing the data, the court ruled that he was not a Data Controller. Following legal precedents, the court said that a company director, acting in that capacity, is not a controller but the company itself is.
  • Despite Mr. Harrison’s entitlement in principle to know the identities of recipients, the court decided against disclosing this information. Mr. Harrison had a history of making numerous SARs and exhibited intentions to pursue legal actions beyond data protection law. ACL argued that revealing the recipients would expose them to significant risks of harassment and legal threats from Mr. Harrison. The court agreed, highlighting that the potential for hostile litigation was a relevant factor in balancing interests. The motive behind a SAR can be considered, especially when there is a need to protect third parties from harm that extends beyond the scope of data protection rights.

The High Court’s judgment brings clarity to the SAR process, emphasising the Data Subject’s right to specific recipient information and reinforcing the limited purpose of SARs in protecting privacy rights. It also introduces a nuanced approach to balancing the rights of the requester against potential risks to third parties, particularly when the requester’s motives suggest potential misuse of the information.

Our upcoming Handling SARs course can help you deal with complex subject access requests. Places are limited so book early to avoid disappointment.

What does the Liberal Democrat Manifesto say about AI and Data Protection?

This morning the Liberal Democrats launched their 2024 General Election Manifesto. The 116-page document includes pledges to recruit 8,000 more GPs, give unpaid carers a right to paid carers’ leave from work, and introduce free personal care in England. But what are their plans for AI regulation and DP reform (we hear some of you ask)?

Here are some quotes which answer the above questions (and we must admit it is our first reading of the manifesto):

AI Regulation

Create a clear, workable and well-resourced cross-sectoral regulatory framework for artificial intelligence that:   

  • Promotes innovation while creating certainty for AI users, developers and investors.
  • Establishes transparency and accountability for AI systems in the public sector.
  • Ensures the use of personal data and AI is unbiased, transparent and accurate, and respects the privacy of innocent people
  • Negotiate the UK’s participation in the Trade and Technology Council with the US and the EU, so we can play a leading role in global AI regulation, and work with international partners in agreeing common standards for AI risk and impact assessment, testing, monitoring and audit.

Surveillance and Human Rights

  • Introducing a Digital Bill of Rights to protect everyone’s rights online, including the rights to privacy, free expression, and participation without being subjected to harassment and abuse. 
  • Ending the bulk collection of communications data and internet connection records.
  • Introducing a legally binding regulatory framework for all forms of biometric surveillance.

Data Sharing

Establish a firewall to prevent public agencies from sharing personal information with the Home Office for the purposes of immigration enforcement and repeal the immigration exemption in the Data Protection Act.

Surprisingly, the manifesto does not address Freedom of Information reform or even extension. It does say: “all Ministers’ instant-messaging conversations involving government business must be placed on the departmental record”.

The Conservative Party will publish its manifesto on Tuesday and Labour will do so on Thursday. Still no news from Count Binface about his plans!

This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop.

Manifesto Week: What will the parties say about DP and AI?

The UK’s two main political parties are set to publish their election manifestos this week. Information governance professionals will be keen to find out what the parties’ plans are in relation to the current hot IG topics including data protection reform, AI regulation and data sharing.

The Conservative Party will publish its manifesto on Tuesday. Penny Mordaunt said in a BBC television debate on Friday:

“You have already heard some announcements and you’ll see more in our manifesto next week. We have got to cut people’s taxes and we have got to alleviate burdens on business.” 

That’s all fine, but what IG professionals will want to know is: will the Government bring back the Data Protection and Digital Information Bill, which fell in the House of Lords after not making “wash up”? Could they propose to combine the Bill with AI regulation, having previously opted for a non-statutory approach on the latter? We will know better on Tuesday.

The Labour manifesto is due to be published on Thursday. Whilst it is still being finalised, clues about what IG proposals it may contain can be found in the National Policy Forum document which the party says is “set to shape the next Labour manifesto”. It states, amongst other things, that Labour will:

  • Ensure our world-class researchers and businesses have the data and computing infrastructure they need to compete internationally

  • Harness data for the public good and introduce robust regulation that opens up data while enshrining consumer rights

  • Maintain Britain’s data adequacy status meaning our data protection rules are deemed equivalent to those in the EU

  • Make it easier for public services to adopt innovative technologies by removing barriers to data-sharing and smart procurement.

  • Use new capabilities in data analysis and AI to deliver better public services and improve people’s quality of life, and ensure society is fairly rewarded for the data it generates, built on frameworks and institutions that build public trust and uphold the privacy and security rights of UK citizens, including in the workplace

  • Ensure we have cyber resilience and security against rogue states and other hostile actors

  • Harness technology for public good, ensuring the UK is the best place in the world for safe and responsible technology, building the world’s most competent regulatory environment for AI and automation and supporting a thriving and effective AI and automation assurance ecosystem

  • Ensure that the regulatory environment appropriately and proportionally mitigates the potential harms that AI could cause by taking a principles-based approach to tech and AI

  • Explore whether the companies developing the underlying ‘foundation models’ that power specific AI tools and applications should also be subject to regulation

  • Act quickly to set the standards for safe and responsible AI

  • Ensure that workers have new rights, protections and access to training to keep pace with the changing nature of work and technological advancement

The Liberal Democrats are launching their manifesto today. If you can’t wait till later, their Fair Deal for voters offers some insights on what might be included. We are still waiting for Count Binface to publish his manifesto; we could see a repeat of his London Mayoral Manifesto which promised, amongst other things, to bring back Ceefax to all households within the M25!

General Election: Political Parties’ Personal Data Processing

As the UK heads into a General Election, understanding how political parties collect and use personal data is crucial for voters. The UK GDPR provides protections, in the form of data subject rights, but it is up to voters to exercise their rights and stay vigilant. By doing so, they can ensure their privacy is respected and contribute to a fair and transparent electoral process.

Both Labour and the Conservatives have recently been accused of breaching the UK GDPR. Last month we wrote about The Good Law Project’s challenge to the Tories’ “data harvesting” from its online tax calculator and a data breach exposed by Rachel Cunliffe, Associate Political Editor of the New Statesman. We also reported on a case where the Labour Party has been accused of failing to comply with a Subject Access Request from a Palestinian activist who was ejected by police from a fundraising event.

Data Collection Methods

Political parties utilise multiple methods to gather personal data about voters. These include:

  1. Electoral Registers: The most straightforward source of voter data is the electoral register, which provides names and addresses of registered voters. Political parties have legal access to the full electoral register, unlike commercial entities that can only access the edited version.
  2. Canvassing and Surveys: Traditional door-to-door canvassing and telephone surveys remain essential tools. Party volunteers and staff collect information directly from voters about their political preferences and concerns.
  3. Social Media and Online Platforms: Political parties increasingly rely on social media to gather data. Platforms like Facebook and Twitter provide rich data on user preferences, interactions, and behaviours. Parties use cookies and tracking pixels on their websites to collect additional data on visitors.
  4. Data Brokers: Political parties also purchase data from commercial brokers. These brokers aggregate data from various sources, providing detailed voter profiles that include demographic and behavioural information.

Data Processing and Usage

Once collected, this data is processed to create detailed voter profiles. The aim is to tailor political messages to specific segments of the electorate, enhancing the effectiveness of campaigns. Key techniques include:

  1. Profiling: Using algorithms and machine learning, parties analyse data to identify patterns and predict voting behaviour. This helps in segmenting the electorate into various categories based on age, gender, location, interests, and past voting patterns.
  2. Micro-targeting: With profiling, parties engage in micro-targeting, delivering highly personalised messages to small groups of voters. This could mean targeted social media ads, personalised emails, or direct mail tailored to specific concerns and preferences.
  3. Campaign Strategy: Data-driven insights influence overall campaign strategy, helping parties decide where to focus their resources. For example, identifying swing voters or areas with low voter turnout allows for more efficient campaign planning.

ICO Guidance

The ICO has long been concerned about how political parties use personal data. In July 2018 it published a report, Democracy Disrupted, which highlighted significant concerns about transparency around how people’s data was being used in political campaigning. The report revealed a complex ecosystem of digital campaigning with many actors. In 2019, the ICO issued assessment notices to seven political parties.

Last month, the ICO published a blog on handling personal information during the election campaign to ensure expectations around compliance with the law are clear. The blog sets out answers to some of the common questions that the ICO is asked during elections and explains what voters can expect from the ICO during the pre-election period. Last week, John Edwards, the Information Commissioner, also wrote to political parties reminding them of their data protection obligations.

Tory Party Data Sharing Revealed

We recently wrote about The Good Law Project (GLP) challenging one aspect of the Conservative Party’s data collection practices. The party’s website contains an online tool which allows an individual to calculate the effect on them of recent changes to National Insurance contributions. However, GLP claims this tool is “a simple data-harvesting exercise” which breaches UK data protection laws in a number of ways. It says that a visit to the website automatically leads to the placement of non-essential cookies (related to marketing, analysis and browser tracking) on the visitor’s machine without consent. This is a breach of Regulation 6 of PECR. GLP also challenges the gathering and use of website visitors’ personal data on the site, claiming that (amongst other things) it is neither fair, lawful nor transparent and thus a breach of the UK GDPR.

Director of GLP, Jo Maugham, has taken the first formal step in legal proceedings against the Conservative Party. The full proposed claim is set out in the GLP’s Letter Before Action. The Conservative Party has issued a response arguing that they have acted lawfully and that: 

  • They did obtain consent for the placement of cookies. (GLP disagrees and has now made a 15-page complaint to the ICO.) 
  • They have agreed to change their privacy notice. (GLP is considering whether to ask the court to make a declaration of illegality, claiming that the Tories “have stated publicly that it was lawful while tacitly admitting in private that it is not.”) 
  • They have agreed to the request by GLP to stop processing Jo Maugham’s personal data where that processing reveals his political opinions.  

Following a subject access request, Mr Maugham received 1,384 pages of personal data held about him. GLP claim he is being profiled and believe that such profiling is unlawful. However, the Conservatives would not say who Mr Maugham’s personal data was being shared with. Following a threat of legal action, the party has now disclosed that it shared the data with PR companies and media companies, all with links to the Tory Party. According to GLP, the disclosure throws “some light on the type of grubby tactics we can likely expect to see in the upcoming general election.”

As an election draws nearer, expect the spotlight to be on all political parties’ data processing activities.
