The High Court on Subject Access Requests

Article 15 of the UK GDPR gives Data Subjects a right to receive all the information held about them by a Data Controller. In addition, they have a right to receive information on “the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations.” Does the Data Controller have a choice whether to disclose the recipients or categories of recipient?

In a recent High Court case, Mark Harrison v Alasdair Cameron and Alasdair Cameron Limited (2024), Mrs Justice Steyn ruled that Data subjects are entitled to know the identities of the recipients of their personal data, not just the categories of recipients. Steyn J also clarified the nature and scope of the Subject Access Right (SAR).

Background

The case involved Mr. Cameron, a director of a gardening company, and Mr. Harrison, a wealthy homeowner involved in property investment. Mr. Cameron recorded threatening calls from Mr. Harrison during a dispute and shared these recordings with family members and others. These recordings eventually reached Mr. Harrison’s business peers, allegedly causing his company to lose a significant property acquisition.

Mr. Harrison submitted SARs to Mr. Cameron and his company, ACL, requesting details of who received his personal data. The requests were initially denied on several grounds:

  • Mr. Cameron argued that he was processing the data in a purely personal context, which would be outside the scope of the UK GDPR.
  • It was claimed that Mr. Cameron, as an individual, was not a Data Controller under the UK GDPR.
  • ACL invoked an exemption, arguing that disclosing the identities of recipients would involve sharing information about other individuals without their consent.

Court’s Findings

  • The court disagreed with Mr. Cameron’s assertion that the data processing was purely personal. It ruled that he acted as a director of ACL, meaning the processing was within a professional context and thus subject to the UK GDPR.
  • Despite Mr. Cameron’s role in processing the data, the court ruled that he was not a Data Controller. Following legal precedents, the court said that a company director, acting in that capacity, is not a controller but the company itself is.
  • Despite Mr. Harrison’s entitlement in principle to know the identities of recipients, the court decided against disclosing this information. Mr. Harrison had a history of making numerous SARs and exhibited intentions to pursue legal actions beyond data protection law. ACL argued that revealing the recipients would expose them to significant risks of harassment and legal threats from Mr. Harrison. The court agreed, highlighting that the potential for hostile litigation was a relevant factor in balancing interests. The motive behind a SAR can be considered, especially when there is a need to protect third parties from harm that extends beyond the scope of data protection rights.

The High Court’s judgment brings clarity to the SAR process, emphasising the Data Subject’s right to specific recipient information and reinforcing the limited purpose of SARs in protecting privacy rights. It also introduces a nuanced approach to balancing the rights of the requester against potential risks to third parties, particularly when the requester’s motives suggest potential misuse of the information.

Our upcoming Handling SARs course can help you deal with complex subject access requests. Places are limited so book early to avoid disappointment.

General Election: Political Parties’ Personal Data Processing

As the UK heads into a General Election, understanding how political parties collect and use personal data is crucial for voters. The UK GDPR provides protections, in the form of data subject rights, but it is up to voters to exercise their rights and stay vigilant. By doing so, they can ensure their privacy is respected and contribute to a fair and transparent electoral process.

Both Labour and the Conservatives have recently been accused of breaching the UK GDPR. Last month we wrote about The Good Law Project’s challenge to the Tories’ “data harvesting” from its online tax calculator and a data breach exposed by Rachel Cunliffe, Associate Political Editor of the New Statesman. We also reported on a case where the Labour party has been accused of failing to comply with a Subject Access Request from a Palestinian activist who was ejected by police from a fundraising event.

Data Collection Methods

Political parties utilise multiple methods to gather personal data about voters. These include:

  1. Electoral Registers: The most straightforward source of voter data is the electoral register, which provides names and addresses of registered voters. Political parties have legal access to the full electoral register, unlike commercial entities that can only access the edited version.
  2. Canvassing and Surveys: Traditional door-to-door canvassing and telephone surveys remain essential tools. Party volunteers and staff collect information directly from voters about their political preferences and concerns.
  3. Social Media and Online Platforms: Political parties increasingly rely on social media to gather data. Platforms like Facebook and Twitter provide rich data on user preferences, interactions, and behaviours. Parties use cookies and tracking pixels on their websites to collect additional data on visitors.
  4. Data Brokers: Political parties also purchase data from commercial brokers. These brokers aggregate data from various sources, providing detailed voter profiles that include demographic and behavioural information.

Data Processing and Usage

Once collected, this data is processed to create detailed voter profiles. The aim is to tailor political messages to specific segments of the electorate, enhancing the effectiveness of campaigns. Key techniques include:

  1. Profiling: Using algorithms and machine learning, parties analyse data to identify patterns and predict voting behaviour. This helps in segmenting the electorate into various categories based on age, gender, location, interests, and past voting patterns.
  2. Micro-targeting: With profiling, parties engage in micro-targeting, delivering highly personalised messages to small groups of voters. This could mean targeted social media ads, personalised emails, or direct mail tailored to specific concerns and preferences.
  3. Campaign Strategy: Data-driven insights influence overall campaign strategy, helping parties decide where to focus their resources. For example, identifying swing voters or areas with low voter turnout allows for more efficient campaign planning.

ICO Guidance

The ICO has long been concerned about how political parties use personal data. In July 2018 it published a report, Democracy Disrupted, which highlighted significant concerns about transparency around how people’s data was being used in political campaigning. The report revealed a complex ecosystem of digital campaigning with many actors. In 2019, the ICO issued assessment notices to seven political parties.

Last month, the ICO published a blog on handling personal information during the election campaign to ensure expectations around compliance with the law are clear. The blog sets out answers to some of the common questions that the ICO is asked during elections and explains what voters can expect from the ICO during the pre-election period. Last week, John Edwards, the Information Commissioner, also wrote to political parties reminding them of their data protection obligations.

This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop.


Could a Labour Election Candidate Face a DP prosecution?

According to the BBC news website yesterday, Council leader and Labour Party GE Candidate Darren Rodwell claimed he used official systems to find the address of the person who had threatened him online.

“I found out where the person lived,” he told a law firm’s podcast, “because I have the ways and means – so I used them.”

Potentially Mr Rodwell has committed a criminal offence. Section 170 of the Data Protection Act 2018 makes it a criminal offence for a person to knowingly or recklessly:

(a) obtain or disclose personal data without the consent of the controller,

(b) procure the disclosure of personal data to another person without the consent of the controller, or

(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.

Section 170 is similar to the offence under section 55 of the old Data Protection Act 1998 which was often used to prosecute employees who had accessed healthcare and financial records without a legitimate reason. A recent ICO prosecution under s.170 involved a man who worked for Enterprise Rent-A-Car where he illegally accessed customers’ records. He was ordered to pay a fine of £265, along with costs of £450 and a victim surcharge of £32.

In the present case, whilst a number of defences are available to Mr Rodwell (including preventing and detecting crime), we wonder if he will be contacted by the Information Commissioner’s Office.

STOP PRESS: The BBC now reports that Mr Rodwell has been removed from the list of election candidates being approved today by Labour’s National Executive Committee (NEC).


The DP Bill is Dead. Long Live the UK GDPR!

After 24 hours of speculation, it is now confirmed that the Data Protection and Digital Information Bill has fallen in the House of Lords and will proceed no further. It is now an ex-Bill!

The Bill failed to make it into the “wash-up” process following Rishi Sunak’s surprise General Election announcement. It seems that the controversial parts of the Bill, such as the DWP’s bank account snooping powers, prevented cross party agreement.

We now have to wait for publication of the political parties’ manifestos to see their plans for Data Protection reform (if any). It could be that they propose to combine DP reform with AI regulation. Watch this space!

Another Conservative Party GDPR Breach 

Yesterday, Rachel Cunliffe, Associate Political Editor of the New Statesman, reported that she had received an email from the Conservative Campaign Headquarters (CCHQ) about their forthcoming conference. However, she could also see the other 344 recipients as they were all listed in the “To” box, along with their email addresses. CCHQ had made the classic mistake of failing to use blind carbon copy (BCC) and thus, by exposing the personal data of recipients, breached the UK GDPR.

Failure to use BCC correctly in emails is one of the top data breaches reported to the ICO every year. But this incident is not just about exposing some email addresses. Recipients of the CCHQ email will be able to make assumptions about the political affiliations of their fellow recipients. Even if these assumptions are wrong, the emails can be classed as Special Category Data under the UK GDPR and thus more sensitive than other personal data.
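The control that would have prevented the CCHQ incident is a pre-send check that refuses to let a bulk message go out with its recipients in the visible To or Cc headers. The following is an added example, not code from the original post or from any party’s systems: it counts the visible recipients of a message built with Python’s standard email library and, above an assumed bulk threshold, moves every address into Bcc, repointing To at the sender. The threshold, the sender address and the recipient list are constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Visible-recipient count above which a send is treated as bulk.
# The figure is an assumption for this example, not a regulatory threshold.
BULK_THRESHOLD = 10


def _addresses(msg: EmailMessage, *fields: str) -> list[str]:
    """Collect bare addresses from the named headers (all occurrences)."""
    raw = []
    for field in fields:
        raw.extend(msg.get_all(field, []))
    return [addr for _name, addr in getaddresses(raw) if addr]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: those in To and Cc."""
    return _addresses(msg, "To", "Cc")


def hidden_recipients(msg: EmailMessage) -> list[str]:
    """Addresses carried only in Bcc, which the mail server strips on delivery."""
    return _addresses(msg, "Bcc")


def check_recipient_exposure(msg: EmailMessage, threshold: int = BULK_THRESHOLD) -> tuple[bool, int]:
    """Return (exposed, count): exposed is True when more than `threshold`
    addresses would be disclosed to every recipient of the message."""
    count = len(visible_recipients(msg))
    return count > threshold, count


def enforce_bcc(msg: EmailMessage, threshold: int = BULK_THRESHOLD) -> EmailMessage:
    """Rewrite a bulk message in place so recipients sit in Bcc only.

    To is repointed at the sender so the message still has a visible
    addressee; Cc is dropped. Messages at or under the threshold are left
    unchanged, since a handful of named To recipients is normal for
    ordinary correspondence.
    """
    exposed, _ = check_recipient_exposure(msg, threshold)
    if not exposed:
        return msg
    everyone = visible_recipients(msg) + hidden_recipients(msg)
    sender = str(msg["From"])
    for field in ("To", "Cc", "Bcc"):
        del msg[field]
    msg["To"] = sender
    msg["Bcc"] = ", ".join(dict.fromkeys(everyone))  # de-duplicate, keep order
    return msg


def make_message(recipients: list[str]) -> EmailMessage:
    """Build a constructed sample message with every recipient visible in To."""
    msg = EmailMessage()
    msg["From"] = "events@example.org"        # constructed sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Conference invitation (constructed example)"
    msg.set_content("Details to follow.")
    return msg


if __name__ == "__main__":
    invite = make_message([f"member{i}@example.net" for i in range(12)])
    print(check_recipient_exposure(invite))   # (True, 12)
    enforce_bcc(invite)
    print(visible_recipients(invite), len(hidden_recipients(invite)))
```

The same check run at the mail gateway, rather than in the sending client, catches the error regardless of which staff member or tool composed the message.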

So can the CCHQ expect a knock on the door from the ICO? Will they be fined? Whatever your political persuasion, you may think this error from those who run the Government deserves the strongest sanction. As Cunliffe writes:

“If you can’t trust the Conservatives with your email address, why should you trust them with anything else.”  

Inadvertent disclosure of personal data by email, through failing to use BCC, has been the subject of a number of GDPR enforcement actions by the ICO in the past few years. Just last December, the Ministry of Defence (MoD) was fined £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021. In October 2021, HIV Scotland was issued with a £10,000 fine when it sent an email to 105 people which included patient advocates representing people living with HIV. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk; also Special Category Data.

The ICO could follow the above examples and issue a fine; although in two recent cases it has gone for a softer option. Last year the Patient and Client Council (PCC) and the Executive Office were the subject of ICO reprimands for disclosing personal data in the same way.

In a statement issued on X, the ICO said:

“The Conservative Party has made us aware of this incident and we are assessing the information provided.” 

The Conservative Party has form when it comes to GDPR non-compliance. Recently we wrote about The Good Law Project’s challenge to the Tories’ “data harvesting” from users of its online tax calculator. But this latest data breach is about more than GDPR compliance. To quote Rachel Cunliffe again:

“This is such a basic error, so easily avoided, it inevitably sets alarm bells ringing. If CCHQ doesn’t have the staff and training procedures to prevent a classic email-sharing error, what does that say about their resilience as a whole? How are their cybersecurity defences? What else is getting missed?” 

The breach came on the day Rishi Sunak gave a speech to the Policy Exchange about the power of technology and how he, rather than Keir Starmer, could keep us safe. You can watch Sunak’s speech here although we prefer comedian Matt Green’s brilliant satirical take on it here.

We have two workshops coming up (How to Increase Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security.

Conservative Party Challenged Over “Data Harvesting” 

In the run up to the General Election this year, political parties in the UK will face the challenge of effectively communicating their message to voters whilst at the same time respecting voters’ privacy. In the past few years, all parties have been accused of riding roughshod over data protection laws in their attempts to convince voters that they ‘have a plan’ or that ‘the country needs change’.  

In May 2017, the Information Commissioner’s Office (ICO) announced that it was launching a formal investigation into the use of data analytics for political purposes after allegations were made about the ‘invisible processing’ of people’s personal data and the micro-targeting of political adverts during the EU Referendum. This culminated in a report to Parliament and enforcement action against Facebook, Emma’s Diary and some of the companies involved in the Vote Leave Campaign.

In July 2018 the ICO published a report, Democracy Disrupted, which highlighted significant concerns about transparency around how people’s data was being used in political campaigning. The report revealed a complex ecosystem of digital campaigning with many actors. In 2019, the ICO issued assessment notices to seven political parties. It concluded: 

“The audits found some considerable areas for improvement in both transparency and lawfulness and we recommended several specific actions to bring the parties’ processing in compliance with data protection laws. In addition, we recommended that the parties implemented several appropriate technical and organisational measures to meet the requirements of accountability. Overall there was a limited level of assurance that processes and procedures were in place and were delivering data protection compliance.”

In June 2021, the Conservative Party was fined £10,000 for sending marketing emails to 51 people who did not want to receive them. The messages were sent in the name of Boris Johnson in the eight days after he became Prime Minister in breach of the Privacy and Electronic Communications Regulations 2003 (PECR).  

The Tax Calculator 

The Good Law Project (GLP), a not for profit campaign organisation, is now challenging one aspect of the Conservative Party’s data collection practices. The party’s website contains an online tool which allows an individual to calculate the effect on them of recent changes to National Insurance contributions. However, GLP claims this tool is “a simple data-harvesting exercise” which breaches UK data protection laws in a number of ways. It says that a visit to the website automatically leads to the placement of non-essential cookies (related to marketing, analysis and browser tracking) on the visitor’s machine without consent. This is a breach of Regulation 6 of PECR. GLP also challenges the gathering and use of website visitors’ personal data on the site, claiming that (amongst other things) it is neither fair, lawful nor transparent and thus a breach of the UK GDPR.

Director of GLP, Jo Maugham, has taken the first formal step in legal proceedings against the Conservative Party. The full proposed claim is set out in the GLP’s Letter Before Action. The Conservative Party has issued a response arguing that they have acted lawfully and that: 

  • They did obtain consent for the placement of cookies. (GLP disagrees and has now made a 15-page complaint to the ICO.) 
  • They have agreed to change their privacy notice. (GLP is considering whether to ask the court to make a declaration of illegality, claiming that the Tories “have stated publicly that it was lawful while tacitly admitting in private that it is not.”) 
  • They have agreed to the request by GLP to stop processing Jo Maugham’s personal data where that processing reveals his political opinions.  

Following a subject access request, Mr Maugham received 1,384 pages of personal data held about him. GLP claim he is being profiled and believe that such profiling is unlawful. They have instructed barristers with a view to taking legal action.

This is one to watch. If the legal action goes ahead, the result will have implications for other political parties. In any event, in election year, we are already seeing that all political parties’ data handling practices are going to be under the spotlight.

George Galloway

George Galloway’s landslide win in the Rochdale by-election last week has led to scrutiny of his party’s processing of Muslim voters’ data. In his blog post, Jon Baines discusses whether the Workers Party of Britain (led by Mr Galloway) has been processing Special Category Data in breach of the UK GDPR. In the run up to the by-election, the party had sent different letters to constituents based, it seems, on their religion (or perhaps inferring their religion from their name). If this is what it did then, even if the inference is wrong, the party has been processing Special Category Data, which requires a lawful basis under Article 9 of the UK GDPR.

In 2022, the ICO issued a fine in the sum of £1,350,000 to Easylife Ltd. The catalogue retailer was found to have been using 145,400 customers’ personal data to predict their medical condition and then, without their consent, targeting them with health-related products. Following the lodging of an appeal by Easylife, the ICO later reduced the fine to £250,000 but the legal basis of the decision still stands. Will the ICO investigate George Galloway?

The DP Bill

The Data Protection and Digital Information (No.2) Bill is currently in the Committee stage of the House of Lords. It will make changes to the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). Some of the changes will make it easier for political parties to use the personal data of voters and potential voters without the usual GDPR safeguards. For example, political parties could, in the future, rely on “legitimate interests” (as an Article 6 lawful basis) to process personal data without the requirement to conduct a balancing test against the rights and freedoms of data subjects where those legitimate interests are “recognised”. These include personal data being processed for the purpose of “democratic engagement”. The Bill will also amend PECR so that political parties will be able to rely on the “soft opt-in” for direct marketing purposes, if they have obtained contact details from an individual expressing interest.

As the General Election approaches, and with trust in politics and politicians at a low, all parties need to ensure that they are open, transparent and accountable about how they use voters’ data.

Our workshop, How to do Marketing in Compliance with GDPR and PECR, is suitable for those advising political parties and any organisation which uses personal data to reach out to potential customers and service users. We have also just launched our new workshop, Understanding GDPR Accountability and Conducting Data Protection Audits.