Political campaigning and data protection: ICO consults on a new Code

At a time of ever-increasing speculation about a possible general election and/ or referendum in the coming months, the ICO has published a draft framework code on political campaigning.

The Code follows the ICO’s policy report “Democracy Disrupted” which aimed to “draw back the curtain on how personal information is used in modern political campaigns”. The Code is further evidence that getting a handle on the exploitation of personal data for political purposes is high on this Commissioner’s agenda!

The Code is unequivocal in emphasising the threats presented by the misuse of personal data for political purposes. “Trust and confidence in the integrity of our democratic processes risks being disrupted because recent evidence suggests that voters don’t understand the invisible nature of these uses of personal data”

The Code is non-statutory and therefore doesn’t introduce any new legal requirements but the ICO has stated that it is seeking to persuade the Government to put the Code on a statutory footing. Despite its status as a framework Code (limited to providing guidance and clarity on the existing law) the ICO makes clear that those who process personal data for political campaigning processes without complying with the Code are likely to find it hard to demonstrate that their processing is fair and compliant.

The Code is wide ranging in the campaigning practices it seeks to cover – from traditional party political campaigning (at local and national level) to the more recent practices of “micro-targeting” so vividly illustrated by the Cambridge Analytica scandal

(i.e. targeting individuals where the targeting and the materials sent to them are based on perceived characteristics and assumptions about them). Anyone who’s watched the Netflix documentary film The Great Hack will be familiar with the controversy surrounding these practices.

The Code is aimed at controllers processing personal data for political campaigning purposes and therefore is relevant to a much broader collection of activities and organisations than those caught by electoral law.  Similarly the “regulated periods” applicable under electoral law (e.g. 4 months or 365 days before an election) will not apply. The Code will apply to the processing of personal data irrespective of whether that is before, during or after a particular campaign! Charities and other campaigning groups need to be aware that they may be required to comply with the Code even where they are not required to register with the Electoral Commission.

The Code contains fairly restrictive guidance on the interpretation of the “purpose limitation” principle, i.e. the principle that personal data collected for particular purposes should not be further processed in a way that is not compatible with those original purposes. For instance it states that, in general, personal data obtained during constituency casework should not be used for political campaigning purposes. Organisations which are engaging in any form of political campaigning should go back and assess what they first told individuals when they collected their personal data. If their privacy notices related to wholly separate campaigns, it is likely that they will need to think again about whether they can continue to use the personal data they hold for new campaigns without taking further steps.

The Code draws a clear link between fairness under the GDPR and ethics. In assessing the fairness of processing activities (as required under the GDPR) it advises that organisations should question the ethics of some of the more modern techniques used to target individuals with political messaging. Using personal data “to profile and micro target individuals with political messaging, can raise ethical questions both for individuals and for society at large.” In particular where individuals are misled when their personal data is collected, any subsequent processing of that personal data is unlikely to be considered fair.

The Code helpfully flags the exemption available to not-for-profits under the GDPR for processing sensitive (or special category) personal data. Charities processing the political opinions of their members or contacts may wish to explore whether they can rely on this exemption (pages 46 and 47).

The Code contains a useful list of suggestions (page 53) for how campaigners can provide privacy information (i.e. privacy notices) in a range of different political campaigning scenarios, from face to face canvassing to collecting data through online petitions and surveys. It also contains a useful acknowledgement that providing privacy information in the context of using contact details from the electoral register may prove difficult. “The ICO recognises that the unique circumstances of political campaigning may sometimes present situations where disproportionate effort may apply, particularly with regards to electoral register data.”

Political messaging will usually be considered direct marketing and the Code examines the different channels that can be used for direct marketing and the implications for those involved in political campaigning. The Code also explores the collection of personal data from organisations’ social media pages as well as the use of social media platforms to target messages – including through the use of lookalike audiences. The consultation is open until Friday 4th October so if you have any feedback see here. If you would like to discuss the potential impact of the Code on your organisation with anyone in the Bates Wells Data Privacy Team, please contact Mairead O’Reilly on [email protected] or Victoria Hordern on [email protected]


All content on this page is correct as of August 21, 2019.