The worst experience for many data protection officers (apart from conversations which include the question ‘was it encrypted?’) is when their employer has spent a large amount of time and money developing some amazing, world-changing initiative involving personal data without asking them about it. A finger hovers metaphorically or sometimes literally over the start button, and somebody finally says ‘Hey, shouldn’t we ask DP guy about this?’. And so DP guy trudges from whatever mouldy corner of the organisation they have been exiled to after the last time this happened, and they are asked something along these lines. “This is all fine, ISN’T IT?”
And they are obliged to say no. Sometimes it’s just a bloody stupid idea, but most of the time, the project is at the very least achievable in some form, but asking at the end of the process means that the easiest, cheapest and most convenient solutions are lost because they needed to be included in the design of the process. The organisation has the unattractive choice of breaching the DPA or bolting on expensive and unwieldy solutions to the problem. Different organisations react in different ways, but DP guy is usually blamed. The way to avoid the above problem is to carry out a privacy impact assessment – as early as possible, the people designing the new amazing thing look at what they’re planning to do, think deeply (and with as many views as they can find) about what might go wrong from a data protection and privacy perspective, and then build the solutions into the design of the project. Alternatively, they decide to leave the thing as it is, but knowing what risks they are running, rather than living in denial.
There are three problems with the PIA approach. First, you have to be willing to do one. Second, you have to be willing to imagine what might go wrong with your new amazing thing. Third, you must be willing to change your new amazing thing if the risks are sufficiently great. And thus, we return for my fourth blog on the Labour leadership election, if you can call it that.
I am certain that Labour has breached the Data Protection Act in a variety of different ways, and yet all of it could have been avoided had they done a PIA. Here are some of the possible breaches:
- Labour did not inform those registering as supporters that their data would be obtained from a variety of formal and informal sources, and their social media accounts would be searched. This is particularly true for information like canvass data, which was obtained for a separate purpose. This is a breach of principle 1, which requires data subjects to be informed how their data will be used. This could easily have been prevented by developing a clear set of criteria in advance and explaining this and the vetting process when supporters signed up.
- Labour did not obtain Twitter names and other social media information from supporters, so the data obtained was not adequate for the purpose – this in turn is likely to lead to data being inaccurate. This is a breach of principles 3 and 4. This could have been prevented by realising that a vetting process would be required, and would need to be robust and fair, requiring more than the sparse details that were actually requested.
- Registered supporters cannot appeal their decision properly, which means that data is not being processed fairly (principle 1), or adequately (principle 3). As above, clear criteria would have allowed such appeals.
- Data is being obtained and shared from a wide variety of sources, and shared across different locations. Harriet Harman has said that vetting is going on in constituencies as well as Labour’s offices in Newcastle. Unless the data (which is sensitive personal data about political beliefs) is shared and stored securely, Labour will have breached the 7th principle, which requires appropriate technical and organisational security measures.
- Data Protection requires an organisation to justify its use of personal data from a list of conditions set out in the Act. The only two possible conditions for the vetting are consent and legitimate interests. Consent must be freely given, specific and informed – supporters cannot be assumed to have consented to a process that they were not told about. There is no such thing as ‘implied’ or ‘assumed’ consent. An organisation can infer consent from a person’s actions – tell me that you want to do a blood test and I willingly offer you my arm, you can reasonably infer that I am consenting to the test. But by taking my £3 and offering me a vote, you cannot pretend that I have consented to a bargain-bin witch-hunt that you didn’t mention. What remains for Labour is the legitimate interests condition, which only applies when there is no unwarranted harm to the rights of the data subject. They could have relied on that, but only with a proper process. Without a right of appeal, based on hearsay and Tweets possibly taken out of context, done in a rush, and with no clarity about the criteria or even the people doing it, this condition is not made out. I do not believe that the party has a legal basis to do what it is doing because of the way it is doing it.
An election is not just an important political process; it is a massive exercise in the processing of personal data, and Data Protection applies to it. There is no exemption, and for a party election no legal obligation to allow Labour to skate around the tricky bits. Equally, a vetting exercise is not just a necessary step to deny Matthew Parris’s Llamas a vote – it is another massive instance of processing that requires a sensitive and intelligent approach. I suspect Labour has panicked and made the process up as it went along (no doubt partially in a doomed attempt to prevent a Corbyn win), and in the process breached most of the DP principles.
Supporters should have been told exactly who would be excluded and why. Labour should have asked for enough data to be certain that they were looking at the right people. The process for vetting should have been open, transparent, consistent and with a right of appeal. PIAs are evolving, living processes, so when all of these problems started to surface, Labour should have reacted, either by dropping the vetting altogether because they couldn’t do it legally at this stage, or perhaps pausing or extending the election to allow something more watertight to go ahead.
But here we have the second and third problems with PIAs. Politicians and political people are peculiarly incapable of thinking that things might go wrong. Everything has to be presented as wonderful, inspirational, positive. Even if the risks had occurred to them, I suspect Labour’s leaders would have been unwilling to present the kind of strict rules that a compliant process would have required. They wanted to welcome people, to have a summer of vibrant inclusive debate. We all know what the British summer is like: stormy and disappointing. They should have anticipated these storms and brought an umbrella. They went out in shorts.
My experience of all political parties is that they are incapable of complying with Data Protection and Privacy law: I’ve already written about the rampant direct marketing breaches, and I’ve heard about worse. It’s pointless to expect them to do it any differently. Instead, let this rolling disaster be a lesson to others, for any organisation trying something new. Think about what you’re doing, and how you want to achieve it. Think about what might go wrong. Put measures in place to manage the risks. Whoever wins this election will inherit a smouldering mess; how much better would it have been not to set it on fire in the first place?