The MP for Ochil & South Perthshire, John Nicolson, wrote to the Information Commissioner last week, asking for clarification on what political parties can lawfully do with certain types of personal data. Nicolson previously enjoyed a minor coup at the DCMS select committee by coaxing Ms Denham into admitting that the Conservative Party’s profiling of 10 million people on the basis of religion and ethnicity was unlawful, highlighting the fact that the ICO decided to punish the party for such a significant infringement by asking them not to do it again. There’s also the small matter that the DCMS minister John Whittingdale told Parliament that it wasn’t a breach. It’s worth noting that HMRC were served with an enforcement notice when they used voice recognition without the consent necessary to process biometric data, but somehow formal action wasn’t deemed necessary for the Tories.
Nicolson complained that the ICO has not made available any formal and detailed guidance to political parties on the matter of political profiling. Is profiling by race or religion ever lawful, he asked. I don’t want to be unfair to Nicolson here – he’s not a data protection specialist and so I wouldn’t expect him to know. However, I am surprised that nobody in the Scottish National Party (which I am certain has multiple data protection specialists) has seen fit to clue him in, because the answer to his question is quite straightforward. The answer is no, unless you have consent or you’re profiling your members or supporters.
Racial or ethnic origin, and religious or philosophical beliefs, like political opinions, are all special categories data. As such, the normal requirement to have a lawful basis like consent or legal obligation is not enough to justify the processing. You also have to have an exemption taken from Article 9 of the UK GDPR (yes, I really am going to keep calling it that because it annoys a particular person who I enjoy annoying).
The first exemption is explicit consent, so if a political party asks a person directly “can we process your ethnicity or religious belief in order to build up a profile of you?” and they say yes, job done, move on.
The fourth exemption is detailed, but it’s not impossible to imagine that a political party could make a case for it: “processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects”.
If a party was profiling members, former members or regular correspondents with proper protections and using that data for legitimate, internal purposes, there must be some circumstances where they could use this as an alternative to consent. However, it obviously doesn’t apply to the wider population, so could not be used for profiling for elections and campaigning.
If a person has plainly made their special categories data public, the fifth exemption could possibly apply, but it’s hard to imagine how scraping a person’s race or religion from websites or social media could be done fairly and transparently. The idea that a political party might advertise the fact that they were doing it sounds far-fetched, and it would only work where a person had actually specified the data in question. Having a name or an appearance from which ethnicity or religion can be inferred isn’t manifestly making your data public. SIDENOTE: I think inferring religious or ethnic identity from a person’s name or appearance is automatically an infringement of UK GDPR because it’s impossible for such a practice to be fair or necessary.
The ambitious reader might wonder whether substantial public interest might not offer some options, but there are scant rewards to be had. To use the SPI exemption, one must select a condition from the back of the Data Protection Act 2018. A party could conceivably argue that they were profiling people to ensure equality of opportunity or treatment – so perhaps monitoring the progress of different ethnic or religious groups as employees or candidates could be justified. I think it’s inconceivable that this could work for campaigning (the context in which Nicolson asked the question). There’s also a more limited authorisation for the monitoring of ethnicity (but not religion) at senior levels within an organisation.
Way down the list, there is a specific authorisation for political party profiling, and while it specifically applies to “campaigning, fund-raising, political surveys and case-work”, it only applies to political opinions. It cannot be used for religious or ethnic profiling.
And that’s it. One reasonable option (consent), one more challenging one and only for members and supporters (legitimate activities), one theoretical possibility that probably falls apart in reality (made public by the subject) and one that doesn’t work for campaigning. For activities aimed at campaigning and voters in general, I believe it’s consent or nothing.
It will be interesting to see if Nicolson’s enquiry gets a response. The Information Commissioner’s Office has a queasy relationship with politics. The previous Commissioner Christopher Graham was a former Liberal Democrat candidate, while for a long time, the ICO staffer managing the team responsible for complaints about political parties was at the same time acting as Labour Leader of Stockport Council. This episode was scandalous, and there is something profoundly wrong with the culture of an organisation where nobody – not the person concerned or his managers – thought this outrageous conflict of interest was a problem. They only (partially) addressed it when I wrote a blog having seen the chap’s name in my local paper. It’s entirely possible that they still would have ignored it, but the stalwart BBC journalist Martin Rosenbaum asked Denham about it in an interview and she had to act.
Denham devoted millions of pounds and countless staff chasing Cambridge Analytica’s imaginary involvement in the Brexit referendum, while the investigation’s offshoots had very different outcomes depending on who was involved. Leave.EU were fined for the trivial issue of having banners for Arron Banks’ insurance company on their newsletter. However, when the Labour Party unlawfully bought personal data about a million new mums from the pregnancy advisory service Emma’s Diary, ICO fined Emma’s Diary for selling it, but not the Labour Party for buying it. I do suspect there is some bias creeping in here – what Labour did was plainly a more serious breach, but they got off scot-free, while Leave.EU got multiple fines for minor matters. But more generally, outside PECR, occasional security breaches and Denham’s pet political project, I don’t think there’s any appetite in the ICO for enforcement in general, and for taking on the political establishment in particular. It’s the lack of consequences that leads to problems like racial and ethnic profiling, and buying dodgy data.
Nicolson is entitled to chase the Tories over their data misuse, but I would be surprised if any party has clean hands over their data protection practices. Even the SNP transgressed with their unlawful Sean Connery automated calls. While I welcome politicians trying to persuade the ICO to take a stronger line (on anything), I think any MP worried about the way the electorate’s data is handled should take time to be sure that their own house is in order.