Open Goal

Dec 12, 2019

The OpenRightsGroup currently have a tool on their website to make subject access requests to political parties; they say that it is intended to investigate political profiling: “Who do political parties think we are?” is the heading on the page. There is definitely a problem with the way all parties use personal data, and the unhelpful and misleading narrative that only the Leave side in politics has questions to answer about data protection flatters the heinous practices of all major political parties. To be honest, if it was transparent, the Tories, Brexit Party and UKIP using profiling techniques to come to the conclusion that they should never contact me would be a very good thing and I wouldn’t feel any need to consent to it. As it happens, I made still valid opt-out requests to all the parties under the old Data Protection Act, and the only one who contacted me this time was the Labour Party. Thanks for nothing, comrades.

The language in ORG’s blog about profiling is emotive and potentially misleading, describing normal features of the DPA 2018 as ‘loopholes’. The blog says “DPA says that data processing can be in the public interest if it “supports or promotes democratic engagement”. This means that political parties could try to claim that their invasive scrutiny of you is lawful purely because they are trying to get you to vote”. If the processing was invasive, it would be unfair and so unlawful. If there is a reasonable alternative to the profiling, it’s not ‘necessary’ and so it’s unlawful.

GDPR allows special categories data to be processed where there is an exception, and one such exception is substantial public interest, based on specific legal authorisations. The DPA contains such authorisations for certain activities, and one such is that political parties can process political opinions (and only political opinions) for political purposes. Again, for ORG, this is a ‘loophole’. The SPI provisions aren’t a clever way for parties to get around the law: they are the law. It’s legitimate for parties to do what the law allows them to do; if ORG complained that the parties don’t abide by the SPI provisions or aren’t sufficiently transparent, that might be fair comment. This might seem like a minor point, but I think ORG are unfairly attacking the legislation itself, rather than possible non-compliance with it.

I think there are also some #GDPR issues to consider with the tool itself. The chief problem is lack of a formal, explicit fair processing notice, which results in confusion that could easily have been avoided. The tool identifies which part of the country you’re in, in order to rule in / out parties which only stand in individual nations rather than all of the UK. After uploading proof of your ID, it then makes a request to all the parties. You cannot pick and choose; it has to be all of them. Before you finally send, the tool clearly shows you which parties your requests will be going to, which is good, but another aspect doesn’t sit right with me. This is ORG’s explanation of why you can’t use the tool to select individual parties to apply to:

The aim of you sending this request is to contribute to Open Rights Group’s research understanding how all UK political parties use personal data for campaigning and other purposes. To gain the necessary information to analyse this properly, we need to gather data from all parties across all parts of the UK. It would not be helpful to our research to gather data selectively so we have not allowed for the tool to do this.

I assume ORG don’t get access to the data disclosed to you because there is no mention that they do anywhere on the page or on the forms when you use the tool. Any such access would be a serious, penalty-deserving infringement of #GDPR, so presumably it doesn’t happen.

The site says “To gain the necessary information to analyse [profiling] properly”, they have to make you apply to all parties. Then: “If you opt-in to future emails from Open Rights Group, we will check in with you after 30 days to confirm whether you have received a response”. But that can’t be the end of it; knowing whether the request was answered will not tell ORG “how all UK political parties use personal data for campaigning and other purposes”. Either ORG intend to ask to see the data that was requested, or the exercise is pointless. So why aren’t they clear about the later stages of the process now? Do they know what they’re going to do, and if so, why not explain it?

Of course, ORG will almost certainly counter my concerns by saying that any data supplied to them from received requests will be obtained with consent (there’s no other lawful way they could get it), but the assertions about the aim of the research aren’t matched by transparency about how it will be carried out. This is, at best, not good practice. When you’re scrutinising an opaque process, you shouldn’t be running one yourself. A proper fair processing notice would solve this, and there isn’t one.

There’s more. I’m sure there will be people who want to know about every party’s processing, even the one they support. But equally, there will be people using the tool who aren’t interested in what every party has got – ORG might be, but the applicant may not. There will be people who never would have made the request at all without the tool’s existence. Are these requests unfounded?

If a party receives an ORG SAR (which will be easily identifiable from the standard text they’re using), could they argue that answering a SAR sent solely for someone else’s research purpose is unfounded or excessive? A lot of people – especially those who come to Data Protection from a political or campaigning perspective – see SARs and other rights as campaigning tools. A queasy assortment of characters have already attempted to weaponise data rights as a tool in the Brexit Wars (possibly encouraged by a Data Protection regulator who seems unusually preoccupied with the activities of only one side of the debate). Admittedly, ORG are targeting all parties rather than one side, but I still question the wisdom and legality of what they’re doing.

If I was a political party DPO, inundated with SARs and complaints (albeit deservedly), I’d probably look askance at these SARs and look for reasons to knock them back. Some campaigners might be outraged at the idea, but Data Protection in practice isn’t always a high-minded exercise in civil rights. Sometimes, it’s trench warfare. Sometimes, data protection practitioners will do what they can to deal with the torrent of work that spills onto them.

I accept that my opinion that organised SAR campaigns are inherently unethical isn’t widely shared, but when I tell you that they’re also stupid, I’m a lot more confident that I’m right. The Data Protection Act 1998 kept the door to why the request was being made firmly closed, but even the Directive talked about subject access existing “in order to verify in particular the accuracy of the data and the lawfulness of the processing”. The GDPR blows the door wide open – ‘unfounded’ and ‘excessive’ both invite attention to why the request was made. ORG would probably argue that they’re trying to verify the lawfulness of political party processing, but the parties could equally argue that they’re encouraging requests that the applicant themselves probably wouldn’t have made. The indiscriminate nature of the tool and the inadequate explanation of why such a blunderbuss is being deployed could play into the hands of a party that decides to roll the dice.

The UK’s political shitshow is not going to end any time soon, and if you want to use your data rights to find out what anyone is doing with your data, that is entirely your business and clearly part of what SARs are for. But if you’re doing it to make a point rather than to see your data, I think you’re misusing your rights and if you get refused, you probably deserve it. Worse still, if you’re participating in an orchestrated campaign, I think you’re playing with fire. The very politicos you might object to may notice the inconvenience and irritation of mass SARs, and decide, as the UK floats away from the European data protection mainstream, to create some real loopholes where none currently exist.