Roast Lamb

by | Jun 21, 2015 | Data Protection

Politicians rarely handle data protection with anything like aplomb. The political parties’ record on compliance with DP and PECR is awful, and they often seem to think privacy laws don’t apply to them. An impressive example of this emerged today, with a largely nonsensical tale of skullduggery in the Liberal Democrat leadership campaign.

FULL DISCLOSURE: I wouldn’t be interested in the outcome of the Liberal Democrat leadership campaign unless it was being decided using swords.

The story seems to be that the campaign teams of the gratingly folksy Tim Farron and the ponderous Norman Lamb have been given the LibDem membership lists by the party. The Farron camp complain that while conducting polls using the data, Lamb’s team have asked pointed questions that apparently reveal that Farron may not be all that liberal on issues like abortion and LGBT rights, including gay marriage. If you can find the Data Protection breach here, you’re a better nerd than me. Nevertheless, The Daily Telegraph reports:

The Information Commissioner, the information watchdog, is set to be asked to investigate whether there was a breach of data laws in a move which could land the party with heavy fines

THIS WON’T HAPPEN. NOT NOW, NOT EVER.

Meanwhile the Independent states: “There will be a formal discussion with the party’s data controller* tomorrow morning over a potential self-referral to the Information Commissioner.

THIS IS A COMPLETE WASTE OF TIME.

I don’t doubt that the Information Commissioner’s Office will feel obliged to accept the complaint and pick at it for a while, and there is the entertaining prospect of some discomfort for the Commissioner himself, a former LibDem candidate before his switch to Commissionering. Unless there is more to the story than unfair push-polling however, there’s nothing to see here, because what is the breach?

If Lamb’s team had purloined the membership list for the purpose of polling, that would be a criminal offence, but it seems clear from every version of the story that I have read, the party gave the list to the candidates for the purposes of campaigning. No breach. If both teams had accepted the data on the basis that they would not use the data for polling, Lamb’s use of the data would be a breach of the first data protection principle on the basis that it was unfair, but again, there is no hint of that in the coverage. The only two conceivable uses of the membership list would be polling or marketing, and if you were going to restrict the use of the data, preventing marketing would make more sense. Of course, if the *polling* is a breach, then presumably Farron’s team hasn’t done any polling, because otherwise, they would have the same problem that Lamb has.

You could, if you really wanted to stretch the point as far as it could possibly go, say that using the LibDem membership list to ask skewed questions is processing personal data for an unfair purpose. But if whoever first raised DP in this context thinks that this is how it should be enforced in the UK, it would mean that every instance of direct marketing with an exaggerated claim or biased message would be illegal. The Information Commissioner would be issuing CMPs every other minute, and they certainly wouldn’t start with this case.

Every journalist who types a sentence about an alleged data protection breach needs to ask this question (ask me, I’m available through a variety of channels): WHICH PRINCIPLE DID THEY BREACH? DP isn’t anywhere near as woolly or generic as it is cracked up to be. The ill-informed, fact-free way that this story has been reported is a good example of why the legislation is so widely misunderstood. From a political perspective, the best part of it is that the fuss must originally have been kicked up by supporters of Tim Farron. I had no idea that he was not a full-throated supporter of gay marriage and abortion, but I do now, as presumably do many people within the LibDem movement who, unlike me, might be voting in the upcoming election.

FOOTNOTE: Organisations do not have a ‘data controller’; the organisation is the data controller. To misunderstand the Act’s concepts at such a basic level is a very bad sign. In my experience, the Liberal Democrat Party has the worst grip on data protection and privacy of any of the major parties in the UK, so it isn’t a surprise.