Another day, another story in the Observer about Dominic Cummings and the Brexit vote, inspired (if that is ever the right word in this context) by revelations from Ian Lucas, the former MP for Wrexham. Lucas did not stand in the 2019 General Election and his former seat went to the Tories. Notwithstanding his decision to step down from politics, his determination to re-fight the 2016 Brexit Vote is undiminished, despite the fact that Boris Johnson’s victory means that Brexit is now a certainty, and any hope of going back in time is dead and gone.
Lucas has now passed correspondence he obtained when an MP to the Observer. Inevitably written up by the paper’s Cummings Conspiracy Correspondent Carole Cadwalladr, the revelation is that in correspondence with the Information Commissioner, Cummings said that had the referendum been won narrowly by the Remain side, he would have contested its legitimacy. Cummings claimed that the electoral process is compromised and nobody has done anything about it. I guess there might be some minor interest in seeing Cummings’ hypocrisy exposed – the man who lectures Remainers about picking which votes to respect turns out to be unprincipled and two-faced. Given the Leave campaign’s now total victory in the Brexit debate, I’m not sure what the point really is.
There is, however, an interesting angle to the story which is very relevant to today, especially given the large numbers of MPs on all sides who were either vanquished on Thursday night or decided like Lucas that their time was done. In Data Protection terms, politicians have a complicated identity, being associated with a number of different data controllers. As a party representative, an MP is likely to receive or have access to data from their party, and so must answer to them. Separately, as an MP, MSP, AM or councillor, a politician may well have a committee or other official role that gives them access to personal data for which the Parliament, Assembly or Council will be controller. Finally, as a representative of constituents and for other specific purposes, a politician will be a controller in their own right, liable directly for the way in which they use personal data.
When they cease to be an elected representative, much of this falls away. There isn’t much personal data in Cummings’ correspondence with Wood, but there is some, and Lucas isn’t the data controller for that data – Parliament is. Lucas’ role on the Culture, Media and Sport Committee will undoubtedly have given him access to private, possibly confidential data and some of it would have been personal data. Considering the scope of other Committees – health, security, and other sensitive matters – other ex-MPs will have significant data in their possession which should be in the control of Parliament. The same goes for lists of supporters or volunteers which are the responsibility of the party, not the ex-MP. Even the constituency casework data, for which the ex-MP would be responsible, should arguably be disposed of or passed on to either the new MP or the local party. The purpose of providing sensitive personal data to your MP is for your MP to represent you – if that person is no longer doing that job, it’s arguably a breach of the first principle (fairness), the second principle (purpose limitation), and the third principle (relevance) for a former politician to retain their casework data once they have left office.
There are two serious issues here. The institutions must have clear processes to secure and recover personal data held by their former representatives. Once an MP has left Parliament by whatever route, if the Parliamentary authorities do not have processes to ensure that data is handed back and devices erased, this is very likely to be a breach of the GDPR’s security requirements to have appropriate organisational measures in place. I don’t underestimate the difficulty of this exercise with ex-MPs and their staff literally scattered across the UK, but if Parliament is the controller, they are required to recover the data. The same is true for the parties – if (for example) Jo Swinson remains an active member of the Liberal Democrats, it might well be reasonable for her to retain personal data she held as a LibDem MP, but if she walks away, the party needs to obtain any data she used as a LibDem representative or see to it that it has been deleted. This is particularly important in a world where politicians will jump from one party to another.
The flipside of this is that the Data Protection Act 2018 makes it a criminal offence for a person to retain personal data without the authorisation of the data controller. If Parliament is the controller for the Cummings correspondence, Lucas has by his own admission retained and disclosed it without Parliamentary approval: “I used every means possible to secure the publication of them by parliament but ultimately was blocked from doing so, so I have chosen to make them public myself”. I wondered whether there could be an argument that MPs are joint controllers for all the data they access from Parliament or Party, but Lucas was an MP for 18 years and knows a lot more about it than I do. He doesn’t seem to think he was controller of the data, so I think that’s very persuasive. Any ex-MP who merely keeps data for which Parliament or Party is controller is likely to be committing a criminal offence, and any disclosure or other use of the data only multiplies the possible offences. There is, of course, a public interest defence to an allegation of these DP offences, but I believe that this should be tested.
The irony of Lucas’ claims to be valiantly exposing the truth about Cummings’ hypocrisy (and Cadwalladr’s enthusiastic reporting of it) is that the correspondence in question has apparently been on Parliament’s website since March 2019, made available following contempt proceedings against Johnson’s goblin advisor. I’ve never been a fan of Lucas’ self-promoting antics or Cadwalladr’s wayward approach to fact-checking, but this particular story is a joke. It does inadvertently raise a serious point about the conduct of Lucas and other ex-MPs; if Cadwalladr and the Observer are as concerned about data protection as they claim, looking at misuse by ex-politicos would be a more fertile area of research than old news from 2017 that was already in the public domain.