As regular readers of this blog will doubtless be aware, the Data Protection Act is based on the idea that all uses of personal data have to be justified. Specific conditions are set out for both ordinary data (names, addresses, financial data) while additional conditions are listed for sensitive data (political opinions and ethnicity amongst other categories). In the feverish atmosphere surrounding the upcoming General Data Protection Regulation, it’s worth noting that the GDPR works in exactly the same way with broadly similar conditions and definitions of sensitive (AKA special) data.
There are exceptions: national security is the most obvious, while journalistic purposes can sometimes trump the need for a condition (though in reality, legitimate interests covers much of what they do). However, there is no exception for political campaigning or electioneering. Any use of personal data for the purposes of an election or political campaign must meet one of the conditions in Schedule 2 of the DPA. Any targeting or profiling of potential voters based on their political beliefs, their ethnicity or religion must meet one of the Schedule 2 conditions, and one of the Schedule 3 conditions.
If you are not a Data Protection nerd, your attention may currently be wandering, so permit me to get it back. The Conservative Party are racially profiling voters in London, and I believe that the Data Protection Act makes this unlawful.
The Guardian reports that voters in London have received targeted mailings from David Cameron, specifically aimed at persuading members of the Gujarati community to vote for simpering toff the Conservative Mayoral candidate Zac Goldsmith. The letter makes play of his links with the Indian Prime Minister Navendra Modi, and exhorts recipients to vote Tory in May.
Not only is this rather crass politics, the Guardian highlights that it hasn’t even worked. One recipient, retired biochemist Barbara Patel described it as a “facile and inaccurate attempt at racial profiling”, falsely assuming that her surname Patel = Gujarat, and Gujarat = Hindu. Patel is in fact of Jewish descent, while her husband is from a family of lapsed Muslims. We’ll come back to this problem later.
In order to target a group on the basis of their ethnicity (i.e. the fact that they are Gujarati), the Conservatives need to meet two conditions. Schedule 2 offers scant possibilities – there is no legal obligation, public function or vital interest to help them. The only possibilities are consent and legitimate interests. As the letter appears to have taken at least some recipients by surprise (Patel for example confirms that she is definitely not a Tory voter), consent is clearly out of the window. This leaves only legitimate interest, and while I have no doubt that political campaigning even as inelegant as this would make the grade as such an interest, this is only half of the battle. The interest in question (i.e. the campaigning) is only acceptable if it does not cause prejudice to rights, freedoms and legitimate interests of the data subject.
Here, I think the false assumption about Barbara Patel’s ethnicity rears its head for the first time – Patel’s rights are clearly infringed if she receives wrongly targeted marketing based on her ethnicity, and moreover, as it is obvious that the Conservatives have not informed people in advance that they are using some kind of surname-based technique to identify certain ethnicities, legitimate interests is equally dead in the water because of the lack of fairness. Fairness is a key part of the first Data Protection principle, and is almost as difficult to get out of as the need to meet a condition.
Because I am certain that the Tories haven’t got a Schedule 2 condition, it seems pointless to consider whether they have a Schedule 3 condition to justify the use of sensitive data. But they haven’t, so let’s just enjoy pointing that out. Schedule 3 allows for a variety of uses of sensitive personal data, many related to wholly justifiable law enforcement, medical and therapeutic purposes. The only one tailored for political parties is of no use to the Conservatives, as it applies solely to information about members or those in regular contact – thus sending unsolicited letters to non-voters couldn’t possibly be covered. The condition also requires “appropriate safeguards” for the rights of individuals; by targeting the wrong people, the Tories lose again. Consent is the Tories’ only friend in Schedule 3, and they don’t have it here.
There are other breaches – as I have already mentioned, if the Conservatives have not clearly informed people that they will be racially profiled for marketing and political campaigning, they have breached the first Data Protection principle. As they have – in at least one case but I suspect many others – misidentified people’s sensitive data, they have breached the Fourth Data Protection principle, which requires all personal data to be accurate.
There are number of questions to be answered here. What justifications do the Conservatives think they have? How often do they profile on racial (and potentially religious) grounds? Where did the personal data come from? How was the profiling carried out? Actually, I suspect I know the answer to this question as I remember attending a hilariously awful presentation from a Well Known Data Broker That You Probably Think Of As A Credit Reference Agency about how they could carry out racial profiling using people’s surnames. I wonder if they are still hawking the same service? But fundamentally, the most important question is the one I always ask, and it’s the one regular readers will be expecting. Rather than trotting out another pointless undertaking, will the Information Commissioner take action on an outrageous example of data abuse?