The ICO report on the investigation into the use of data analytics in political campaigns
In July 2018, the Information Commissioner’s Office (ICO) published a progress report on its ongoing investigation into the use of people’s personal data to influence political opinion. This forms part of a larger parliamentary inquiry into the proliferation of fake news in the digital age. Although the final report is expected to be presented in October 2018, this progress report already contains some lessons for data processors on creating robust procedures for establishing the legal basis for processing.
Ms Elizabeth Denham, the UK Information Commissioner, announced in May 2017 that a formal investigation into this matter was being launched, with specific focus on the use of personal data to ‘micro-target’ political adverts and manipulate political opinion in the run-up to the June 2016 United Kingdom European Union membership referendum (or ‘Brexit Referendum’).
Specifically, the aim of the fact-finding phase of the investigation was to understand the ‘complex eco-system that exists between data brokerage organisations, social media platforms and political campaigns and parties,’ as well as any suspected breaches of the Data Protection Act 1998 (DPA 2018) and the Privacy and Electronic Communications Regulations 2003 (PECR).
In the document, the ICO reports that they explored and analysed the following:
- The nature of the relationship between social media platforms, political parties and campaigns, and data brokers in respect of the use of personal data for political purposes;
- The extent to which profiling of individuals is used to target messages and political adverts at voters;
- The type and sources of the data-sets being used in the profiling an analysis of voters for political purposes;
- How political parties and campaigns, social media platforms and data brokers are informing individuals about how their data is being used; and
- The voters’ understanding of how their personal data is being used to target them with political messaging and adverts.
Whilst this report specifically targets how data is being manipulated and used in the political arena, collection of personal data and profiling algorithms exist across a wide array of different sectors.
Fines hit political-marketing companies
Last month it was confirmed that a £140,000 fine has been issued by the ICO to a relevant data brokering company for violating the DPA 2018 provisions. This fine came as a direct result from the ICO investigation.
The company was found to have illegally gathered and commoditised the personal data of over one million people (1,065,200 records) in the United Kingdom. This personal information was sold to a marketing company engaged by a major political party in the run-up to the 2017 General Election. The marketing company compiled this data into a database enabling their client party to target direct mail to mothers living in marginal seats about their plans to save children centres. The data brokerage company used to offer free gift packs and vouchers in exchange for mothers registering personal details such as pregnancy information or number of children. Each record contained the following information:
- Name of the parent
- Home address of the parent
- If any children aged five or under were present at the address
- The dates of birth of both the mother and children
The ICO found that the data brokerage company did not have sufficient disclosure in their privacy policy to inform individuals that their information would be sold on and used for political purposes.
They currently dispute these findings of the report.
Lessons learnt from this
Although this breach of data protection law was related to data brokers involved in the political process, the lessons still apply to other organisations operating in different sectors.
The fine issued should serve as a strong warning to organisations who collect personal data during a registration process. Increased public awareness around this issue following several high-profile incidents has clearly prompted the ICO to start taking more action.
The first step is to ensure front-facing privacy notices are written in a way that fully informs the data subject about what happens to their personal data once they submit it. The tenants of lawfulness, transparency and fairness should be adhered to at all times.
Your privacy policy should include information about:
- Who the data controller is
- Which lawful basis for processing is being used for that processing activity (consent, legitimate interest etc.
- What categories of data are being collected
- If the data is being shared with third-parties, with whom it is shared
- How long the data will be retained for
- How the data subject can exercise their rights over the data they have supplied
This should all be provided in plain writing, which is easily understandable by the general public. The use of legal jargon and overly complex technical terms to confuse and distract data subjects as to what is actually happening with their data will not be tolerated by the ICO.
Secondly, an organisation’s data protection policy should attest commitment to the fundamental principles of data protection. Unlike the privacy notice, the data protection policy is for internal use, clearly setting out the rights and obligations of the parties involved in the data processing process for employees handling the data. This document should serve as the “ten commandments of data protection.” (although not necessarily limited to 10 clauses).
A data protection policy should address:
- The scope of the policy
- To whom the policy applies to
- Which types of data does the policy apply to
- Information security standards
- Retention and destruction schedules
- How to escalate an issue involving data protection
With the GDPR now fully applicable as of 25th May 2018, organisations undertaking questionable practices involving data subject’s personal data will now be met with more punitive measures. The harsher penalties (up to 4% of global annual turnover or €20m, whichever is higher) will act as a strong deterrent to organisations with poor data protection practices and give some assurance to data-subjects. Taking these first steps in a compliance project can serve as a platform for the compliance project as a whole.
At a time where public distrust of data collection practices is high, those who take a proactive approach to the fundamental rights and freedoms of data subjects and data protection as a whole are in pole position to win the trust and confidence of data subjects.
For more information visit Trilateral Data Governance page and contact our team: dpo@trilateralresearch.com
