Use of data services and analytics
All political parties, and indeed all organisations, are making increasing use of digital communications. But our use complements existing means of communication including grassroots campaigning. Political parties remain voluntary sector organisations.
It may be helpful to explain that the Information Commissioner has carried out a statutory audit of all major political parties, including the Conservative Party.
We have committed to working through the ICO’s constructive recommendations and will be welcoming back the ICO at a later date to review our improvement. The audit covered our use of data brokers; they have identified areas where our use could be improved, this includes due diligence, audits and the how we check incoming data.
Our data protection processes, policies and procedures continue to evolve, in part due to our work with the ICO, but also as the Data Protection Act 2018 and GDPR bed in and legal cases establish a deeper understanding.
Data Protection Act / basis for data
Through the Data Protection Act 2018, Parliament intentionally legislated to provide a legal basis for processing of ‘democratic engagement’, as a ‘task in the public interest’. This allows for data to be processed as an alternative to explicit prior consent. This is not an ‘exception’, rather it is one of the different legal bases in data protection law on which to process data.
As an example of how it may be used, MPs may routinely send a birthday card to a constituent at the point at which they reach 18 and are entered onto the electoral register as a full elector. It would not be practical to obtain prior consent from the 18-year-old to ask permission to send them a birthday card.
Separately, there is also a permitted provision for political parties to process the ‘special category data’ of political opinions. It would be perverse if political parties were not able to process political opinions. For example, if a party identifies that a voter has views on (say) pensions, after undertaking a survey or canvassing, that then allows the party to record that interest, and subsequently communicate the party’s policies on pensions at an election time. Parties may use other pieces of collected data to help refine who to write to.
This is an important feature of how our democracy has always worked: parties (including candidates and elected representatives) listen to voters, and then communicate with voters, to gain their mandate at the ballot box. There is also an important interaction with electoral law: parties and candidate spending are capped at a national and local level, and consequently both are forced to narrow and target audiences. This practice is not new. If parties were further restricted in targeting voters under data protection law, the practical effect would be to raise the cost per communication; this would result in less democratic engagement overall, and raise barriers to entry to participating in elections.
We have a number of concerns about the Information Commissioner’s draft code on the use of data for political campaigning. In the interests of transparency, I enclose a copy of the response that the Conservative Party sent to the consultation. I would particularly flag the potential chilling effect on long-standing practices of MPs and councillors from engaging with their local constituents.
As we state in our response, targeting people to receive political messaging is a normal part of democratic engagement. It is consistent with the long-held rights of free speech and freedom of expression. Targeted messages to those voters believed to be interested in a given issue specifically aligns with the definitions of democratic engagement (as defined in the Data Protection Act’s Explanatory Notes) which includes: communicating with electors and interested parties; surveying and opinion gathering, campaigning activities.
I would observe that there has been minimal Parliamentary scrutiny of the detail of the numerous codes being produced by the ICO – this is not something that the DCMS or PACAC Select Committees have considered. The lack of any democratic scrutiny of quasi-legislation from a public body should be a cause for concern.
Political and commercial advertising
You asked about the distinction between political and commercial advertising. This is addressed in our response to the ICO’s draft code on political campaigning. This issue stems from electronic communication regulations, rather than data protection legislation or trading/advertising standards.
The provisions of ePrivacy Directive (2002/58/EC) were intended to apply to ‘commercial communications’ for ‘direct marketing’. The (then) Labour Government transposed these
‘PECR’ regulations in 2003, and they did not apply to party political communications (as political parties do not sell goods or services). The Information Commissioner subsequently resolved that it did apply to political communications, following a Tribunal case involving the SNP. This case has never been tested by the higher courts, and never been ratified or agreed by Parliament. The underlying European Union legislation gave discretion to member states on this matter (and would continue to do so within the EU under the future ePrivacy Regulation).
Moreover, even under the PECR regulations, commercial organisations may undertake a ‘soft opt in’ communication: a one-off email to ask existing ‘customers’ if they wish to continue to be contacted. In its draft Code, the ICO has argued that this does not apply to political communications. Again, this is confused. Either political communications are marketing and fall under PECR, and should therefore enjoy the permitted exemptions open to businesses under PECR, or they are not commercial marketing and PECR should not apply in the first place.
These issues have also been raised in the ICO’s separate consultation on a statutory code on direct marketing. The ICO has proposed that public sector communications should be caught as direct marketing, and gives an example that pro-active public health communications on GPs’ flu vaccinations would not be permitted without explicit consent. The code would thus have the effect of further extending the legal definition of ‘commercial advertising’. This has deeply concerning implications for public health and safety, but is an unsurprising conclusion from the ICO unilaterally deciding that the definition in Parliament’s 2003 regulations should apply to far more than just commercial marketing activities.
We believe that the Government should ultimately review this confused legislative basis in PECR, with scope then for Parliament to agree a clearer legislative framework in secondary legislation. It would be open to legislators to set out activities which are permitted without explicit consent, and ones which would not be permitted. There would also be clear merits in a more consistent alignment with data protection law, rather than having two overlapping and confusing regimes. There are also new opportunities outside the European Union to tailor legislation specifically for the UK’s needs.
We hope these points will be useful.
Alan Mabbutt OBE
Registered Treasurer and Legal Officer
 The draft code states: ‘If, as a public body, you use marketing or advertising methods to promote your interests, you must comply with the direct marketing rules... [Case study] Scenario B: A GP sends the following text message to a patient: “Our flu clinic is now open. If you would like a flu vaccination please call the surgery on 12345678 to make an appointment.” This is more likely to be considered to be direct marketing’ (ICO, Direct marketing code of practice Information Commissioner’s Office Draft code for consultation, January 2020, p.22).