Personal data in political campaigns: Canadian takeaways from the UK Information Commissioner’s guidance
Politics are more personal than ever. Political parties and candidates have come to identify and target voters with no less ambition than large companies do, through specific product recommendations and personalized user experiences. To do so, parties and political campaigns have amassed — and are continuing to amass — significant volumes of data about individuals and their preferences. They then apply predictive algorithms to that data to derive insights, which inform their campaign strategies, which can help to decide a close election. The end result: individuals’ personal data is increasingly part of the political process.
The UK Information Commissioner’s Office (the “ICO”) recently published Guidance on Political Campaigning (the “ICO Guidance”). While the ICO Guidance is only applicable in the United Kingdom, it demonstrates, particularly in the midst of a Canadian election, what a robust data protection regime could require of political parties in Canada — where, as it stands, political parties’ data collection and use is largely unregulated.
The ICO Guidance is a draft framework for the use of personal information by political parties. The ICO Guidance is not of itself legally enforceable; however, it provides clarity and practical advice to those processing personal data in political campaigns on how they can ensure compliance with the legally binding EU General Data Protection Regulation (“GDPR”) and the UK Data Protection Act (“DPA”) On a broader level, the ICO Guidance helps to address issues of individual privacy and trust in the democratic process, in the wake of major data scandals.
UK political parties must comply with UK privacy law
Unlike in Canada, political organizations and candidates in the UK who process personal data — defined as data about an identified or identifiable individual — must comply with the UK’s data protection and electronic marketing laws. The ICO Guidance seeks to clarify these laws and how they relate to political campaigning. To do so, the ICO Guidance explains how political parties and candidates should go about respecting the key principles, rights, and obligations for processing personal data, as summarized below.
There are a variety of ways in which political parties can collect personal information about individuals. The ICO Guidance suggests different methods of providing appropriate information about a party’s privacy policies in various circumstances.
Data processing by political parties must be lawful, fair, and transparent
The ICO Guidance states that, pursuant to the GDPR and the DPA, any processing of personal data must be lawful, fair, and transparent.
- Lawful processing means that political parties must have an appropriate lawful basis for processing personal data and must also process it in a lawful manner.
- Fairness refers to handling personal data in a way that individuals expect, and not using it in ways that lead to unjustified adverse effects.
- Transparency means that political parties must be clear, open and honest with individuals and provide information about the purposes for collecting their personal data, the retention periods, and with whom, if anyone, it will be shared.
Parties cannot use data beyond the purpose for which it was collected
Political parties may want to use personal data obtained for one purpose in a political campaign for a different purpose. The ICO Guidance reiterates that pursuant to Article 5(1)(b) of the GDPR, parties should not be using personal data obtained through an MP’s constituency work for political campaigning purposes.
Pursuant to the GDPR and the DPA, parties must be clear about why they are processing the data from the start, and must be able to explain it to individuals. The ICO Guidance suggests that:
- Face-to-face campaigning: political parties are expected to provide individuals either with a leaflet containing the privacy information or a more basic privacy statement with a link to a website where people can obtain the privacy information.
- Online: political parties are expected to display privacy information prominently on their website or before an individual downloads a mobile app.
Data collection and storage must be justified and should be limited
The ICO Guidance explains that, pursuant to the GDPR and DPA, political parties must not keep personal data for longer than needed. Parties must justify why and how long they are holding personal data — and for what purpose this is being done.
Maintaining accuracy, integrity, and confidentiality of data is key
The ICO Guidance suggests that political parties, like all data controllers under the GDPR and DPA, are expected take steps to ensure the accuracy and safety of the data they use.
One way of maintaining data accuracy in the political context is by requesting updated versions of the voter register on a regular basis. Using older versions of the voter register risks parties’ writing to people who are no longer living at certain addresses, whose names have changed, or who have died.
Political parties are accountable for their use of personal data
Accountability is one of the most important data protection principles and is enshrined in both the GDPR and DPA. The ICO Guidance stresses that political parties should be held accountable for their use of personal data.
Canada’s framework for political parties and privacy is evolving
In contrast to the UK, Canada’s major federal privacy protection law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), does not regulate political parties. Nevertheless, personal data in political campaigns is still a hot-button issue in Canada, as all parties continuously analyze Canadians’ personal information in their efforts to gain an electoral edge.
The ICO Guidance is important from a Canadian perspective because it highlights what imposing a comprehensive privacy regime for political parties could look like. While there has been an effort to improve data privacy for Canadian political parties, the ICO Guidance highlights the disparity between the UK and Canada.
On June 13, 2019, the Elections Modernization Act (the “EMA”), came into force. This law amended the Canada Elections Act to, among other things, require political parties to develop specific privacy policies to protect personal information, to submit those policies to Elections Canada, and to publish the policies online (see our previous blog post on the EMA).
The Office of the Privacy Commissioner (the “OPC”) has also issued Guidance for federal political parties on protecting personal information. The OPC Guidance addresses what must be included in political parties’ privacy policies, including:
- A statement indicating the types of personal information that the party collects and how it collects that information.
- A statement indicating how the party protects personal information under its control.
- A statement indicating how the party uses personal information under its control and under what circumstances that personal information may be sold to any person or entity.
- A statement indicating the training concerning the collection and use of personal information to be given to any employee of the party who could have access to personal information under the party’s control.
- A statement indicating the party’s practices concerning:
- the collection and use of personal information created from online activity, and,
- The name and contact information of a person to whom concerns regarding the party’s policy for the protection of personal information can be addressed.
The bottom line
The mixing of personal information and politics is a growing concern around the world, and expectations regarding transparency and security for personal data are increasing. In Canada, the OPC Guidelines and the EMA represent the first steps towards bringing political parties in line with these expectations. The UK, with the ICO Guidance, demonstrates how much further some countries are willing to go to ensure robust data protection by their political parties. Canadian political parties — and every Canadian who interacts with our democratic process — should take note, monitor these trends, and consider the impact that a more stringent privacy regime could have on our politicians’ data collection and analysis efforts.