ICO Demands Urgent Data Protection Changes from UK Parties
The UK’s privacy watchdog has told the country’s largest political parties to make urgent improvements to their data handling practices, following concerns that many voters are unaware of how their information is being used.
The Information Commissioner’s Office (ICO) released a new audit of data protection compliance covering the Conservative Party, the Labour Party, the Liberal Democrats, the Scottish National Party (SNP), the Democratic Unionist Party (DUP), Plaid Cymru and the United Kingdom Independence Party (UKIP).
The audit raised serious concerns that the parties may be breaking the GDPR in several key areas, including use of social media, profiling, accountability, privacy information and the lawful basis for processing personal information.
Among the many recommendations it made, 70% were classified as “urgent” or “high priority.”
Information Commissioner Elizabeth Denham said that although the ICO recognizes the unique role parties play in a democratic society, they cannot operate above the law.
“Society benefits from political parties that want to keep in touch with people, through more informed voting decisions, better engagement with hard to reach groups and the potential for increased engagement in democratic processes,” she added.
“However, engagement must respect obligations under the law, especially where there are risks of significant privacy intrusion. All political parties must use personal information in ways that are transparent, understood by people and lawful, if they are to retain the trust and confidence of electorates.”
Among the ICO’s recommendations is a call for parties to provide clear information in privacy notices about how voters’ data will be used, and to be clear when they use profiling techniques that combine information from different sources, especially when this is done via social media.
Parties must also demonstrate how they are protecting people’s rights and ensure contractors and suppliers are adhering to data protection laws. Finally, they must review their lawful basis for the different types of processing of personal data, to ensure the most appropriate basis is used.