Information commissioner calls for stricter regulation on political use of data

The Information Commissioner’s Office (ICO) has taken regulatory action against a number of organisations, as its investigation into the use of data analytics in political campaigns concludes.  

Information commissioner Elizabeth Denham presented the final report on the investigation to the Digital, Culture, Media and Sport (DCMS) select committee today (6 November), which looked at 30 different organisations’ use of personal data and analytics, including political campaigns, parties and social media companies. 

As part of the investigation, the ICO has taken enforcement action against Leave.EU and Arron Banks’ insurance company Eldon Insurance for “serious breaches of the Privacy and Electronic Communications Regulations 2003”. Leave.EU and Eldon, trading as GoSkippy, will be given a £60,000 fine, while the Leave.EU campaign will get an additional £15,000 fine for breaching email regulations.

As previously reported by Computer Weekly, the investigation has also fined Facebook £500,000, as well as Denham calling for the company to change its business model and practices “to maintain trust.” 

She told the select committee that following the Cambridge Analytica scandal, Facebook still needs to do more, and “should be subject to stricter regulation and oversight”.

Eleven political parties have also been sent warning letters and the ICO will issue “assessment notices for audits later this year,” according to the report.

“We have concluded that there are risks in relation to the processing of personal data by many political parties,” the report said.

“Particular concerns include the purchasing of marketing lists and lifestyle information from data brokers without sufficient due diligence, a lack of fair processing and the use of third-party data analytics companies, with insufficient checks around consent.”

In a blog on the ICO website, Denham said the investigation has found “a disturbing disregard for voters’ personal privacy by players across the political campaigning ecosystem - from data companies and data brokers to social media platforms, campaign groups and political parties.”

In its July update on the investigation, the ICO set out plans for a code of practice on the use of data in campaigns and elections. 

Denham has now called for views on the code, which she said aims to “simplify the rules and give certainty and assurance about using personal data as a legitimate tool in campaigns and elections”.

“This code should be given the same statutory footing as other codes of practice in the Data Protection Act 2018,” she said in her blog.

“Codes about data sharing, age-appropriate design and a code for the media are all enshrined in law. The integrity of our democracy is equal to these issues. It’s important enough to the public and to the wider world that the regulator’s guidance be given a sharper edge and be included in primary legislation too.”

She has also called on the government to look at potential regulatory caps in the current data protection and electoral landscape “to ensure we have a regime fit for purpose in the digital age”.

“We are at a crossroads. Trust and confidence in the integrity of our democratic processes risks being disrupted because the average person has little idea of what is going on behind the scenes,” Denham said.

“This must change. People can only make truly informed choices about who to vote for if they are sure those decisions have not been unduly influenced.”