The UK’s political parties are collecting personal data to create profiles on voters that include attempts to deduce sensitive data such as their religion, political opinions, nationality and income.
Subject access requests made by voters show that the parties obtain data from commercial data brokers and combine it with the electoral register and data gathered from canvassing to build profiles on voters that often contain sensitive personal information.
The Open Rights Group (ORG), which co-ordinated the research, said political parties exploit a legal grey area in data protection law by buying commercial data, processing “special category data” and profiling and inferring their political opinions.
“This leaves most voters in the dark about what political parties do with their personal data,” said Pascal Crowe, the ORG’s data and democracy project officer. “These practices have the potential to seriously undermine trust in the democratic process and damage its integrity.”
The Labour Party is the most prolific collector of personal data, holding up to 100 pages on each individual, broken down into more than 80 categories of data.
The party has been reluctant to disclose information to people who request their data under the Data Protection Act and has repeatedly delayed its response to individual requests, potentially putting it in breach of data protection law.
However, earlier subject access requests and research by the ORG shows that Labour gathered data from canvassing the electoral register and other sources to estimate personal data on each voter.
This included data about their political opinions, including estimates of how strongly each voter supported remaining in the European Union (EU), how strongly they supported the Scottish National Party (SNP), and how likely they were to switch from Tory to Labour.
The party also keeps estimates of the income of voters, how strongly they rate the importance of childcare, and how important they feel it is to devolve powers to the Scottish Parliament.
The ORG analysed 25 subject access responses from the Liberal Democrats, which contained a mixture of data from the electoral roll, descriptive data, and inferences about individual voters.
This suggests that although the Lib Dems, which outsource some of their processing, aspire to sophisticated data analysis, they have not yet achieved it, or may have had sampling issues, the ORG said in a report.
The party uses personal data to infer political views, including the likelihood that voters are members of the Brexit party or whether they supported Remain, and whether they are likely to be a “soft Tory”.
The Conservative Party collects demographic information and scores on voters, using data bought from credit reference and data broker Experian.
This includes data classed as sensitive under the Data Protection Act, including “mysticism”, and attempts to estimate the religion of an individual, and “mother tongue”, which could be used as a proxy to identify a voter’s nationality.
The party is interested in how likely voters are to read and enjoy the Daily Mail, whether voters have a university education, their income and employment status.
The list is not complete. The Conservative Party also outsources profiling to Hanbury Strategy, which did not form part of this study.
Most party data appears inaccurate
Anecdotal evidence gathered by ORG suggests that in many cases, the data collected by political parties bears little resemblance to reality.
A sample of voters described their subject access requests as mostly or completely inaccurate, and only a small number of results were completely accurate.
One participant said their profile from the Conservative Party was based on cheap postcode aggregation. “It identified me as a tabloid-reading Labour leaver with a poor education, all of which is incorrect,” the participant said.
Some people said they were concerned that inaccurate financial profiling by political parties could affect their credit rating. “It made me feel a bit anxious and powerless,” said one.
Others said the picture was wholly inaccurate and reading their profile was like “reading about a strange hybrid caricature”.
Breaches of the law
The General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2019 require organisations to collect accurate data, raising a potential legal conflict for political parties’ collection and use of personal data, the ORG claims in its report.
The inaccuracy of the data on many voters also raises questions about the value of voter profiling for political parties. “Political profiling may incur a significant financial resource and reputational cost for very little gain,” said Crowe. “It is unclear what the business case is for its continuation.”
Parties may be better off using low-tech solutions, such as canvassing and focus groups, to provide more accurate data and less legal risk.
The Labour Party may be in breach of data protection law, which requires organisations to respond to subject data requests in 30 days, following a long delay in it releasing personal data.
Computer Weekly made a subject access request to the Labour Party before the General Election in December 2019. Four months later, the party wrote back asking for another copy of photographic identity to process the request, which was provided.
It has yet to provide the information requested.
Calls for reforms
The ORG is calling on regulators to investigate whether the processing of voter data is strictly necessary to promote democratic engagement, as is required by the law.
It also calls for the government to enforce Article 80 (2) of the GDPR, which would allow third-party organisations to initiate claims with regulators on behalf of the public.
“It is unrealistic to expect members of the public to be fully aware of when their data rights are being infringed,” it said.
The ORG argues that political parties should move towards consent as a legal basis for profiling voters, rather than rely on exemptions, such as the right to process political opinion data, which may be open to legal challenge.