Written by Zlatko Delev

Posted on: July 29, 2021

Guidance for the use of personal data in political campaigning

Introduction

It is vital in any democratic society that political parties and campaigners are able to communicate effectively with voters. But it is equally vital for the integrity of elections and democracy that all organisations involved in political campaigning handle and process personal data in a way that is compliant with data protection law.

In recent years political campaigning has become increasingly sophisticated as new digital technologies and communication tools have developed rapidly. Campaigners now use the latest technology and commercial marketing techniques to attempt to understand their potential voters and communicate their political messages. 

The often invisible nature of these techniques can affect people’s trust and confidence in how their personal data is being used. However unintended, this poses a risk which undermines the democratic process. People can only make truly informed choices about who to vote for if they are sure their decisions have not been unfairly influenced.

The messaging and technologies used by political parties and campaigners may vary and change over time. But they all need to be working to the same rules when it comes to data protection and direct marketing laws, regardless of the method or future technological developments.

Organisations and candidates campaign using a variety of methods to engage with voters. Where this campaigning involves processing personal data you must carry it out in compliance with data protection law.

PECR complements the UK GDPR and DPA and provides additional rules for direct marketing by electronic means, such as phone, text message, and electronic mail. Direct marketing is defined in the DPA, section 122, Paragraph 5 as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. This includes contacting an individual to promote a political view or otherwise influence an individual.

This guidance provides practical advice and good practice recommendations to aid compliance with the UK GDPR, DPA and PECR. In order to do this, the guidance refers to other legislation including electoral law. However, you should direct requests for guidance and questions on compliance with electoral law to the

What is the purpose of this guidance?

This guidance provides clarity and practical advice to help those processing personal data in political campaigning to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations (PECR).

This guidance does not introduce any new obligations or responsibilities for campaigners above existing data protection and electronic marketing laws.

Who is this guidance for?

This guidance is aimed at controllers (see section on controllership for further information) processing personal data for political campaigning purposes.    

By political campaigning purposes we mean:

“activity in support of, or against, a political party, a referendum campaign or a candidate standing for election, or the success or failure of a recall petition.”

This includes, but is not limited to, processing by registered political parties, candidates, referendum campaigners, non-party campaigners and recall petition campaigners. (Specifically, as defined in Political Parties and Referendums Act 2000 sections 23, 88, 105. Also the Representation of the People Act 1983 s118A and other equivalent electoral legislation, and Recall of MPs Act 2015, Schedule 3, Part 5.)

This guidance applies to you if you process personal data for political campaigning purposes, regardless of your status under electoral law.     

It is not intended to cover internal party or campaign group election campaigning, such as leadership elections. It is also not intended to cover more general campaigning activities where these do not relate to referendum campaigns or elections. However, some of the points covered in the guidance may be useful for those purposes.

It applies to you if you have a branch, office or other ‘establishment’ in the UK, and process personal data in the context of the activities of that establishment, whether or not you are based in the UK.

It may also apply to you even if you don’t have an establishment in the UK and you are based outside the UK. The UK GDPR and the DPA still apply if you offer services to users in the UK, or monitor the behaviour of users in the UK, even if your establishment is overseas.

This guidance applies to processing for political campaigning in elections and referenda or potential elections and referenda in the UK. However, if you are processing for campaigning in non-UK elections and referenda and you are based in the UK, then the UK GDPR and DPA still apply and you may find this guidance helpful.

When does this guidance apply?

This guidance is not restricted to any ‘regulated periods’. You can collect, process and handle personal data for political campaigning purposes before, during, after and between particular campaigns. This guidance applies for as long as you are processing personal data for political campaigning purposes.

What are the data protection principles and rights?

The UK GDPR sets out the key principles, rights and obligations for most processing of personal data.

The DPA supplements and tailors the UK GDPR, for example in specifying how lawful bases may apply or in providing further conditions for processing certain types of sensitive information.

The key principles set out by the UK GDPR are:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

The UK GDPR also provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

What happens if we don’t follow this guidance?

Whilst this guidance is issued under the Commissioner’s general powers, it does not have any special legal status beyond that. However, if you are processing personal data for the purposes of political campaigning and you don’t take reasonable steps to follow this guidance, you are likely to find it difficult to demonstrate that your processing is fair and complies with the UK GDPR and PECR. If you process personal data in breach of the UK GDPR or PECR, we can take action against you.

Tools at our disposal include assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For serious breaches of the data protection principles, we have the power to issue fines of up to £17 million or 4% of your annual worldwide turnover, whichever is higher.

In using these powers the Commissioner will follow the ICO Regulatory Action Policy.  Our approach is to encourage conformance. Where we find issues we take fair, proportionate and timely regulatory action with a view to guaranteeing that individuals’ information rights are properly protected. We will take account of the size and resources of the organisation concerned.

We are more likely to allow controllers time to bring their activities into compliance if you have a well-documented and reasoned case to support the approach you have taken.

How should we use this guidance?

This guidance assumes you are familiar with key terms and concepts in the UK GDPR, DPA and PECR. If you need an introduction to data protection – or more context and guidance on key concepts – you should refer to our separate Guide to Data Protection and Guide to the Privacy and Electronic Communications Regulations.

For the avoidance of doubt, references in this guidance to UK GDPR can be taken to also include the EU GDPR as it stood at 31 December 2020, known as ‘the frozen GDPR’. Personal data relating to individuals located overseas that was collected prior to the end of 31 December 2020 is technically covered by the ‘frozen GDPR’ rather than the UK GDPR. However, in practice this makes little material difference to the way in which this guidance applies. For more information on the application of ‘the frozen GDPR’ please see our guidance on Data Protection after the end of the transition period.

This guidance focuses on specific compliance and good practice points for using personal data in political campaigning. It is divided into several sections, designed loosely to follow the lifecycle of a political campaign.

It is not intended as an exhaustive guide to compliance. It only covers processing for political campaigning purposes; it does not cover your wider obligations such as processing employment data or carrying out wider administrative tasks. Similarly, it does not elaborate on all your data protection obligations for political campaigning. For example, it does not cover accuracy, security, breach reporting or the right of access. Such obligations are equally as important as those explained in this guidance. However, the ways in which they apply are broadly the same whether you are processing for political campaigning purposes or any other purpose, so we have not included them.

You need to ensure you are aware of all of your obligations, and you should read this guidance alongside our other guidance.
