Data protection, Brexit and campaigners: Privacy policy? Eh?

Were you phoned up by the Leave or Remain Campaigns on your ex-directory telephone number during the Referendum Campaign (probably in breach of PECR)? I was. If so, how did they get my number?

How did one of the Campaigns, for example, know who was a Millwall fan so the caller from a Campaign gloated (sorry, I mean commiserated) with him or her over the 3-1 defeat by Barnsley at Wembley in May?

Intrigued, I have done a little digging; first in relation to the Referendum Campaigns and then secondly with respect to the UK political parties. This blog summarises what I have found, mainly based on a reading of many turgid Privacy Policies; in short, some important privacy issues need attention.

The items of personal data used

As far as I can see the various Referendum Campaigns (and most political parties during an election campaign) have access to the following personal data obtained from the data subject and from public sources.

• Electoral rolls from all UK constituencies (names and address nationality)
• Whether an individual voted in 2015 (General) and 2016 (Local) Elections
• Telephone numbers (including those ex-directory) and email addresses
• Siblings living at home (from electoral roll one presumes)
• Linkedin profile – gives photo, racial, profession/job, contact details, social classification (e.g. professional status) and of course a contacts list
• Facebook profile – this gives usually location, age, social class and hobbies (e.g. what football team they support) and of course a “friends” list
• Twitter activity
• I also assume there are also have fields (e.g. voting intentions) depending on what campaigners are told over the phone.

There are many other legitimate sources of public information (e.g. Land Registry, Companies House) and commercially available sources (e.g. Credit Reference Agencies provide a range of non-credit related data services) that may be used. The Lib Dems Privacy Policy states that it uses such sources of personal data, but these sources are not identified in the Privacy Policies of either Campaign or other political parties.

Ex-directory telephone numbers could also be obtained from third party list providers; this emerged at the Leveson Inquiry where journalists often used such list providers to obtain them. Lord Leveson (at line 9, page 17 of evidence 25th Jan 2012) states “It just concerns me that I simply do not know whether somebody has got hold of my personal data, and I don't know how I would ever find out, and therefore, if I never find out, I don't know to make the complaint” (to the ICO about the use of an ex-directory telephone number).

It is clear that the personal data above provides a detailed profile of the data subject’s social and political views, their economic and social status and points to other contacts who are then become a potential target. It is also easy to see how in future that such profiles have the potential to be assessed against a collection of Big Data to make predictions concerning the data subject.

Privacy Policies of the Campaigns

The Leave Campaign (as do most other political parties) use a platform called “NationBuilder” hosted in the USA. The way in which this platform works is well worth viewing to see how all the personal data identified above are inter-linked (see references for a link to a ten-minute demo).

It is also clear that NationBuilder could be a data controller. This arises from NationBuilder’s Terms and Conditions relating to “Law Enforcement and Third-Party Complaints” which states that the company will disclose customer data to others if “required to do so by law or subpoena”. I am not convinced that NationBuilder or its clients are aware of this rather fundamental data protection issue; NationBuilder is not a mere data processor.

The Leave Campaign’s Privacy Policy does not make it clear what items of personal data are collected on this platform; it infers all personal data are directly provided by the data subject to the Campaign when, as far as I can see, this is not the case (e.g. electoral roll personal data).

The statement in the Leave Campaign’s Privacy Policy “You can read more about that company and its features and policies at nationbuilder.com, and how the NationBuilder service interacts with and protects your information at “nationbuilder.com/privacy” and “nationbuilder.com/confidentiality” does not reassure. It does not make it clear which of these policies (i.e. the “privacy” one or “confidentiality” one applies to ordinary voters).

NationBuilder’s two thousand word Privacy Policy raises three concerns:

1. First it contains an obligation to read it. The Policy warns that “if you’ve opted not to receive legal notice emails from us (or you haven’t provided us with your email address), those legal notices will still govern your use of the Services, and you are still responsible for reading and understanding them”.
2. Second it states that “If you use the Services after any changes to the Privacy Policy have been posted, that means you agree to all of the changes” (this is a curious form of consent).
3. Finally, the Privacy Policy is dated 1st Feb 2014, and refers at the bottom of the webpage to the fact that Safe Harbor is used to protect the personal data (e.g. from the Leave Campaign) when they are transferred in the USA. In other words, the Privacy Policy is not up to date.

However, the Leave Campaign does state that “Vote Leave will authorise the complete destruction of its database, including the electoral register, as soon as reasonably practicable following polling day” and that “Data will not be retained or transferred to any successor organisation for any non-referendum purpose”.

By contrast, the Privacy Policy of the Britain Stronger in Europe Campaign (which also uses NationBuilder) is silent on the deletion of personal data after the Brexit vote, and does not refer to the transfer personal data to the USA (although transfers of personal data to Google in the USA are mentioned).

Other political parties

Given the paucity of relevant information on the Referendum Campaign websites, I decided to look at the UK main political parties; in summary, the lack of relevant information continues (although there is in my view, a great deal of unnecessary detail). The Political Parties, unlike the Referendum Campaigns, are likely to retain their bulk personal datasets from one election to the next so the data protection problems are exacerbated.

The Labour Party uses NationBuilder; its Privacy Policy “reassuringly” states: “We are compliant with the Safe Harbor scheme, which is recognised by the European Commission as providing adequate protection for the rights of data individuals in connection the transfer of their personal data to signatories of the scheme in the USA”. In other words, the demise of Safe Harbor has yet to register at Labour HQ.

From the website’s look and feel, I suspect the Conservative website uses NationBuilder; however, there is no statement in this regard or of any specific transfer to the USA.  The Privacy Policy merely states that a transfer outside the EEA “may happen if one of our service providers is located in a country outside of the EEA”.  UKIP uses NationBuilder, but says nothing about transfers outside the EEA.

I now suspect the dataset built on NationBuilder allowed the Labour Party to vet the political views of those applying for a vote in Leadership elections, and permitted Conservative Party workers to talk of databases of 20 million voters (“Facebook, Twitter – if it’s in the public domain it’s not off limits”, see references). If this suspicion is correct, it highlights the privacy concerns (and suggest the political parties have the capability of undertaking limited surveillance of its membership if/when the need arrives).

The Lib Dem website is hosted by NationBuilder fails to mention the USA at all (although in many other respects, the Privacy Policy provides a description of the harvesting of personal data from social media usage which is missing from other websites I looked at).  It is silent on the Safe Harbor position.

For completeness, I am not sure about the Greens or Scottish National Party (these sites do not have the NationBuilder look and feel).  However, I have to admit when I got to these Policies (they took some finding), a kind of Privacy Policy fatigue set in.

Concluding comments

My comments that relate to the Referendum Campaigns and most of the political parties are as follows:

• I am not convinced that data subject consent is explicit with respect to the processing of sensitive personal data (e.g. political opinions)
• That processing which is justified in the absence of consent should be identified as to the source of personal data and a description of the personal data collected in the absence of consent (especially if it relates to, or combined with, sensitive personal data).
• The status of NationBuilder needs resolution; it would be a data controller if NationBuilder discloses personal data to law enforcement and national security agencies without approval of its client. This is an important issue if all or most UK Electoral Rolls and bulk datasets on political views are processed in the USA. The Safe Harbor position also needs to be updated.
• I could find no detail concerning voter profiling (but I suspect it occurs) and no reference to a Privacy Impact Assessment concerning the processing of sensitive personal data. Such a PIA is a mandatory requirement of the GDPR.
• Privacy Policies need updating to describe what personal data are collected from sources other than the data subject; they should explain the harvesting of personal data via social networking, the extent of any profiling and what retention policies applies to the personal data. A few comments on the management of the NationBuilder platform would not go amiss.
• There is no simple mechanism whereby data subjects can object to the processing of personal data, request the deletion of personal data or reverse consent; one should be provided as a matter of urgency.

Finally, I would assume that the above problems are not unique to political parties (e.g. they could afflict supporters of a single issue campaign group or charity). ®

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.