How did they get your number – and was it legal?
Were you phoned up by the Leave or Remain Campaigns on your ex-directory telephone number during the Referendum Campaign (probably in breach of PECR)? I was. If so, how did they get my number?
How did one of the Campaigns, for example, know who was a Millwall fan so the caller from a Campaign gloated (sorry, I mean commiserated) with him or her over the 3-1 defeat by Barnsley at Wembley in May?
Intrigued, I have done a little digging; first in relation to the Referendum Campaigns and then secondly with respect to the UK political parties. This blog summarises what I have found, mainly based on a reading of many turgid Privacy Policies; in short, some important privacy issues need attention.
The items of personal data used
As far as I can see the various Referendum Campaigns (and most political parties during an election campaign) have access to the following personal data obtained from the data subject and from public sources.
- Electoral rolls from all UK constituencies (names and address nationality)
- Whether an individual voted in 2015 (General) and 2016 (Local) Elections
- Telephone numbers (including those ex-directory) and email addresses
- Siblings living at home (from electoral roll one presumes)
- Linkedin profile – gives photo, racial, profession/job, contact details, social classification (e.g. professional status) and of course a contacts list
- Facebook profile – this gives usually location, age, social class and hobbies (e.g. what football team they support) and of course a “friends” list
- Twitter activity
- I also assume there are also have fields (e.g. voting intentions) depending on what campaigners are told over the phone.
Ex-directory telephone numbers could also be obtained from third party list providers; this emerged at the Leveson Inquiry where journalists often used such list providers to obtain them. Lord Leveson (at line 9, page 17 of evidence 25th Jan 2012) states “It just concerns me that I simply do not know whether somebody has got hold of my personal data, and I don't know how I would ever find out, and therefore, if I never find out, I don't know to make the complaint” (to the ICO about the use of an ex-directory telephone number).
It is clear that the personal data above provides a detailed profile of the data subject’s social and political views, their economic and social status and points to other contacts who are then become a potential target. It is also easy to see how in future that such profiles have the potential to be assessed against a collection of Big Data to make predictions concerning the data subject.
Privacy Policies of the Campaigns
The Leave Campaign (as do most other political parties) use a platform called “NationBuilder” hosted in the USA. The way in which this platform works is well worth viewing to see how all the personal data identified above are inter-linked (see references for a link to a ten-minute demo).
It is also clear that NationBuilder could be a data controller. This arises from NationBuilder’s Terms and Conditions relating to “Law Enforcement and Third-Party Complaints” which states that the company will disclose customer data to others if “required to do so by law or subpoena”. I am not convinced that NationBuilder or its clients are aware of this rather fundamental data protection issue; NationBuilder is not a mere data processor.
- First it contains an obligation to read it. The Policy warns that “if you’ve opted not to receive legal notice emails from us (or you haven’t provided us with your email address), those legal notices will still govern your use of the Services, and you are still responsible for reading and understanding them”.
However, the Leave Campaign does state that “Vote Leave will authorise the complete destruction of its database, including the electoral register, as soon as reasonably practicable following polling day” and that “Data will not be retained or transferred to any successor organisation for any non-referendum purpose”.
Other political parties
Given the paucity of relevant information on the Referendum Campaign websites, I decided to look at the UK main political parties; in summary, the lack of relevant information continues (although there is in my view, a great deal of unnecessary detail). The Political Parties, unlike the Referendum Campaigns, are likely to retain their bulk personal datasets from one election to the next so the data protection problems are exacerbated.
I now suspect the dataset built on NationBuilder allowed the Labour Party to vet the political views of those applying for a vote in Leadership elections, and permitted Conservative Party workers to talk of databases of 20 million voters (“Facebook, Twitter – if it’s in the public domain it’s not off limits”, see references). If this suspicion is correct, it highlights the privacy concerns (and suggest the political parties have the capability of undertaking limited surveillance of its membership if/when the need arrives).
My comments that relate to the Referendum Campaigns and most of the political parties are as follows:
- I am not convinced that data subject consent is explicit with respect to the processing of sensitive personal data (e.g. political opinions)
- That processing which is justified in the absence of consent should be identified as to the source of personal data and a description of the personal data collected in the absence of consent (especially if it relates to, or combined with, sensitive personal data).
- The status of NationBuilder needs resolution; it would be a data controller if NationBuilder discloses personal data to law enforcement and national security agencies without approval of its client. This is an important issue if all or most UK Electoral Rolls and bulk datasets on political views are processed in the USA. The Safe Harbor position also needs to be updated.
- I could find no detail concerning voter profiling (but I suspect it occurs) and no reference to a Privacy Impact Assessment concerning the processing of sensitive personal data. Such a PIA is a mandatory requirement of the GDPR.
- Privacy Policies need updating to describe what personal data are collected from sources other than the data subject; they should explain the harvesting of personal data via social networking, the extent of any profiling and what retention policies applies to the personal data. A few comments on the management of the NationBuilder platform would not go amiss.
- There is no simple mechanism whereby data subjects can object to the processing of personal data, request the deletion of personal data or reverse consent; one should be provided as a matter of urgency.
Finally, I would assume that the above problems are not unique to political parties (e.g. they could afflict supporters of a single issue campaign group or charity). ®
Sponsored: Becoming a Pragmatic Security Leader