ICO calls for code of practice on use of data in politics

Following the ICO’s 18-month investigation on the use of data analytics for political purposes, Denham presented the regulator’s report to the parliament’s DCMS Select Committee today.

The investigation found “a disturbing disregard for voters’ personal privacy by players across the political campaigning ecosystem,” according to Denham.

The report reiterated Denham’s earlier call for views on a code of practice covering data as a tool in campaigns and elections and asked that such a code be given statutory footing within the Data Protection Act 2018.

Enshrining the code in law would give the ICO’s current powers “a sharper edge”, the report said, “providing clarity and focus to all sectors”.

Denham said in a statement: “It will simplify the rules and give certainty and assurance about using personal data as a legitimate tool in campaigns and elections.”

Self-regulation by social media platforms does not “guarantee consistency, rigour or shore up public confidence”, added Denham.

The ICO has also asked the government to look at the regulatory gaps within the existing data protection and electoral law landscape, and said it is working with the Electoral Commission and other regulators to increase transparency in campaign techniques.

Denham said: “We are at a crossroads. Trust and confidence in the integrity of our democratic processes risks being disrupted because the average person has little idea of what is going on behind the scenes.

“This must change. People can only make truly informed choices about who to vote for if they are sure those decisions have not been unduly influenced.”

Last month, Facebook was fined £500,000 over the Cambridge Analytica scandal, the maximum fine that can be issued for pre-GDPR breaches.

The report also revealed that the ICO fined pro-leave campaign group Leave.EU and Eldon Insurance, the company owned by its founder Arron Banks, £60,000 each for breaches of the Privacy and Electronic Communications Regulation 2003 (PECR), which governs electronic marketing.

The report said one million emails sent to Leave.EU subscribers contained marketing for Eldon Insurance’s firm GoSkippy, without subscribers’ consent.

Leave.EU was also issued with a notice of intent to be fined £15,000, which the ICO says is for a separate breach of PECR following almost 300,000 emails being sent to Eldon Insurance customers containing a Leave.EU newsletter.

The ICO is still investigating how the remain side of the EU referendum campaign handled personal data and will consider whether any data protection or electoral breaches require further action, according to the report.

Denham said in the report: “We may never know whether individuals were unknowingly influenced to vote a certain way in either the UK EU referendum or the in US election campaigns. But we do know that personal privacy rights have been compromised by a number of players and that the digital electoral ecosystem needs reform.”

During its investigation, the ICO identified 71 witnesses of interest, interviewed 33 individuals and reviewed the practices of 30 organisations, and is currently analysing 700 terabytes of data, which it says equates to 52bn pages.