Political campaigning: data protection & electronic marketing Rob Luke Deputy Commissioner

Today’s session Introduction and ICO role ICO guidance explained ICO powers Q and A Future contact

Political campaigning: ICO guidance explained Judith Jones – Group Manager Jenny Childs - Senior Policy Officer Parliament and Government Affairs

Introduction Political campaigning is a vital part of a democratic society, engaging with voters by: finding out their views persuading informing; and communicating BUT You must still comply with the law regarding data protection and direct marketing

Why does this matter? Citizens’ confidence and trust Legal obligation for data controllers Your reputation with potential supporters Information is a key asset Important rights for individuals

Updated guidance Updated to reflect latest ICO guidance No new rules but packaged in one document to help you comply

What’s new? Use of analytics Updated in line with current guidance - direct marketing and privacy notices

Use of analytics Even where personal data is publicly accessible, this does not automatically mean that it can be re-used for another purpose. If a political organisation collects and processes this data, then it is a data controller and has to comply with the DPA. If a political organisation commissions a third party to carry out analytics, then that company is likely to be a data processor – and must have a written contract.

Key legal concepts Principle 1 DPA: Personal data must be processed fairly and lawfully and on the basis of a schedule 2 and (where necessary) schedule 3 condition. Fairness – 2 parts Transparency – Telling individuals who you are and what you are doing with their personal data. Fairness – Not processing personal data in ways individuals would not reasonably expect.

Key legal concepts Section 27(5) ‘Except as provided by this part, the subject information provisions shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.’ In simple terms – unless you can satisfy an exemption from within the Data Protection Act 1998, the duty to provide fair processing information to individuals will apply

Re-use of publicly available data Publicly available information covers a range of data: • Electoral register • Public registers (Companies House) • Press reports • Social media Key point: It is not fair game! Remember s.27(5) – You must still provide fair processing information unless an exemption applies

Transparency You have to tell people what you are going to do with their data whether collected: directly from them (eg via a website) or obtained from another source Tell people, clearly and prominently what you are doing with their data. Would individuals reasonably expect you to do what you are doing? If not, the more important it is that you tell them and that you do so clearly, prominently and in a way they can understand.

Security of personal data Appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage to personal data Must consider nature of data to be protected, type of technology available and cost Risk assessment, staff training, levels of access to databases, data minimisation Cybersecurity

What is direct marketing? DPA defines direct marketing as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals” Communicating by post or by electronic means with individuals to promote a political view in order to gain support in an election, or otherwise influence an individual = direct marketing

Privacy and Electronic Communications Regulations (PECR) contain privacy rules on marketing and advertising by electronic means direct marketing rules derive from both DPA and PECR

Marketing - by post You can use the full electoral register during elections or referendums. You may contact an individual to promote a political campaign unless you are aware that the individual objects to direct marketing. Candidates, political parties and referendum campaigners have a right to send an ‘election address’ by Freepost, either addressed to each individual elector or unaddressed to each postal address.

Marketing –by live call You can call those not listed with the Telephone Preference Service (TPS) unless they have told you not to call them. You can call those registered on the TPS where you have their specific consent to do so. When calling you must- Identify your organisation - Allow a contact number to be displayed to the person. - Provide an address or number to object to marketing if requested. - Record and respect any objection.

Marketing - by automated call - If you wish to use automated calling you will need the specific prior consent of the individual for automated calls. - When calling calls must- Identify your organisation - Allow a contact number to be displayed to the person. - Provide an address or number to object to marketing.

Marketing – by electronic mail -‘Electronic mail’ includes email, text message, social media, video message and voicemail. You must have the individual’s specific consent to communicate with them in this way. When calling you must identify your organisation, provide an address that individuals can use to object and request that it does not send them any further communications. - Consent must be specific to the method of communication and to the instigator of the message.

What is meant by ‘consent’? To ensure consent is valid, there must be a prominent and clear explanation of what the individual is agreeing to. You must ensure consent is specific, informed and freely given by the individual. Consent should be demonstrated by a positive indication of choice.

The right to opt out Make it simple for individuals to object to or to opt out from receiving direct marketing from you. Enable individuals to object by responding directly to the marketing message they’ve received from you. Suppress their details to ensure you do not contact them again

Section 11 Right Section 11 of the DPA gives individuals the right to contact an organisation in writing to stop or prevent it from using their contact details for the purpose of sending marketing materials. You must respect any such objection (the only exception is for a single addressed freepost mailing at a General Election, allowed under the RPA).

Using third parties Take particular care when using third parties: to supply information to you eg lists of contacts to carry out direct marketing for you Make sure data was obtained fairly and lawfully Check there is clear, informed, specific consent Explanation must be in broad enough terms to include political campaigning messages Check and monitor what they are doing How accurate / current is the data?

Using surveys There is a difference between genuine market research and direct marketing. Examples of communications that will be considered direct marketing: A person from a local constituency office of Party X phones Mrs Y and asks for her opinions on local public transport. Party X records Mrs Y’s responses together with her name and contact details. It later uses her contact details to send her emails promoting Party X in an election campaign.

Using social media Social media can provide an effective way of communicating to and interacting with the public….. But don’t forget: -If you collect peoples’ details, to explain what you’ll use these for. -To obtain clear, informed consent if you plan to contact them again. -To take care when using viral marketing or “tell a friend” campaigns. -Be aware of risks in branding / renaming official social media channels as political campaigning channels.

Overview of ICO Enforcement – Powers Andy Curry, Enforcement Group Manager

Enforcement at the ICO Anti-Spam Investigations Teams within ICO Enforcement department – 15 investigators. Range of enforcement options including Monetary Penalties – £500,000 maximum Enforcement Notice Criminal prosecution – section 17, section 20 of Data Protection Act – the ‘notification offences’

ICO Enforcement – Political Campaigns £5,000 monetary penalty for David Lammy MP – 35,000+ automated calls. No consent obtained by sender. £50,000 monetary penalty for Better for the Country / Leave.EU. 500,000+ SMS text messages. No consent obtained by sender. Undertaking* for Better Together. 300,000+ SMS text messages. No consent obtained by sender.

Prize draw website / Travel company Sender of messages / dialler platform Instigator of political campaign List / Data Broker Prize draw website / Travel company

Central Party Membership or Supporter Data Instigator of political campaign Central Party Membership or Supporter Data Terms and conditions: Are members / supporters asked to consent to receive automated calls or SMS messages?

Any Questions?

Subscribe to our e-newsletter at www.ico.org.uk Keep in touch Subscribe to our e-newsletter at www.ico.org.uk or find us on… /iconews http://ico.org.uk/livechat @iconews