Commissioner’s progress report includes revelations about UKIP’s non-compliance and a six-figure penalty for a pregnancy website that supplied data for Labour Party marketing

Credit: CROFT MALCOLM CROFT/PA Archive/PA Images

The government should “legislate at the earliest opportunity” to create rules that govern how personal data is used in political campaigns, the Information Commissioner’s Office has recommended.

The ICO today published a report providing updates on its ongoing investigation into the use of data analytics and algorithms in political campaigning. 

The data privacy watchdog revealed that it has issued Facebook with a notice of its intent to fine the company £500,000 – the maximum financial penalty available – for two breaches of the Data Protection Act. 

Buckinghamshire-based Lifecycle Marketing (Mother and Baby) Ltd (LCMB), which runs Emma’s Diary, a website offering advice to pregnant women, is also facing a fine of £140,000. 

11
Number of political parties compelled to allow the ICO to audit their data-protection practices. Only one, UKIP, refused to do so.

£640,000
Total intended fines announced today, including £500,000 for Facebook and £140,000 for pregnancy website Emma’s Diary

1,026,220
Number of records from which the parent company of Emma’s Diary supplied personal information. This data was subsequently used by the Labour Party.

14 months
Duration of the investigation so far. The next phase is expected to wrap up in October.

40
Approximate number of people at the ICO working on the investigation.

The ICO found that the firm supplied Experian Marketing Services with personal information from more than a million records in its database. The data was then used by Experian’s client – the Labour Party – during a “direct marketing mail campaign for the general election in 2017”.

Facebook and LCMB have until 18 and 30 July, respectively, to respond to the notices and make representations, should they so wish. After which, information commissioner Elizabeth Denham will decide whether the fines will be imposed.

Today’s report also reveals that, during its investigation, the ICO wrote to the 11 political parties who had at least one MP as of May 2017. Each received an information notice “compelling them to agree to audits of their data-protection practices”. 

Ten of these parties – the Conservatives, Labour, SNP, the Liberal Democrats, Plaid Cymru, the Democratic Unionists, Sinn Féin, the Social Democratic and Labour Party, the Ulster Unionists, and the Green Party – complied with the notice. 

“Only UKIP failed to cooperate with our investigation,” said the ICO report. “It should be noted that we have not been able to progress our investigation in regards to UKIP.”

However, a recent tribunal hearing rejected UKIP’s appeal of the information notice, and found that the information supplied by the party thus far is “brief, inadequate and, in some instances, possibly inaccurate”.  

“Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes.”
Information commissioner Elizabeth Denham

“UKIP will now have to respond to the commissioner’s request for information,” the report said. “We will look carefully at the evidence they send us.”

The parties that have already provided information were asked for details of what type of data they hold and where it came from, the purpose for which they processed it, whether individuals were informed of the data that is held about them, whether they share data with other parties – and, if so, why – and whether they use any form of analytics or “micro-targeting techniques”.

In addition to the written responses provided by the 10 parties, the ICO held multiple face-to-face meetings with each of the Conservatives, Labour, and the Liberal Democrats.

Recommendations
At this stage, the ICO has made 10 policy recommendations:

• Political parties should work with the ICO, the Electoral Commission, and the Cabinet Office to find a way for all political parties to increase transparency around how data is used.
• Sometime before the next election, the same organisations should work together on a new version of the ICO’s Your Data Matters campaign, with the aim of improving trust among the electorate.
• Parties must ensure due-diligence processes are implemented and adhered to when obtaining personal information from external sources.
• The government should work with the ICO to bring into law as soon as possible a statutory code of practice governing how personal info is used in political campaigns.
• Once a referendum has concluded, audits should take place to ensure campaigns either delete personal information or have the appropriate consent needed to share it.
• The newly created government Centre for Data Ethics and Innovation should work the ICO and the Electoral Commission to engage a “citizen jury” in a debate about the impact of emerging technologies and how data analytics is used in political campaigns.
• Any online platform hosting political adverts should employ in-house experts who can provide parties with advice on their accountability and transparency obligations.
• The ICO and its counterparts across Europe should work with the European Data Protection Board to ensure online platforms comply with GDPR, and that their users are aware of how their information is being processed.
• Online platforms must implement transparency features related to political advertisements as a matter of urgency.
• The government should undertake a review to identify “regulatory gaps” in its ability to scrutinise where political adverts come from and how widely they are disseminated. This review should include looking at the possibility of creating an “open data repository”.

Information commissioner Elizabeth Denham urged parliament, political parties, the civil service, regulators, and internet companies to take some time to reflect on what the big-data age means for them and their responsibilities to citizens and customers.

“People cannot have control over their own data if they don’t know or understand how it is being used,” she said. “That’s why greater and genuine transparency about the use of data analytics is vital.”

Denham added: “We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes. New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law. Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.”

Other actions taken by the ICO so far in its 14-month review include a criminal prosecution against SCL Elections Ltd – the parent company of Cambridge Analytica – for failing to comply with an earlier enforcement notice from the ICO, compelling the firm to deal with a subject access request. The company is now in administration.

Aggregate IQ – which the ICO found “had access to personal data of UK voters provided by the Vote Leave campaign” has been handed an enforcement notice requiring the firm “to stop processing retained UK citizen data”.