Important (Non-Political) Takeaways for GDPR Compliance from UK ICO Draft Code of Practice for Use of Data in Political Campaigns

August 12, 2019Alerts

The United Kingdom's Information Commissioner's Office (ICO) published a Code of Practice for use of Data in Political Campaigning for public consultation which ends October 9, 2019. Though it officially applies to UK-based political campaigns, the code contains deep analysis of General Data Protection Regulation (GDPR) issues and can serve as useful, actionable guidance on compliance to companies and organizations subject to GDPR on topics such as: How to provide the privacy information and how to determine whether your profiling might have a legal or similarly significant effect.

Key generally applicable takeaways:

Controller  Processor

  • A processor may have the freedom to use its technical knowledge to decide how to carry out certain activities on the controller’s behalf. However, it cannot make any of the overarching decisions, such as what types of personal data to collect or what the personal data will be used for.
  • A company hired to carry out research for customer modelling purposes is a joint controller with the company hiring it regarding the processing of personal data to carry out the survey, even though the hiring company retains overall control of the data because it commissions the research and determines the purpose the data will be used for.

Inferences

  • To establish whether opinions or inferences are personal data, it is not about whether the inferences or opinions are correct. The key question is whether they are processed with the intention to identify and relate to, or in a manner that identifies and relates to, individuals; whether by name, address or any other identifying factor.
  • If you make inferences about people living in a particular area, you should do this in a way that avoids processing personal data where possible. For example, using as large a mapping area as possible to cover more properties or households; and using formats such as heat maps.
  • When developing or purchasing software that makes inferences about people in an aggregated form, you should assess carefully whether this software processes personal data or adds special category data. If it does, you need to assess the necessity of processing this personal data and fully comply with data protection law.

Purpose Limitation

  • You must not collect or retain personal data on the off-chance that it might be useful in the future. You must be able to justify the necessity of processing the data for your purpose(s).
  • You may only use data collected for a certain purpose if
    • your intended purpose is compatible with the original purpose;
    • or where you have obtained the individual’s specific consent for processing data

To decide whether a new purpose is compatible with your original purpose you should take into account:

  • any link between your original purpose and the new purpose;
  • the context in which you originally collected the personal data – in particular, your relationship with the individual and what they would reasonably expect;
  • the nature of the personal data — e.g. is it particularly sensitive;
  • the possible consequences for individuals of the new processing; and
  • whether there are appropriate safeguards- e.g. encryption or pseudonymization

How to Provide the Privacy Notice Information (Article 13)

This depends on the method the information is collected:

  • Face to face canvassing — Leaflet with basic information and link to website with the full information.
  • Paper petitions and surveys —Promptly display basic information and link to website with the full information.
  • Online petitions, surveys and quizzes — Prominently display a link to the privacy information on the petition/ survey/ quiz document itself OR on the landing page for the petition/ survey/ quiz and carry out user testing to ensure individuals can access this information easily and are fully aware of who is behind the survey and for what purpose their data will be used.
  • Mobile applications — Display privacy information before the individual downloads the app via an app store or via a link to privacy information on your website. If you provide privacy information after an app is downloaded and installed, make sure that this is done before the app processes the relevant personal data.
  • Telephone canvassing, petitions and surveys (where lawful under PECR – see direct marketing methods section) — Include privacy information in scripts for those making the phone calls. Ensure individuals have heard the information and have an opportunity to hear it again, if necessary. Provide a website address or alternative contact address for individuals to access again in the future if they wish.
  • You should also provide an alternative method, where appropriate, in case individuals do not have access to the internet.

Data Collected From Third Parties

When receiving personal data from third parties (e.g. data brokers), it is not enough to get a contractual written assurance about the provenance of the data. You must conduct due diligence and have evidence of it and get the contractual assurances and get the ability to audit.

You must make rigorous checks to satisfy yourself that:

  • the third party obtained the personal data fairly and lawfully;
  • the individuals understood their details would be passed on for political campaigning purposes; and
  • you have the necessary consent (where this is required) which specifically names you and covers the method of communication that you want to use.

As part of your due diligence you could ask the third party to give you:

  • details of who compiled the data or direct marketing list – i.e. was it the third party or someone else;
  • a copy of the privacy information that was used when the details were collected;
  • details of how they collected the personal data;
  • the dates the list was compiled — i.e. how old is the data;
  • details of how the nature of the third parties who were to receive the data were explained– if they were told ‘third parties’ in general terms this is not enough for the consent to be informed;
  • records of the consent (if it is a ‘consented’ list) — i.e. what the individual consented to, what they were told, when and how they consented;
  • if it is claimed that the list has already been checked against the Telephone Preference Service (Do not call list) — evidence that this has happened and how recently.

A reputable third party should be able to demonstrate to you that they obtained and processed the data for sale or rent in compliance with data protection law. If they cannot, you should not use their services.

Profiling

You need to pay particular attention if you use psychographic analytics and psychometric profiling with regards to fairness obligations in the law. These techniques involve attempting to deduce certain personality attributes from both factual and inferred personal data about individuals.

Legal or similarly significant effect:

When carrying out profiling or microtargeting, consider the following questions to determine whether or not there is a "legal or similarly significant effect":

1. Is the profiling process particularly intrusive?

  • Would individuals likely be surprised to discover you were profiling them in this way? Is there a lack of transparency?
  • Is the personal data you are using to profile individuals particularly sensitive or special category data?

2. Is the way the advert is delivered particularly intrusive?

  • Is the frequency of messages beyond an individual’s reasonable expectations?
  • Are you delivering the messages in a way that is designed to have a strong effect on an individual, such as at a particular time of day?
  • Do the techniques you are using exploit the possibility of conveying a message, or of otherwise influencing their minds without their being aware, or fully aware, of what has occurred?

3. Is the combination of the profiling of personal data alongside the nature of the message of a particular type that is highly emotive and affects the individual?

  • Could this combination amount to seeking to influence the autonomy of an individual, rather than simply seeking to influence views or change opinions?

4. Are there any particular vulnerabilities of the individuals targeted that could be significantly affected by the message?

  • Are you using psychometrics to target people with particular characteristics in order to evoke a particularly strong reaction?

5. Is the profiling and targeting likely to cause detriment to an individual?

  • Does the decision produce a discriminatory effect?
  • Could the message be considered threatening in nature?

Could the individual in effect be disenfranchised as a result of profiling and micro-targeting?

Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance with the full range of GDPR compliance issues contact Odia at [email protected] or 215.444.7313.