What with the never-ending Brexit saga and the continuing toxic political stalemate, it may not be popular to delve into any topic with political associations. Nevertheless, this is the intention, and it is one that is primarily inspired by the upcoming European and Irish local elections. Both sets of elections have a novel element, to the extent that they will be the first Euro and local elections to take place since the introduction of the GDPR and The Data Protection Act 2018.
Key actors on this changed set include a number that may play the role of the data controller. In previous blogs and on our website, we have seen how the notion of accountability of controllers and joint controllers is a central feature of the GDPR. Individual election candidates, political parties, data analytics companies and public authorities responsible for the electoral process can all act as controllers. It is not within the scope of this blog to discuss all facets, and so the less ambitious plan is to look at election candidates in the light of canvassing related activities. Data protection issues arise whenever personal data is being collected, and at election times it is collected in different forms. Canvassing door to door, direct mail marketing, and electronic direct marketing may raise concerns. More data protection issues surface in relation to requests for representation. Inevitably, organisations that receive these requests must also come under the same scrutiny.
The focus of this article lies within the confined context of elections and electoral activities, and the application of Union and National law within this defined landscape. Micro-targeting of voters by unlawful processing of personal data is still fresh in peoples’ minds following on from Cambridge Analytica and other similar disclosures. A starting point is to acknowledge, as stated by the UK’s Information Commission Office (ICO), that, “engaging voters is important in a healthy democracy, and in order to do that, political parties, referendum campaigners and candidates will campaign using a variety of communication methods. However, they must comply with the law when doing so; this includes the handling of the personal data that they collect and hold”. (ICO, Guidance on Political Campaigning; more details here). This is especially true since the inception of the GDPR, The Data Protection Act 2018 and the E-Privacy Regulation.
The Very Basic Ground Rules.
Individuals now have enhanced rights, and these are strengthened and particularly relevant in the electoral context. These rights place onerous responsibilities on candidates seeking office. Primary responsibilities fall on the candidates and affiliated parties where that is the relationship. Public authorities also have responsibilities under the GDPR and the various Electoral Acts. Whoever is processing the personal data, previously viewed as purely mundane, such as names and addresses, must now pay more attention. Simple names and addresses represent ‘personal data’ under the GDPR. Processing of such data must now be done lawfully, fairly and in a transparent manner, and for a defined specified purpose. Another limitation (purpose limitation) means the personal data are now less likely to be strategically stored with ulterior motives in mind. Data cannot be further processed in a manner incompatible with the purposes for which the data were initially collected. (Note: a few strict exceptions to this rule). There must be some lawful basis for personal data processing. All data protection principles must be followed without any ‘cherry-picking’.
Most of us are well used to the barrage of literature that ends up on our hall floors in the run-up to elections. S.39 DPA 2018 specifically allows for the use of personal data for the purpose of communication in writing (including newsletter or circular) with the data subject. It is qualified and is limited to ‘specified persons’, namely: a political party; a member of either house of the Oireachtas, the European Parliament or a local authority; or a candidate for election to the office of The President of Ireland or for membership of any of the above mentioned. Here the DPA 2018 provides a lawful basis for processing. There is a useful guidance booklet available at the DPC website. Section 59 DPA 2018 expressly modifies Art. 21 GDPR, so that there is no right to object to electoral direct marketing by post. When communicating by text, e-mail, phone or fax a candidate must have prior consent from the constituent. If contact is then lawfully made, it must be clear about its origin, and it must incorporate an easy opt- out.
Frantic times precede elections and normal rules should apply, but it is probably unrealistic for the office of the DPC to expect candidates to include the amount of information described within this pamphlet with their canvassing materials. What is more unrealistic is to expect the same information to be given by a candidate when going door to door. Time constraints make this impractical. It will be interesting to hear from candidates after the elections about how the new regulations and the DPA 2018 affected their campaigns. Just as interesting will be any feedback from constituents concerning the information they were given regarding data protection rights from candidates. Under Art.9 GDPR there is a general prohibition on the processing of special categories of personal data but there are exceptions to the rule. Section 48 DPA 2018 expressly permits one of these special categories of personal data (revealing political opinions) to be processed. Provided safeguards are taken to protect the data subject’s fundamental rights and freedoms, such data can be processed in the course of electoral activities by a political party, a candidate for election to, or a holder of, elective political office in the State. (Note: applies to Referendum Commission also). The specific purpose is the compiling of data on people’s political opinions. Section 48 DPA 2018 provides a lawful basis.
Requests for Representation
In the course of canvassing at election time, candidates receive numerous requests for representation regarding access to services or the provision of services. Whilst such requests are genuine, they represent a higher level test of a candidate’s knowledge or ability, as perceived by the voter, in the run-up to the election. If a voter gets a favourable and swift response from the candidate the chances are he/she will also get a vote. It is only proper that no short cuts are taken to get this information quickly before Election Day. When we speak of ‘candidates’, it is important to distinguish between candidates who are current officeholders seeking re-election, and those running for election who do not currently hold any office. All elected representatives should be aware of, or quickly become familiar with S. 40 Data Protection Act (DPA) 2018. In fact, they should be more conscious of, and extra vigilant in their responsibilities because the number of requests will increase exponentially at election times. Being knowledgeable on S.40 potentially benefits the representative’s reputation. Passing on the relevant specifics of that knowledge to the constituent will deliver benefits to both parties. After the introduction of the GDPR, the office of the DPC issued interpretive guidelines on S. 40 DPA 2018. Data protection consultants GDPRXpert have the document available here. We will now look at some of the main points from the guidelines.
Some Guidelines on Requests for Representation.
Sections 40(1) and (2) DPA 2018 gives the legislative basis to elected representatives for the processing of personal data of constituents. This includes the special categories of personal data from Art. 6 GDPR. Processing is allowed where the elected representative either receives a request for representation directly from the data subject or where the elected representative receives a request for representation from another person on behalf of the data subject. In all cases, the elected representative must be able to demonstrate that they are compliant with the principles of data protection. At a minimum, representatives are obligated to meet their transparency responsibilities set out in the GDPR (especially Arts. 12, 13 &14). An elected representative has an obligation to be certain at all times they are acting upon a request from the voter.
There will be many situations where “the permission can be implied from the relevant action or request. For example, the raising of the matter by an individual will create an expectation that their personal data will be further processed by the elected representative and other relevant organisations”. (DPC Guidelines 2018 p.4) A normal expectation is that personal data will be processed. As part of the representative‘s request for information, the local council, for example, will disclose personal details necessary to satisfy the request. However, best practice is to be sure that the constituent is aware of the likely processing, and we recommend a signed consent form. In many instances, a formal, signed consent form may not be practical. Contemporaneous detailed notes should be taken by the representative, and the DPC suggests this as a good record to demonstrate compliance with S.40DPA 2018.
If any unexpected processing becomes necessary it is advisable to revert to the constituent. An elected representative must be careful not to go beyond the specified purposes for which the consent was given. One recommendation from the DPC is that elected representatives should use Privacy Notices when they collect personal details from people and have a Privacy Notice on their website. All notices should meet the transparency requirements and “satisfactorily address the requirements set out in Articles 12, 13, 14 &30 (where relevant) of the GDPR and also should be clear, accessible and informative to help people understand what will be done with their personal information”. (Office of the DPC, 2018) Simple, best advice: be straight with people on all aspects. Following data protection principles will operate to safeguard both the constituent and the elected representative.
Requests From Someone on Behalf of Someone Else
In this scenario, all parties should be extra cautious. Here a request is being made by one person on behalf of another. Common situations include son/daughter on behalf of one or both parents; some family member on behalf of another family member; relative on behalf of another relative; neighbour/friend on behalf of another neighbour/friend, etc. It is no longer sufficient to take the word of one party and accept the bona fides. Therefore, the elected representative will have to ensure that the individual making the request has the authority from the person whose personal data will be processed on foot of the request. This is a potential minefield and the onus lies on the representative to “demonstrate the data subject has consented to the processing of his or her personal data” (Art.7 (1) GDPR).
Trust is no longer a reliable basis on which to proceed with such a request. Other aspects that merit detailed attention include the competency of the data subject and the legal standing of the person making the request. For example, is there an enduring power of attorney to manage the affairs of the data subject? Any prudent representative should strive to have a signed consent form provided. Failing that, it will be a decision for the representative whether or not to make a representation. Where the representative has not been able to fully ascertain the wishes of the individual prior to processing of personal data, he or she should have set out and recorded the specific steps taken to ascertain those wishes. Such records will stand as evidence of reasonable efforts having been made. This will be crucial at the time the representation is made to the appropriate organisation.
Disclosure by an Organisation following a Request under S.40 DPA 2018.
As noted earlier, there is an exponential increase in the number of requests for representation approaching election time. Section 40 (4) DPA 2018 gives an organisation the legal basis to respond to and process the personal data on foot of a representation from the elected representative. In doing so the organisation must demonstrate compliance with all the data protection principles under Art. 5 GDPR. A precondition is that the disclosure is necessary and proportionate to enable the representative to deal with the request, and safeguards referred to in S. 36 DPA 2018 are taken. Special categories of personal data are allowed to be processed by the organisation under S. 40(4). Where the organisation receives a written representation on foot of S.40 the organisation can assume the constituent has given permission. In other words, it can accept the bona fides of the representative while at the same time satisfying itself it is reasonable to assume the individual would have no objection to the release of the personal data.
With verbal representations from an elected representative to an organisation, it is advisable that a staff member of the organisation logs appropriate details. Where the elected representative is present when the representation is made it is good practice to have a short form confirming the details signed by him /her. Best practice is for the organisation to have policies and privacy notices in place that outlines how the organisation deals with requests. Ultimately, the organisation decides whether to accede to requests made. In particular, the organisation must ensure they meet responsibilities under Art. 12, 13, 14 and 30 GDPR. Any disclosure must be only what is necessary and proportionate in its impact on the fundamental rights of the individual. An organisation must consider the potential impact and negative implications of any representation and take safeguards to mitigate any risks.
Mitigating risk must reach a higher level of security in the context of special categories of personal data. These are by their nature sensitive. Extra safeguards are advisable where the representation has been made on behalf of the data subject by another individual due to incapacity or age. Where the personal data falls under the special category class, any safeguards must be strengthened. It must always be borne in mind that reliance on S.40 (4) DPA 2018 as a legal basis to disclose data on foot of a representation is dependent on certain conditions being met in advance: any processing must be necessary and proportionate and suitable measures must be taken to protect the individual’s rights and freedoms. If an organisation acting on foot of a representation has any concern about the level of awareness on the part of the representative or individual, in relation to the sensitive nature of the personal data, it would be prudent to refer back to both. It is only proper that the individual is fully aware of the implications that will follow the processing of their personal data as a consequence of the request. Both the nature and purpose of the request will influence actions taken. For example, some requests may be time-sensitive and getting explicit consent may not be practical. The DPC advises a common-sense approach be taken.
Personal Data of Third Parties
As a general rule, it is not permissible to process the personal data of third parties under S. 40 DPA 2018. This is allowed under very limited circumstances. If a third party has not been involved in a request for representation processing of personal data of that third party will not be permissible unless one of the following apply: the third party cannot give explicit consent; the processing is necessary in somebody else’s interest and explicit consent has been “ unreasonably withheld” by the third party; the balance favours the disclosure in the public interest; the elected representative “cannot reasonably be expected to obtain” the third party’s explicit consent; seeking the third party’s explicit consent would “prejudice the action taken by the elected representative.
Other Considerations Re Special Category Data
Earlier we noted how S. 48 DPA 2018 allowed for one category (personal data revealing political opinions ) within the ‘special categories’ grouping. However, S. 40 (1) DPA 2018 allows the general processing of personal data within these special categories. The elected representative in processing such categories must “impose limitations on access to that data to prevent unauthorised consultation, alteration, disclosure or erasure of that data” (S.40 (3) DPA 2018). In conjunction with these limitations, suitable and specific measures that take on board the provisions of the Data Protection Health Regulations ( S.I No.82/1989 and S.I. No. 83/1989) should be considered, as these remain in force under S. 58 DPA 2018. Both equally apply to the elected representative and the organisation receiving the representation. These regulations provide that health data relating to an individual should not be made available to an individual, in response to an access request, if that would be likely to cause serious harm to the physical or mental health of the individual.
If a person is not a health care professional, he or she should not disclose health data to an individual without first consulting that individual’s own doctor, or some other suitably qualified healthcare professional. Where it has been deemed appropriate to disclose such information to an elected representative it should include a warning in regard to the sensitive nature of the data. The elected representative will need to apply safeguards outlined in S. 40 (3) DPA 2018. Finally, in relation to processing of personal data that involves criminal convictions or offences (Art. 10 data), any disclosure on foot of a representation will necessitate an assurance from the representative that explicit consent has been obtained for the request.
Much of the foregoing is evidence of the complicated nature of data protection in the context of electoral activities. A high level of awareness is expected from elected representatives and from organisations that receive representations from them. Once the relevant information is provided by the elected representative a decision should be common sense based. The Office of the DPC believes any refusal by the organisation should be easily explained by reference to S.40 DPA, without citing data protection requirements as a general ground for refusal. Where the organisation has followed S.40 (4) DPA 2018, the GDPR, data protection principles and implemented suitable and specific safeguards it should be confident it has acted in compliance with DPA 2018.
Patrick Rowland, GDPRXpert.ie
Data Protection Consultants GDPRXpert.ie, with bases in Carlow/Kilkenny and Mayo, offer their expert service nationwide.
Visit www.gdprxpert.ie to learn more.