Fear and Loathing: GDPR on the Campaign Trail

It was inevitable that someone in Medway politics would screw up in this brave new GDPR world.

Politicians sharing reports and images from the campaign trail is standard practice at this point. Barely a weekend can go by without local activists telling us about the ‘fantastic response on the doorstep’ that they achieved. So it would have been easy to glance at the image below, shared by Medway Conservative candidate for Luton and Wayfield Robbie Lammas, and not think much of it.

Unless you care about data protection, anyway.

Zooming in on the original image, we were easily able to identify names, addresses, electoral roll numbers, and postal vote statuses for at least five voters in Lammas’ photo.

To be clear, we have used a smaller version here where it is impossible to extract much data, but the original image made this data incredibly easy to read.

The way that political parties are granted access to full electoral register data already raises issues about data protection, particularly in this post-GDPR environment. The right to have personal data protected is ever stronger, with substantial potential penalties now in place for companies and organisations that breach the rules.

Recent events have demonstrated that political parties may not be living up to the rules of GDPR, such as the recent security flaw in the Conservative Party conference app.

When this clear breach of data protection rules was highlighted to Lammas, he did immediately delete the tweet and replace it with another, which was obviously the right thing to do. However, no apology was offered for the error, Lammas seemed to believe that deleting the tweet alone resolved the issue, and we were labelled ‘nasty and viscous’ (sic) for having the temerity to highlight his reckless mistake.

As per the Information Commissioner’s rules, all personal data breaches need to be reported to the ICO within 72 hours.
As of writing, that deadline is a little over 12 hours away, and we have not received any confirmation from either Lammas or the relevant Conservative association that this action has been or will be taken.
This does not give the impression that either Lammas, as a candidate, or local Conservatives take this matter particularly seriously.

Will Lammas or the Conservatives report this data breach as per their legal requirement? Should parties have access to this level of personal data, if candidates and activists are so blasé about how they protect it? What sanctions should Lammas face for his actions? As usual, let us know in the comments or on social media.

2 Replies to “Fear and Loathing: GDPR on the Campaign Trail”

  1. No, you are disclosing just as much information. All you have to do is get an electoral register and match it up. If you don’t think canvass sheet photos should be published then don’t publish them.
