iFAQs: Personal data and doorstep breaches

This week for inFrequently Asked Questions, we decided to mix up the format yet again. Instead of contacting every councillor with a question, we decided to ask each party two questions on data protection. Political parties can obtain copies of the electoral register from local authorities to use for political purposes. Each party is responsible for complying with the rules on data protection, and so in light of the recent accident by Medway Conservative Robbie Lammas, it seemed like an appropriate topic.

We sent the following questions to Medway Conservatives, Medway Labour, Medway UKIP, Medway Lib Dems, and Medway Greens. We told each party that we would publish their responses entirely unedited. All responses are published below, in the order that they were received by us.

Q1. What training and resources does your party provide to councillors, candidates, and activists regarding GDPR and the personal data of voters when canvassing?

Q2. Does your party have a clear procedure in place in the event of councillors, candidates, and activists breaching data protection rules?

The first response came from Cllr Stuart Tranter, who stated that he was only responding in a personal capacity rather than on behalf of his party:

All Medway councillors, not just Conservatives, have had the benefit of training regarding GDPR, and they also have available to them support should they have any questions or concerns. The recent by-election took place before GDPR came into force, but even so great care was taken to protect any data. All paper records were shredded.
Cllr Stuart Tranter, Conservative, Rochester West

Next up, Cllr Gary Etheridge, Chairman of Rochester and Strood Conservatives, sent us this:

I’m leaving this for the Leader to reply.
Cllr Gary Etheridge, Conservative, Strood Rural

Dear reader, the Leader did not reply.

As a political party we take the issue of individual’s personal data very serious and have done so long before the introduction of GDPR:

Locally we have processes in terms of sharing data, essentially:

1)      Only approve individuals can get access to data through our contact creator system, on a ward level this is limited to Councillors.
2)      The party has lots of training in place to provide support on GDPR and data management.
3)      If there was a breach we would refer the issue to the regional and national party as per procedures and provide additional training.
4)      We treat all personal data provided with the strictest confidence.
Cllr Vince Maple, Medway Labour Leader, Chatham Central

It all went a bit quiet after this, and we started to think the other parties would not be responding on this issue. Until, at the last minute, Cllr Freshwater sent us this response of epic proportions. He even decided to answer each question separately! Here follows his answer to Q1:

Ukip takes seriously both nationally and locally compliance with any legislation and in this respect GDPR. Knowing that there is a perception among our members that we will be specifically targeted for any innocent breach we have taken steps to inform our volunteer officers and attach an early example of our Head office letter sent out prior to implementation. UKIP keep matters under review breaches or concerns can be raised or reported to local officials, Regional or Head office a volunteer organisation as we are not infallible. 
Head Office: Dear Branch Officer, 
UKIP is working hard to ensure that we will be compliant with the new Data Protection laws (GDPR) by the deadline. 
We have contacted all current members, and former members who have an email address, requesting that they update us with their preferences and a letter will shortly be posted to those members who do not have email.

After the deadline, Branch Officers will automatically become Data Processors which simply means that your role is to ‘maintain and process membership data’.  Please take the time to read the attached document UKIP Compliance for GDPR for Data Processors  Under the new legislation, any activity outside of membership business(garden party, street stall, social function) needs to be entered onto a Communication Log and submitted to your Regional Officer (Data Controller) each month.  One Branch Officer should be nominated to coordinate this procedure;  I have attached a sheet to help you keep a record – a copy in Excel format or a PDF which you can print off and fill in.

Membership Lists – Added to your Membership Lists will be extra columns that will reflect members’ preferences and how they wish to be contacted (or not) in future.

The preferences are as follows and the columns will be populated with either a Yes or No.  ‘Yes’ gives us permission to make contact.  ‘No’ indicates either they have not yet responded or they do not wish to be contacted regarding the particular subject.

Conferences, Events and Promotions
Fundraising, Appeals, Raffles
Newsletters and Magazines
Party Updates and Policies
Cllr Roy Freshwater, Medway UKIP Leader, Peninsula
And his rather more succinct answer to Q2:
We would not anticipate any breaches but have been advised to seek UKIP HQ advice if there were any breaches of data protection rules on the appropriate
action to be taken and any appropriate notification required to be given to the relevant authority or party affected by the said breach. been advised that it is important to
record and report any potential breaches and where appropriate to notify our volunteers in the field. We are after all a Grassroots up party and GDPR responsibilities and personal data are therefore restricted. An appropriate warning would be put in place when any personal data is used when canvassing and any personal data will be returned to the responsible person.
Cllr Roy Freshwater, Medway UKIP Leader, Peninsula
Last but not least, we received this response from the Medway Lib Dems:

The national party has taken GDPR very seriously. It is a major piece of legislation and it relates to data standards regarding living people, as a political organisation the vast majority of the data we collect and process relates to living people and therefore it is vital that we are complying the regulations, not just in spirit, but embracing the principles as well.

The national party has provided several sessions relating to how campaigners should ensure we, as a party, are complying the the spirit of the legislation to ensure we are handling data in an open and transparent manner. This include fair processing notices, opt-outs and ensuring secure storage of data. These are examples, the practices and activities are not limited to just this list of examples.

Locally, our Data Officer (Terry Lucy) and I (the Chairman) have taken training sessions to ensure we, as a local active campaigning party, are complying the regulations. We believe it is important and we have changed our practices accordingly.

Regarding breaches we have a clear procedure in place that would include our national compliance department who are very much clued up on procedures and practices for dealing with breaches. Locally and nationally, we strongly believe prevention of breaches is much more important that handling breaches, however minor, and we believe we have processes in place that are compliant both in practice and spirit.

The posting of printed electoral roll material online is shocking, we didn’t need the headlines to see this was against not only the spirit of the legislation, the picture alone was enough to know that the candidate in question was not thinking about data security. It’s good see parties out engaging with the electorate, however keeping data safe is vital.

We hope this case serves to highlight the value of the legislation, the potential costs for non-compliance are very high, so we hope all parties are regarding data security and fair processing of data as an important campaigning aspect in their practices.
John Castle, Chairman, Medway Lib Dems

We received no response to these questions from Medway Greens.


Leave a Reply