Collecting personal data (2024)

At a glance

• Campaigners collect data on individuals beyond the electoral register for various reasons. Demonstrating compliance with the principles, rights and obligations of UK GDPR is essential.
• You need to give individuals clear, accessible and intelligible privacy information regardless of whether the information is derived directly or from a third party, such as a data broker. The best way to do this depends on the method of collection.
• Individuals should not be surprised to learn that you are using their personal data for particular campaigning purposes.

In more detail

• Introduction
• What is the right to be informed?
• What are the requirements when we collect personal data directly from individuals?
• Can we collect voter registration applications?
• What are the requirements when we collect personal data not directly from the individual?
• Can we use data collected from third parties such as data brokers or other companies providing marketing data services?
• Can we collect personal data from publicly available sources including social media?
• Can we collect data from our own social media pages?

Introduction

There are many reasons why you may wish to collect personal data in addition to the data contained in the electoral register. Campaigners often seek to use the register as a ‘spine’ on which to add more granular and detailed information, including to:

• inform wider campaigns through market research;
• understand more about individual voters to enable better targeting of political messages;
• identify individuals to persuade to vote;
• contact individuals; and
• sign up potential members, supporters, donors or volunteers.

Whatever the reason, whenever you process personal data (including when you collect it), you must do so in accordance with all the data protection principles and individuals’ rights.

What is the right to be informed?

When collecting personal data, the right to be informed is of particular importance. This right covers some of the key transparency requirements of the UK GDPR.

The UK GDPR contains specific provisions about the information that you must give to individuals when you process their personal data. These are set out at Article 13 and Article 14. This information includes, but is not limited to, the:

• controller’s details;
• purpose(s) of the processing;
• lawful basis being relied upon;
• retention periods of the data;
• rights available to the individuals; and
• details of the existence of automated decision-making, including profiling.

We call this “privacy information”.

You must ensure individuals are provided with privacy information regardless of whether you collect the personal data directly from individuals or from a third party. Privacy information must always be:

• concise;
• transparent;
• intelligible;
• easily accessible; and
• use clear and plain language.

However there are different considerations depending on how you obtain it.

Not only is the right to be informed of key importance for compliance with UK GDPR, it also helps individuals fully understand what it is you are doing with their data and for what purpose. This helps individuals to have trust and confidence in you and your political campaigning activities. Providing comprehensive and easy to understand privacy information can also help to reduce any complexity in responding to subject access requests. The more transparent you are with your practices, the easier it is to respond to requests.

What are the requirements when we collect personal data directly from individuals?

Article 13 of UK GDPR lays out the “right to be informed” requirements when you collect personal data directly from the individual it relates to. In these circ*mstances you must provide them with privacy information at the time you obtain their data. There are some exemptions to this, but in the majority of cases these don’t apply to processing for the purposes of political campaigning.

You can meet this requirement by putting the information in a prominent position on your website or other digital services such as apps, but you must make individuals aware of it and give them an easy way to access it. You should also provide an alternative method, where appropriate, in case individuals do not have access to the internet.

For political campaigning purposes the best way to do this depends on the method of collection. Some collection methods and suggested ways to provide privacy information are below.

In addition, you should ensure that you consider language alternatives and accessibility options in providing privacy information. You should make alternatives available on request.

You should carefully consider the necessity for collecting any personal data for individuals under the age of 18. You must provide age appropriate privacy information, if you do decide it is necessary (eg for membership purposes or where under 18 year olds are eligible to vote in an election or referendum). See our Age Appropriate Design Code for further information.

You do not need to put all your privacy information in a single block of text. In fact, displaying privacy information in this way may be disadvantageous in many cases, such as collecting data through applications. You should consider the easiest way for individuals to read and understand this information depending on your method of collection. Other ways to display privacy information include:

• A layered approach – short notices containing key privacy information that have additional layers of more detailed information.
• Dashboards – preference management tools that inform people how you use their data and allow them to manage what happens with it.
• Just-in-time notices – relevant and focused privacy information delivered at the time you collect individual pieces of information about people.
• Icons – small, meaningful, symbols that indicate the existence of a particular type of data processing.
• Mobile and smart device functionalities – including pop-ups, voice alerts and mobile device gestures.

You need to have appropriate policies and procedures, and provide appropriate training and guidance for staff and volunteers, to ensure they include appropriate privacy information on relevant documents or when collecting data on the doorstep or by phone.

Can we collect Voter Registration Applications?

Political parties, candidates and others play an important role in promoting democratic engagement by encouraging individuals to register to vote. This means that you may handle registration and absent voting applications.

If you do handle these applications, then you should do so with great care and forward them to the appropriate Electoral Registration Officer at the earliest opportunity.

You must also be clear in your privacy information about the purposes for which you are collecting these forms and the lawful bases you are relying upon. In particular, you must be clear about what personal data you are collecting for your own political campaigning purposes and what personal data you are collecting for the purposes of voter registration. In other words, there should be no deception - individuals should not be surprised to learn that you have used their data for campaigning purposes.

What are the requirements when we collect personal data not directly from the individual?

Article 14 of UK GDPR lays out the “right to be informed” requirements when you obtain personal data from a source other than the individual it relates to, such as a data broker. In these circ*mstances you need to provide the individual with privacy information, including:

• the source of the data and details of the categories of the data; and
• within a reasonable period of obtaining the personal data and no later than one month.

Also:

• if you use the data to communicate with the individual, at the latest, when the first communication takes place; or
• if you envisage disclosure to someone else, at the latest, when you disclose the data.

Article 14(5) of UK GDPR provides a number of exceptions to providing privacy information to individuals where you have collected personal data from a third party. The majority of these are unlikely to be relevant in the political campaigning context. However two of these may be relevant, depending on the particular circ*mstances:

• the individual already has the information; or
• providing the information to the individual would involve a disproportionate effort.

If you are considering relying on the individual already having the information, you must be able to demonstrate and verify what information the individual has already been provided with. It is not sufficient to simply rely on assurances from the third party. You should do your own due diligence and request evidence, if appropriate. You must ensure that they have been provided with all of the information that is listed in Article 14 – if you are unsure what they have been given or if anything is missing you must provide this to the individual.

If you want to rely on the disproportionate effort exception not to tell people about your processing, you must assess this fully on a case by case basis. The ICO recognises that the unique circ*mstances of political campaigning may sometimes present situations where disproportionate effort may apply, particularly with regards to electoral register data. However, you must fully assess and document whether there’s a proportionate balance between the effort involved for you to give privacy information and the effect of the processing on the individual. If the processing has a minor effect on the individual then your assessment might find that it is not proportionate to put large resources into informing individuals. However, the more significant the effect on the individual, the less likely it is that you can rely on this exception.

It is difficult to argue disproportionate effort if you are contacting the individual as part of your processing. This includes all direct marketing by any means, including the freepost electoral address. Unless you are certain the individual has already been provided with privacy information, you should provide it as part of your communication.

If you determine that providing privacy information to individuals does involve a disproportionate effort, you must still publish the privacy information, for example on your website. You must also carry out a DPIA as the processing is considered to be “invisible processing”. See the section on DPIAs for further information.

Can we use data collected from third parties such as data brokers or other companies providing marketing data services?

Many organisations including political parties buy or rent data from data brokers or other companies to use for direct marketing purposes. In political campaigning these can be split into three broad categories:

• buying or renting a list of contact details;
• buying additional factual personal data to undertake analysis in-house and draw out inferences, such as dates of birth, number of children or car ownership; or
• buying inferred data directly from the individual or from other sources, to append to names and addresses obtained from the electoral register, such as likely interests and characteristics.

Contact details

Buying or renting additional contact details in most instances is likely to be unfair without the consent of the individual. For example, buying phone numbers or email addresses to add to the address details that you already hold. This is likely be true no matter how clearly you explain in your privacy information that you might seek out further contact details from third parties. This is because individuals don’t reasonably expect you to contact them using details they never gave you or they were never required to give in their electoral registrations. In many cases, if you contact them, this is also likely to be a breach of PECR.

If an individual has consented via a third party for you to have their contact details to use for political campaigning or direct marketing then you can match this to what you already hold about them. However, it is important to be clear that the consent must have named you specifically. It is not sufficient if it referred to you in a general sense, eg ‘selected third parties’, ‘trusted partners’ or ‘for political campaigning purposes’.

Factual personal data

If you buy or rent factual personal data from a data broker or other third party, then you must ensure that the individual has been provided with appropriate privacy information and the type of information is in their reasonable expectations for you to process.

You must comply with the right to be informed and provide people with your own privacy information, detailing anything that they have not already been told. This includes informing them of any change of lawful basis (ie if processing under public task - democratic engagement or otherwise, if different from the lawful basis under which the data was originally obtained).

Inferred data

Whether inferred data is personal data or not depends on whether the individual is identified or identifiable, directly or indirectly, from that data or any other information you hold or are likely to hold. If a data broker or other third party provides you with purely anonymous data, and you don’t process this further in any way that could identify individuals, then this is not personal data. For example, you receive anonymous data that people living in Wilmslow are more likely to read a particular newspaper and you don’t append it to names and addresses.

However, if you receive inferred data against names or addresses or you append it to names and addresses or other identifiable information then this is personal data. You should treat this data in the same way as you treat factual personal data.

Due diligence

It is important to remember that you are responsible for ensuring compliance with the UK GDPR and PECR. Simply accepting a data broker or other third party’s assurances is not enough. You must be able to demonstrate your compliance and be accountable.

You must make rigorous checks to satisfy yourself that:

• the third party obtained the personal data fairly and lawfully;
• the individuals understood their details would be passed on for political campaigning purposes; and
• you have the necessary consent (where this is required) which specifically names you and covers the method of communication that you want to use.

As part of your due diligence you could ask the third party to give you:

• details of who compiled the data or direct marketing list (ie was it the third party or someone else);
• a copy of the privacy information that was used when the details were collected;
• details of how they collected the personal data;
• the dates the list was compiled (ie how old is the data);
• details of how the nature of the third parties who were to receive the data were explained – if they were told ‘third parties’ in general terms this is not enough for the consent to be informed;
• records of the consent (if it is a “consented” list) (ie what the individual consented to, what they were told, when and how they consented);
• if it is claimed that the list has already been checked against the Telephone Preference Service - evidence that this has happened and how recently.

A reputable third party should be able to demonstrate to you that the way they obtained and processed the data for sale or rent complied with data protection law. If they cannot do this, or if you are not satisfied with their explanations, you should not use the data.

As well as relevant data sharing agreements, you may wish to have a written contract confirming the reliability of the data, as well as making your own checks. The contract should give you reasonable control and audit powers. However, it is important to remember that you are still responsible for compliance and such a contract does not remove this responsibility from you.

Once you have obtained the list, you must be prepared to deal with any inaccuracies or complaints arising from its use. If you receive complaints from individuals whose details came from a particular source, this suggests that the source is unreliable and you should not use it.

For more information on using data brokers or other third parties see our guidance on using the marketing services of data brokers.

Can we collect personal data from publicly available sources including social media?

The UK GDPR does not stop you from obtaining and using personal data from publicly available sources for political campaigning. However, you should not assume that data protection law doesn’t apply because the data is publicly available. If you process this data, you become the controller for it, and you must ensure that you comply with the UK GDPR and PECR.

For example, the transparency requirements of the UK GDPR apply. This means you must comply with the right to be informed and ensure that you provide people with privacy information (unless you are relying on an exception).

You also cannot assume that simply because an individual has put their personal data into the public domain, they are agreeing to it being used for political campaigning purposes.

For example, individuals may want as many people as possible to read their social media post, but that does not mean they are agreeing to have that data collected and analysed to profile them to target with political campaigns. Likewise, just because an individual’s social media page has not been made private does not mean that you are free to use their data for political campaigning purposes.

You should carefully consider the use of online campaigning platforms that contain a match function capable of matching data from your databases with social media data from public profiles or other publicly available online sources. These platforms usually act as a processor and could prove a significant risk if you contract them. Of particular concern is if there is no option within the platform to turn off the matching functionality or if it matches individuals on an automatic or blanket basis.

Collecting personal data from online sources on a blanket basis, including social media platforms, is likely to be unfair, as well as lacking transparency and being in breach of the data minimisation principle. If you decide to use these platforms, you must carry out a DPIA to help identify and mitigate against the risks.

Can we collect personal data from our own social media pages?

Many political parties, campaigners and candidates have dedicated pages on social media which individuals can ‘like’ or ‘follow’. These are considered a useful way to engage with members, supporters or potential supporters. Depending on the platform and terms of service, you may have the ability to collect personal data from the individuals’ personal social media profiles. In addition, the social media company is likely to place cookies or similar technologies on the individuals’ devices. If you have a dedicated page on social media, it is important to be aware that you are likely to be a joint controller with the social media company. This is because you both have a role in deciding the manner and the purpose for processing the data.

You both have joint responsibility for complying with data protection laws. In particular, this means that you need to ensure you provide appropriate privacy information for individuals on your page that clearly explains how, by whom, and for what purpose their data is being processed. You must also ensure that you and the social media company are both aware of your obligations. There is further advice on managing the joint controller relationship with social media services later in this guidance.