The Conservative Party website is hosting a survey, but I question whether it complies with data protection and associated laws.
The first principle of the Data Protection Act 1998 (DPA) requires that any processing of personal data be fair (and lawful). If an organisation is collecting data from individuals, then the person from whom the data are obtained must be told the identity of the data controller, and the purpose or purposes for which the data are intended to be processed. These legal provisions (Schedule 1, DPA) are the source of the privacy notices (sometimes called “fair processing notices”) with which we are all familiar when we, for instance, make purchases, or submit forms, or, indeed, complete online surveys. As the Information Commissioner himself says, in the introduction to the ICO Privacy Notices Code of Practice:
As a minimum, a privacy notice should tell people who you are, what you are going to do with their information and who it will be shared with
The Code goes on to stress that:
the requirement…is strongest…where the information is sensitive
One of the things that makes personal data “sensitive” is if it consists of information as to a person’s political opinions (section 2(b), DPA) – the reasons for this barely need spelling out, but I would just note that history tells us much about the potential for abuse of information about the political affiliations or inclinations of individuals.
With all this in mind it is concerning to note that the website of the Conservative Party invites people to complete and submit an online survey, which includes, among other things, questions about the political opinions of those completing it, but whose privacy notice consists merely of:
By entering your email address you agree to receive communications from us, from which you can opt-out using the “unsubscribe” link in each email we send. We will not share your details with anyone outside the Conservative Party
in addition to your answers, we collect your Internet Protocol (IP) address…[to] help validate the results and help prevent multiple entries from individuals
transparent about your use of the individual’s information
Sugging (selling under the guise of market research) …[occurs] when organisations building databases, or generating sales leads, claim to be conducting market research
One does wonder if that is what is going on here, but in the absence of an adequate privacy notice, it is not possible to tell.
Anyway, it seems the ICO is investigating, so watch this space.