Two days ago I wrote about a page on the Labour Party website which was getting considerable social media coverage. It encourages people to submit their date of birth to find out, approximately, of all the births under the NHS, what number they were.
I was concerned that it was grabbing email address without an opt-out option. Since then, I’ve been making a nuisance of myself asking, via twitter, various Labour politicians and activists for their comments. I know I’m an unimportant blogger, and it was the weekend, but only one chose to reply: councillor for Lewisham Mike Harris, who, as campaign director for DontSpyOnUs, I would expect to be concerned, and, indeed, to his credit, he said “You make a fair point, there should be the ability to opt out”. Mike suggested I email Labour’s compliance team.
In the interim I’d noticed that elsewhere on the Labour website there were other examples of emails being grabbed in circumstances where people would not be sure about the collection. For instance: this “calculator” which purports to calculate how much less people would pay under Labour for energy bills, which gives no privacy notice whatsoever. Or even this, on the home page, which similarly gives no information about what will happen with your data
Now, some might say that, if you’re giving your details to “get involved”, then you are consenting to further contact. This is probably true, but it doesn’t mean the practice is properly compliant with data collection laws. And this is not unimportant; as well as potentially contributing to the global spam problem, poor privacy notices/lack of opt-out facilities at the point of collection of email address contribute to the unnecessary amassing of private information, and when it is done by a political party, this can even be dangerous. It should not need pointing out that, historically, and elsewhere in the world, political party lists have often been used by opposition parties and repressive governments to target and oppress activists. Indeed, the presence of one’s email on a party marketing database might well constitute sensitive personal data – as it can be construed as information on one’s political opinions (per section 2 of the Data Protection Act 1998).
So, these are not unimportant issues, and I decided to follow Mike Harris’s suggestion to email Labour’s compliance unit. However, the contact details I found on the overarching privacy policy merely gave a postal address. I did notice though that that page said
If you have any questions about our privacy policy, the information we have collected from you online, the practices of this site or your interaction with this website, please contact us by clicking here
But if I follow the “clicking here” link, it takes me to – wait for it – a contact form which gives no information whatsoever about what will happen if I submit it, other than the rather stalinesque
The Labour Party may contact you using the information you supply
And returning to the overarching privacy policy didn’t assist here – none of the categories on that page fitted the circumstances of someone contacting the party to make a general enquiry.
I see that the mainstream media have been covering the NHS birth page which originally prompted me to look at this issue. Some, like the Metro, and unsurprisingly, the Mirror, are wholly uncritical. The Independent does note that it is a clever way of harvesting emails, but fails to note the questionable legality of the practice. Given that this means that more and more email addresses will be hoovered up, without people fully understanding why, and what will happen with them, I really think that senior party figures, and the Information Commissioner, should start looking at Labour’s online privacy activities.
(By the way, if anyone thinks this is a politically-motivated post by me, I would point out that, until 2010, when I voted tactically (never again), I had only ever voted for one party in my whole life, and that wasn’t the Conservatives or the Lib Dems.)
informationrightsandwrongs 
The other significant issue here of course is that if leading political organisations do not exhibit best – or even good practice, others will think that they don’t need to either.
I notice that the information they provide about cookies is about as minimalist as you can get – with nothing about opting out there also – which I would suggest puts them in breach of PECR.
I also note that they are relying on Safe Harbour to transfer data to the USA – which I find distinctly concerning for a political party.
Yes – spot on!
I’ve had my own issues too. See http://patrick.seurre.com/?p=274.
Note the absolute refusal of the ICO to respond to queries involving the suitability of exporting data to the US.
Very disappointing situation!
We also have Labour MP’s such as Debbie Abrahams (Oldham East and Saddleworth) who hosts her website with “contact me” form on servers in Singapore
(103.26.43.131 – Signetique IT Pte Ltd Singapore)
and Ian Austen (Dudley North) who hosts his in Costa Rica.
190.93.246.205 – CloudFlare Latin America S.R.L Costa Rica.
Safe Harbor?
Pingback: Political attitudes to ePrivacy – this goes deep | informationrightsandwrongs