August 31, 2014 · 10:03 am
Douglas Carswell MP is a data controller.
It says so on the Information Commissioner’s register:
(I hope he remembers to renew the registration when it expires next week it’s a criminal offence to process personal data as a data controller without a registration, unless you have an exemption).
But, more directly, he is a data controller because as an MP he is a person who determines the purposes for which and the manner in which the personal data of his constituents is processed. Sensible guidance for MPs is provided by Parliament itself
A Member is the data controller for all personal data that is handled by their office and they have overall responsibility for ensuring that this is done in accordance with the DPA.
I have already written recently raising some concerns about Carswell’s alleged handling of constituents’ personal data. But this week he decided to leave the Conservative Party, resign his seat, and seek re-election as a member of the UKIP party. James Forsyth, in the Daily Mail, talks about the constituency knowledge Carswell will bring to UKIP, and reports that “one senior Ukip figure purrs: ‘The quality of Douglas’s data is amazing'”.
As a data controller an MP must process constituents’ personal data in accordance with the eight data protection principles
of the Data Protection Act 1998 (DPA). Failure to do so is a contravention of the data controller’s obligation under section 4(4). Data subjects can bring legal claims for compensation for contravention of that obligation, and for serious contraventions the ICO can take enforcement action, including the serving of monetary penalty notices to a maximum of £500,000.
The second data protection principle requires that
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
A person’s political opinions are “sensitive personal data”, afforded even greater protection under the DPA. It is not difficult to understand the historical basis for this, nor, indeed, the current basis for its still being so. Data protection law is in part an expression of and development of rights which were recognised by the drafters of the Universal Declaration of Human Rights and European Convention on Human Rights. Oppression of people on the basis of their politics was and remains distressingly common.
If constituents have given Carswell their details on the basis that it would be processed as part of his constituency work as a Conservative MP
they might rightly be aggrieved if that personal data were then used by him in pursuit of his campaign as a UKIP candidate. As Paul Bernal tweeted
If I gave my data to help the Tories and found it was being used to help UKIP I’d be livid
Such use would also potentially be in breach of the first data protection principle, which requires that personal data be processed fairly and lawfully. It would not be fair to share data with a political party or for the purposes of furthering its aim in circumstances where the data subject was not aware of this, and might very reasonably object. And it would not be lawful if the data were, for instance, disclosed to UKIP in breach of confidence.
An interesting twitter discussion took place this morning
about whether this apparent use of constituents’ data might even engage the criminal law provisions of the DPA. As well as Carswell, there may be other data controllers involved: if some of the data he was in possession of was for instance, being processed by him on behalf of, say, the Conservative Party itself, then the latter would be data controller. Section 55 of the DPA creates, in terms, an offence of unlawfully disclosing personal data without the consent of the data controller. However, as was agreed on twitter, this would be a complex knot to unpick, and it is unlikely, to say the least, that either the ICO or the CPS would want to pursue the matter.
Notwithstanding this, there are serious questions to be asked about the DPA implications of any MP crossing the floor. The use of personal data is likely to be a key battleground in the forthcoming general election, and throw even sharper focus on European data protection reform. I would argue that this is a subject which the ICO needs to get a grip on, and quickly.
UPDATE: Paul Bernal has written a superb piece on the broader ethical issues engaged here.
4 responses to “Data protection implications of MPs crossing the floor”
Pingback: Data and politics… | Paul Bernal's Blog
I can’t imagine it will be hard for the Conservatives to line up a few of their local members to complain about Carswell’s apparent misuse of their data.
Parties have been doing this with data, with varying degrees of sophistication, for years. Indeed, much of the benefit for them is being able to track an individual over the years, combining canvass returns, returns of who actually voted with all their other data to identify voters who need and will respond to their efforts. If voter X always votes, and always votes Tory, then they can effectively be ignored by all the parties (including the Tories). On the other hand if voter Y votes Tory, but only occasionally makes it to the polling station, then the Tories ought to work hard to persuade her to turn out to vote.
They must have been using the same data for all of their work, not just getting Carswell elected but also local and Euro elections, PCCs and so on.
All of which suggests that the Tories’ data must pre-date 2005 when Carswell became an MP, and it’s their data and not his. So while s. 55 may well be engaged, perhaps a productive line of attack for the Tories would be that he’s in breach of their database rights.
Isn’t an issue that people gave information to an MP, irrespective of party. Carswell has ceased being an MP. He should therefore delete the information?
Pingback: You can’t take it with you | informationrightsandwrongs