The Telegraph recently highlighted a rather bizarre incident involving the sending of a letter by the secretary of UKIP’s Dartford branch. The letter purports to be from a Simon Blanchard in his capacity as, or as a representative of UKIP Dartford. It appears that Mr Blanchard had taken offence at what he said was a verbal insult directed at him by the recipient of the letter, a Mr Kemp, and chose to write expressing his annoyance both at this, and also expressing his rather extraordinary interpretation of the effect of European Union laws on the UK. But Mr Blanchard did something else – he sent copies of the letter to Mr Kemp’s neighbours. In doing so it is questionable whether Mr Blanchard, and UKIP Dartford, have complied with their obligations under the Data Protection Act 1998 (DPA).
I am presuming that UKIP Dartford is the local constituency association for UKIP. As such, to the extent that it processes personal data of people of identifiable individuals, and determines the purposes for which and the manner in which the processing occurs, it is a data controller. Constituency associations of political parties are distinct from their national parties (they are often at odds with their national parties) and many Labour and Conservative constituency associations recognise this, by registering their processing with the Information Commissioner’s Office (ICO). Indeed, as data controllers not otherwise exempt, they have a legal obligation (section 18 of the Data Protection Act 1998 (DPA)) to do so, and failing to do so, in circumstances where they are processing personal data and cannot avail themselves of an exemption, is a criminal offence (section 21 DPA). I note that UKIP Dartford don’t have an entry on the ICO’s online register – this (and the broader issue of constituency association registration) might be something the ICO should consider investigating.
Furthermore, if it is a data controller, UKIP Dartford will have a statutory obligation (section 4(4) DPA) to comply with the data protection principles. The first of these is that personal data should be processed “fairly and lawfully”. It is not immediately obvious how Blanchard came to have Mr Kemp’s name and address, but, assuming they were gathered lawfully, the sending of the letter itself may well have been fair and lawful. But where problems would be more likely to emerge, I would suggest, would be in the sending by Blanchard of copies of the letter – containing as it did Mr Kemp’s personal data – to neighbours. “Fairness” in the DPA depends a lot on data subjects’ expectations, and it is hard to believe that the recipient of such a letter would have expected it to be circulated among his neighbours.
It is possible that Mr Blanchard came about the name and address details under regulation 105 of the Representation of the People (England and Wales) Regulations 2001 (as amended), whereby local constituency parties may apply for a copy of the full electoral register. It is important to note, however that, by regulation 105(4), the register can only be used for “electoral purposes or the purposes of electoral registration”. Although one can see that “electoral purposes” might be construed broadly, it is difficult to construct an argument that the sending of the copy-letters, containing the original recipient’s personal data, could possibly have been for electoral purposes. For these reasons, a contravention of the second DPA principle would appear to be likely. That principle restricts further processing of personal data in a manner incompatible with the original purposes.
It may be that there is more to this story than is immediately apparent. Perhaps Mr Blanchard and UKIP Dartford acquired Mr Kemp’s data in a different manner. Perhaps they thought they had consent to send it his neighbours (although given that Mr Kemp’s wife complained – and received the peremptory response “There was no error made on the envelope and hope your neighbours had a good read as well” – this seems unlikely). If more details emerge I will update this post, but in the interim, I can say that the story certainly raises questions about DPA compliance.
The forthcoming general election is likely to see battles fought in many fields (I’ve already drawn attention to the possibility that the legal boundaries of electronic marketing may get pushed to the point of breach on these battlegrounds). One hopes that the ICO will be robust enough to deal with the data protection issues which will emerge, which might include excessive or disproportionate use of people’s personal electoral data.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.