Parties, party leaders and data protection registration

UPDATE 24.03.15 The ICO has confirmed to me that none of George Galloway, the Respect Party and Nigel Farage has an entry on the statutory register of data controllers (section 19 of the Data Protection Act 1998 refers). Might they, therefore, be committing a criminal offence? Natalie Bennett, not being an elected representative, does not necessarily need to register. END UPDATE

George Galloway, the Respect Party, Nigel Farage and Natalie Bennett all appear not to have an entry in the ICO’s online register of data controllers. Failure to have an entry in the actual register constitutes a criminal offence if no exemption can be claimed.

I’ve written before on the subject of politicians and notification under the Data Protection Act 1998 (DPA). To recap:

Section 17 of the DPA states in broad terms that a data controller (a person who solely or jointly “determines the purposes for which and the manner in which any personal data are, or are to be, processed”) must not process personal data unless “an entry in respect of the data controller is included in the register maintained by the [Information] Commissioner” (IC) or unless a relevant exemption to registration applies. Accordingly (under section 18) a relevant data controller must make a notification to the IC stating (again in broad terms) what data it is processing and for what purposes, and must pay a fee of either £35 or £500 (depending on the size of the organisation which is the controller). Section 19 describes the register itself and also provides that registration lasts for twelve months, after which a renewed notification must be made, with payment of a further fee.

Section 21 creates an offence the elements of which will be made out if a data controller who cannot claim an exemption processes personal data without an entry being made in the register. Thus, if a data controller processes personal data and has not notified the IC either initially or at the point of renewal, that controller will be likely to have committed a criminal offence (there is a defence if the controller can show that he exercised all due diligence to comply with the duty).

Political parties and members of parliaments process personal data (for instance of their constituents) in the role of data controller, and cannot avail themselves of an exemption. Thus, they have an obligation to register, and thus it is, for example, that the Prime Minister has this entry in the register:

[Screenshot of the register entry]

and so it is that Stuart Agnew, UKIP Member of the European Parliament, has this entry

[Screenshot of the register entry]

and so it is that the Liberal Democrats have this entry

[Screenshot of the register entry]

(all the entries have more information in them than those screenshots show).

But, as I have written before, not all politicians appear to comply with these legal obligations under the DPA. And this morning I noticed lawyer Adam Rose tweeting about the fact that neither George Galloway MP, nor his Respect Party appeared to have an entry on the IC register. This certainly seems to be the case, and I took the opportunity to ask Mr Galloway whether it was correct (no response as yet). It is also worth noting that back in 2012 the IC stated that

it appears that the Respect Party has not notified under the DPA at any time since its formation in November 2004….[this has] been brought to the attention of our Non-Notification Team within our Enforcement Department. They will therefore consider what further action is appropriate in the circumstances

It must be borne in mind, however, that non-appearance on the online searchable register is not proof of non-appearance on the actual register. The IC says:

It is updated daily. However, due to peaks of work it may be some time before new notifications, renewals and amendments appear in the public register. Please note data controllers are deemed notified from the date we receive a valid form and fee. Therefore the fact that an entry does not appear on the public register does not mean that the data controller is committing a criminal offence

Nonetheless, the online register is there for a purpose – it enables data subjects to get reassurance that those who process their personal data do so lawfully. Non-appearance on the online register is at least cause for concern, and calls for clarification from the IC and/or the data controller.

And it is not just Mr Galloway and the Respect Party who don’t appear on the online register. I checked for registrations for some of the other main party leaders: David Cameron, Ed(ward) Miliband and Nick Clegg all have registrations, as do Nicola Sturgeon and Peter Robinson, but Nigel Farage, Leader of UKIP, and Natalie Bennett, Leader of the Green Party, appear not to.

At all times, but especially in the run up to the general election, voters and constituents have a right to have their personal information handled lawfully, and a right to reassurances from politicians that they will do so. For this reason, it would be good to have clarification from Mr Galloway, the Respect Party, Mr Farage and Ms Bennett, as to why they have no entry showing in the IC’s online register. And if they do not have an entry in the register itself, it would be good to have clarification from the IC as to what action might be taken.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


3 responses to “Parties, party leaders and data protection registration”

  1. An interesting and pointed summary.
