Canvassing and Elections Guidance - For Campaigners
Principles of Data Protection
Candidates, political parties, and those involved in processing personal data as part of canvassing or campaigning work need to ensure that they comply with their obligations under data protection law. In particular, you should ensure that at all times your use of any personal data you process complies with the principles relating to the processing of personal data. Processing means doing anything with personal data including holding it in a database or any other form. This means you should always:
- Process personal data lawfully, fairly, and in a transparent manner;
- Collect personal data only for one or more specified, explicit, and legitimate purposes, and do not otherwise use it in a way that is incompatible with those purposes;
- Ensure personal data is adequate, relevant and limited to what is necessary for the purpose it is processed;
- Keep personal data accurate and up-to-date and erase or rectify any inaccurate data without delay;
- Where personal data is kept in a way that allows you to identify who the data is about, retain it for no longer than is necessary;
- Keep personal data secure by using appropriate technical and/or organisational security measures;
- Remember that you must be able to demonstrate your compliance with the above principles.
Further, you should consider how you will respond to requests by individuals seeking to exercise their data protection rights (for example the right of access), in a timely and effective manner, taking into account that data subject requests must be responded to without undue delay, and at least within one month.
Political parties contesting elections at a national level will likely be required to have a Data Protection Officer (DPO). The DPO should be at the heart of your data protection compliance efforts and should be kept in the loop on all canvassing and campaigning work entailing the processing of personal data.
Postal Canvassing
You may use the names and addresses of people on the Electoral Register for the purpose of sending postal election leaflets to them, once you have satisfied yourself that you have a legal basis for doing so (taking into account the provisions of both the GDPR and the Data Protection Act 2018), and comply with the principles of data protection. In particular, you must be transparent about such use of constituents’ personal data by providing them with information on: who you are and how you can be contacted; how you obtained their information and what it comprises; who you’ll share it with; how long you’ll keep it; what the legal basis is for processing the personal data (normally performance of a task in the public interest); and what their data protection rights are. This information can be provided by including it in, or with, your canvassing materials.
Door-to-Door Calls
When a canvasser goes door-to-door taking notes of interactions with potential voters (e.g. likelihood to vote, political preference, persuadability, etc.) this is processing of personal data for which the political party or individual running for election is the controller. In other words, the party or individual represented by the canvasser must ensure that this activity respects the requirements of data protection law as outlined above. It doesn’t matter whether or not you expressly told your canvassing team to take any notes, whether the people they meet volunteer this information, or even whether or not you yourself have access to the information collected. What makes this activity a data protection matter is that your canvassers are carrying out work out at your request that entails the collection of personal data.
Therefore, when making door-to-door calls, you must ensure that proper safeguards are in place to accurately record and protect any data collected, including any data revealing political opinions. If you ask constituents for their contact information (e.g. telephone number or email address) make sure they consent to follow-up contact if you plan it. You should also make it clear to constituents that they are not under any obligation to provide you with any information and that you are only collecting it where they consent. You should have a retention period for any information obtained from canvassing and implement procedures for the keeping of personal data for no longer than is necessary.
Lawfulness of Processing
As with all controllers of personal data, campaigners have a responsibility to ensure that any use they make of personal data is ‘lawful’. Some of the personal data which is used by campaigners could be what is known as ‘special category’ personal data, such as data revealing political opinions.
To give an example, political parties and persons running for election are allowed to use information contained on the Register of Electors to communicate with voters, canvass, distribute leaflets and undertake other ordinary electoral activities. The Register of Electors does not contain special category data, as it is simply a list of persons who are entitled to vote. However, if information from the register is combined with information from other sources (e.g. regarding political preferences, likelihood to vote, etc.) to create a proprietary database, then this is likely to be processing of special category data. The difference is that this database can now be used to identify and target individuals based on their political opinions.
Special category data has extra protections under the GDPR. This means, in the context of electoral activities, that for processing to be lawful, it must always have a legal basis under Article 6 GDPR, but also, if it constitutes processing of special category data, fulfil one of the conditions of Article 9(2) GDPR. It is the responsibility of the controller to determine what the legal basis is for a particular processing operation, and this may vary depending on context, such as consent for electronic direct marketing or ‘necessary for the performance of a task carried out in the public interest’ in the case of certain electoral activities. Where relying on consent as a legal basis, it must be freely given, specific, informed and unambiguous.
Transparency
If you collect information directly from individuals, whether in person of otherwise, or from third party sources whether in person or otherwise, you must be transparent about your use of their personal data (in line with Articles 13 and 14 GDPR, respectively). You must provide them with information on: who you are and how you can be contacted; why you’re collecting their data; who you’ll share it with; how long you’ll keep it; what the legal basis for this processing is; and what their data protection rights are. You can, for example, provide this information person-to-person or give individuals a leaflet which sets it out. You can also direct individuals to another way in which they can easily access this information, for example on your website. If you do that or use another indirect method of providing this information, at a minimum you should tell constituents upfront who you are and how you can be contacted, why you’re collecting their information and explain that they have rights (including in relation to the processing of their data).
Online Canvassing
If you operate a website you should ensure that you fulfil your transparency obligations by having an easily accessible, clearly visible and easy to understand privacy statement telling individuals: who you are and how you can be contacted; what personal data you’re collecting/using and why; if you got the data from another source what the source is; the legal basis for processing; who you’ll share it with; how long you’ll keep it; and what their data protection rights are. If your website uses cookies to collect user data, it should clearly explain this, detailing the terms of cookies usage and providing a means of giving or refusing consent to place cookies. If you plan to engage in online political advertising or use third party services for electoral activities, you should ensure that you have a legal basis for sharing any personal data with that third party service or advertising platform (in particular as this may constitute processing of special category data per Article 9 GDPR). Individuals must also be informed of any third parties with whom their personal data will be shared.
Electronic Direct Marketing and Canvassing
You should only use the personal data that you hold on a constituent to send electronic direct marketing canvassing communications (texts, emails, phone calls or faxes) where the person has previously consented to receiving such communications. It is important to keep a record of the consent, as you need to be able to demonstrate that you had consent to use their personal data in this way. When communicating by text, email, phone or fax, the message should always identify that it is being sent by you or on your behalf, and include an easy to use opt-out method so the recipient can exercise their right not to receive any further communications of this kind from you. You should never use contact information you have obtained from third parties for electronic direct marketing canvassing purposes. You must also remember that where you rely on consent as the legal basis for processing someone’s personal data it must be: freely given (the individual must have a real choice as to whether or not to consent); specific (must relate to specific purpose); informed (the individual must have been given enough information to make an informed choice about whether or not to consent); and unambiguous (it must be clear and deliberate –pre-ticked boxes, silence, or inactivity do not constitute consent).
Want to print out a copy?
You can download and print out a PDF version of this guidance on canvassing and elections for campaigners.