Data Protection Commission publishes report on data protection audit of political parties in Ireland
20th December 2021
The Data Protection Commission (DPC) today published a report entitled “Data Protection Audit of Political Parties in Ireland.” The report was compiled following data protection audits conducted this year by the Data Protection Commission in twenty-six registered political parties in Ireland.
In April 2021 reports were published in the media regarding the alleged storing by the political party, Sinn Féin, of personal information of millions of voters on an internal party database. In June 2021 further articles were published in the media with regard to members of some political parties allegedly posing as market researchers in conducting political opinion polling. Conscious of the public interest aroused by these media reports, the DPC decided to carry out data protection audits of all political parties in Ireland with regard to the processing by them of personal data of the electorate.
Purpose of Report
Twenty-six separate audit reports have been produced by the DPC and each political party has been provided with the audit report relevant to the respective party. Drawing from the contents of those twenty-six audit reports, the DPC has decided that, given the public interest in the matters highlighted in the media reports last April and June, it is appropriate to produce and publish this overall audit report to highlight the main findings of its data protection audits and to outline the key recommendations made by the DPC to the political parties concerned. Statutory powers to publish reports of audits carried out are conferred on the DPC under Section 149(4) of the Data Protection Act, 2018.
The DPC audits of political parties examined the following issues:
- The designation of data protection officers
- The use of Registers of Electors and Marked Electoral Registers
- Party membership/volunteers databases
- Databases of electors/voters
- Data Protection Impact Assessments
- Market Research/Opinion Polling
Over eighty recommendations have been made by the DPC to political parties and some of those recommendations have set down specific time limits for implementation. The DPC will continue its engagement with the political parties concerned over the coming months to ensure that the recommendations are fully implemented on time.
For further information, please find below a brief synopsis of key points from within the Report:
Designation of Data Protection Officer
Data controllers are obliged to designate a data protection officer where their core activities consist of processing on a large scale of special categories of personal data, such as data revealing political opinions.
During the course of the audits, the DPC considered the extent to which political parties process, on a large scale, personal data revealing political opinions. As data protection legislation does not prescribe a figure to quantify the term ‘on a large scale’ for such data processing, the DPC has decided to guide where that figure should be set, with the benefit of information obtained from the political parties during the audits.
The DPC has determined that the appropriate threshold that should be met in order for a political party to be considered to process personal data revealing political opinions on a large scale is 30,000 records of data subjects.
Arising from that guidance and based on the information supplied by the political parties to the DPC, it follows that only two political parties, namely Fianna Fáil and Sinn Féin, are required to designate data protection officers. Both have done so.
There is no requirement on the other political parties to designate data protection officers while the level of data processing revealing political opinions remains below the threshold but they may choose to voluntarily designate a data protection officer if they wish.
The audits found that the dominant level of data processing by political parties occurs in respect of the personal data of party members and volunteers as most parties keep and process membership or volunteer records. Accordingly, the majority of the recommendations made in the audit reports related to the processing of those records.
The use of data from the Register of Electors and the Marked Electoral Register, while not widespread across all political parties, attracted some attention in the audits with regard to the need to comply with transparency requirements by updating privacy policies to reflect this data processing activity and the need to set data retention periods to comply with the requirement of the principle of storage limitation.
Chapter Four of the report deals exclusively with Sinn Féin’s Abú database, it being the only political party in Ireland that maintains a database that encompasses electors/voters data from all parties across that State. The audit of Sinn Féin considered in detail the matter of the legal basis for the Abú database and found it was not necessary to make recommendations in that regard. However, one of the main data protection concerns that arose related to transparency and a recommendation was made in particular with regard to drawing attention to the existence of the Abú database by means of canvassing and electioneering literature.
Market Research/Opinion Polling
Only seven political parties were found to have conducted market research or opinion polling through the deployment of their own members, supporters or activists. The DPC was satisfied from the findings of the audits that no personal data was processed during those activities by the political parties concerned and, on that basis, no data protection concerns arose for further consideration by the DPC.
In the case of the seventh party, Aontú, one recommendation was made by the DPC as outlined in the report following its conduct of a survey in an overt manner which involved the processing of personal data of participants.