After a report by Sky News on a possible breach of the GDPR by the Liberal Democrats through mass data processing, we decided to send an FOI.
You can read our email below. We are expecting a reply no later than Monday 4th November, and will update here as needed.
Dear Liberal Democrats Data Protection,
It has come to our attention that the Liberal Democrat Party may have fallen foul of the GDPR.
To that end, we would like to raise an FOI in this regard, pointing out the following.
Please reply within the legislated 20 working days to each question in turn.
Note: For the purposes of this FOI, we are requesting it under our grassroots political website name of “myPolitico”, according to guidelines set out by the ICO: “Anyone can make a freedom of information request – they do not have to be UK citizens, or resident in the UK. Freedom of information requests can also be made by organisations, for example a newspaper, a campaign group, or a company.”
In a report by Sky News (accessible at https://news.sky.com/story/the-lib-dems-are-using-data-to-profile-every-voter-in-uk-and-give-you-a-score-11828202), it was reported that the Party is profiling “every voter in the country”.
Can you confirm if this is the case?
If so, what methods are used? Is this a simple regression and poststratification model based on legally-obtained sample data, or are other data mining methods used? What are those?
What input data does the model receive? Where is this obtained from, and how?
The report also states that the model uses “consumer/market research data” which was purchased from a third party.
If possible to disclose, who was this third party? If not able to disclose, why not? Further, what types of information are contained in the dataset? Are there any personally identifiable (PI) datapoints, or rather aggregated data?
The article also states that “party denied that the scoring system was used to target ads on social media”.
If this is the case, does the Party have any plans to use the model and/or data for targeted advertising on social media? If so, what methods and contingencies are in place as a data controller to ensure compliance with the GDPR?
Can you explain why this is? When will a statement be made, and the website updated with this information?
Under the GDPR:
“Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing. While being one of the more well-known legal bases for processing personal data, consent is only one of six bases mentioned in the General Data Protection Regulation (GDPR). The others are: contract, legal obligations, vital interests of the data subject, public interest and legitimate interest as stated in Article 6(1) GDPR.”
“Processing shall be lawful only if and to the extent that at least one of the following applies:
the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which the controller is subject;
processing is necessary in order to protect the vital interests of the data subject or of another natural person;
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
How many of those profiled have consented to data processing?
If this is deemed by yourselves as ‘public interest’, do you consider the Party a public authority which is exempt from data processing in this manner?
Has the Party sought interpretation on the GDPR by any legal authority, or the ICO with regards to the processing of personally identifiable information, either individual or aggregate?
We look forward to a reply in due course.