The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

At a glance

  • You must have a lawful basis for processing personal data. The applicable lawful basis depends on your specific purposes, your powers and the context of the processing.
  • The vast majority of processing for political campaigning purposes falls under three lawful bases: public task (democratic engagement); consent; and legitimate interests. You must evidence your reasoning for choosing a lawful basis.

In more detail

Introduction

In order to process any personal data for any purpose, you must have a lawful basis. UK GDPR Article 6 outlines six lawful bases with further expansion of what these include in DPA Section 8. Which lawful basis applies depends on your specific purposes, your powers and the context of the processing. You should think about why you want to process the data, and consider which lawful basis best fits the circumstances.

Once you have decided which lawful basis applies to each of your purposes, you need to keep a record of which basis you are relying on for each processing purpose, and a justification for why you believe it applies. There is no standard form for this, as long as you ensure that what you record is sufficient to demonstrate that a lawful basis applies. This helps you comply with accountability obligations, and also when writing your privacy notices.

The vast majority of processing for political campaigning purposes falls under one of the following three lawful bases:                

  • Public task – democratic engagement
  • Consent
  • Legitimate interests

Can we use “public task – democratic engagement” as our lawful basis?

This lawful basis is often misunderstood as an overarching exemption, so it is important that you understand the purpose of the provision.

UK GDPR Article 6(1)(e) gives a lawful basis for processing personal data (only and to the extent that it is) necessary for the performance of a task carried out in the public interest.

DPA Section 8 further specifies that this includes processing of personal data that is:

“necessary for … (e) an activity that supports or promotes democratic engagement.”

In addition, UK GDPR Article 6(3) requires that this task must be laid down by domestic or EU law (in addition to the DPA).

What additional law could satisfy Article 6(3)?

For the processing of personal data sourced from the electoral register, most campaigners are able to rely upon electoral law. (Specifically, Representation of the People (England and Wales) Regulations 2001 (SI 2001/341) regulations 103-106 and Schedule 3 of the Representation of the People (England and Wales) (Description of Electoral Registers and Amendment) Regulations 2013 (2013/3198) and equivalent devolved legislation.)

Some campaigners, such as MPs or other elected officials, may also be able to rely on other laws to process additional “non electoral register” data. Such laws do not have to be explicit statutory provisions, as long as the application of the law is clear and foreseeable. This means that it includes clear common law tasks, functions or powers, as well as those set out in statute or statutory guidance. You should obtain specific legal advice if you are unsure what particular laws may apply to your role or organisation to satisfy Article 6(3).

Other campaigners may have an additional law available to them to allow them to process “non-electoral register” data. However, if they do not have such an additional law available, as long as the processing is necessary for an activity that supports or promotes democratic engagement they are most likely able to rely on “legitimate interests” (see the section below).

What does “necessary” mean?

In order to rely on this lawful basis, processing personal data must be necessary for an activity that supports or promotes democratic engagement. This does not mean that processing has to be absolutely essential. However, it must be more than just useful or standard practice. It must be a targeted and proportionate way of achieving your specific purpose. This basis does not apply if you can reasonably achieve your purpose by some other less privacy intrusive means, or by processing less personal data. The key point is that you must be able to justify the necessity of the processing.

What activities support or promote “democratic engagement”?

The Explanatory Notes accompanying the Data Protection Act 2018 explain:

“The term “democratic engagement” is intended to cover a wide range of political activities inside and outside election periods, including but not limited to:

  • democratic representation;
  • communicating with electors and interested parties;
  • surveying and opinion gathering;
  • campaigning activities;
  • activities to increase voter turnout;
  • supporting the work of elected representatives, prospective candidates and official candidates; and
  • fundraising to support any of these activities.”

Therefore, this lawful basis is designed to apply in the context of many political activities where the processing is supported by additional law, such as electoral law.

When can we use legitimate interests as our lawful basis?

If the “public task – democratic engagement” lawful basis is not appropriate for your purposes (ie if there is no appropriate law you can rely upon to satisfy Article 6(3)), then you are most likely able to rely on “legitimate interests” for processing personal data that supports or promotes democratic engagement.

You may also be able to rely on “legitimate interests” where you are processing personal data for activities which do not support or promote democratic engagement but where you have another compelling justification for the processing.

Whether processing in support of democratic engagement or not, in order to rely on the “legitimate interests” lawful basis, you need to carry out and document the results of a three-part assessment. You need to:

  • identify a legitimate interest (either your own or a third party’s, eg democratic engagement);
  • show that the processing is necessary to achieve it (as with public task – democratic engagement); and
  • balance it against the individual’s interests, rights and freedoms. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Example

A charity with no political affiliation that provides general advice and support to older people (having made clear they would do this in their privacy notice) decides to write to their customers encouraging them to exercise their right to vote. They provide information about how to obtain a postal vote in the upcoming election.

The charity is likely to be able to rely on the “legitimate interests” lawful basis for the processing. They carry out a “legitimate interests test”:

  • they identify their legitimate interest as democratic engagement;
  • they provide justification to show that the processing is necessary; and
  • they balance their democratic engagement interest against the individual’s interests, rights and freedoms.

They find that the processing is within their customers’ reasonable expectations and unlikely to cause unjustified harm.

When can we use consent as our lawful basis?

The lawful basis of consent is in Article 6(1)(a).

Consent is an appropriate basis if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you still process the personal data without consent, asking for consent is misleading and inherently unfair.

It is important to note that consent:    

  • should be obvious and require a positive action to opt in;
  • must be obtained through prominent requests, unbundled from other terms and conditions, concise and easy to understand, and user-friendly;
  • must specifically cover the controller’s name, the purposes of the processing and the types of processing activity;
  • must be recorded. You must keep records to evidence consent – who consented, when, how, and what they were told;
  • can be withdrawn. People have a specific right to withdraw consent. You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time; and
  • has no set time limit. How long it lasts depends on the context. You should review and refresh consent as appropriate.

If you are relying on consent as your lawful basis from an individual, either directly or via a third party, then you cannot change to another lawful basis at a later point as this is likely to be considered unfair to the individual. For example, an individual has given their consent to you processing their personal data and you use that as your lawful basis. If they withdraw their consent at a later point, or they have no way of contacting you in the future to withdraw their consent, you cannot then decide to continue to process their personal data under the legitimate interests lawful basis. This would be against the individual’s expectations and is likely to breach the UK GDPR.

If you are processing personal data in order to send individuals direct marketing by electronic means (ie emails, texts, direct messages, automated calls and live calls) then PECR may require you to have consent. Similarly, if you are planning to use cookies to show your users political messaging, whether the cookie is yours or that of a third party, PECR also requires you to have consent. PECR takes its definition of consent from the UK GDPR. If PECR requires consent, then processing personal data for electronic direct marketing purposes or to use cookies is unlawful under the UK GDPR without consent. If you have obtained consent in compliance with PECR, then in practice consent is also the appropriate lawful basis under the UK GDPR.

Further reading

For further information, see our Guide to UK GDPR, our interactive lawful basis guidance tool and detailed guidance on consent and legitimate interests.