Awdurdod annibynnol y Deyrnas Unedig a sefydlwyd i gynnal hawliau gwybodaeth er budd y cyhoedd, annog cyrff cyhoeddus i fod yn agored a hybu preifatrwydd data i unigolion.

At a glance

  • There are various types of particularly sensitive personal data known as special category data. This includes political opinions.
  • In order to process special category data, you need to identify a lawful basis under Article 6 and a separate condition under Article 9 of the UK GDPR. The DPA introduces additional conditions and safeguards.
  • In most circumstances, you should not use special category data, inferred or otherwise, to target individuals with political messaging without the explicit consent of the individual.
  • There is a qualified condition in the DPA for registered political parties to process political opinion data. You must have an “appropriate policy document” in place to rely on this condition.
  • There is another condition for processing special category data belonging to members of not-for-profit bodies with a political, philosophical, religious or trade union aim and those who the bodies regularly contact.
  • There is a further condition of explicit consent that you can also rely upon.

In more detail

What is special category data?

Article 9 of the UK GDPR gives special protection for certain types of personal data which are considered to be particularly sensitive. These are known as “special category data”.

Political opinions are classed as special category data.

Other special category data includes information about an individual’s:

  • race;
  • ethnic origin;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetics;
  • biometrics (where used for ID purposes);
  • health;
  • sex life; or
  • sexual orientation.

In order to lawfully process special category data, in addition to identifying a lawful basis under Article 6, you also need a separate condition for processing special category data under Article 9. The DPA Schedule 1 provides further clarification on the application of some of these conditions.

You must determine your condition for processing special category data before you begin this processing, and you should ensure you document this.

Special category data can be factual or inferred information about an individual.  If you are intentionally processing data to infer details that fall within the special categories of data such as a person’s ethnic origin or political opinions then this is considered special category data. 

You need to comply with Article 9 if you intend to create such inferences. This is because you are processing special category data, regardless of how confident you are as to the accuracy. You also need to be careful that these assumptions about people do not lead to you processing inaccurate, inadequate or irrelevant personal data.

Can special category data be used to target individuals with political messaging?

You should not use special category data, inferred or otherwise, to target individuals with political messaging without the explicit consent of the individual.

Except in very specific circumstances where other conditions may apply (see sections below), there is unlikely to be another condition under Article 9 of UK GDPR that applies to such processing.

Targeting individuals using special category data raises significant questions around fairness. Under Article 5(1)(a) of UK GDPR, personal data must be processed fairly. Using special category data to target individuals is intrusive and could be discriminatory.

In addition, Article 5(1)(c) of UK GDPR is clear that the processing of personal information should be “limited to what is necessary in relation to the purposes for which they are processed”. With the exception of political opinions, it is difficult to see in what circumstances it would be necessary to process special category data for the purposes of targeting political messaging.

Example

A political party wants to send cards to people in a marginal constituency to celebrate a particular religious festival and encourage them to support the party. The party is aware that many people in the constituency do not celebrate the festival. The party does not wish to offend these individuals by sending them a card for a festival that they do not celebrate. They decide to use software to screen the names of constituents and infer a likely ethnic origin and religious belief. They then send cards to those they have identified as likely to celebrate the festival.

In this example, the party is intentionally processing personal data in order to infer the religious beliefs or ethnic origin of constituents. Regardless of how confident the party is about this inference they are still processing special category data. It is unlikely that they would be able to rely on another condition for processing therefore, they should not carry out this processing without the explicit consent of the individuals.

Can political parties process political opinions?

There is a relevant condition under UK GDPR Article 9(2)(g) further clarified by the DPA Schedule 1, Paragraph 22.  This condition is narrowly defined and can only be relied upon by registered political parties, under section 23 of the Political Parties, Elections and Referendums Act 2000.

This condition only applies where:

  • the processing is of personal data revealing political opinions;
  • the processing is necessary for the purposes of the party’s political activities;
  • the processing is not likely to cause substantial damage or substantial distress to a person; and
  • the individual subject to the processing has not given written notice to the party requiring them not to process their personal data.

Personal data revealing political opinions includes data provided by the individual, a third party, or inferred by you or a third party and attributed to an individual.                  

Parties can only rely on this condition if you can demonstrate that it is necessary for the purposes of your political activities. Political activities in this context include, but are not limited to, campaigning, fund-raising, political surveys and casework.

If relying on this condition, you must be able to demonstrate the necessity to process political opinion data specifically. In other words, if you can achieve the same political campaigning purpose without processing data revealing an individual’s political opinions, then you cannot rely on this condition.

You should also ensure that you appropriately assess the likelihood of the processing causing an individual substantial damage or substantial distress. You should include this in your DPIAs.

You must also ensure you have an effective process for recognising and dealing with written notices from individuals to the party requiring you to not process their personal information. The notice must give you a reasonable time period to stop the processing. After this time, you must stop processing the data.

In addition, DPA Schedule 1, Part 4, Paragraph 39 requires you to have an “appropriate policy document” in place if you are relying on this condition. See our guidance on special category data for further information.

You cannot rely on this condition for processing any other special category data aside from political opinions.

Only registered political parties can rely on this condition. If you are not, then you need to rely on the explicit consent of the individual to process political opinions.

Can membership and regular supporter data be processed for political campaigning purposes?

It is worth highlighting Article 9(2)(d), which is another relevant condition for the processing of special category data. You can only rely on this for processing special category data belonging to members or those with whom you have regular contact with.

Article 9(2)(d) permits you to process special category data if:

“processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects”.

You can only rely on this condition if you:

  • are a not-for-profit body. Not-for-profit bodies may include charities, clubs, political parties, churches, trade unions and other associations which have a political, philosophical, or religious aim;
  • are processing special category data as part of your legitimate activities. This is fairly broad, and will cover most of what you do, as long as it does not stray outside your established purposes or powers, and is not unlawful or unethical in any way;
  • are only processing the data of members, former members, or other individuals in regular contact with you “in connection with your purposes” (eg partners, supporters or beneficiaries). This condition does not therefore apply to processing the data of prospective members or other individuals who have not had any prior contact with your organisation;
  • have appropriate safeguards in place. This might for example include restricting access to the data, applying shorter retention periods, or providing individuals with an opt-out; and
  • do not disclose this data to a third party without the individual’s consent. You must get explicit consent for any disclosures. If you need to disclose the data to a third party without consent, you need to rely on a different condition for the disclosure.

You do not need to demonstrate that it is necessary to process special category data to rely on this condition. However, this does not mean it is a blanket condition for all processing by not-for-profit bodies. You must still demonstrate how you meet the specific requirements of the condition, and consider your data minimisation obligations.

What is explicit consent?

Article 9(2)(a) provides a condition for processing special category data of all types if the individual subject of the data has provided their explicit consent for the processing.

Explicit consent is not defined in the UK GDPR, but it is not likely to be very different from the usual high standard of consent (see consent lawful basis above). All consent must involve a specific, informed and unambiguous indication of the individual’s wishes. The key difference is likely to be that explicit consent must be expressly confirmed in words which refer to the type of special category data involved, rather than by any other positive action.

If you need to rely on this condition, you should take extra care over the wording. Even in a written context, not all consent will be explicit. You should always use an express statement of consent. You must keep records of these expressions. For further information see our guidance on consent.

Further reading

For further information on special category data, see our Guide to UK GDPR, and detailed guidance on consent.