The ICO exists to empower you through information.

Purpose limitation, data minimisation and storage limitation

Share Download options

Pages

Format

At a glance

  • You may want to use personal data obtained for one purpose in a political campaign, for a different purpose. You must be clear about why you’re processing the data from the start, be able to evidence it and specify it in your privacy information to individuals.  
  • You must ensure the personal data is adequate, relevant and limited to what is necessary for the purposes for which you are processing it.
  • You must not keep personal data for longer than you need it. You need to justify why and how long you are holding personal data and that is linked to the purposes.

In more detail

Can we use personal data collected for another purpose for political campaigning purposes?

Often political campaigners seek to use personal data obtained through petitions, surveys, casework, enquiries and other sources, for more general political campaigning purposes.               

If you are using this data, it is first important to ensure that you have provided individuals with appropriate privacy information on collection (see section on collecting personal information).

It is equally important to comply with the “purpose limitation” principle – UK GDPR Article 5(1)(b).

Article 5(1)(b) states:

“1. Personal data shall be:

...(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes...”

In practice this means you must:

  • be clear from the outset why you are collecting personal data and what you intend to do with it;
  • specify and document your purposes;
  • comply with your transparency obligations to inform individuals about your purposes; and
  • only use this information for political campaigning purposes in two circumstances:
    • where the purpose of political campaigning is compatible with the original purpose; or
    • where you have obtained the individual’s specific consent for processing data.

The UK GDPR says that to decide whether a new purpose is compatible (or as the UK GDPR says, “not incompatible”) with your original purpose you should take into account:

  • any link between your original purpose and the new purpose;
  • the context in which you originally collected the personal data – in particular, your relationship with the individual and what they would reasonably expect;
  • the nature of the personal data (eg is it particularly sensitive);
  • the possible consequences for individuals of the new processing; and
  • whether there are appropriate safeguards (eg encryption or pseudonymisation). See our Guide to UK GDPR for further information on these safeguards.

Example

A local political party association starts a petition for improvements in public transport in their local area. They collect names and addresses to add to the petition before submitting it to the council. They tell individuals that their personal data will be used for the purpose of the petition.

At the next general election, the local political party association supports the national campaign and the campaign to elect their party’s candidate for MP. The party’s national headquarters tells the local association that it has found that people who care about public transport are more likely to support the party’s national leader. The political party uses the names and addresses it obtained from the petition to send these individuals campaigning leaflets.

This is unlikely to be a compatible purpose. The link between the original and new purpose for the processing is tenuous and is unlikely to be within individuals’ reasonable expectations that their data is processed for this new purpose. The party is therefore unable to use this data unless they take further steps to comply, as required by UK GDPR.

Can we use personal data obtained from constituency casework in political campaigns?

In general, you should not use personal data you obtained when carrying out constituency or similar casework for political campaigning purposes. The exception is if you are sure that those constituents would expect you to contact them for political campaigning purposes and would not object. If you believe this is the case, you should document your reasoning and any evidence. If in any doubt, however, you should be cautious and not use the information.

Example

A local councillor receives personal correspondence from local residents raising concerns about the safety of pedestrian crossings on a local residential development. The councillor has spoken directly with these residents about the issue so that the councillor can raise their concerns with those in the council planning office responsible. A local election takes place a couple of months later. The councillor decides to review the residents’ letters received in his capacity as councillor and sends campaigning leaflets targeted to particular residents based on the issues they have contacted him about. The leaflet he sends to those who have raised concerns about pedestrian crossings is targeted so that it outlines the party’s commitment to invest more in pedestrian road safety encouraging the residents to vote for him at the upcoming election.

In this example, although the issue being discussed is broadly the same, the purpose for processing the personal information has changed from representing constituents to political campaigning. It is legitimate for political campaigning leaflets to be sent as part of a general geographic sweep of the local area – such leaflets could include information on issues that they have made representations about on behalf of constituents, for example pedestrian road safety. However, it is unlikely that the residents would expect their councillor to use personal data from their letters to specifically target them for this new political campaigning purpose.

It is worth highlighting that the rules around making automated calls, some live calls and sending electronic communications for political campaigning purposes are different. See the section on PECR. In addition to ensuring that constituents expect this contact, you also need their specific consent before using these communication methods to send them marketing material including campaigning messages. See direct marketing methods section for more information.

How much personal data can we process for political campaigning purposes?

Article 5(1)(c) says:

“1. Personal data shall be:

...(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”

This means you should identify the minimum amount of personal data you need to fulfil your purpose. You should process that information, but no more.

The UK GDPR does not define what “adequate”, “relevant” and “limited to what is necessary” mean. Instead it depends on your purpose and may differ from one individual to another. 

To assess whether you are holding the right amount of personal data, you must first be clear about why you need it. You must not collect or retain personal data on the off-chance that it might be useful in the future. You must be able to justify the necessity of processing the data for your purpose(s). This is particularly important for special category data (see the section on special category data for more information) where there is a greater risk of harm in processing this data, particularly in the event of a personal data breach.

The amount of data you hold may also differ from one individual, or one group of individuals, to another. For example, you are very likely to need to process more personal data for members of a party or campaign group than for members of the public. 

In addition you should consider any specific factors that an individual brings to your attention. For example, as part of an objection, request for rectification of incomplete data, or request for erasure of unnecessary data.

You should periodically review your processing to check that the personal data you hold is still relevant and adequate for your purposes, and delete anything you no longer need. This is closely linked with the storage limitation principle.

How long should we keep personal data for political campaigning purposes?

Article 5(1)(e) says:

“1. Personal data shall be:

...(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed...”

This is known as the storage limitation principle. It does not specify how long you should keep personal data for political campaigning purposes – this is for you to determine as the controller. However it does say that you must not keep personal data for longer than you need it.      

Therefore how long you keep personal data for political campaigning purposes depends on how long you need the data for this purpose. The onus is on you to properly consider why you need to retain personal data and be able to justify why it is necessary for your purpose to keep it.

In order to comply with the accountability principle you need a policy that sets your retention periods. Likewise one of the requirements of the right to be informed is that you state the period you store the personal data for or the criteria you use to determine the period.

If you no longer need the personal data for your purposes, you should erase (delete) it or anonymise it (ie so it is no longer in a form that allows the individual to be identified). You should also keep a log of what you have deleted and when for good records management.

It is important to regularly review the personal data that you hold for political campaigning purposes in order to reduce the risk that it has become irrelevant, excessive or inaccurate.

Example

A political party has stood candidates in a London constituency for decades. The party appoints a new data protection officer (DPO), who decides to review the personal data held on a local party office system. As part of the search they see a spreadsheet called ‘1998 Greater London Authority referendum’. The spreadsheet contains the names of local residents and their likely voting intentions in the referendum.

The DPO is very surprised as the party’s retention policy outlines that data from referendum campaigns is retained for five years post referendum. They ask a local party representative the reasons for keeping this spreadsheet for so long. The representative explains that they are keeping it just in case there is ever another referendum on the issue. The DPO deletes the spreadsheet.

The DPO is right to delete the spreadsheet. Although there may be another referendum in the future, this is not an appropriate justification for keeping the data. Data should not be retained on a ‘just in case’ basis but only as long as is ‘necessary’ for the purpose(s). There are also likely to be data minimisation, purpose limitation, accuracy, fairness and transparency issues with continuing to hold it. In addition, keeping data longer than specified in a retention period is likely to breach accountability requirements.

Further reading

For general guidance on PECR, see our Guide to Privacy and Electronic Communications Regulations.

See the Guide to the UK GDPR for guidance on purpose limitation, data minimisation and storage limitation.