Our Managing Director Gary Baker has previously worked with the Electoral Commission in supervising elections. Here he discusses the implications data protection can have for the running of a democratic election process.
A General Election looms. Tomorrow, the UK will vote to choose a candidate to represent them in the House of Commons.
Everyone in the UK has a local council and an MP who sits in the UK Parliament, although depending on where you live, you may also be represented in the Northern Ireland Assembly, Scottish Parliament or the Senedd in Wales.
There may also be a mayor for your area. It seems there is an increasing number of different processes and levels each year that require local authority democratic service departments’ attention.
The Elections Act 2022 provided significant updates to the way elections are run, and one of the biggest changes is that voters now need to show ID when voting at a polling station. This is intended to improve the administration and conduct of elections, including provision designed to strengthen the integrity of the electoral process.
In terms of data protection, it all starts with the keeping and maintenance of the Electoral Register (sometimes called the ‘electoral roll’) in which local authorities record names and addresses of everyone registered to vote. There are two versions of the electoral register – the full version and the ‘open register’, a version that’s available to anyone who wants to buy a copy.
Voters can opt out of the open register; however, everyone’s name and address are recorded on the full version and voters cannot opt out of it. This is the version of the register that’s used for elections and referendums.
The full version of the register can only be used for electoral administration purposes (such as sending out poll cards before elections), campaigning activities (for example, candidates and political parties sending election communications to voters, surveying opinions or fundraising), preventing and detecting crime, checking applications for loans or credit and by courts for jury summoning in England, Wales and Northern Ireland (Scotland has its own arrangements).
Commencing in July each year, there is a requirement on local authorities (as ‘data controllers’) to verify with households that the details held on their electoral register are correct. This is called the annual canvass.
This adequately meets their expectations under Article 5(1)(d), which requires that personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (‘accuracy’).
Managing the records of millions of voter details presents significant risk to authorities and imposes additional pressures for them to comply with the GDPR.
They will need to ensure that they handle the register securely by implementing “appropriate technical and organisational measures.”
They need look no further than a recent cyber-attack on the UK Electoral Commission in August 2021 (discovered in October 2022) to appreciate that such huge quantities of personal information are a substantial target, not only for ‘simple’ identity fraud committed by organised crime gangs, but also because the UK’s democratic process and its electoral institutions remain a target for hostile actors online. Somewhat ironically, much of the UK elections process is still based on paper documentation and hand counting at counting venues, but this well-organised attack shows that council systems remain a hugely attractive target for those intent on acquiring significant amounts of (up to date) personal data.
Whilst the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply to the processing of all personal data, this legislation does not override requirements on local authorities to gather and process information as set out in existing electoral law.
In general, the processing of personal data by local authorities and their appointed officials is likely to fall under the lawful basis of Article 6 (e) – public task. The processing is necessary for local authorities to perform a task in the public interest or for their official functions, and the task or function has a clear basis in law, in that it is necessary for the lawful running of an election (i.e. maintaining the register of electors and administering the election).
There are also some considerations for local authorities where they process Special Category data. Electoral legislation requires an individual registering to vote to provide their nationality or, if they are not able to provide that information, the reason they are not able to do so.
As local authorities are required to process such nationality data to determine if the elector is entitled to vote, it is possible that such nationality data may be classed as a special category of personal data because it may reveal an individual’s racial or ethnic origin.
Note that the right to object to processing cannot be applied to information where the collection of or the nature of the processing is specified in electoral law. For example, the data subject can object to the processing of their email or telephone contact details in relation to electoral registration, but not to the requirement to provide a recording of their name or home address.
Similarly, the right to be forgotten does not apply when processing is required for the performance of a public task (such as the maintaining of electoral registers) or it is necessary for archiving in the public interest. So electors cannot ask the local authority to remove them from old or historical electoral registers because their inclusion on that register was a result of a legal obligation on the local authority.
Additionally, the local authority is required to publish notices relating to an election. These notices may include personal information relating to candidates, subscribers and agents. Again, these individuals cannot use the right to be forgotten to require that their details are removed from such a statutory notice.
And for all our PECR fans out there, any email invitations to register must include an unsubscribe option to allow electors to make a request under the right to object to the use of their contact information for this purpose.
Local authority electoral officials, such as their Electoral Registration Officer (ERO) and/or Returning Officer (RO) or Presiding Officers (POs), are responsible for ensuring that they comply with the requirements of current data protection legislation. This should always be in collaboration with their Data Protection Officer (DPO), though in most cases I have experienced at different Councils, very little if any election administration training is given to DPOs.
EROs and ROs have a statutory duty to process certain personal data to maintain the electoral register and/or for the purpose of administering an election.
Advice from the ICO is that all data controllers will need to ensure that they are registered. This means that those officers must be registered separately from their council in their capacity as ERO and/or RO (though usually only under that title, not their own name).
However, whilst a public authority is routinely required to appoint a data protection officer, EROs and ROs are not currently included in the definition of a public authority contained in Schedule 1 of the Freedom of Information Act 2000 and are therefore not required to appoint a DPO for the conduct of their duties.
When elections do take place, the processing of all this data means additional risk and threat to the security and use of the information within the register.
Each voting location across the country will be managed by a Presiding Officer. Presiding Officers have overall responsibility for their polling station. For example, they are required to ensure that polling booths are set up in such a way that the privacy of voting is maintained for all voters.
Local authorities must provide them with the appropriate part of the electoral register for their polling station and the appropriate absent voting lists. This is a key document which contains the name, elector number and address of eligible voters.
Local authorities and particularly their POs will need to ensure that they maintain the ‘integrity and confidentiality’ of these lists – also known as the GDPR security principle.
Often these lists are on public view and can be seen by all voters as the polling station staff ‘rule off’ their name as having attended.
Whilst most of this personal data may be in the public domain (via available voters lists), those who have chosen to opt out of the open lists may well feel their own privacy is neglected by these processes, and POs should take care that lists are not exposed for general viewing for longer than is necessary by their staff. POs should always be aware of their responsibilities to maintain measures to ensure the ‘confidentiality, integrity and availability’ of the voters lists in such public environments. Note that voters can ask for their details to be checked in private.
Advice for election officials
- Training and Awareness
Local authorities will need to consider again how they process personal data during an election. Processing personal information is an important part of the election process but local authorities must comply with the key principles which lie at the heart of the general data protection regime.
As ever, training and awareness are the key foundations to compliance. All local authorities’ employees and election staff should have received appropriate training about their data protection responsibilities. This should be relevant, accurate and up to date and ensure the message is that data protection is integral to all processing relating to elections.
Comprehensive election training and awareness should include training for all staff, including key areas of data protection such as handling the election lists, data sharing with political parties, the need for information security, what to do in the event of any personal data breaches and maintaining the accuracy and integrity of the electoral register.
If you have any DPIAs relating to elections in place, it is wise to undertake a review of them to determine if your processing operations require any further DPIA or alterations.
This will help you to embed the data protection principles in your election duties, and demonstrate compliance.
Your Data Protection Officer/Information Officer should be included in all planning and discussions for any election taking place.
- Risk register and planning
Local authorities will undoubtedly have written plans and records for their registration and election plans, and associated risk registers. These should outline processes and safeguards that are in place. These should be accessible and understood by those who are required to follow the plans.
It is advisable to keep these documents under review to ensure data protection remains integral and that they are compliant with current legislation. Such plans and risk registers provide a sound basis for you to meet your obligations as a data processor during the election process.
- Privacy Notice
It is important that your privacy notice is specific to the personal data that you process. There are subtle differences across ERO and RO functions in local authorities. This may be a result of devolution, shared services, differences in software usage and internal structures and processes within each council, so it is likely your privacy notice will need to set out how you will use the personal data that is collected relating to your election duties. For example, residents will need to know that their personal data contained in the electoral register will be used to conduct an annual canvass, recorded and maintained in your electoral register (open or edited register) via a voter registration form.
Always ensure your privacy notice is clearly visible on your website and is referenced when communicating with electors and others.
Whilst the General Election is in the final preparation stages ahead of voting tomorrow (4th July), local authorities may already be setting their sights on future elections in their area. If there are any areas of your data protection we can help with, please do get in touch.