Apropos of my previous post on the Tory’s deeply embarrassing data ‘loss’ in Crewe and Nantwich, further investigations have turned up what appear to be a number of unfortunate ‘anomalies’ in key records.
For one thing, it’s not at all clear exactly who is responsible for this data and whether it was even collected and processed legally before it left the UK.
A search of the Information Commissioner’s Register of Data Controllers shows that Crewe and Nantwich Conservative Association is not registered with the Information Commissioner under the provisions of the Data Protection Act – the upshot being that the kind of information the Association can legally obtain, hold and process in its own right is very limited, little more than simple mailing lists of names and addresses.
As such, unless the Association is operating permanently under the umbrella of Conservative Central Office, it cannot legally process sensitive personal information, which includes telephone numbers, information on individuals’ financial status and, particularly, any expressed voting intentions.
And even if it is operating under the umbrella of Conservative Central Office, its legal problems may only just be starting, due to issues with the Conservative Party’s own registration.
The Isle of Man is well known for several things: its annual Tourist Trophy (TT) event, Manx cats with no tails and its somewhat unusual status as an offshore tax haven, a status that it maintains only by virtue of a somewhat unorthodox semi-detached relationship with both the UK and the EU.
The upshot of all this is that while it enjoys a special trading status with the EU, the Isle of Man is neither a member of the European Union nor of the slightly broader European Economic Area…
…all of which would present no great difficulties were it not for the fact that the Conservative Party is not registered under the Data Protection Act in such a way as to permit it to legally transfer personal data anywhere outside the EU and EEA.
So the very act of sending this information to a non-EEA area is, itself, unlawful and contrary to the Party’s entry in the Register of Data Controllers – if, indeed, it is permissible for Crewe and Nantwich Conservative Association to rely on CCHQ’s registration status rather than having to make its own registration.
This also poses the question of exactly where this information should have gone, rather than where it actually turned up, as, again, if its intended destination lies outside the EU & EEA then any such transfer would be unlawful.
Clearly, there are any number of important questions that need to be asked about the circumstances leading to the Conservatives losing the personal data of 8,000 people in such a boneheaded fashion.
Good spot that the Isle of Man is outside the EEA.
Also, being a pedant, I notice that “The Conservative Party” DPA registration seems technically a bit defective in failing to include “The Electorate” as Data Subjects in the “Canvassing Political Support” purpose. Strictly by their registration they should only be collecting “Political Opinions” data from their “Members or supporters”, “enquirers” or staff (or Relatives etc. of such subjects). So they should not be canvassing voting intentions from Labour or LibDem supporters!
I see Labour & the “LIBERAL DEMOCRAT LEADER’S OFFICE” (cannot find a “Liberal Democrat Party” registration) get this correct by listing “The Electorate” as data subjects.
I don’t suppose the Information Commissioner will get excited by such a technical infringement though.
The Liberal Democrat registration is at:
http://www.ico.gov.uk/ESDWebPages/DoSearch.asp?reg=3796730
Mark, thanks for that “LIBERAL DEMOCRATS” link.
They correctly list “The Electorate” as data subjects for canvassing, like Labour.
But the Liberal Democrats register for “Worldwide” transfers of canvassing data, unlike the Conservatives or Labour, or indeed the “LIBERAL DEMOCRAT LEADER
Imagine you have a survey on your website that asks people about local issues, which party they would vote for, etc. Where is that website actually hosted? Even if you host it through a UK firm, there’s quite a high chance that the hard disk resides in another country. Even if the hard disk is in the UK, what about the location of backups? Etc. Having “worldwide” means you’re still legal. I would be surprised if those registered as only storing such data in the UK are really all 100% compliant once you start looking closely at where all their IT services are actually located.
Mark:
There’s a natural degree of sensitivity over registrations covering worldwide data transfers, even if worldwide isn’t quite as broad as some might think, as it’s unlawful under EU law to transfer data to any non-EU state that fails to meet the ‘safe harbour’ standards.
FWIW, I can’t see any problem with the LD’s registration per se, providing it doesn’t do anything particularly stupid with the data once it has it.
But then what do I know – I was only a registered data controller for five years…