Today the Scottish National Party (SNP) launched a brand new website with the aim of gauging public support for a second referendum on Scottish independence. Of course Scotland had a referendum on this issue a little under two years ago where those who voted did so 55% – 45% in favour of Scotland remaining part of the United Kingdom. In May the Scottish people went to the polls to elect the Scottish Parliament; the Scottish Conservative Party fought that election on a strong pro-union message and had its best electoral success in Scotland in many decades. They pushed Scottish Labour (to whom the criticisms in this blog equally apply) into third place to become the official opposition in the Scottish Parliament to the SNP Government (which, incidentally, lost its overall majority and is governing, once again, as a minority government).
The policy is extremely short, but the key aspect of the policy for the present purposes is “The SNP may…contact you about issues you may find of interest using any details you have supplied. You can opt out of some or all contact by writing to us.” I shall return to why this is the key aspect in a moment, but for now it’s on with the story.
The Scottish Conservative Party has apparently taken legal advice on the SNP’s National Survey website and written to both the Electoral Commission and the Information Commissioner; the former being irrelevant for present purposes. The Scottish Conservatives state that they considered that the SNP’s website breaches the Data Protection Act 1998 (it does, but more on that in a moment). However, while they are considering the SNP’s National Survey website they might wish to consider their own website.
The relevant part for present purposes is the bit that reads “[b]y entering your contact details you agree to receive communications from us, from which you can opt-out using the “unsubscribe” link in each email we send or using the contact details at the top of this privacy notice.”
There are problems with both the Privacy Notices above, and they are in fact the same problem. I will come onto the breaches of the Data Protection Act 1998 in a moment; however, I initially want to discuss the Privacy and Electronic Communications (EC Directive) Regulations 2003.
Both the above privacy notices envisage sending information to those who have provided their E-mail address about campaigns that the respective political parties are engaging in. These E-mails will essentially be promoting the aims of the respective political party, either generally or in respect of a specific area of policy. These E-mails will be sent directly to an individual; that makes them direct marketing communications. The law is very strict on when it is legal to send such communications. The relevant regulation is Regulation 22, which covers direct marketing by electronic mail. Regulation 22(2) requires (except in a very limited set of circumstances, not relevant here) that individuals must give consent to receive such marketing.
Essentially what this means is that any E-mail communication sent by either the Scottish Conservatives or the SNP that amounts to direct marketing (which is likely to be every e-mail) in reliance upon the consent obtained through their respective privacy policies is unlawful.
Now, to the Data Protection Act issues. A data controller (which any political party will be) must only process personal data fairly and lawfully (first data protection principle). For the processing to be lawful a Schedule 2 condition must be satisfied (and in the case of sensitive personal data, a Schedule 3 condition as well). One of the conditions in Schedules 2 and 3 is essentially processing to which the data subject has consented; however, neither the SNP nor the Scottish Conservatives can wholly rely on consent because they simply do not have the data subject's consent. They wouldn’t be able to satisfy any of the other Schedule 2 or 3 conditions to legitimise their sending of direct marketing e-mail communications; they would therefore also breach the first data protection principle when sending those E-mails.
Turning once again to the Scottish Conservatives, they are currently running a petition on their website against having a second referendum on Scottish independence. They continue to rely on implied consent for general communications about the Scottish Conservative Party and are arguably collecting personal data unfairly as well. While the link to their data collection and use policy is clearer, it comes after the “sign up” button and still requires individuals to navigate away from the page that they are on in order to see exactly how their personal data is going to be used by the Scottish Conservatives.
One other issue with the SNP’s National Survey website relates to the third data protection principle which states that “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.” All of the fields are mandatory and it is unclear as to why information such as the number of children or grandchildren you have under the age of 18 or indeed what your name or E-mail has to do with gauging support for a second independence referendum. This is simply an exercise in gathering personal data and that should be made clear from the website and the survey (otherwise it will only add to the breaches of the first data protection principle). Those fields should, as a very minimum, be made optional.
To conclude, while the Scottish Conservatives have raised legitimate and valid criticisms of the SNP’s National Survey website, they would do well to remember that people in glass houses ought not to throw stones.