Guidance Note for Data Controllers on Keeping Personal Data Obtained From the Electoral Register Up-to-date
The following guidance note has been prepared as an aid to data controllers in the practical application of the obligation to keep personal data up-to-date as it applies to personal data which sourced from the Electoral Register.
Since 2004, registration authorities are required to publish two versions of the Electoral Register – the ‘Full Register’ and the ‘Edited Register.’
- The ‘Full Register’ lists everyone who is entitled to vote and it can only be used for an electoral or other statutory purpose.
- The ‘Edited Register’ contains the names and addresses of persons whose details can be used for a purpose other than an electoral or other statutory purpose, e.g. for direct marketing use by a commercial or other organisation.
It is an offence under Section 13A(3) of the Electoral Act, 1992 (as amended by the Electoral (Amendment) Act, 2001) to use information on the Full Register for non-electoral or non-statutory purposes. Data controllers may only process the details of those persons published on the Edited Register for purposes other than an electoral or other statutory purpose.
Section 2(1)(b) of the Data Protection Acts, 1988 & 2003 places a statutory obligation on data controllers to ensure that personal data kept by them shall be accurate, complete and up-to-date. In that regard, in relation to personal data obtained by data controllers from the Electoral Registers which were published prior to the introduction of the Full Register and the Edited Register in 2004 and which is still being processed, there is a statutory obligation on the data controller to ensure that all personal data held is kept up-to-date.
The Data Protection Commissioner acknowledges that there was a period of adjustment required for data controllers in the marketing sector following the changes introduced to the Electoral Register in 2004. That period of adjustment has long since passed. It is the view of the Data Protection Commissioner that data controllers have had ample time since 2004 to carry out an updating exercise to ensure that individuals whose details have not been published in the Edited Register are removed from databases which are used for non-electoral or non-statutory purposes. Furthermore, the Data Protection Commissioner expects data controllers who process personal data obtained from the Electoral Register to have introduced a system to update their records to take account of the new Edited Register which is published each year.
In addition, individuals whose details have not been published on the Edited Register post 2004 must be presumed not to have consented to their personal data being used for direct marketing purposes. Accordingly, any such use of the personal data of those individuals constitutes a breach of the Data Protection Acts.
In summary, a data controller has a statutory obligation to ensure that any databases which it holds and which are populated by personal data that it gleaned solely from Electoral Registers at any time in the distant or more recent past are updated to ensure that they no longer contain personal data which is not published on the most up-to-date version of the Edited Electoral Register. This obligation requires a data controller to undertake an annual updating exercise.
» Permanent Link