Data Protection Commission

Case study 5

Political database and a charity request, "spamming" of constituents and non co-operation from a County Councillor

During the year, I received two complaints concerning matters relating to political activity which raised important Data Protection issues.

The first related to a political party. It was alleged by the complainant, a member of this party, that another local member of the party who was also a member of a charitable organisation had sent him a fund-raising letter on behalf of the charity which identified him as "an active member of our community within the party". He maintained that his contact details were obtained from the party membership list held locally.

While the appeal for the charity was worthwhile nevertheless once a complaint was received I had to take the matter up with the party's national headquarters. It responded promptly and acknowledged that the local member had used the local party database in sending out an appeal for funds for the charity. While the individual was well-intentioned, the headquarters accepted that the use of data in this way was a contravention of section 2 of the Data Protection Acts, 1988 and 2003 which provides that personal data

(i) " shall have been obtained only for one or more specified , explicit and legitimate purposes"

and

(ii) "shall not be further processed in a manner incompatible with that purpose or those purposes."

Data relating to membership of a political party is sensitive personal data within the meaning of the Acts and such data controllers are required to ensure that appropriate safeguards against disclosure are in place. This is especially important given the provision in section 2B(1)(ix) of the Acts which permits processing of sensitive data without individual consent "by political parties, or candidates for election to, or holders of, elective political office in the course of electoral activities for the purpose of compiling data on people's political opinions?". In the course of concluding this complaint, my Office advised the party on their obligations as a data controller, particularly in regard to informing members processing personal data of the requirements of Data Protection.

The second complaint which was received in late 2003 was about an unsolicited email of a political nature which had been sent by a County Councillor, Jon Rainey, of Fingal County Council. It was alleged that in June 2003 he had "harvested" email addresses from the address line of an email sent by a third party – who was also a County Councillor but of another party. ("Harvesting" refers to the addition to one's own mailing list of any email address received on the "to" or "cc" line of the email). This was in contravention of the provisions of S.I. No. 535 of 2003 (European Communities (Electronic Communications Networks and Services (Data Protection) Regulations 2003) which provides for prior consent for unsolicited emailing of individuals for direct marketing purposes, including political purposes.

I only name Mr. Rainey in my Report as he failed completely to cooperate with my investigations and only acknowledged the facts of the complaint 6 months after I had first raised them and then only when I had to formally issue him with an Information Notice under sections 10 and 12 of the Acts. At that late stage, he confirmed that the details of email addresses "harvested" from another email had been deleted from his system and that no further details had been been obtained in this manner. However, his attitude to my Office was that the matter was of little consequence and he complained that I had "pestered" him.

It is important that public representatives and candidates for elective office realise the importance of their obligations under the Acts and that, in so far as responding to legitimate investigations from statutory office holders is concerned, in no sense should they consider themselves above the Law. In this case, I was concerned that a public representative failed to see the significance of a complaint that he was "spamming" his constituents and equally that a lot of unnecessary correspondence and time could have been spared if a full reply to this matter had been received initially.

That said I am pleased to record that this was an isolated incident as any complaints I have received regarding political activities are responded to in a proper and prompt manner.

used the local political party database in sending out an appeal for funds for a charity. While the individual was well-intentioned it was accepted that the use of data in this way was a contravention of the Data Protection Acts.

a public representative failed to see the significance of a complaint that he was "spamming" his constituents and equally a lot of unnecessary correspondence and time could have been spared if a full reply to this matter had been received initially - an isolated incident as any complaints I have received regarding political activities are responded to in a proper and prompt manner.

 

Appendix 6- SPAM initiative

It is acknowledged that to tackle the international problem of SPAM a combination of technical, legal and educational measures are required and that there has to be international co-operation between the various authorities responsible for tackling this issue. My office participates in meetings of a group made up of EU enforcement authorities which are drawn from the Consumer Protection, Telecommunications Regulation or Data Protection depending on where the responsibility for SPAM enforcement lies. This group has recently agreed on a procedure for co-operation on investigations that involve more than one EU country.

My office has also signed up to the London Action Plan which provides for co-operation and the sharing of experience and knowledge beyond the EU and with private sector organisations.