ICO Report on its Investigation into the Use of Data Analytics in Political Campaigns

November 6, 2018

The full report can be accessed here.

In her introductory message, Elizabeth Denham, the
Information Commissioner, states:

The invisible, ‘behind
the scenes’ use of personal data to target political messages to individuals
must be transparent and lawful if we are to preserve the integrity of our
election process. We may never know whether individuals were unknowingly
influenced to vote a certain way in either the UK EU referendum or the in US
election campaigns. But we do know that personal privacy rights have been
compromised by a number of players and that the digital electoral ecosystem
needs reform. …

Our investigation
uncovered significant issues, negligence and contraventions of the law. Now we
must find the solutions. What can we do to ensure that we preserve the
integrity of elections and campaigns in future, in order to make sure that
voters are truly in control of the outcome?

Executive Summary

The Executive Summary of the Report is as follows:

The Information Commissioner announced in May 2017 that she
was launching a formal investigation into the use of data analytics for
political purposes after allegations were made about the ‘invisible processing’
of people’s personal data and the micro-targeting of political adverts during
the EU Referendum.

The investigation has become the largest investigation of
its type by any Data Protection Authority – involving online social media
platforms, data brokers, analytics firms, academic institutions, political
parties and campaign groups.

This is the summary report of our investigation. It covers
the areas we investigated, our findings and our actions to date. Where we have
taken regulatory action, the full details of our findings are – or will be –
set out in any final regulatory notices we issued to the parties being

A separate report, Democracy
Disrupted? Personal Information and Political Influence
was published in
July 2018, covering the policy recommendations from the investigation.

One of the recommendations arising from this report was that
the Government should introduce a statutory code of practice for the use of
personal data in political campaigns and we have launched a call for views on
this code.

We will continue to pursue any actions still outstanding at
the time of writing. Regulatory action taken to date:

Political parties

  • We sent 11 warning letters requiring action by the main
    political parties, backed by our intention to issue assessment notices for
    audits later this year.

We have concluded that there are risks in relation to the
processing of personal data by many political parties. Particular concerns
include the purchasing of marketing lists and lifestyle information from data
brokers without sufficient due diligence, a lack of fair processing and the use
of third party data analytics companies, with insufficient checks around

Cambridge Analytica and SCLE Elections Limited

  • Cambridge Analytica (CA) is a trading name of SCLE Elections
    Ltd (SCLE) and so the responsibilities of the companies often overlapped. Both
    are subsidiaries of SCLE Group (SCLE). For ease of reading we will be referring
    to all the company entities using Cambridge Analytica.
  • We issued an enforcement notice requiring the company to
    deal properly with Professor David Carroll’s Subject Access Request.
  • Despite the company having entered into administration, we
    are now pursuing a criminal prosecution for failing to properly deal with the
    enforcement notice.
  • While we are still conducting our investigations and
    analysis of the evidence we have recovered so far, we’ve already identified
    serious breaches of data protection principles and would have issued a substantial
    fine if the company was not in administration.
  • We are in the process of referring CA to the Insolvency


  • We issued Facebook with the maximum monetary penalty of
    £500,000 available under the previous data protection law for lack of
    transparency and security issues relating to the harvesting of data. We found
    that Facebook contravened the first and seventh data protection principles
    under the Data Protection Act 1998 (DPA1998).
  • We are in the process of referring other outstanding issues
    about Facebook’s targeting functions and techniques used to monitor
    individuals’ browsing habits, interactions and behaviour across the internet
    and different devices to the Irish Data Protection Commission, as the lead
    supervisory authority for Facebook under the General Data Protection Regulation

Leave.EU and Eldon Insurance

  • We issued a notice of intent to fine both Leave.EU and Eldon
    Insurance (trading as GoSkippy) £60,000 each for serious breaches of the
    Privacy and Electronic Communications Regulations 2003 (PECR), the law which
    governs electronic marketing. More than one million emails were sent to
    Leave.EU subscribers over two separate periods which also included marketing
    for GoSkippy services, without their consent. This was a breach of PECR
    regulation 22.
  • We also issued a notice of intent to fine Leave.EU £15,000
    for a separate, serious breach of PECR regulation 22 after almost 300,000
    emails were sent to Eldon Insurance (trading as GoSkippy) customers containing
    a Leave.EU newsletter.
  • We have issued a preliminary enforcement notice to Eldon
    Insurance under s40 of the DPA1998, requiring the company to take specified
    steps to comply with PECR regulation 22. We will follow this up with an audit
    of the company.
  • We are investigating allegations that Eldon Insurance
    Services Limited shared customer data obtained for insurance purposes with
    Leave.EU. We are still considering the evidence in relation to a breach of
    principle seven of the DPA1998 for the company’s overall handling of personal
    data. A final decision on this will be informed by the findings of our audit of
    the company.

We have also begun a wider piece of audit work to consider
the use of personal data and data sharing in the insurance and financial

Relationship between AggregateIQ, Vote Leave and other leave

  • We issued an Enforcement Notice to AggregateIQ to stop
    processing retained UK citizen data.
  • We established the contractual relationship between
    AggregateIQ and the other related parties. We also investigated their access to
    UK personal data and its legality. And we engaged with our regulatory
    colleagues in Canada, including the federal Office of the Privacy Commissioner
    and the Office of the Information and Privacy Commissioner, British Columbia to
    assist in this work.

Remain campaign

  • We are still looking at how the Remain side of the
    referendum campaign handled personal data, including the electoral roll, and
    will be considering whether there are any breaches of data protection or
    electoral law requiring further action. We investigated the collection and
    sharing of personal data by Britain Stronger in Europe and a linked data
    broker. We specifically looked at inadequate third party consents and the fair
    processing statements used to collect personal data.

Cambridge University

  • We conducted an audit of the Cambridge University
    Psychometric Centre and made recommendations to ensure that the university
    makes improvements to its data protection and information security practices,
    particularly in the context of safeguarding data collected by academics for
  • We also recommended that Universities UK work with all
    universities to consider the risks arising from use of personal data by
    academics. They have convened a working group of higher education stakeholders
    to consider the wider privacy and ethical implications of using social media
    data in research, both within universities and in a private capacity.

Data brokers

  • We issued a monetary penalty in the sum of £140,000 to data
    broker Emma’s Diary (Lifecycle Marketing (Mother and Baby) Limited), for a
    serious breach of the first principle of the Data Protection Act 1998.
  • We issued assessment notices to the three main credit
    reference agencies – Experian, Equifax and Call Credit – and are in the process
    of conducting audits.
  • We have issued assessment notices to data brokers Acxiom
    Ltd, Data Locator Group Ltd and GB Group PLC.
  • We have looked closely at the role of those who buy and sell
    personal datasets in the UK. Our existing investigation into privacy issues
    raised by their services has been expanded to include their activities in
    political campaigns.