James Dipple-Johnstone and Elizabeth Denham (Pic: Parliament TV)
The Information Commissioner Elizabeth Denham has published a report into the the use of data analytics for political purposes at the same time as appearing before the Parliamentary DCMS committee today.
Appearing alongside her deputy commissioner James Dipple-Johnstone, Denham was testifying on "Disinformation and 'fake news'" before the Digital, Culture, Media and Sport Committee (DCMS), chaired by the MP Damian Collins.
The report into data analytics and political campaigning, which runs to 113 pages, is the culmination of "the largest investigation of its type by any Data Protection Authority," the report says. It involved social media platforms, data brokers, analytics firms, academic institutions, political parties and campaign groups.
The report is a summary of its findings – more details will emerge in any regulatory notices which are issued by the Information Commissioner's Office (ICO).
The report recommends the introduction of a statutory code of practice for the use of personal data in political campaigns. The ICO has launched a call for views on this code.
The ICO is taking regulatory action against:
- Political parties – 11 warning letters have been issued to the main political parties which could be followed by audits later in the year.
- Cambridge Analytica and SCLE Elections Limited – the ICO is pursuing a criminal prosecution and has also referred the company to the Insolvency Service.
- Facebook has been fined £500,000, the maximum under the Data Protection Act 1998 and is referring other matters to the Irish Data Protection Comission.
- Leave.EU and Eldon Insurance will be fined £60,000 each for "serious breaches of the Privacy and Electronic Communications Regulations 2003" which governs electronic marketing, and a separate fine of £15,000 will be levied against Leave.EU. The ICO will also audit Eldon’s handling of personal data in relation to principle seven of the DPA1998.
- AggregateIQ has been issued with an enforcement notice to stop processing retained UK citizen data
- Remain campaign and Britain Stronger in Europe – the ICO is still examining how it handled data including the electoral roll.
- The Cambridge University Psychometric Centre has been audited by the ICO which made recommendations for how the university can strengthen its data protection and information security practices. It has also made broader recommendations for how academics should safeguard information collected during research projects.
- Data Brokers – the ICO fined data broker Emma’s Diary £140,000 and is auditing credit references agencies Experian, Equifax and Callcredit. It has also issued assessment notices to data brokers Acxiom Ltd, Data Locator Group Ltd and GB Group PLC.
The ICO has devoted significant resources to the investigation, it said. It has 700 terabytes of data to examine – equivalent to 52.5 billion pages. This is presumably contained in the 85 pieces of equipment, including servers, which it has seized. A total of 40 ICO investigators have been assigned to the investigation, and it has identified 71 witnesses of interest.
During her testimony to the Digital, Culture, Media and Sport Committee, Denham said it would be "very useful" if Facebook boss Mark Zuckerberg were to talk to the committee.
It has also emerged that Aleksandr Kogan, the academic who founded psychometric testing company GSR, was sought out by Cambridge Analytica because it was aware that he had access to data, on a research basis, that it could not legitimately access for commercial purposes.
It is estimated that Kogan had access to the data of up to 87 million people worldwide, including up to one million people in the UK, without their knowledge or consent.
Speaking of the relationship between Kogan and Cambridge Analytica, the ICO wrote: "They [Cambridge Analytica] had insight (and seeming disregard) that they were commercialising data that had not been consented for that purpose and were active in directly controlling the manner and frequency with which that data was harvested from the platform," the report says.
Kogan and others have been invited to attend voluntary interviews under caution, the ICO said, but they had all declined.
Denham said that Facebook, Cambridge Analytica and others showed "a disturbing level of disrespect" for personal data.
She said the time for self-regulation of social media was over. "That ship has sailed," she said.
DCMS committee chair Damian Collins commented: "Elizabeth Denham has identified disturbing disrespect for the data of voters and prospective voters. This report rightly focuses on the lack of concern and the disregard for the privacy and rights of UK voters by Facebook, data brokers and others."