Apropos of my previous post on the Tories’ deeply embarrassing data ‘loss’ in Crewe and Nantwich, further investigations have turned up what appear to be a number of unfortunate ‘anomalies’ in key records.
For one thing, it’s not at all clear exactly who is responsible for this data and whether it was even collected and processed legally before it left the UK.
A search of the Information Commissioner’s Register of Data Controllers shows that Crewe and Nantwich Conservative Association is not registered with the Information Commissioner under the provisions of the Data Protection Act. The upshot is that the kind of information the Association can legally obtain, hold and process in its own right is very limited, little more than simple mailing lists of names and addresses.
As such, and unless the Association is operating permanently under the umbrella of Conservative Central Office, the Association cannot legally process sensitive personal information, which includes telephone numbers, information on individuals’ financial status and, particularly, any expressed voting intentions.
And even if it is operating under the umbrella of Conservative Central Office, its legal problems may only just be starting, due to issues with the Conservative Party’s own registration.
The Isle of Man is well known for several things: its annual Tourist Trophy (TT) event, Manx cats with no tails and its somewhat unusual status as an offshore tax haven, a status that it maintains only by virtue of a somewhat unorthodox semi-detached relationship with both the UK and the EU.
The upshot of all this is that while it enjoys a special trading status with the EU, the Isle of Man is neither a member of the European Union nor of the slightly broader European Economic Area…
…all of which would present no great difficulties were it not for the fact that the Conservative Party is not registered under the Data Protection Act in such a way as to permit it to legally transfer personal data anywhere outside the EU and EEA.
So the very act of sending this information to a non-EEA area is, itself, unlawful and contrary to the entry of the Register of Data Controllers if, indeed, it is permissible for Crewe and Nantwich Conservative Association to rely on CCHQ’s registration status rather than have to make its own registration.
This also poses the question of exactly where this information should have gone, rather than where it actually turned up as, again, if its intended destination lies outside the EU & EEA then any such transfer would be unlawful.
Clearly, there are any number of important questions that need to be asked about the circumstances leading to the Conservatives losing the personal data of 8,000 people in such a boneheaded fashion.