The UK's ruling Conservative Party has been using personal data in a way that spots an individual's likely county of origin, ethnic origin and religion based on their first and last name.
According to an ICO report, the Tory party purchased so-called "estimated onomastic data" and appended it to the records of 10 million voters.
In a report looking at UK political parties' use of personal data for campaigning, the UK's Information Commissioner's Office said the processing of such data should end where no special exemptions apply.
"Where no Article 9 condition can be identified for the processing of special category data such as estimated onomastic data, the processing of this data must cease," said the report Audits of data protection compliance by UK political parties.
The ICO found that the UK's opposition Labour only sourced data from one supplier which used information about individuals aggregated from multiple sources. It had previously also sourced other onomastic data but "they ceased buying this type of data as they could not justify its lawful use following the GDPR and [Data Protection Act] 2018 coming into force," the report said.
For what it's worth, the Liberal Democrats used commercial data that comprised 25 voter attributes.
"The supplier estimated the attributes they obtained, including data implying an individual's age or the likelihood of them reading a newspaper. They used this data to better target the Liberal Democrat's advertising to individuals who may support the party.
The Scottish Nationalist Party, Democratic Unionist Party, Plaid Cymru and UKIP "did not source any commercially available data," the report added.
Information Commissioner Elizabeth Denham said digital engagement in the political process could be positive, but "engagement must be lawful, especially where there are risks of significant privacy intrusion – for instance around invisible profiling activities, use of sensitive categories of data and unwanted and intrusive marketing."
Denham said in the foreword to the report: "The risk to democracy if elections are driven by unfair or opaque digital targeting is too great for us to shift our focus from this area."
Jim Killock, executive director of campaign organisation The Open Rights Group, said: "The Conservatives appear to have been processing personal data unlawfully. It is very unwise and highly unethical to guess people's background from their name and address, which appears to be the main means that parties have created voter profiles."
He called on the ICO to make demands forcefully. "[It] should have taken regulatory action, rather than just issued a report. If parties and other processors only receive advice when they are found to be acting unlawfully, then they have no incentive to get it right the first time. The ICO must regulate. It is not a consultancy."
The UK's enactment of the General Data Protection Directive (GDPR) came into force in May 2018. Chris Combemale, CEO of the Data & Marketing Association, said it was concerning that the ICO was finding issues with political parties' compliance years later.
"The ICO's report analysing political parties' data protection practices highlights a number of compliance issues with current data protection law. While it is good that the parties have made commitments to rectify shortcomings, it has come several years after the GDPR's implementation which is concerning.
"It is the duty of every person within an organisation to know their responsibilities under the GDPR and compliance must be exhibited through all marketing and communication channels, including websites," he said.
The Register has contacted the Conservative Party for comment. ®