The Conservative Party has been fined £10,000 for sending 51 emails in Boris Johnson’s name to people who did not want to receive them. In a breach of data laws the Information Commissioner’s Office (ICO) called “serious”, the emails, which addressed the recipients by name, were sent out over eight days in July 2019 after Mr Johnson became party leader and Prime Minister.
They set out Tory priorities, including issues surrounding Brexit, the NHS, and police officer numbers, and urged those who received the emails to join the party.
“Industrial-scale marketing email exercise”
But the ICO found that, because the party had switched email provider, it had not properly recorded that in 51 cases subscribers had asked to be removed from marketing lists. And while the investigation was ongoing, there was an “industrial-scale marketing email exercise” during the December 2019 election where nearly 23 million emails were sent and a further 95 complaints were raised.
ICO director of investigations Stephen Eckersley said:
The public have rights when it comes to how their personal data is used for marketing. Getting messages to potential voters is important in a healthy democracy, but political parties must follow the law when doing so. The Conservative Party ought to have known this, but failed to comply with the law.
All organisations – be they political parties, businesses or others – should give people clear information and choices about what is being done with their personal data. Direct marketing laws are clear and it is the responsibility of all organisations to ensure they comply.
The sending of nuisance marketing emails is a real concern to the public and the ICO will continue to take action where we find behaviour that puts people’s information rights at risk.
The ICO said of the 1,190,280 marketing emails sent by the party between July 24 and 31 2019, it was not possible to say for certain how many were validly sent “because the party has not been able to provide sufficient or clear evidence as to the extent to which lawful and valid consent was provided for all of those emails”.
And while it was accepted that a proportion would have been sent legitimately, especially to party members, there were 549,030 non-members who received emails where consent would be required. In the case of the 51 complaints received, the commissioner found there was not the necessary consent in place.
It is not the first time concerns have been raised over the Conservative Party’s handling of data, with the ICO highlighting fears in summer 2019.
It’s really concerning that such large-scale processing occurred during the ICO’s ongoing investigation and before the Conservative Party had taken all the steps necessary to ensure that its processing, and database of people who would receive emails, was fully compliant with the data protection and electronic marketing regulations.
A slow response
The ICO also rapped the Conservative Party for its slow response to the investigation. Documents released by the ICO said its probe had taken a long time partly because “the party repeatedly failed to provide responses within time periods set, even when those periods were extended”. The ICO said:
The Commissioner does not consider that this was satisfactory compliance with reasonable requests from the statutory regulator.
The party must pay the £10,000 fine by July 2. A Conservative Party spokesman said:
We have accepted this fine from the ICO. We have since reviewed and improved our processes and are fully compliant with all prevailing data protection and electronic marketing legislation.