Local council campaigns raise data protection questions

Thousands of voters were targeted by unsolicited phone-calls and SMSes during the this month's round of local council elections, held in roughly half of Malta's towns and villages: once again raising questions as to where the candidates/parties had acquired the databases necessary for such campaigns, and whether the practice conforms to the Data Protection Act.

Following widespread reports of dubious data processing by the political parties, MaltaToday asked spokespersons of the three parties for their position on this issue. Both the Labour Party and Alternattiva Demokratika claimed that their own campaigns fell within the acceptable limits laid down by the law: both, however, pointed towards possibly abusive practices by the Office of the Prime Minister, specifically regarding abuse of government databases for purely partisan purposes.

Efforts to contact the Nationalist Party or its electoral office, Elcom, meanwhile proved futile.

"All our communications with the public are in accordance to current data protection laws," Labour's information secretary Kurt Farrugia told MaltaToday. "Any phone calls or SMS communication are either directed to members or else to numbers on public domain or people who would have subscribed to a service."

However, Farrugia expressed concern at the apparent abuse of government databases for political purposes.

"On the other hand, the Labour Party does not have the luxury of using public funds and the Prime Minister's office seal to target specific workers. GonziPN sent out hundreds of letters using the OPM letterhead before the last general election, writing directly to sectors such as Air Malta employees, Enemalta employees and Public Transport workers promising job guarantees."

"Needless to say, such guarantees faded away as soon as GonziPN won the 2008 elections," he added.

AD secretary-general Ralph Cassar likewise pointed towards the increasingly blurred distinction between government and party when it comes to unlawfully accessing and processing government databases.

"We must make a difference between publicly available data, for example the name and address available in the electoral register, and other data obtained from confidential databases," he said, adding that use of the former (public) databases is acceptable practice for any political party.

"The issue of data protection comes in when it goes deeper than this: targeting people using their employment data obtainable only through government departments or agencies. An example is letters sent by the office of the Prime Minister specifically asking me (and others of course) to vote PN last election. The letter was addressed to me as an employee of a pharmaceutical manufacturing firm. Other employees in different sectors received similar letters targeted to their particular profession or type of work. In that case it is clear that either my inland revenue department, social security or ETC database was used - databases on which my place of employment is recorded."

Cassar describes this as "abuse of private data which is given to government for the purposes of taxation, social security contributions, etc., and not for use by the PN".

Political exemption?

Historically, political observers have pointed towards an apparent exemption, provided for by the Data Protection Act, to allow political parties to process information which would be protected in other circumstances.

The wording of the exemption is as follows: "Any body of persons or other entity not being a commercial body or entity, with political, philosophical, religious or trade union objects may, in the course of its legitimate activities and with appropriate guarantees, process sensitive personal data concerning the members of the respective body or entity and such other persons who by reason of the objects of the body or entity have regular contact therewith."

However, this apparent exception is counterbalanced by the specific proviso that: "Sensitive personal data may be processed if the data subject: (a) has given his explicit consent to processing; or (b) has made the data public."

Furthermore, the same law indicates that "personal data is not (to be) processed for any purpose that is incompatible with that for which the information is collected".

The law defines 'processing' as "any operation or set of operations which is taken in regard to personal data, whether or not it occurs by automatic means, and includes the collection, recording, organisation, storage, adaptation, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction of such data".

The principles of data protection

• Personal data is processed fairly and lawfully;
• Personal data is always processed in accordance with good practice;
• Personal data is only collected for specific, explicitly stated and legitimate purposes;
• Personal data is not processed for any purpose that is incompatible with that for which the information is collected;
• Personal data that is processed is adequate and relevant in relation to the purposes of the processing;
• No more personal data is processed than is necessary having regard to the purposes of the processing;
• Personal data that is processed is correct and, if necessary, up to date.
• All reasonable measures are taken to complete, correct, block or erase data to the extent that such data is incomplete or incorrect, having regard to the purposes for which they are processed;
• Personal data is not kept for a period longer than is necessary, having regard to the purposes for which they are processed.