DATA PROTECTION ACT 1998

SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER

ENFORCEMENT NOTICE

To: SCL Elections Limited

Of: 55 New Oxford Street
London
WC1A 1BS

1. SCL Elections Limited is a data controller as defined in section 1(1) of the Data Protection Act 1998 ("DPA").

2. Section 4(4) of the DPA provides that, subject to section 27(1), it is the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.

3. The Information Commissioner ("Commissioner") has considered a request for assessment made under section 42 of the DPA by Professor David Carroll ("the complainant").

4. The request for assessment concerned the failure by SCL Elections Limited ("the data controller") to supply personal data requested by way of a subject access request in compliance with the requirements of section 7 of the DPA.

5. The complainant made a subject access request to the data controller on 10 January 2017, by completing an online form at https://datarequests.cambridgeanalytica.org

6. The complainant received a response from the email address data.compliance@sclgroup.cc informing him to submit a £10 fee and proof of ID to SCL Elections Ltd, which was said to be Cambridge Analytica's agent for the purposes of subject access requests under the DPA.

7. Having provided the required information and fee, the complainant received a substantive response to his request on 27 March 2017 under cover of a letter from the SCL Group, marked for and behalf of Cambridge Analytica.

8. Under cover of this letter the complainant was provided with a spreadsheet which was said to contain all of the personal data to which he was entitled to under the DPA. The spreadsheet contained information under three separate categories:
    (i) "Core data", which included the complainant's name, address, date of birth, and voter ID.
    (ii) "Election returns", which included the complainant's election returns for both primary and general elections from 2000 to 2014, and in some cases it is understood an indication of the political party to which the complainant was registered at the time.
    (iii) "Models", which included a profile purporting to show the complainant's views on ten issues including gun rights, education, healthcare, immigration and the environment, ranking the apparent importance of these issues to the complainant between 1 and 10. It also included his likely partisanship categorised by both his registered and unregistered political preference and likely propensity to vote in the 2016 general election.

9. In addition the data controller informed the complainant that it processed this data for the purposes of "audience opinion / behaviour research and polling; statistical analysis and predictive algorithm development; and communications / outreach support services". It explained that the data was sourced ".. through reputable data vendors" and ".. large scale research through research partners". It also provided a very generic list of the classes of recipients of the data, including "political campaigns, non-profit organisations and commercial entities".

10. The complainant was not satisfied with the response to his subject access request and complained to the Commissioner. Amongst other things, the complainant did not consider that he had been provided with all of the personal data held about him by the data controller, nor an adequate explanation of where the data had been obtained from or how it would be used.

11. The Commissioner wrote to the data controller about this matter on 12 September 2017.
The data controller was asked a number of questions in relation to the data it held about the complainant, for example whether it had provided the complainant with all of the personal data it held; what purposes it processed that data for; whether it had relied on any exemption to the right of subject access; and further details as to where the data had been obtained from and to whom it had been disclosed.

12. The data controller responded to the Commissioner on 26 September 2017 asserting that as the complainant was not a UK citizen, nor based in the UK, he was not entitled to make a subject access request or make a request for assessment to the Commissioner under the DPA. The data controller stated that the complainant was no more entitled to make a subject access request under the DPA "than a member of the Taliban sitting in a cave in the remotest corner of Afghanistan". The data controller did not respond to the specific questions raised by the Commissioner in her correspondence about the data it held about the complainant.

13. The Commissioner responded to the data controller on 26 October 2017 providing a detailed explanation as to why the complainant was entitled to make a subject access request under the DPA and why her office had jurisdiction to consider his complaint. The Commissioner therefore asked for a response to the questions she had previously asked the data controller about the data it processed about the complainant.

14. The data controller replied to the Commissioner on 2 November 2017. It again refused to accept that the complainant was entitled to make a subject access request or a request for assessment under the DPA, asserting that the Commissioner had no vires to consider the complaint. The data controller informed the Commissioner that it did ".. not expect to be further harassed with this sort of correspondence".

15. The Commissioner has considered the data controller's compliance with the provisions of the DPA in light of these matters.
The relevant provisions of the DPA are the Sixth Data Protection Principle and section 7.

16. The Sixth Data Protection Principle provides at Part I of Schedule 1 to the DPA that:

"Personal data shall be processed in accordance with the rights of data subjects under this Act."

17. Paragraph 8(a) of Part II of Schedule 1 to the DPA further provides that:

"A person is to be regarded as contravening the sixth principle if, but only if, he contravenes section 7 by failing to supply information in accordance with that section."

18. In relevant part, section 7 of the DPA provides as follows:

(1) Subject to the following provisions of this section and to sections 8, 9 and 9A, an individual is entitled -
    (a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,
    (b) if that is the case, to be given by the data controller a description of -
        (i) the personal data of which that individual is the subject,
        (ii) the purposes for which they are being or are to be processed, and
        (iii) the recipients or classes of recipients to whom they are or may be disclosed,
    (c) to have communicated to him in an intelligible form -
        (i) the information constituting any personal data of which that individual is the data subject, and
        (ii) any information available to the data controller as to the source of those data, and
    (d) where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.
(2) A data controller is not obliged to supply any information under subsection (1) unless he has received—
    (a) a request in writing, and
    (b) except in prescribed cases, such fee (not exceeding the prescribed maximum) as he may require.
(3) Where a data controller—
    (a) reasonably requires further information in order to satisfy himself as to the identity of the person making a request under this section and to locate the information which that person seeks, and
    (b) has informed him of that requirement,
the data controller is not obliged to comply with the request unless he is supplied with that further information.
(4) Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless—
    (a) the other individual has consented to the disclosure of the information to the person making the request; or
    (b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.
(5) In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.
(6) In determining for the purposes of subsection (4)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to—
    (a) any duty of confidentiality owed to the other individual,
    (b) any steps taken by the data controller with a view to seeking the consent of the other individual,
    (c) whether the other individual is capable of giving consent, and
    (d) any express refusal of consent by the other individual.
(7) An individual making a request under this section may, in such cases as may be prescribed, specify that his request is limited to personal data of any prescribed description.
(8) Subject to subsection (4), a data controller shall comply with a request under this section promptly and in any event before the end of the prescribed period beginning with the relevant day.

19. The data controller has not cooperated with the Commissioner's investigation of this matter, nor responded to the specific enquiries made by her in relation to data processed about the complainant. In the circumstances, and on the basis of the evidence before her and in the public domain, the Commissioner considers that on the balance of probabilities the data controller has not fully complied with the complainant's subject access request.

20. In particular, the Commissioner considers that further personal data about the complainant must be held in order for the data controller to have generated the profile of the complainant that is set out in the "Models" category of the spreadsheet as referred to in paragraph 8(iii) above. Furthermore, the Commissioner considers that the description of the sources of personal data provided by the data controller were wholly inadequate.

21. The Commissioner is therefore of the view that the data controller has contravened the Sixth Data Protection Principle.

22.
The Commissioner has considered, as she is required to do under section 40(2) of the DPA when deciding whether to serve an Enforcement Notice, whether any contravention has caused or is likely to cause any person damage or distress. The Commissioner takes the view that damage or distress to the complainant is likely as a result of him being denied the opportunity of correcting inaccurate personal data, which may be processed by the data controller, because they are unable to establish what personal data are being processed within the statutory timescale.

23. In view of the matters referred to above the Commissioner hereby gives notice that, in exercise of her powers under section 40 of the DPA, she requires that the data controller shall within 30 days of the date of this notice take the following steps:

Provide the complainant with:
    (i) a description of the personal data processed by the data controller about the complainant;
    (ii) a description of the purposes for which that data are being processed;
    (iii) a description of the recipients or classes of recipients to whom the data are or may be disclosed;
    (iv) copies of the information constituting personal data about the complainant in an intelligible form in accordance with the requirements of section 7 of the DPA and the Sixth Data Protection Principle, subject only to the proper consideration and application of any exemption from, or modification to, section 7 of the DPA provided for in or by virtue of Part IV of the DPA which may apply; and
    (v) a description as to the source of that personal data.

24. Failure to comply with this notice is a criminal offence.

25. There is a right of appeal against this Notice to the First-tier Tribunal (Information Rights). Information about appeals is set out in the attached Annex 1.
Dated the 4th day of May 2018

Signed:
Elizabeth Denham
Information Commissioner
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

ANNEX 1

RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER

1. Section 48 of the Data Protection Act 1998 gives any person upon whom an Enforcement Notice has been served a right of appeal to the First-tier Tribunal (Information Rights) (the "Tribunal") against the notice.

2. If you decide to appeal and if the Tribunal considers:-
    a) that the notice against which the appeal is brought is not in accordance with the law; or
    b) to the extent that the notice involved an exercise of discretion by the Commissioner, that she ought to have exercised her discretion differently,
the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal.

3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address:

GRC & GRP Tribunals
PO Box 9300
Leicester
LE1 8DJ
Tel: 0300 1234504
Fax: 0870 739 5836
Email: GRC@hmcts.gsi.gov.uk
Website: www.justice.gov.uk/tribunals/general-regulatory-chamber

The notice of appeal should be served on the Tribunal within 28 days of the date on which the Enforcement Notice was sent.

4. The statutory provisions concerning appeals to the First-tier Tribunal (Information Rights) are contained in sections 48 and 49 of, and Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)).