Post: 8 May 2014
Earlier this week Wokingham Borough Council revealed that it had written to just over 18,000 residents to inform them their names and addresses from the electoral register may have been disclosed in error to third parties for marketing purposes.
The council blamed this error on “a third party software glitch which is currently being investigated”. It did not name the software supplier, but said that some 90 local authorities use the same software.
This follows similar data breaches reported two weeks ago by three Welsh councils. Based on statements from the councils involved (Rhondda Cynon Taf, Caerphilly and Torfaen) those breaches affected a much smaller number of residents.
The electoral register: full vs edited versions
Local authorities maintain two versions of the electoral register: the full version, which can legally be used only for elections, preventing and detecting crime, and checking applications for loans or credit, and the edited version, which is available for general sale and can be used by anyone for any purpose.
The full version includes the names and addresses of all individuals who are registered to vote. However individuals can have their details withheld from the edited version by opting out on the electoral registration form. The recently disclosed data breaches apparently occurred because those opt out decisions were not properly observed.
Sale of data from the electoral register has sometimes been controversial. The Electoral Commission and the Association of Electoral Administrators have called for the abolition of the edited register. The previous Labour government held a public consultation in 2009-10 but did not publish an outcome prior to the General Election. The current government has maintained the existing arrangements.
Councils have sometimes been criticised by the likes of the TaxPayers’ Alliance and its privacy spin-off Big Brother Watch for selling data from the edited electoral register to marketing companies. However in practice the electoral regulations do not give councils much say over who they sell the data to or how it is used.
For more background on this subject see this Commons Library note, this Bevan Brittan LLP briefing, and this post by Tim Turner.
Data protection
Councils are obliged to honour the opt out on the registration form and make sure only the edited electoral register, and not the full version, is made available for general use. Wokingham’s FAQ indicates the council provided the full version to credit reference agencies (such as Experian) without the opt out marker. Those agencies “may have” sold on the details of individuals who opted out to direct marketing companies, and those details “may have” appeared on 192.com. This happened “because of a software error”.
Without knowing the details of the software it’s difficult to judge how much these data breaches are the responsibility of the third-party supplier or whether they could have been avoided through additional checks in the councils’ working processes.
Ultimately local authorities are responsible for protecting the personal data that they hold. However the Wokingham breach closely follows similar breaches disclosed by three other councils. Wokingham has blamed the software and made a point of noting that the same software is used by some 90 other councils. That does suggest the same problem might have occurred or may occur at other councils.
Software supplied by Idox?
Although Wokingham has been circumspect and does not name its software supplier, a job advert from October says the council uses the “Idox Electoral Database System” for processing of data input from registration/application forms.
A report in the South Wales Echo indicates the three Welsh councils also use Idox software.
Idox group is a supplier of software solutions and services, mainly to the UK public sector. Its main registered company is Idox plc. In 2010 Idox acquired Computershare, a provider of electoral management software, and renamed it Strand Electoral Management Services Limited.
Idox markets electoral registration and election management solutions under the name Idox Elections, but that seems to be a brand rather than a separate entity.
Idox plc directors include Tory grandee Peter Lilley and web scientist Professor Dame Wendy Hall.