Voter data protection in Elections – Navigating the rules ahead of the next poll

Maybe it’s just me, but every time the Budget comes around, my mind drifts to general elections. I’m not sure why—it just does. This time, it led me to think about how voter information is used, particularly by political parties.

Barbados has had a Data Protection Act 2019 (DPA) in place for over four years now, and it has been officially proclaimed as law. However, it would be understandable if political parties were not yet fully prepared to comply, given that the law is still in its early stages of implementation. Additionally, I don’t believe we had identified a data protection regulator when the last election took place on January 19, 2022.

With another election cycle on the horizon, I thought it would be useful for citizens to understand their rights and how political parties can legally obtain and use their personal data during campaigns. While our election laws are well established, this article will focus specifically on data protection in the electoral process. Since Barbados has limited precedent in this area, it makes sense to look at how the UK—where data protection laws are more mature—has put mechanisms in place for stakeholders.

For those familiar with the Data Protection Act (DPA), it may be seen as the law that requires organisations to collect personal data only with consent—meaning individuals must agree to having their data collected, stored, and processed. Since Barbados’ DPA 2019 classifies political opinions as sensitive information, any processing of such data requires explicit consent.

However, there are other legal aspects voters should be aware of, particularly the Representation of the People Act 1991. Like UK law, this Act entitles registered political parties, candidates, and campaigners to access certain voter information through official channels. For instance, political parties and candidates are legally entitled to receive copies of the full electoral register, which contains voters’ names and addresses. Additionally, they can access the marked register, which indicates who voted in past elections—though not how they voted.

Any additional use for election-related purposes must be limited to specific, legal, and proportional uses. Any processing must adhere to the principles outlined in the Barbados DPA, including lawfulness, fairness, and transparency.

Data Protection Requirements

Even if political parties or candidates obtain voter information lawfully (e.g., through the Electoral and Boundaries Commission), they are considered data controllers under the DPA and must:

• Process data lawfully, fairly, and transparently.
• Ensure data is collected for a legitimate purpose and used only for that purpose.
• Minimize data collection, limiting it to what is necessary.
• Keep voter data accurate and up to date.
• Store data securely to prevent unauthorized access or misuse.
• Delete data when it is no longer needed.

The Responsible Handling of Voter Data in Political Campaigning

The handling of voter data is a critical aspect of political campaigning, requiring strict compliance with data protection laws to ensure transparency and fairness. In Barbados, political parties must navigate these regulations carefully, particularly when it comes to sharing voter information.

Political parties are prohibited from sharing voter data with unauthorized third parties. Any transfer of data must align with the Barbados Data Protection Act (DPA) 2019. The only exception to this rule applies to data processors, such as third-party campaign consultants, who may handle voter information on behalf of a political entity. Even in these cases, strict contractual terms must be in place to ensure compliance with data protection laws, safeguarding personal information from misuse or unauthorised access.

When processing voter data, political parties must establish a lawful basis for their actions. The DPA outlines specific grounds under which personal data may be processed. One such basis is legal obligation, which applies if electoral laws explicitly permit access to voter information. In some cases, political entities may invoke the public interest argument, particularly when engaging in activities that promote democratic participation. Another potential justification is legitimate interests, where data processing is deemed necessary for political engagement, provided it does not infringe on the rights of individuals.

Alternatively, political parties may rely on consent, requiring voters to provide explicit permission for their data to be used. However, relying on consent may not always be practical, as many voters may not be fully aware of their data protection rights. Additionally, if consent is not obtained in a well-informed and transparent manner, its legitimacy could be questioned, potentially undermining the fairness and lawfulness of the data processing.

Regardless of the legal basis political parties use to engage voters, they need a basic data privacy program and a designated officer to protect voters’ rights. Given the decentralized nature of elections, parties must ensure compliance with the Barbados Data Protection Act (DPA) 2019 when handling voter data.

Voter data use should be minimal, limited to election purposes, and secured against unauthorized access. Transparency is essential—parties must inform voters how their data is collected, used, and stored to maintain public trust.

As elections approach, responsible data handling is vital. While the DPA 2019 sets legal standards, compliance is evolving. Voters have a right to know how their data is used, and political parties must uphold lawfulness, fairness, and transparency. By adopting strong privacy measures and clear communication, parties can build trust and protect democratic integrity in an era where data protection is both a legal duty and an ethical obligation.

steven@dataprivacy.bb