How to collect signatures for a legislative initiative. Fine for the ‘Stop LGBT’ Initiative Committee
The President of the Personal Data Protection Office has imposed a fine of PLN 10,913 on the "Stop LGBT" Legislative Initiative Committee for the way it conducted the collection of signatures. This was because the lists with signatures for the project banning assemblies on LGBT rights were left lying unsecured in the church.
Referring citizens' legislative projects to the Sejm (the lower chamber of the Polish Parliament) is becoming an increasingly common practice. In order to support an initiative, data such as name, surname, personal identification number (PESEL number) and address have to be collected. In addition, each page of the list of support must contain the name of the committee and the initiative itself. The result is therefore a set of data on citizens which may also reveal their political opinions or philosophical beliefs. The controller of this data is the legislative initiative committee, and the obligations under the GDPR fall on it.
According to information received by the DPA, the “Stop LGBT” Legislative Initiative Committee, which collected signatures, did so in such a way that the lists of support were not protected. As indicated, in one church the lists were “lying quietly on the side altars, and during the week on the Catholic press table under the choir. (...) Anyone can photograph them and even take them out of the church without the slightest problem. And there is sensitive data there, because they also reveal a particular worldview and religion. People's sensitive data are exposed to unrestricted accessibility (...)”.
The controller confirmed that the described situation took place, but in its opinion there was no breach of the GDPR provisions. However, the proceedings conducted by the President of the DPA revealed a breach of a number of provisions of the GDPR, including those relating to personal data security.
Risk assessment
It is true that the controller conducted a risk analysis, but it did so incorrectly, failing to identify all possible risks and assessing the risks it did identify as “negligible”.
In particular, this resulted in the signature collectors failing to supervise the lists of support, which gave bystanders free access to these lists and to the personal data on them.
The controller only analysed the risk of loss or destruction of the lists. Thus, it examined the matter from its point of view. It did not take into account the rights of the data subjects and the fact that the data were available to other signatories to the initiative, as well as to bystanders in the local community.
How to collect signatures correctly
In the decision, the President of the Personal Data Protection Office indicates how to act correctly in such a situation. The GDPR does not contain a list of technical recommendations for such cases. However, it says what to take into account in order to correctly protect the entrusted data, especially sensitive data.
Signature collectors must ensure that the data are properly secured. It is necessary to constantly supervise the data already collected and protect it from subsequent signatories by covering the part of the list that is already filled with personal data. It is unacceptable to leave such lists unattended.
Anyone who follows these GDPR guidelines actually mitigates the risk of such problems.
What leads to a bad risk analysis?
In the case of the "Stop LGBT" Legislative Initiative Committee, the risk analysis was conducted, but it did not have a date. The analysis also identified only three situations, the occurrence of which could give rise to a risk of breach to the rights and freedoms of natural persons:
- unauthorised access to the data room,
- unauthorised copying of signature cards,
- and unauthorised transfer of information containing personal data.
The risk for each of the listed vulnerabilities was assessed as ‘negligible’. The risks of someone copying or photographing the list with addresses and PESEL numbers, or of other signatories seeing who among their neighbours had already signed, were ignored, not to mention the risk of bystanders also viewing those data.
Incorrect risk analysis led to further errors.
The controller assumed that, given the low risk, it would be sufficient for the signature cards to be constantly under the supervision of ‘signature collectors’. The collection was also to be controlled by persons of public trust. However, according to the submitted documentation, the controller did not implement these rules and did not exercise actual supervision over the signatures.
In its explanation to the Personal Data Protection Office, the controller pointed to the spontaneity of the civic process: “[...] The Committee is not responsible and cannot be held responsible for all the other persons who, of their own free will and need as individuals, unconnected with the Committee, joined in the collection of signatures”.
Thus, it follows that there is no certainty that “after each collection, the signature cards were kept in places inaccessible to the public, mostly in closed rooms, in separate folders, often also in locked desks, cabinets, drawers” and that “the persons collecting signatures were given strict and specific guidelines [...] while the organisers of the collection took care of its proper conduct”.
As the controller did not notice the risks for the data subjects, it did not foresee any risk mitigation measures such as shielding the already collected signatures from the view of further persons also expressing support for the legislative initiative or bystanders.
How to behave in the event of a breach of security of support lists?
An incorrect risk analysis also caused the controller to act inappropriately by failing to notify the breach to the supervisory authority. A controller is exempt from this duty only if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. This was not the case here: after all, a list containing a huge amount of personal data was left unattended.
Where a high risk to the rights or freedoms of individuals occurs, the data controller is required to communicate the incident to the data subjects. It should explain to them the consequences of the event and indicate the security measures they can take themselves to mitigate the risk of those consequences.
The President of the Personal Data Protection Office has now ordered compliance with this obligation.