Cllr. Josh Coldspring-White

Josh Coldspring-White

This document outlines how Josh Coldspring-White processes and manages personal data and:

  • Identifies the data controller.
  • Explains the lawful basis for processing personal data.
  • Outlines the personal data held and processed.
  • Outlines the scope of the special category personal data held and processed.
  • Outlines the process of Subject Access Requests. 

1. Who am I?

I am one of three local councillors for the Hayes & Coney Hall ward in the London Borough of Bromley.

I belong to the Conservative and Unionist Party, commonly known as the Conservative Party (The Party), and are registered as a political party with the Electoral Commission under registration PP52 and a registered data controller with the Information Commissioner’s Office (ICO) under registration number Z5909711.

This is my privacy notice for the Hayes & Coney Hall ward . The Data Controller is Josh Coldspring-White

This privacy notice has been created to demonstrate my commitment to the protection of your data and to be transparent in how I deal with it. This notice provides the information as required by Articles 13 and 14 UK GDPR.

I will process my data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and related legislation.

This privacy notice was updated on 22nd December 2023.

From time to time I may make amendments to or update this privacy notice.

2. Contacting me about Data Protection

If you have any questions about this notice, or for more information about how I use my data, or if you would like to exercise any of your rights you can contact me at:

c/o Members Room, Bromley Civic Centre, Stockwell Close, Bromley BR1 3UH

E-mail: click here 

Phone:  +44 (0) 7468 885 964.

3. How the law protects my data

How I use my data is protected by law and I am only permitted to process your data where I have an acceptable reason for doing so. The lawful reasons I process my data are:

  • Processing is necessary for the performance of a task carried out in the public interest (public task – democratic engagement), or
  • When it is my legal duty (legal obligation), or
  • When you provide consent (consent), or
  • To protect my vital interests (vital interests), or
  • To fulfil a contract with you (contract), or
  • When I have a legitimate interest (legitimate interest).

Some types of sensitive personal data are given extra protection under the law; information about race, ethnicity, sexual orientation, sex life, religious or philosophical beliefs, criminal record, trade union membership and political opinion are “special category” data under data protection legislation and I will only process this data where I have a lawful reason to do so. The work of the Conservative Party is deemed to be of substantial public interest and therefore I are permitted to process special category personal data relating to your political opinion in so far as it is necessary for the purposes of my political activities.

Where I have identified “legitimate interest” as my lawful reason for processing your data I conduct a balancing test in order to determine whether my legitimate interests to process your data are overridden by your interests, rights and freedoms. For more information about my legitimate interest balancing tests please contact me.

4. How I use your information

I process data with the intention of using it primarily for the broad purpose of my political, campaigning and fundraising activities. 

The tables below illustrate examples of how I commonly use your data, the typical categories of data that I might process and my justification and legal bases for doing so.

4.1 Campaigning and Communications

Purpose

Categories of Data Subject

Typical Data Categories

Legal Basis

Special Category Legal Basis

Canvassing Political Opinions

Electors

Name, Address, Electoral Roll Number, Telephone Number, Political Opinion, Contact Details, Marketing Preferences

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Communicating with you via post about my policies, campaigns, events, fundraising appeals and opportunities to get involved with the party

Electors, Members/Former Members, Donors, Volunteers

Name, Address, Electoral Roll Number, Profiled Data

Public Task (Democratic Engagement)

 

Communicating with you via electronic message or SMS about my policies, campaigns, events, fundraising appeals and opportunities to get involved with the party

Electors, Donors, Volunteers

Name, Address, Contact Details (email, phone, social media etc)

Consent

 

Sending you surveys and processing my responses

Electors

Name, Address, Electoral Roll Number, Political Opinion, National and Local Issue Positions, Incidental Special Category data, Contact Details (email, phone, social media etc), Marketing Preferences

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Article 9(2)(a) UK GDPR – Explicit Consent for collection of incidental special category data

Conducting petitions and presenting the signatories to the specified recipient

Electors

Name, Postcode, Contact Details (email, phone, social media etc), Political Opinion, National and Local Issue Positions

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties

Conducting Online Surveys

Electors

Name, Address, Electoral Roll Number, Political Opinion, National and Local Issue Positions, Incidental Special Category data, Contact Details (email, phone, social media etc), Marketing Preferences

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Article 9(2)(a) UK GDPR – Explicit Consent for collection of incidental special category data

Showing you adverts via social media platforms

Electors, Members/Former Members, Donors, Volunteers

Email Address

Legitimate Interests

Consent

 

Creating custom audiences for advertising on Social Media Platforms using existing supporters’ details, profiled target audiences, and information from my cookies/pixels and using those audiences to create “lookalikes”

Electors, Members/Former Members, Donors, Volunteers, Supporters

Email Address, Address, Political Opinion

Legitimate Interests

Consent

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Registering for a campaign event(s) organised by CCHQ and administering the event

Electors, Members/Former Members, Supporters

Name, Address, Contact Details (email, phone, social media etc), Political Opinion

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Polling Day Activities – e.g. “Knocking up” on the doorstep or via phone and “Telling” at polling stations

Electors

Name, Address, Electoral Roll Number, Polling Day Activity

Public Task (Democratic Engagement)

 

Signing up to Volunteer for the party and us sharing my details with the wider party

Volunteers

Name, Address, Contact Details (email, phone, social media etc), volunteering preferences, Political Opinion

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Maintaining and administering a database to store Electoral Register data, canvassing data, membership data, survey responses etc – including operating a test environment

Members, Donors, Electors, Volunteers, Candidates, Elected representatives, Supporters, Officers and Staff

Name, Contact Details (email, phone, social media etc), Addresses, Political Opinion, Age, Voting History, Relationships, Electoral Roll Information, Issue Positions, Memberships, Donations, Survey Responses, User profile names, Hashed Passwords, IP addresses, User authentication, Usage data and usage history, Free text notes, Titles, Suffixes, Gender, First Language, Positions Held, Location Information, Profiled data, Records of data subject rights requests, constituent record history, Telling and Knocking Up Information.

Public Task (Democratic Engagement)

Legitimate Interests

Legal Obligation (Compliance with Article 24 UK GDPR and S41 Political Parties, Elections and Referendums Act 2000)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Article 9(2)(a) UK GDPR – Explicit Consent for collection of incidental special category data

Providing my VoteSmyce Canvasser Application for doorstep data collection

Members, Donors, Electors, Volunteers, Candidates, Elected representatives, Supporters, Officers and Staff

Name, Address, Electoral Roll Number, Polling District, Political Opinion, Voting History, Contact Details (email, phone, social media etc), Survey Responses, Membership History, Telling and Knocking Up Information, Username, Hashed Password, IP Address, Geolocation, Device information, Usage data and history

Public Task (Democratic Engagement)

Legitimate Interests

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

4.2 Membership and Donations

Purpose

Categories of Data Subject

Typical Data Categories

Legal Basis

Special Category Legal Basis

Processing my application for membership and administration of my membership

Members

Name, Address, Political Affiliation, Contact Details (email, phone, social media etc), Date of Birth, Payment Information

Contract

Legal Obligation (Compliance with Article 24 UK GDPR and S41 Political Parties, Elections and Referendums Act 2000

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Inviting you to renew my membership and/or re-join the party

Members/Former Members

Name, Contact Details (email, phone, social media etc), Address

Legitimate Interests

 

Sharing my membership details with my local Conservative Association

Members

Name, Address, Political Affiliation, Contact Details (email, phone, social media etc), Date of Birth

Contract

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Communicating with you via electronic message about my membership, my policies, campaigns, events, fundraising appeals and opportunities to get involved with the party

Members/Former Members

Name, Address, Contact Details (email, phone, social media etc)

Contract

 

Conducting petitions and presenting the signatories to the specified recipient

Electors

Name, Postcode, Contact Details (email, phone, social media etc), Political Opinion, National and Local Issue Positions

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties

Administering Membership Suspensions and Expulsions

Members/Former Members, Complainants, Witnesses,

Name, Details of Suspension/Expulsion, Contact Details, Address, Ethnicity, Religious or Philosophical Beliefs, Trade Union Membership, Health Data, Criminal Offence Data, Sex Life, Sexual Orientation, Political Opinion – incl Membership of a political party, Age, Social Media Activity (Public and Private), Personal Communications Data, Details of Complaint, Complaint Resolution, Witness Evidence

Contract

Public Interest/Legal Obligation (Compliance with the Equality Act 2010)

Article 9(2)(g) “Substantial Public Interest” – DPA Schedule 1, Part 2, Paragraph 6 – “Statutory Etc and Government Purpose” – there is a substantial public interest to ensure that engagement with politics complies with the Equality Act 2010

Article 9 UK GDPR – Schedule 1 DPA 2018; Schedule 1, Part 2 Paragraph 10 – Preventing or detecting unlawful acts

Article 10 UK GDPR – meet a condition of Schedule 1 DPA 2018; Schedule 1, Part 2 Paragraph 10 – Preventing or detecting unlawful acts

Process appeals against expulsion and suspension by Party Members

Members/Former Members, Complainants, Witnesses,

Name, Contact Details, Address, Ethnicity, Religious or Philosophical Beliefs, Trade Union Membership, Health Data, Criminal Offence Data, Sex Life, Sexual Orientation, Political Opinion – incl Membership of a political party, Age, Social Media Activity (Public and Private), Personal Communications Data, Details of Complaint, Complaint Resolution, Witness Evidence

Legitimate Interests

Contract

Public Interest/Legal Obligation (Compliance with the Equality Act 2010)

Article 9(2)(g) “Substantial Public Interest” – DPA Schedule 1, Part 2, Paragraph 6 – “Statutory Etc and Government Purpose” – there is a substantial public interest to ensure that engagement with politics complies with the Equality Act 2010

Article 9 UK GDPR – Schedule 1 DPA 2018; Schedule 1, Part 2 Paragraph 10 – Preventing or detecting unlawful acts

Article 10 UK GDPR – meet a condition of Schedule 1 DPA 2018; Schedule 1, Part 2 Paragraph 10 – Preventing or detecting unlawful acts

Processing my donation or loan and checking my eligibility to donate or loan sums of more than £500

Donors

Name, Address, Electoral Roll Number, Contact Details (email, phone, social media etc), Payment Information, Political Affiliation

Public Task (Democratic Engagement)

Legal Obligation – Compliance with Parts IV and 4A Political Parties, Elections and Referendums Act 2000

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Reporting donations and loans to the Electoral Commission

Donors

Name, Address, Donation Amount, Political Affiliation

Legal Obligation – Compliance with Parts IV and 4A Political Parties, Elections and Referendums Act 2000

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 6 Statutory and Government Purposes

Maintaining and administering a fundraising database

Members/Former Members, Donors

Name, Address, Political Opinion, Contact Details (email, phone, social media etc), Donation History, Biographical Information, Occupation, Correspondence, Family Connections, Marketing Preferences, Date of Birth

Legitimate Interests

Legal Obligation – Compliance with S41 Political Parties, Elections and Referendums Act 2000

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

4.3 Events

Purpose

Categories of Data Subject

Typical Data Categories

Legal Basis

Special Category Legal Basis

Registering for an event(s) organised by CCHQ and administration of the event

Attendees

Name, Address, Contact Details (email, phone, social media etc), Dietary Requirements, Biographical Information, Payment Information

· Contract

· Legal Obligation (Compliance with Article 24 GDPR and S41 Political Parties, Elections and Referendums Act 2000

Article 9(2)(g) GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Providing you with information about the event(s) for which you have registered

Attendees

Name, Contact Details (email, phone, social media etc)

· Contract (for ticketed events)

· Legitimate Interests

 

Hosting Video Conferencing and Virtual Events

Electors, Members/Former Members, Donors, Volunteers, Elected Representatives

Name, Contact Details (email, phone, social media etc), IP Address, Political Opinion, Images and Recorded Images

Legitimate Interests

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

4.4 Research, Due Diligence and Press

Purpose

Categories of Data Subject

Typical Data Categories

Legal Basis

Special Category Legal Basis

Political research using publicly available smyces

Elected Representatives, Political Staff, Candidates, Members, Activists, Donors

Name, Publicly available information (e.g. occupation, social media posts, directorships, media history, property and financial holdings etc), Misconduct, Publicly available special category information (e.g. political opinion, trade union membership, criminal offences, etc)

Legitimate Interests

· Article 9(2)(e) UK GDPR – Personal data manifestly made public by the data subject

· Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 11 Protecting the public against dishonesty etc.

Due diligence of prospective members, potential appointees, donors and volunteers using publicly available smyces

Members, Donors, Supporters, Volunteers, Potential Appointees

Name, Publicly available information (e.g. occupation, social media posts, directorships, media history, property and financial holdings etc), Misconduct, Publicly available special category information (e.g. political opinion, trade union membership, criminal offences, etc)

Legitimate Interests

· Article 9(2)(d) UK GDPR – processing is carried out in the cmyse of its legitimate activities with appropriate safeguards

· Article 9(2)(e) UK GDPR – Personal data manifestly made public by the data subject

· Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 11 Protecting the public against dishonesty etc.

Communication with media organisations

Elected Representatives, Political Staff, Candidates, Members, Activists, Donors

Name, Publicly available information (e.g. occupation, social media posts, directorships, media history, property and financial holdings etc), Misconduct, Publicly available special category information (e.g. political opinion, trade union membership, criminal offences, etc)

Legitimate Interests

· Article 9(2)(e) UK GDPR – Personal data manifestly made public by the data subject

· Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 11 Protecting the public against dishonesty etc.

4.5 Contacting us or visiting one of my offices

Purpose

Categories of Data Subject

Typical Data Categories

Legal Basis

Special Category Legal Basis

Contacting us by email, post, via one of my Website “contact us” forms or telephone and CCHQ processing and keeping a record of my correspondence

Electors, Members of the public

Name, Contact Details (email, phone, social media etc), Correspondence, Political Opinion, Incidental Special Category Data

Legitimate Interests

· Article 9(2)(a) UK GDPR – Explicit Consent for processing of incidental special category data

· Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Managing security and my safety when you visit one of my offices

Visitors

Name, Time and date of visit, Person you are visiting, Log of my movements within my offices, CCTV Images, Thermal Image (as part of my Covid secure precautions), Details of accidents and/or security incidents

· Legal Obligation (Compliance with Articles 24 and 32 UK GDPR, Health and Safety at Work Act 1974) 

· Legitimate Interests

· Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 1, Paragraph 1 Employment, Social Security and Social Protection

· Article 10 UK GDPR – meet a condition of Schedule 1 DPA 2018; Schedule 1, Part 2 Paragraph 10 – Preventing or detecting unlawful acts

Reporting accidents and/or security incidents to relevant healthcare organisation or law enforcement authority

Visitors

Name, Details of accidents and/or security incidents

· Legal Obligation (Compliance with Reporting of Injuries, Diseases and Dangerous Occurrences Regulations) 

· Legitimate Interests

· Vital Interests

 

 

4.6 Voluntary Party Management, Engagement and Outreach

Purpose

Categories of Data Subject

Typical Data Categories

Legal Basis

Special Category Legal Basis

Providing advice, training and support on matters relating to the Constitution and the Voluntary Party

Association Officers, Association Staff, Staff, Members, Activists, Volunteers

Name, Contact Details (email, phone, social media etc), Correspondence

Legitimate Interests

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Communication with Party Officers at Board, Regional and Association Level and Party Members

Party Officers, Members

Name Name, Contact Details (email, phone, social media etc), Correspondence, Political Opinion, Incidental Special Category Data, Volunteering Interests, Events Interests

Legitimate Interests

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Providing advice and support on the selection of local government candidates

Association Officers, Association Staff, Candidates

Name, Position, Contact Details (email, phone, social media etc), Correspondence, Candidate CV’s, Political Opinion

Legitimate Interests

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Providing advice and support on local disciplinary issues

Association Officers, Association Staff, Members, Activists

Name, Details of Disciplinary Case, Correspondence

Legitimate Interests

 

Managing Young Conservative Groups

Members, Students

Name, Contact Details (email, phone, social media etc), Occupation, Region of Residence, Political Opinion, Correspondence

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Managing Affiliated Groups

Members

Name, Contact Details (email, phone, social media etc), Occupation, Region of Residence, Political Opinion, Correspondence

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Managing Affiliated Groups

Members

Name, Contact Details (email, phone, social media etc), Occupation, Region of Residence, Political Opinion, Correspondence

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Managing External Relationships

Members, Community Stakeholders, Candidates, Elected Representatives, Business Owners

Name, Contact Details (email, phone, social media etc), Occupation, Region of Residence, Political Opinion, Correspondence

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Providing support to Local Councillors and the Conservative Councillors’ Association

Elected Representatives

Name, Contact Details (email, phone, social media etc), Occupation, Region of Residence, Political Opinion, Correspondence

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

4.7 Code of Conduct and The Social Media Complaints and Opposition Candidacy Rules

     
     

Processing, investigating, and administering breaches of my Social Media Complaints and Opposition Candidacy Rules in accordance with the procedures set out in my Code of Conduct

Complainants, Witnesses, Members of Parliament, Peers, Members of the European Parliament, Members of the Scottish Parliament, Members of the Irish Assembly, Members of the Greater London Assembly, Police & Crime Commissioners, elected Mayors, Councillors and Association, area, regional, and national Party officers

Name, Contact Details, Address, Ethnicity, Religious or Philosophical Beliefs, Trade Union Membership, Health Data, Criminal Offence Data, Sex Life, Sexual Orientation, Political Opinion – incl Membership of a political party, Age, Social Media Activity (Public and Private), Personal Communications Data, Details of Complaint, Complaint Resolution, Witness Evidence

Public Task (Democratic Engagement)

· Article 9(2)(g) “Substantial Public Interest” – DPA Schedule 1, Part 2, Paragraph 6 – “Statutory Etc and Government Purpose” – there is a substantial public interest to ensure that engagement with politics complies with the Equality Act 2010

· Article 9 UK GDPR – Schedule 1 DPA 2018; Schedule 1, Part 2 Paragraph 10 – Preventing or detecting unlawful acts

· Article 10 UK GDPR – meet a condition of Schedule 1 DPA 2018; Schedule 1, Part 2 Paragraph 10 – Preventing or detecting unlawful acts

4.8 Finance

Purpose

Categories of Data Subject

Typical Data Categories

Legal Basis

Special Category Legal Basis

Processing Payments to Suppliers

Suppliers Staff

Name, Contact Details, Job Title

Contract

 

Processing Payments from donors, members and supporters and keeping a record for accounting purposes

Donors, Members, Supporters

Name, Address, Political Affiliation, Contact Details (email, phone, social media etc), Date of Birth, Payment Information

· Contract

· Legitimate Interests

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Preparing and Reporting Election Spending Returns to the Electoral Commission

Campaign Staff, Suppliers, Association Officers, Association Staff, Candidates, Election Agents, Volunteers

Name, Address, Expense Details, Job Title, Correspondence (for preparing returns)

Legal Obligation (Compliance with Part V Political Parties, Elections and Referendums Act 2000)

 

4.9 Market Research and Opinion Polling

Purpose

Categories of Data Subject

Typical Data Categories

Legal Basis

Special Category Legal Basis

Performing Market Research to get a sense of political opinion across the UK

Electors

Name, Address, Telephone Number, Constituency, Gender, Age, Profiled data, National and local issue positions, Political Opinion

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Conducting Opinion Polling to get a sense of political opinion across the UK

Electors

Name, Address, Telephone Number, Constituency, Gender, Age, Profiled data, National and local issue positions, Political Opinion

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

The Party also processes personal data in order to implement the findings of the Singh Investigation Report – The full report and all the recommended actions for the party to implement can be found here.

5. Data Analytics and Profiling

I use data analytics to try and understand the people that I seek to represent and make best use of my limited resources.

I use some of the data that I collect about you to make an educated prediction about your lifestyle. I use automated means to analyse this variety of data and collate it (sometimes referred to as “profiling”). I combine personal data about electors (which is provided by local authorities to all political parties under electoral statute) with data from canvassing, the marked register of electors, from external data analytics and research partners, data brokers (such as Experian), opinion polling partners, fulfilment channels such as mail/telephone/Facebook, public bodies such as the Office for National Statistics, etc. This data is then used by CCHQ to inform how and whether I contact you, for example by:

Understanding the matters and issues that are likely to be of relevance and significance to you (e.g. if I think you may have children I may send information about my education policy)

Deciding whether I send you my campaigning materials, or materials about how you can support the Conservative party.

Identifying target audiences for particular issues, social media advertising, and appeals for financial support

Selecting what material I send to you

Evaluating whether I think you are likely to vote and for whom you will likely vote for during an election or a referendum

I also use analytics to perform analysis of individual and aggregated data (for example, I might combine individual data relating to voting intention and details about the constituency) to provide us with competitive insight into the political landscape and general trends, and to allow us to better understand the electorate as a whole.

Examples of categories of data that I typically analyse are: political affiliation, political opinions and preferences, likelihood to vote, attitudes, geodemographic and socio-economic characteristics.

I undertake these analyses as I have a legitimate interest to identify potential Conservative voters and supporters. Indeed, it also allows us to behave accordingly should voters request that I don’t contact them, for example.

Where my profiling processes special category data relating to my political opinion I consider that this is necessary for the purposes of my political activities and therefore permitted in accordance with Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

My analytics and profiling does not replace the direct contact that I make with individuals – these activities supplement my traditional campaigning methods such as canvassing and conducting surveys.

I have determined that this kind of profiling, and any decisions that are based solely on that profiling, is unlikely to create legal or significant affects for you. Where such decisions create legal or similarly significant affects you have the right not to be subject to that decision and you can exercise that right by contacting my Data Protection Officer. You can also contact us at any time and exercise my right to object and ask that I do not process my personal information for this purpose.

6. My Relationship with the wider Conservative Party

The historical nature of the Conservative Party means that rather than being one single organisation I am an interconnected family consisting of the Party Headquarters, local associations, areas and regions of the Party (known as ‘accounting units’ and listed on the Electoral Commission Website) elected representatives, candidates, members, volunteers and party officers.  I are all united by my common Conservative identity. One of CCHQ’s primary roles is to provide professional support to my family of volunteers who help to run the party across the UK.

Much of the work of the Party is conducted by the wider Conservative Party. For this reason I have a legitimate interest to share and make available certain personal information with the wider Party when it is necessary for my campaigns or other activities and vice versa via my Electoral Management Database, Field Campaigning Teams and Voluntary Party Managers. Sharing may also be necessary in the public interest, as being an activity that supports or promotes democratic engagement. Some examples of such data sharing include:

If a local association conducts a survey, or other campaigning activity, the results may be shared with CCHQ.

If a local association receives a donation or a loan of more than £500 this information will be shared with CCHQ so that it can be recorded and reported by the Party’s Registered Treasurer as per Parts IV and 4A Political Parties, Elections and Referendums Act 2000.

Details of party supporters and volunteers may be supplied to local Conservative candidates and local Associations for the purposes of their election campaign.

If you contact me about a complaint or an issue then it may be shared with CCHQ so that my Voluntary Party Managers can provide professional assistance in resolving the matter.

If a complaint is made under my Code of Conduct then details may be shared with relevant sections of the wider party in order to assist my investigation.

Details may routinely be shared between the Party and the Wider Party as part of a restructuring process – for example when constituency boundaries change following a statutory boundary review.

7. Where I collect personal data from

I collect personal data from a variety of sources:

  • Provided by you (Directly):
  • In person when you speak to me or one of my representatives or volunteers
  • Through a telephone call, either where you call us, or I call you
  • On paper, such as if you return a printed survey, a petition, a reply slip on a leaflet or if you write to us
  • Digitally, such as if you fill in a form on a Website or interact with the Party online via my Websites or social media platforms
  • When you consent to my use of cookies and similar technologies (such as my Facebook Pixel)
  • When you offer or ask about volunteering, or take part in party activities
  • When you enter into a transaction with the Party, such as becoming a member, donating, purchasing a product from my online shop or paying to attend an event
  • When you consent to receiving electronic marketing (I never buy in email addresses)
  • When you attend an event

Third-Party Sources (Indirectly):

  • When data is shared with us from the wider Conservative Party
  • The full electoral register and marked registers to which the Party is legally entitled as per The Representation of the People (England and Wales) (Amendment) Regulations 2002 and the Representation of the People Regulations 2001 in Scotland.  I receive an updated version of these from local authorities every time an update is published, which is usually every month.
  • Social media platforms and other technology providers (for instance, when you click on one of my Facebook ads or watch one of my Instagram or YouTube videos)
  • Publicly available information such as media history, news reports, Ib searches etc
  • Public records or smyces such as Companies House, Land Registry etc
  • CCTV, if you visit Conservative Party Headquarters or one of my regional offices
  • Data brokers and data analytics companies – such as Experian
  • Royal Mail
  • Telephone Preference Service
  • Market research organisations
  • Due diligence and screening organisations


8. Who I share my data with

I will never sell my data but sometimes it is necessary to share my information, either within the wider Conservative Party, or with my service providers, data controllers and data processors. Data is only ever shared where I have a party reason and when the law allows us to do so.

I share data with:

  • The wider Conservative Party
  • Affiliate organisations – such as National Conservative Draws Society or various Conservative “Friends of “ organisations
  • Business associates and professional advisers – for example opinion pollsters or political strategists
  • Suppliers and sub-contractors – for example printing and delivery suppliers
  • Service providers and sub-contractors – for example an Email Marketing Platform or a Cloud Storage provider
  • Organisations providing services for events
  • Social media platforms and other technology providers
  • Data analytics companies
  • Due diligence and screening organisations
  • Financial service organisations – such card payment providers
  • Political organisations
  • Elected representatives
  • Media Organisations
  • Regulatory bodies – such as the Electoral Commission or the Information Commissioner’s Office
  • Market researchers
  • Healthcare and Welfare organisations
  • Law enforcement authorities – for the purposes of prevention of crime
  • Government authorities
  • Third-parties with whom you have requested I share my data
  • Where I use a third-party data processor, in other words an organisation that processes data on my behalf and under my instruction, I ensure that this processing is governed by a legally enforceable data processing agreement which sets out their responsibilities for protecting my data and my rights. Where I share data with a third party controller, an organisation that determines how data will be processed, I ensure that this is governed by a Controller to Controller data sharing agreement.
  • Where I share data with the wider Conservative Party I ensure that the recipient of the data agrees to a terms and conditions that they will use the data only for the purposes for which it was provided and will take necessary measures to ensure its security. Members of the wider Party receive training on data protection.


9. Data processed with
my consent

Where I use consent as my legal basis for processing your data, or process special categories of your data on the basis of your explicit consent, you have the right to withdraw your consent at any time. For further information on when I rely upon consent please see Section 4 “How I use my information”.

There are several ways that you can easily withdraw my consent, you can:

  • Go to www.joshcoldspring-white and select “Stop Mailings”,
  • Press the “Unsubscribe” option contained within my Email communications to you,
  • Let one of my representatives know that you wish to withdraw my consent

I will maintain a record of your withdrawal of consent.

10. Transferring my data outside of the United Kingdom

Some of my service providers are located outside of the UK and therefore it may be necessary to transfer your personal data outside of the UK. Where I do transfer your data outside of the UK I will make sure that it is protected in the same way as if the data was inside the UK.

I will use one of the following appropriate safeguards to ensure this: 

  • Where the UK has issued an adequacy regulation determining that a third country or organisation ensures an adequate level of data protection.
  • A contract is put in place with the recipient of the data obliging them to protect the data to the same standards as the UK.
  • If I am unable to rely on one of the appropriate safeguards when transferring data outside the UK, I may rely on a derogation for specific situations under Article 49 UK GDPR in order to transfer your data outside of the UK. This may be necessary for example to fulfil a contract that I have made with you or if you give me permission to do so.


11. How long
I retain my data for

I retain my information in accordance with the CCHQ Data Retention Policy and Data Retention Schedule. I constantly review the data that I hold and regularly consider its relevance and my need to hold onto it. I use several factors to determine my retention periods. Factors I take into consideration are:

Retention periods as required by law – for example, the Conservative Party is under a statutory duty to retain financial information for a period of 6 years,

  • The purpose for which the data was provided or obtained,
  • My documented business requirement for holding onto my data,
  • Whether holding onto my data will infringe my rights over my data,
  • Legal and regulatory obligations that may require reference to my data,

If you require more detailed information on how long my data will be kept for please contact me.

12. How I protect my data

I take the security of personal data seriously.  I use security technology, including firewalls, password protection and encryption to safeguard information and have procedures in place to ensure that my paper and computer systems and databases are protected against unauthorised disclosure, use, loss and damage.  I have processes in place to deal with a data breach in the unlikely event one should occur. 

I only use third party service providers where I am satisfied that they provide adequate security for my personal data.

13. Cookies and similar technologies

I use cookies to provide you with a tailored experience on my Website, and to gather statistics on how are online services are used so that I can improve my services. Some of my cookies may also collect personal data. A cookie is a piece of code that is sent to my internet browser and is stored on my system. I also use ‘similar technologies’ such as pixel tags, clear gif or tracking pixels and I use these for example to track the campaigns emails that I send to learn whether you opened an email and how you interacted with it. 

Please visit my cookie page for more information about how I use cookies and similar technologies on my Websites and services. I always seek my consent to use cookies and/or similar technologies.

14. Your data rights

This section explains about your data subject rights you have. You can exercise any of these rights by contacting my Data Protection Officer or Data Protection Team.

Your Data Rights

Explanation

Right to be informed

You have the right to be informed about the collection and use of my personal data. CCHQ provides this in the form of privacy notices and/or privacy information at the point of collection or within one month of obtaining my data. 

I may not provide privacy information where you either already have such information or it would involve a disproportionate effort to provide such information.

Right of access to my data

You have the right to request a copy of my personal information that I hold. This is commonly known as a Subject Access Request.

Right of rectification of my data

You have the right to request that inaccurate or incomplete information that I hold about you is corrected.

Right to be forgotten

In certain circumstances you can ask for the data I hold about you to be erased from my records. When I do so, I keep the bare minimum of my information in order to continue to respect my wishes when my personal data is next provided to us by a local authority, which is at least annually. There is some data that must be retained by law and other data that I may have a legitimate interest to retain

Right to restriction of processing

You have the right to request that I restrict the processing of my data where you are contesting the accuracy of the data or when the data has been unlawfully processed.

Right to data portability

You have the right to have the data I hold about you transferred to a third-party organisation and you can ask that I provide it in a machine readable format.

Information is only within the scope of the right to data portability if it is personal data that you have provided to us.

Right to object

You have an absolute right to object to my data being used for direct marketing, including profiling for direct marketing purposes – I mark my data clearly with a “no processing” label.

If I process my data on the basis of “legitimate interests” or “a task carried out in the public interest” then you have the right to object to us using my data in that way. This right is not absolute, and I may continue to process my data if I can demonstrate compelling legitimate grounds for the processing.

Automated individual decision-making, including profiling

I may use computer software to make decisions about you or to create a profile about you. You have the right not to be subject to such a decision or to that profiling where it creates legal effects concerning you or where it significantly affects you.

15. Making a complaint

If you are unhappy with the way that I have processed or handled my data, then you have a right to complain to the Information Commissioner’s Office (ICO). The ICO is the supervisory body authorised by the Data Protection Act 2018 to regulate the handling of personal data within the United Kingdom.

The contact details for the Information Commissioner’s Office are:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Telephone: 0303 123 1113

Website:  https://ico.org.uk/make-a-complaint/

22nd December 2023