Although the guidance generally offers a good level of detail, there are specific instances where it does not. As the guidance is titled a code of practice, it should aim to give clear, detailed, worked out examples of recommended practice and implementation where possible. ORG does recognise however the tension inherent in the investigative role of the regulator, and the expectation that those covered under the regulation should take a proactive approach to meeting the guidance. Profiling: The guidance states that if Article 22 of the GDPR (automated processing and legal or similarly significant effect) applies, then organisations must “provide meaningful information about the logic involved and what the likely consequences are for individuals”.[2] It does not, however, give an example of what this should look like. ORG considers it within the scope of the guidance for the ICO to provide examples of what constitutes meaningful information and likely consequences, how it should be formatted, and how this information should be served to individuals. For example, profiling often takes the form of percentage scores or demographic descriptors, of which the ultimate meaning and data sources are opaque. Additionally, this information ought to be proactively provided to individuals. Currently the only method that could provide this information would be a Data Subject Access Request, or the largely untested Data Portability Request. For example, ORG believes that profiling is, de facto, often automated processing. As part of providing meaningful information to citizens, political campaigners should make this clear, and spell out their rights in relations to this. The prominent display of privacy information The guidance notes that Article 13 of GDPR lays out a ‘right to be informed’ – that citizens must be alerted to when their personal data is being collected. Notably, it suggests that this information should be “prominently display” (ed) during various methods of personal data collection such as online surveys.[3] Whilst it gives some collection method specific advice on what constitutes prominent display, the guidance should illustrate this more broadly. It should outline principles for what prominent display looks like in practice and give a detailed examples of best and worst practice. Data controllership of electoral register data The guidance suggests that political campaigners who receive electoral register data become data controllers for that data. Subsequently, it reminds them of their obligations under data protection law.[4] The guidance does not, however, state who is the data controller for electoral register data before it is transferred to political campaigners. The European Commission’s guidance on this suggests “national electoral authorities”, such as the Electoral Commission, are generally data controllers for electoral registers.[5] in UK electoral law, this is a decentralised responsibility and local Returning Officers are the data controllers.[6] There are two points of concern here. Although individuals are able to register to vote anonymously, if political campaigners become data controllers for the electoral register, there is no oversight mechanism to prevent campaigners from effectively de-anonymising anonymous entries on the register through inferential information. The second point is that, whilst the guidance establishes the joint controllership relationship between political campaigners and other actors, it does not spell out whether Returning Officers share a joint controllership role with political campaigners. As it is arguable that Returning Officers play a role in determining the purpose and means of processing in this case, this relationship, and where controllership lies, should be fleshed out in detail. Furthermore, ORG does not consider the democratic engagement opt out sufficient in light of the controllership role of local returning officers. As noted by the European Commission many other European countries, for example Germany, have centralised electoral registers with higher and more stringent conditions of access. It seems unlikely that access to electoral register data is ‘necessary’ for democratic engagement – although it may be ‘necessary’ for electioneering.