Guidance for Returning Officers administering Local Government Elections in England

Data Protection considerations for outsourced work

When appointing a contractor or supplier you must ensure that they can provide sufficient guarantees that the requirements of data protection legislation will be met.

The requirements state that the supplier and any sub-contractors must ensure:

  • the secure destruction of all electoral registration data and related materials at an agreed point
  • the safe/secure storage of all live ballot papers 
  • the secure destruction of all data related to the ballot papers at an agreed point, for example, as soon as possible after polling day

You should ensure that data protection is integral in any tender exercise (documenting your decision-making process) and that specific requirements are met in any contract awarded. You should liaise with your council’s Data Protection/Information Officer to ensure compliance with data protection legislation.

There are specific requirements under data protection legislation where you are using a contractor (i.e. a ‘processor’) to process personal data on your behalf. This would include, for example, where you are sending data to a contractor to election materials such as postal ballot packs or ballot papers.

As RO you are the data controller and you remain ultimately responsible for ensuring that personal data is processed in accordance with data protection legislation. However, if a processor fails to meet any of its obligations, or acts against your instructions, then it may also be liable to pay damages or be subject to fines or other penalties or corrective measures. The ICO has provided guidance on ‘Contracts and liabilities between controllers and processors’ which you should consider in relation to your contracts with data processors. 

Please see our data protection guidance on Using contractors and suppliers for further information.

Last updated: 19 December 2023