Boris Johnson has been referred to the Information Commissioner for multiple alleged breaches of data protection laws that supporters of leadership challenger Jeremy Hunt said amounted to “foul play” in the Conservative leadership contest.
Hunt’s allies told BuzzFeed News they believed the Johnson campaign was systematically abusing mailing lists to contact Tory party members without their consent.
Four examples of the Johnson campaign and his supporters contacting members by email and telephone in apparent breach of new General Data Protection Regulation (GDPR) legislation were cited.
Foreign office minister Harriett Baldwin, who is backing Hunt for leader, has asked the Information Commissioner’s Office (ICO) to determine whether it was legal for the official "Back Boris" campaign to be using what she claimed was "an old email list from a previous campaign" to "spam" her email address.
Baldwin has also asked Tory party chairman Brandon Lewis to look into alleged data breaches by the Back Boris campaign.
ICO guidelines state: "If candidates in internal party elections wish to use member lists to send emails or texts, or make automated calls the candidate must ensure that they have consent from the individuals to use such marketing channels."
Meanwhile, local Conservative Associations are distributing information promoting Johnson’s campaign, including positive polling figures, and dates and times of campaign events.
An email from Nadine Dorries’ local association in Mid Bedfordshire to all local members included a message from the MP repeating a series of Johnson campaign messages and urging them: “Vote for Boris Johnson as our next Prime Minister to deliver Brexit”.
Ministerial aide David Morris, another MP on the Hunt campaign, told BuzzFeed News that the use of a party membership email list to promote Johnson campaign material must be investigated by the ICO.
"It's deeply troubling that foul play may be afoot in this contest. I urge ICO to look into all alleged breaches so that we can be sure the contest is being conducted within the rules," Morris said.
In a third alleged data breach, former Tory MP Ben Howlett said he had complained to the ICO following a "random call" from what he described as Johnson’s "team HQ".
Howlett told BuzzFeed News he had been in touch with the ICO today and would lodge a formal complaint on Wednesday if he did not receive answers from Johnson’s team.
Alleged unsolicited calls have also been reported by at least two Conservative councillors.
In an email seen by BuzzFeed News, one councillor wrote: "I've had an unsolicited call from the Back Boris team. On leaving a mobile number to return the call, it was an automated message telling us to back Boris. It isn’t appropriate to use council resources for party political purposes."
Under new GDPR laws brought in last year, contacting an individual by phone, email, text or letter to promote a political view to gain support is considered "direct marketing" and express consent must be obtained.
Breaches of GDPR rules are dealt with by the ICO, which has the power to conduct criminal investigations and issue fines reaching thousands of pounds.
The ICO is currently conducting an inquiry into potential data sharing between Leave groups during the referendum campaign.
The Johnson campaign insisted it was compliant with GDPR and the Data Protection Act. It said that phone calls from the campaign were only ever made to those who had given the campaign their contact details and their permission to contact them, as well as elected Conservative party officials using publicly available information.
An ICO spokesperson said: “We are aware of these concerns and will be assessing the information provided.”