Fines of £135,000 have been imposed on Brexit campaign organisation Leave.EU and an insurance company owned by Arron Banks.
They were announced by the Information Commissioner’s Office (ICO) this week after an investigation into breaches of electors’ online privacy.
Leave.EU and Eldon Insurance, trading as GoSkippy, were each hit with £60,000 fines for breaching electronic data laws.
The ICO fined Leave.EU another £15,000 for breaking regulations on email communications in 300,000 messages sent to customers of Eldon Insurance.
Banks was Leave.EU’s major backer during the 2016 EU referendum campaign and is also facing a National Crime Agency investigation over the source of his funds.
The ICO fines were announced on its website and its boss Elizabeth Denham said it had found a “a disturbing disregard for voters’ personal privacy.”
Denham said the data had been used without authorisation for political purposes “by a number of players” and called for reform of the system to prevent a repeat.
She said the investigation involved 71 witnesses, the use of data by 30 organisations was under review and more than 700 terabytes of data were being assessed.
The ICO report added that 11 political parties in the UK have been issued with warning notices calling for action on their data protection processes.
More audits of organisations may be carried out and the work of data specialists Cambridge Analytica under its CEO Alexander Nix was still being investigated.
The company would have been in line for a ‘substantial fine’ had it not gone into administration after the scandal over its harvesting of Facebook users’ data.
Three major data brokers, including credit rating firm Experian, have also been issued with assessment notices.
Other offences which came to light were deemed beyond the ICO’s remit and referred to other law enforcement agencies, the report confirmed.
The investigation began last year after The Observer newspaper revealed a string of alleged data breaches in the run up to the EU referendum.
Computer servers were seized or handed over by various organisations in what the ICO says is ‘the most complex data protection investigation we have ever conducted’.
The report said voters need to better understand how their data is used to target political messages.
The ICO has now called for a statutory code of practice for political parties, data brokers and campaign groups as digital elections are “here to stay.”
One of Arron Banks’ lieutenants, Andy Wigmore, said in a statement that Leave.EU had been “open and transparent with the ICO” during the investigation.
He insisted that the ICO did not consider data protection breaches to be deliberate and that Eldon Insurance and Leave.EU would contest the report’s findings.
Facebook was fined £500,000 by the ICO over the Cambridge Analytica scandal and referred to the Irish data protection commission for its monitoring of user behaviour.
The commission also said it was still looking into methods used by the Remain campaign to buy electoral data from the Liberal Democrat Party.
Denham told a parliamentary committee investigating online disinformation that new GDPR regulations had prompted a 100 per cent rise increase in data complaints.