Arron Banks. Image, BBC.

Senior staff at Arron Banks’s insurance company had access to the personal information of millions of British voters months after the Brexit vote, according to a new whistleblower from inside Banks’s Brexit campaign.

Under UK electoral law, this data should have been securely destroyed after the referendum – and Banks has previously claimed to MPs that there was no data sharing between his insurance business and his Leave.EU campaign.

openDemocracy has already revealed that Banks misled Parliament about how his Brexit campaign was run, and the role played by staff at his Eldon insurance business. He also failed to declare the part played by Eldon staff to the Electoral Commission, as is required by law.

Now further emails seen by openDemocracy reveal for the first time the scale of the data warchest that Banks, Brexit’s largest donor, has built. He has since pledged to use his Leave.EU campaign to unseat anti-Brexit Tories and encourage his supporters to take over the Conservative party.

Damian Collins, chair of the parliamentary inquiry into fake news, said that openDemocracy’s latest revelations about Leave.EU and Eldon “suggest that they were potentially holding data that they knew they shouldn’t have, which would be a clear breach of the law, as well as contradicting, once again, what Arron Banks said to Parliament”.

It is not clear whether the data was used or whether it has now been destroyed. Banks did not respond to questions from openDemocracy.

‘Snake in the grass’

Last month, Arron Banks wrote to every household in Damian Collins’s constituency, calling the MP a “snake in the grass” and a “disgrace” after the chair of the parliamentary inquiry in fake news called for a Mueller-style investigation into Russian meddling in the Brexit referendum.

The National Crime Agency has since announced it is investigating Banks over his £8m Brexit donations, saying there were reasonable grounds to suspect Banks was “not the true source” of the money.

The Information Commissioner’s Office has also told Eldon Insurance and Leave.EU it will fine them £135,000 for “serious breaches” of data laws. In one instance, more than one million emails marketing Banks’s insurance business, Go Skippy, were sent to Leave.EU subscribers.

The ICO is currently investigating whether Eldon Insurance in turn shared the personal information of its customers with Leave.EU, which could be another breach of the law.

Now, new information obtained by openDemocracy suggests that senior Eldon staff had access to far more electoral data from Leave.EU than previously reported.

In the run-up to the Brexit vote, Leave.EU received electoral registers from councils across the UK. The registers contain a wealth of information about voters, includings names, addresses, and postcodes. Registered participants in an upcoming election are allowed to request the registers.

Electoral Commission guidance states that registers “should be securely destroyed… once the purpose for which the register has been supplied has expired”. Failure to do “would ultimately be for the police to investigate”.

But in September 2016, three months after the Brexit referendum, a Leave.EU staffer wrote an email to campaign CEO Liz Bilney and a senior Eldon insurance staffer saying that “the electoral data hasn’t yet been deleted”.

A later response said: “We have deleted that data that Ross used from \\SKIPPY\Electoral Registers$\”. This email was sent by a staffer at Southern Rock, Banks’s Gibraltar-based insurance firm. The file prefix – ‘Skippy’ – is very similar to Go Skippy, the brand name under which Eldon Insurance trades.

Why Southern Rock, a Banks-owned insurance company based in Gibraltar, would have access to personal information about tens of millions of British voters is not clear. Among the email’s recipients are staff with Rock Services email addresses. Banks has said that Rock Services provided the £8m that he gave to the Brexit campaign.

Personal data crunched

Banks has maintained that there was no data sharing between Eldon and Leave.EU, telling Parliament previously that his insurance business had an “exceptionally strong data control culture to prevent any misuse of data”.

Last weekend, openDemocracy reported that Leave.EU received hundreds of electoral registers from across the UK.

In early June, a few weeks before the Brexit vote, Leave.EU CEO Liz Bilney complained that the campaign had collected data on only 14.7 million voters. Around the same time, a small team was created inside Banks’s Bristol HQ to format the electoral registers. “Nobody was told what the point of doing all this was,” someone familiar with the process told openDemocracy

By referendum day, the huge task of formatting all the electoral registers was far from complete. But just days after the unexpected Brexit vote, a small group of Leave.EU employees began processing the rest of the registers at Lysander House, Banks’s Bristol HQ and home to both Eldon Insurance and Leave.EU, openDemocracy has been told.

Pressure was put on staff to process the electoral registers more quickly, even though the campaign was over. “There was a level of urgency with it. People were getting angry emails saying, ‘This must be done.’ I didn’t know what it was for,” the source said.

Once all of the electoral rolls had been formatted, the spreadsheets were sent to a senior Eldon employee, the source claimed. How the formatted registers – which would have contained detailed data about tens of millions of British voters – were then used is not clear.

“We would format the registers and then send them on to a guy at Eldon and he would do whatever they did with them,” a Leave.EU source told openDemocracy. “I asked them why we were still doing this [after the Brexit referendum] but nobody gave me answer.” Arron Banks has declined to answer openDemocracy’s questions.

Banks has previously said that he believes big data is the future of both politics and business. In an email sent on 24 May 2016, an Eldon staffer says that “Arron [Banks] and Liz [Bilney]” want the website of the Go Skippy – the brand used by Eldon Insurance – “fit for purpose in line with the big data project”. There is no evidence that electoral roll information forms part of the “big data project”.

In December 2016, Banks set up a data analytics company, Big Data Dolphins. The following year, Banks told journalists that Eldon was using the same “artificial intelligence experts” that Leave.EU had deployed to target swing voters during the Brexit vote.

‘Mueller-style inquiry’

Commenting on openDemocracy’s story, Labour MP Ben Bradshaw said: "These further explosive revelations need to be examined as part of the ongoing investigations by the Information Commissioner, National Crime Agency and the police.

“It is becoming clearer by the day that multiple crimes were committed by the pro-Brexit campaign and we are only just beginning to understand the extent of these. That is why there are growing calls for a full Mueller-style inquiry like the one going on in the States to get to the bottom of whether the EU referendum was subverted."

Kyle Taylor, of campaign group Fair Vote, said: "The scale of this illegal operation is even larger than perhaps anyone thought likely.

“It also offers yet another example of why there must be an independent public inquiry into the EU referendum. This is much bigger than Brexit. It's about the sanctity of and trust in our democratic system. Our very way of life is at stake."

Banks has so far not responded to openDemocracy’s requests for comment.

Update, 24 September 2019: The National Crime Agency has found no evidence that Arron Banks, Elizabeth Bilney, Better for the Country Ltd or Leave.EU committed a crime under electoral or company law. Its investigation related to a referral from the Electoral Commission on 1 November 2018. For more information see the NCA statement here.