The DPC review, sparked by an Irish Independent investigation, found Sinn Féin had not complied with laws set out in General Data Processing Regulations (GDPR) until details of the system were revealed.
The party was also found to have breached transparency rules by failing to tell voters their information was being secretly recorded on their internal database. It also found Sinn Féin had not carried out a legally required Data Protection Impact Assessment on the database before it was launched in 2019.
The DPC said these were “matters of significant seriousness from a data protection perspective”. The data watchdog said there are no limitations under existing legislation stopping Sinn Féin or any other party from operating database which notes voters perceived voting intentions.
The DPC found there are “no particularly concerning findings” to report from auditing 26 parties but made more than 80 recommendations on how data protection policies could be improved.
Fianna Fáil, Fine Gael and the Green Party were told to update their privacy policies to note their use of electoral registers after the audit. Fianna Fáil were told to regularly contact their non-voting membership to ask if they want their data retained. They were also instructed to update their data retention policies.
The DPC also audited the fake polling activities of several political parties including Fianna Fáil, Fine Gael and Sinn Féin and found no data protection laws were breached by the practice.
However, it added that “it would be inappropriate for the DPC to comment on any other matters relating to the conduct of the market research/opinion polling”.
The DPC investigation into every political party found Sinn Féin is the only organisation with a “bespoke database” combining data from Registers of Electors and Marked Electoral Registers with data obtained from party canvassing activities.
The inspection of the Abú database found around 5.85pc or 203,000 voters had their perceived voting intentions listed inside Sinn Féin’s canvassing system.
The audit noted Sinn Féin was not compliant with GDPR rules on transparency as the party had not notified voters to the existence of the database until details of the Abú system were reported in the Irish Independent in April.
The DPC said a data controller, such as Sinn Féin, is required to tell members of the public who are canvassed at their doorstep that they are recording information about their voting intentions.
The party told the DPC their election material “contains clear signposting” to Sinn Féin’s privacy policies and canvassers and candidates are made aware of this in advance of every campaign.
The DPC examined sample election material from the 2021 Dublin Bay South By-Election and found there was no reference to the Abú database or to the fact that a voters perceived voting intentions may be inputted into the system.
“This should continue as standard practice for as long as the Abú database continues to exist,” it added.
Sinn Féin was also told to introduce “robust and appropriate measures” to detect any unauthorised activity on its database within the first three months of the new year.
They were also instructed to regularly monitor and audit their database and submit regular reports on the system to party management.
The DPC also said Sinn Féin should develop an industry best standard policy for any updates of software development. Sinn Féin were told to remove any fields from the database which they say they are not using.
The audit found no evidence suggesting Sinn Féin has been “using its social media presence, or its activities on social media platforms, to obtain or otherwise process personal data to enrich either the Abú or the party membership databases”.
It was previously revealed that a Sinn Féin internal digital training document for party organisers told them to "engage" with Facebook users to "elicit more specific information" which can then be used to "pinpoint them in the real-world".