What is the practical answer?
Political campaign data security should include unique accounts, strong passwords, multi-factor authentication, limited access, encrypted storage, secure voter-file handling, timely software updates, protected devices, controlled exports, backups, incident procedures, and deletion rules for data that is no longer needed.
On this page
Identify the campaign’s sensitive information
Create an inventory of voter files, supporter identification, volunteer information, donor records, sign and ride requests, public-form submissions, financial records, internal notes, passwords, unpublished plans, and campaign communications.
The campaign cannot protect information it has not identified. Record where each category is stored, who can access it, why it is needed, and when it should be deleted.
Secure campaign accounts
- Use unique individual accounts.
- Require strong unique passwords.
- Enable multi-factor authentication.
- Use a password manager approved by the campaign.
- Remove access when roles change.
- Keep recovery email and phone information current.
- Review administrative accounts regularly.
Limit access by role
Volunteers should receive only the access needed for their assignment. A canvasser may need a specific walklist but not the full voter database. A phone caller may need assigned phone records but not financial information.
Use role-based permissions and time-limited access where possible. Record administrative exceptions and review them after the event or campaign phase ends.
Protect voter-file handling
Upload voter files through approved secure workflows. Avoid sending raw files through personal email or consumer messaging applications. Store originals only as long as necessary for the import and verification process.
Control exports. Every downloaded spreadsheet creates another copy that may be lost, forwarded, or retained after it is no longer needed.
Secure volunteer devices and paper
- Require device passcodes.
- Keep operating systems and browsers updated.
- Avoid saving passwords in shared browsers.
- Do not leave paper lists unattended.
- Number and track sensitive poll kits.
- Collect and securely destroy obsolete paper.
- Provide a process for reporting a lost device or list immediately.
Protect public forms
Use spam protection, validation, secure transmission, and clear privacy language. Limit the information requested to what the campaign actually needs. Ensure submissions reach an assigned person and are not left indefinitely in an unmanaged inbox.
Backups and recovery
Back up critical campaign information and test that it can be restored. Backups should not create uncontrolled copies. Protect them with the same or stronger controls used for the active system.
Document what the campaign will do if an account is compromised, a file is lost, or a website is unavailable. Identify who has authority to reset credentials, contact providers, notify affected people, or suspend access.
Retention and deletion
Decide how long the campaign needs each category of data. Delete raw uploads, temporary exports, expired accounts, duplicate files, and inactive access when they are no longer required. Follow election, finance, privacy, and record-retention rules that apply in the campaign’s jurisdiction.
Security review checklist
- Administrative accounts reviewed.
- Multi-factor authentication confirmed.
- Former users removed.
- Voter-file copies inventoried.
- Public forms tested.
- Backups verified.
- Paper-list controls documented.
- Incident contacts confirmed.
- Deletion schedule reviewed.
What campaign teams should remember
- Use individual accounts instead of shared passwords whenever possible.
- Require multi-factor authentication for important campaign systems.
- Limit voter-file access to people who need it for their role.
- Delete raw uploads and exports when they are no longer operationally required.
- Treat paper lists, personal devices, and public forms as part of the security system.
Common questions about political campaign data security checklist
What campaign data is sensitive?+
Voter files, supporter identification, volunteer information, donor records, ride requests, contact details, internal notes, credentials, and unpublished campaign plans may all require protection.
Should campaigns use shared accounts?+
Avoid shared accounts when possible. Individual accounts make access easier to revoke and create clearer accountability.
How should voter files be stored?+
Store them in approved secure locations with encryption, access controls, logging, backups, and a deletion policy. Avoid uncontrolled email attachments and personal cloud folders.
What should happen when a volunteer leaves?+
Remove access promptly, recover campaign devices or paper, change shared credentials that cannot be avoided, and document the access change.
Editorial reviewReviewed by CampaignGateway Operations Team on 2026-06-17. Campaigns should always verify legal, election, privacy, accessibility, and voter-contact requirements with the appropriate election authority or qualified adviser.