Labour Party repeatedly failed to meet data protection obligations – watchdog
The UK’s data protection watchdog has taken action against the Labour Party for repeatedly failing to respond to people who asked what personal information the organisation held on them.
The Information Commissioner’s Office (ICO) issued a formal reprimand after it was revealed that the party had not complied with its legal obligations.
Under data protection law, anyone can ask an organisation for a copy of the personal information it is using or storing on them, known as a subject access request (SAR). People also have the right to check whether their personal information is accurate, or to have it updated or deleted.
As of November 2022, the Labour Party had received 352 SARs, but 78% did not receive a response within the maximum compulsory time limit of three months, and more than half (56%) were significantly delayed by more than one year.
A cyber attack on the Labour Party in October 2021 is said to be the reason for the backlog, as this resulted in an increase in requests from the public.
The party has since assigned three temporary members of staff to tackle the outstanding requests, allocated extra funding and implemented an action plan, according to the ICO.
Deputy Commissioner at the ICO, Stephen Bonner, said: “Being able to ask an organisation ‘what information do you hold on me?’ and ‘how is it being used?’ is a fundamental right, which provides both transparency and accountability. It is vital that organisations do not underestimate the importance of responding to these requests on time.
“The public need to fully trust that a political party will handle their data correctly and respect their information rights.
“We welcome news that the Labour Party has now cleared its backlog of SARs and implemented further measures to ensure people receive a prompt response going forward.”
The ICO’s investigation followed more than 150 complaints regarding the party’s handling of SARs in the year from November 2021 to November 2022.
During the investigation, the ICO said it was also informed of the existence of a “privacy inbox” that had not been monitored by the party since November 2021.
The inbox contained approximately 646 additional SARs and approximately 597 requests for personal information to be deleted.
The ICO said it was likely that some of these may have been duplications, but that none of the requests had been responded to.