Labour failed to respond on time to people’s requests for their data, says ICO
Labour has been criticised by the UK’s data protection watchdog for failing to respond to people who had formally asked the party for what information it held about them.
The backlog mounted after a cyberattack on the party in October 2021, which led to a flood of requests from the public. The party said it had now cleared its backlog.
More than 350 people experienced long delays when they contacted the party with subject access requests – which anyone can use to ask organisations what personal information is being held about them.
The Information Commissioner’s Office (ICO) said the Labour party had been “repeatedly failing” to respond to the request. It received 352 subject access requests (SARs) in November 2022, but 78% did not receive a response within the maximum compulsory time limit of three months and more than half (56%) were delayed by more than a year.
The investigation was prompted by more than 150 complaints to the ICO regarding the handling of SARs between 2021 and 2022.
During its investigation, the ICO said it uncovered a “privacy inbox” that had not been monitored by the Labour party since November 2021. The inbox contained approximately 646 additional SARs and approximately 597 requests for personal information to be deleted. None of the requests had been responded to.
Stephen Bonner, a deputy commissioner at the ICO, said: “Being able to ask an organisation: ‘What information do you hold on me?’ and: ‘How it is being used?’ is a fundamental right, which provides both transparency and accountability. It is vital that organisations do not underestimate the importance of responding to these requests on time.
“The public need to fully trust that a political party will handle their data correctly and respect their information rights.
“We welcome news that the Labour party has now cleared its backlog of SARs and implemented further measures to ensure people receive a prompt response going forward.”
Labour said it was assigning three temporary members of staff to solely tackle the outstanding requests, allocating extra funds and implementing an action plan.
The ICO has issued the party with a formal reprimand and it has had to ensure it still has adequate staffing in place to respond to SARs on time and ensure future compliance with the law.
A Labour spokesperson said: “The Labour party has engaged fully with the ICO and undertaken comprehensive action to improve our processes in response to its findings.”
The party said that as of April 2024, the backlog of subject access requests and erasures had been fully cleared, and it no longer had any active complaints.
Labour HQ was hit by a “cyber incident” in 2021 that meant that a “significant quantity” of members’ and supporters’ data became inaccessible. It was believed to be a ransomware attack, in which hackers demand money to restore access to data that has been seized and encrypted.
