The data: Labour Party’s chronic and flagrant abuse of the Data Protection Act 1998

Greg Hadfield
Aug 9, 2018

A Freedom of Information request was made to the Information Commissioner’s Office (ICO) on February 13 2018, by a campaigner who supports Labour Party members who have been unjustly suspended or expelled for political reasons. The text of the request is appended.

The data referred to in the ICO response — given on March 13 2018 — can be downloaded here: http://bit.ly/2KFdsoq

It contains a total of 44 complaints: one in 2015–2016; 22 in 2016–2017; 21 in 2017–[March 13] 2018.

My latest blogpost about the Labour Party’s chronic and flagrant breaches of the Data Protection Act 1998 can be found here: http://bit.ly/2vkkNUy

As a result, I was particularly interested in the 32 complaints relating specifically to Subject Access Requests that had not been fulfilled within the 40-calendar-day deadline.

Of which:

  • 18 complaints led to the ICO requiring action from the Labour Party’s data-controller (one in January-March 13 2018; 12 in 2017; and five in 2016);
  • three led to the ICO raising concern with the data-controller;
  • four led to the ICO giving compliance advice to the data-controller;
  • four required a response from the data-controller;
  • two required no action or did not relate to the Data Protection Act.

To update the data, I will shortly be submitting a Freedom of Information request of my own to the ICO.

Freedom of Information request to the Information Commissioner’s Office: February 13 2018

Dear Information Commissioner’s Office,

In relation to the UK Labour Party, please could you let me know the total number of complaints made to the Information Commissioner’s Office (ICO) for the periods 2015–2016, 2016–2017, and 2017 to the present date in connection with the Labour Party’s:

1) failure to comply with the statutory 40 day deadline for responding to subject access requests (SAR)

2) the total number of complaints made to the ICO in connection with the accuracy of data retained by the Labour Party in relation to a) members of the Labour Party and b) other data subjects. If the ICO cannot provide a breakdown of a) and b), then please provide the total number of complaints made.

3) the total number of complaints made to the ICO in connection with the length of time data is retained in relation to (a) members of the Labour Party and (b) other data subjects. If the ICO can not provide a breakdown of a) and b) then please provide the total number of complaints made.

4) in relation to any failures, issues or concerns by or about the Labour Party to:

i) comply with the statutory 40 day deadline for SAR
ii) the accuracy of retained data
iii) the length of time data is retained

Please could you let me know:

a) how many information notices requiring the Labour Party to provide the Information Commissioner’s Office with specified information within a certain time period were issued. If none please state none.

b) on how many occasions the ICO issued the Labour Party with undertakings committing them to a particular course of action in order to improve its compliance. If none, please state none.

c) On how many occasions did the ICO serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring the Labour Party to take (or refrain from taking) specified steps in order to ensure they comply with the law. If none, please state none.

d) How many conduct consensual assessments (audits) have the ICO undertaken to check that the Labour Party are complying. If none, please state none.

c) how many assessment notices have the ICO issued to conduct compulsory audits to assess whether the Labour Party’s processing of personal data follows good practice. If none, state none.

d) How many monetary penalty notices, requiring The Labour Party to pay up to £500,000 for serious breaches of the Data Protection Act has the ICO issued. If none, please state none.

e) Have the ICO prosecuted the Labour Party for committing any criminal offences under the Act.

f) have the ICO reported the Labour Party to Parliament on issues of concern.

Response of the ICO to the Freedom of Information request: March 13 2018

In response to request 1, 2 and 3 please find attached a csv file containing our data protection casework completed for the 2015/16 financial years to present, where the party concerned was the Labour Party and where the nature of the concern raised was ‘subject access’, ‘inaccurate data’, or ‘retention of data’. I have added an extra column to identify whether the concerns raised where the nature was ‘subject access’ related to the data controller exceeding the 40 calendar day deadline for responding to subject access requests or if it was in relation to a different ‘subject access’ issue.

The attached dataset contains the following information:

* Our reference number for the work completed;
* the type of work and legislation it falls under;
* the name of the organisation responsible for the processing of personal information;
* the sector the organisation represents;
* the nature of the issues involved;
* the date the work was completed; and
* the outcome following our consideration of the issues.

A description of the case outcomes we use is available here.

We have extracted this data from our electronic casework management system to enable us to respond to your request. We predominantly use this system to track and progress individual cases. We don’t use this data in isolation to decide whether regulatory action is appropriate in any particular case, but we might use it to help identify potential trends or to see the size and progress of our caseload. The data provided reflects the data on the date it was extracted and can be subject to change over time.

Some cases may have more than one outcome, for example where we are given additional evidence which requires us to reopen a case and revise our view. However, all outcomes are recorded as related activities on a single case. You will see that where this has occurred, the duplicate case reference numbers are shown grouped together and in date order so that you can identify which is the final outcome.

In relation to 2 (a) and (b) and 3 (a) and (b), we would only hold this information if it was provided to us by the complainant in the course of their complaint, therefore it is difficult to provide an accurate figure in response to these parts of your requests. However, we have examined the information held on the cases where the nature of the concern is ‘inaccurate data’ or ‘retention of data’ and I have provided figures for cases where the complainant has made clear that they are, or had been, a member of the Labour Party. Of the complaints where the nature of the concern raised was ‘inaccurate data’, three appear to have been raised by members of the Labour Party. Of the complaints where the nature of the concern is ‘retention of data’, one appears to be from a member of the Labour Party.

In relation to part 4 of your request, I have addressed each request in turn below.

4) in relation to any failures, issues or concerns by or about the Labour Party to: (i) comply with the statutory 40 day deadline for SAR, (ii) the accuracy of retained data, (iii) the length of time data is retained, please could you let me know;

1. how many information notices requiring the Labour Party to provide the Information Commissioner’s Office with specified information within a certain time period were issued. If none please state none.

None

2. on how many occasions the ICO issued the Labour Party with undertakings committing them to a particular course of action in order to improve its compliance. If none, please state none.

None

3. On how many occasions did the ICO serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring the Labour Party to take (or refrain from taking) specified steps in order to ensure they comply with the law. If none, please state none.

None — in the period you have specified we have not issued an Enforcement Notice to the Labour Party for failures in relation to failures to comply with the 40 day SAR deadline, accuracy of data or the length of time data is retained. It may interest you to note that we have issued an Enforcement Notice to the Labour Party in relation to breaches of the Privacy and Electronic Communications Regulations (PECR) in 2010. Further details are available here.

4. How many conduct consensual assessments (audits) have the ICO undertaken to check that the Labour Party are complying. If none, please state none.

None

(c) how many assessment notices have the ICO issued to conduct compulsory audits to assess whether the Labour Party’s processing of personal data follows good practice. If none, state none.

None

(d) How many monetary penalty notices, requiring The Labour Party to pay up to £500,000 for serious breaches of the Data Protection Act has the ICO issued. If none, please state none.

None

5. Have the ICO prosecuted the Labour Party for committing any criminal offences under the Act.

No

(f) have the ICO reported the Labour Party to Parliament on issues of concern.

No

As a matter of further advice and assistance, we do publish information about the work we do on our website. You can find datasets which include the public concerns and organisations self-reported incidents we have dealt with here.

You can filter these datasets by the information you are interested in such as the name of the organisation, the case outcome or the nature of the concern.

Any enforcement action we take is usually published on our website here.

This concludes our response to your request. I hope the information provided is helpful.
