Chapter 7: The multiple breaches by the Labour Party of the Data Protection Act

The Sunday Times, August 26 2018

This is the seventh chapter of what was always intended to be a single article. A compendium of all nine chapters — written and published since May 4 2019 — can be found together via this link to the single article (which will be regularly revised in the days and weeks after May 14 2020): Iain McNicol: The criminal conspiracy against the Labour Party, its leadership, and its members

Other individual chapters can be found here: Chapter 1; Chapter 2; Chapter 3; Chapter 4; Chapter 5; Chapter 6; Chapter 7; Chapter 8 (to come); Chapter 9.

I have been asked a few times about my use of the word “criminal” relating to the McNicol conspiracy against the Labour Party, its leadership, and its members. It is a good question.

My immediate response is concede that “unlawful” may be a better, more accurate word: criminal relates to an unlawful act that is specifically prohibited by legislation; unlawful relates to an act that is not specifically authorised by legislation (and that is not necessarily in violation of a specific law — for example, a civil offence).

It is a moot point whether or not various breaches of data protection legislation are unlawful and/or criminal; regardless, given what I have written in previous instalments and what is disclosed in the leaked report, it is ironic that some former Labour Party staff named in the report are complaining their privacy has been breached by the leak.

Separately, there is evidence that some acts in the leaked report may have involved crimes akin to hacking and unlawful data-matching.

There is also the issue of an alleged breach of contract between the members of the Labour Party — as an unincorporated association — and the people employed to manage it within the law and in accordance with the Labour Party Rule Book. This is a complicated legal point that came to the fore in relation to challenges concerning the candidacy of Jeremy Corbyn.

Finally, given the evidence in the leaked report of channelling funds to “favoured” candidates, there may even be the issue of the McNicol and his fellow employees regarding legislation about elections, such as the Representation of the People Act 1983 (as amended).

All of the above is beyond my area of expertise — although I am very interested in learning more from learned friends.

Therefore, in this chapter, I propose to address only the chronic and widespread failure of the Labour Party to comply with the Subject Access Request (SAR) requirements initially under Section 7 of the Data Protection Act 1998 (DPA); the most recent legislation is the Data Protection Act 2018 (the United Kingdom’s implementation of the EU General Data Protection Regulation (GDPR).

A statutory requirement is that an SAR should be fulfilled within 40 calendar days.

Mishandling of SARs is the most common complaint to the Information Commissioner’s Office (ICO). In 2018–19, nearly four in 10 (38%) of more than 41,600 data-protection-related complaints lodged with the ICO concerned individuals’ rights to access their personal data held by organisations.

In recent years, the Labour Party has been one of the worst high-profile offenders.

A Freedom of Information request was made to the Information Commissioner’s Office (ICO) on February 13 2018, by a campaigner who supported Labour Party members who had been unjustly suspended or expelled for political reasons.

The data referred to in the ICO response — given on March 13 2018 — can be downloaded here:

It contains a total of 44 complaints: one in 2015–2016; 22 in 2016–2017; 21 in 2017–[March 13] 2018.

I was particularly interested in the 32 complaints relating specifically to Subject Access Requests that had not been fulfilled within the 40-calendar-day deadline.

Of which:

  • 18 complaints led to the ICO requiring action from the Labour Party’s data-controller (one in January-March 13 2018; 12 in 2017; and five in 2016);
  • three led to the ICO raising concern with the data-controller;
  • four led to the ICO giving compliance advice to the data-controller;
  • four required a response from the data-controller;
  • two required no action or did not relate to the Data Protection Act

I wrote about this data in an article on August 9 2018, 237 days after I had submitted my third SAR. Which is still unfulfilled at the time of writing, nearly 30 months later.

Let me go back, however, to my first SAR.

It was 6.20pm on Friday, August 12 2016 — just over a month after the “spitting” lies that led to the suspension of the City Party — when I made by first SAR to McNicol, in the hope of discovering evidence that might help inform the Buckingham-led inquiry into the suspension.

I received an apology from Creighton (passim) on September 22 and then a substantive response on Saturday, October 11 — a mere 17 days after the statutory deadline (above left).

On the one hand, I was delighted to have received the response; on the other hand, I was appalled by what I discovered. At 3.20pm on October 11, I tweeted: “Got “subject access” data from @UKLabour Creighton. Suddenly, I feel I’m in a surveillance state rather than a political party”:

The contents were shocking. From April 3 2013 — and the controversy over Kyle’s “open” selection — redacted emails showed individuals making several complaints — untrue; mostly libellous —to Labour Party officials. Not a single complaint had been made known to me, to allow me to rebut and refute.

Crucially, the complaints reached a crescendo shortly after the City Party annual meeting on July 9 2016, at which I and other pro-Corbyn candidates were elected with up to 65% of the 600-plus votes cast.

A fortnight after I received the first SAR bundle, I was suspended by the Labour Party.

The next SAR I was involved with was that submitted by Riad el-Taher, on March 25 2017, shortly after he was unjustly expelled — as outlined in Chapter 4. Apart from an immediate auto-reply from McNicol, Riad never received a response before his death from cancer on November 9 2018.

Having been suspended (for the second time), I submitted my second SAR on April 6 2017 — to Sam Matthews (passim) and to the “Legal Queries” email address.

Progress was not speedy: 60 days after my request — on June 6 2017 — I asked when I could expect a response. The following day, I received an apology. And a promise to provide a substantive response by June 14 2017.

Only July 16 2017, I made a formal complaint to the ICO.

After more chasing up of McNicol, Matthew (passim), “Legal Queries”, and the ICO, I received and apology on Thursday, August 3, from Andrew [Whyte], [director of the [Governance and Legal Unit], saying the necessary documentation had been posted on Monday, July 31; I received it on Friday, August 4.

It contained more of the same sort of material as the previous response, except more of it (117 double-sided pages): in particular, it disclosed complaints that — during my suspension — some anti-Corbyn members felt my influence was too great (for example, in relation to the selection of delegates to the three newly-reinstated CLPs).

Most interestingly, however, it disclosed (redacted) emails that proved I had been suspended in October 2016 just 64 minutes after local anti-Corbyn activists had been told I was to be a member of the steering committee set up following the Buckingham-led inquiry (left; see Chapter 4).

All because Morgan (passim) refused to be in the same room as me!

Notably, some emails between Labour Party officers and Labour members of Brighton & Hove City Council and/or their paid organiser — which had been leaked in full to me over the last 18 months — were not included at all.

Most worryingly, the unsigned cover letter (left) said: “Some information has been withheld, because it relates to advice given under legal professional privilege.”

It was not long before I got a formal response from the Information Commissioner’s Office (ICO) to my complaint about the Labour Party’s failure to fulfil my SAR within 40 calendar days.

Philip Marsh, the ICO’s Lead Case Officer, wrote: “Our assessment decision remains unchanged in that it is likely Labour breached the DPA in its failure to respond within the prescribed period.”

By December 8 2017, I had still not heard anything about the allegations behind my suspension more than a year earlier; nor had I heard when I might be given the opportunity of a hearing. So I made a third SAR.

It was to no avail — as I had expected. And as I disclosed in an article on July 30 2018, some 228 days after my request.

In this article, I explained my pessimism had been well-founded. Not least because repeated email reminders to Jordan Hall, the Labour Party’s Data Protection Officer, had met only with the laughably-worded auto-reponse: “Thank you for your email. We aim to respond to all queries within 10 working days. Please note that it is not always possible and there may be instance where further time is required. If your query is urgent, please call 02077831498 otherwise we will respond in due course. Alternatively, please contact your Regional office.”

Telephone calls to Hall were never returned. I later learned he had been off work — never to return or even to be replaced, as far as I know — because of long-term sickness. Hall does not merit a mention in the leaked report.

Please allow a brief diversion, to the references in the leaked report to SARs and how they were [mis]handled — as the result of incompetence fuelled by conspiracy.

According to Emilie Oldknow, Executive Director (Governance,
Membership and Party Services) in the leaked report, the Labour Party was used to dealing with about 30 SARs a year; by December 14 2016, the number had risen to 297.


Because people like me had been refused information by Matthews (passim) about why they had been suspended:

Separately, however, it is clear there was — quite from when is not clear — a “ Labour’s ‘Subject Access Request’ tool” that made it easy (presumably) to generate the raw [unredacted] material to satisfy SARs:

On July 23 2018, I had some good news! But not from the Labour Party.

The ICO had again ruled “it seemed likely that Labour had breached the Data Protection Act 1998 in its failure to respond to the SAR within the prescribed period”.

Yet again, the ICO had promised “a record will be kept on file and may help inform any future action we consider appropriate in regard to Labour’s handling of personal data”.

Finally, in a letter dated July 23 2018 (left), the Labour Party had been told to respond to my SAR “within the next 14 days” (ie Monday, August 6 2018).

Without the Labour Party having complied in time, I wrote another article on August 25 2018.

More than seven months — 253 days, to be precise — after I submitted a Subject Access Request (SAR) to the Labour Party, I revealed the Information Commissioner’s Office (ICO) had disclosed it has “concerns about Labour’s handling of SARs generally” and was “considering what further action may be necessary in order to improve Labour’s practices”. Read the full text of the letter from Phillip Marsh, the lead case officer.

In the letter dated August 23, in response to my complaint that the Labour Party had (still) not responded to my SAR — submitted on December 8 2017! — within the 40-calendar-day deadline required by the Data Protection Act 1998, Marsh, the ICO’s lead case officer, wrote:

“At this stage, I am unable to advise whether we will decide to take regulatory action in regard to your specific SAR; however I will update you should this be the case.

“In the meantime, I can advise that the Data Protection Act 1998 affords you with the right to enforce your right of access through the courts. Section 7(9) states that where a court determines a data controller has failed to comply with a subject access request, it can compel it to do so. You may therefore wish to seek independent legal advice in this regard. The ICO is unable to assist with taking such matters to court.”

On Saturday, August 25 2018, I was interviewed by The Sunday Times with a view to an article in that weekend’s newspaper. This is what I said:

“I’m a longstanding member of the Labour Party, who was suspended on October 26 2016 — after a still-unspecified allegation from a still-unnamed complainant, without a chance of a hearing to rebut and refute any charge.

“Like many hundreds and possibly thousands of party members, I made a Subject Access Request (SAR) to the Labour Party (on December 8 2017) to get some clues about why I was suspended. It should have responded to my request within 40 days. But I have had no communication whatsoever.

“I am pleased the Information Commissioner’s Officer (ICO) is now investigating the party’s flagrant and chronic abuse of the Data Protection Act 1998. If this fails to provide a satisfactory result, I will take the commissioner’s advice and take legal action.”

Below is what The Sunday Times published.

Despite confirmation from the ICO that the Labour Party had again breached the Data Protection Act and publicity in The Sunday Times, I never did get a substantive response to my third SAR — not before I was finally told (on November 30 2018) that I would get a hearing into the allegations that had resulted in my suspension more than two years earlier.

I guess that’s why I was never told what data the Labour Party held about me. Because the evidence would — maybe still will — prove that I was suspended as a result of the McNicol conspiracy. And for no other reason.

More to follow…..Next:

Chapter 8 (to come): My second suspension by the Labour Party in October 2016 and the subsequent lifting of my suspension at the end of a two-day hearing in February 2019

This is seventh chapter of an article that is related directly or indirectly to the shocking evidence contained in the recent leaked report entitled “The work of the Labour Party’s Governance and Legal Unit in relation to antisemitism, 2014–2019”. [Separately, I have put online some relevant extracts from the report.]

The final complete article will be sent to Martin Forde QC, the chair of the official Labour Party inquiry into the leaked report (even though, strangely but unsurprisingly, its terms of reference do not appear to allow for such democratic engagement).

Please let me know what you think via @GregHadfield; if you have any further information about the individuals or events mentioned, please email

For much more background, see my full list of Medium articles, many of which are linked to throughout this article; I have also published a list of links to the most-viewed articles.

Pro-Corbyn. Elected secretary of Brighton, Hove and District Labour Party; votes annulled by NEC; suspended Oct 2016; re-instated Feb 2019. Ex-Fleet Street.