Party blames overload of SARs and unmonitored inbox for failure to meet deadlines.
The Labour Party has received an Information Commissioner reprimand for failing to comply with data protection laws while in opposition.
After more than 150 people complained to the ICO about the length of time it was taking the Labour Party to respond to subject access requests (SARs) following a cyber-attack in October 2021, the ICO has found party officials had accumulated a backlog of subject access requests.
Spike in Numbers
The ICO said it began an investigation after the Labour Party experienced a spike in the numbers of SARs, which was due to the Labour Party experiencing a cyber-attack in October 2021.
By November 2022, the Labour Party had received 352 SARs that required a response. Of that number, 78% had not received a response within the maximum compulsory time limit of three months, and over half (56%) were significantly delayed by over one year.
Article 12(3) of the GDPR states that the controller shall provide information on action taken on a subject access request within one month of receipt of the request. “That period may be extended by two further months where necessary, taking into account the complexity and number of the requests,” the ICO said.
Significant Number
There were also a significant number of data protection requests found in an unmonitored privacy email inbox, that the Labour Party stopped monitoring in November 2021.
The privacy inbox was originally used to respond to correspondence and requests from individuals affected by a cyber incident the Labour Party experienced. The ICO found that within this unmonitored inbox there were a significant number of subject access requests and erasure requests.
The cyber-attack was a ransomware incident in 2021, on Tangent who supplied Labour’s member system, the party began to develop a backlog of these requests — partially due to a spike in people seeking to know how much of their personal information may have been compromised in the attack.
The ICO’s said it issued the reprimand rather than a fine because of the party’s response to the investigation, explaining that senior members of staff had “devoted considerable time to personally dealing with the subject access request backlog.”
Stephen Bonner, deputy commissioner at the ICO, said: “The public need to fully trust that a political party will handle their data correctly and respect their information rights. We welcome news that the Labour Party has now cleared its backlog of SARs and implemented further measures to ensure people receive a prompt response going forward.”
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
