ICO (UK) - The Labour Party: Difference between revisions
No edit summary |
No edit summary |
||
Line 61: | Line 61: | ||
|Appeal_To_Link= | |Appeal_To_Link= | ||
|Initial_Contributor=lorea | |Initial_Contributor=lorea.mendi | ||
| | | | ||
}} | }} |
Revision as of 11:31, 4 September 2024
ICO - The Labour Party | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 12(3) UK GDPR Article 15(1) UK GDPR Article 17(1) UK GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | |
Fine: | n/a |
Parties: | The Labour Party |
National Case Number/Name: | The Labour Party |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | ICO (in EN) |
Initial Contributor: | lorea.mendi |
The DPA reprimanded the UK’s Labour Party for failing to adequately respond to access and erasure requests when it was experiencing a backlog of requests after a data breach.
English Summary
Facts
The Labour Party is a British political party. It processes a variety of personal data pertaining to employees and members of the public. In October 2021, it experienced a significant cyber-attack. The controller had subsequently accumulated a backlog of data subject access requests.
Over the course of this investigation, the UK Information Commissioner’s Office (ICO) had discovered a further issue concerning an unmonitored privacy email inbox, with a number of data protection requests that the Labour Party had stopped monitoring in November 2021. The DPA began investigating the Labour Party based on a data subject’s complaint concerning failure to adequately respond to access requests pursuant to Articles 12(3) and 15 UK GDPR.
The investigation revealed that 78% of the pending access requests were more than 3 months old and the controller had failed to respond to approximately 646 access requests. Furthermore, there were also 597 unresponded-to erasure requests.
Holding
The DPA issued a reprimand to the controller for infringements of Article 12(3), 15(1) and 17(1) UK GDPR.
In calculating the fine, the DPA considered the large influx of subject access requests following its data breach which impacted the controller’s backlog. It also noted that the controller had since taken a number of remedial measures which improved their ability to respond to requests, including the assignment of several employees on data protection matters, spending increased funds on responses and providing an update to the Data Protection Notice.
The DPA recommended that the DPA ensure adequate resources and staff in place to adequately guarantee data subject rights and to ensure unused inboxes are deleted.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
DATA PROTECTION ACT 2018 AND UK GENERAL DATA PROTECTION REGULATION REPRIMAND TO: The Labour Party OF: 20 Rushworth Street, London, SE1 0SS 1.1 The Information Commissioner (the Commissioner) issues a reprimand to the Labour Party in accordance with Article 58(2)(b) of the UK General Data Protection Regulation in respect of certain infringements of the UK GDPR. Background The Commissioner began an investigation into the Labour Party’s compliance with subject access requests under Article 15 and Article 12(3) of the UK GDPR. This was after the Labour Party had accumulated a backlog of subject access requests after experiencing a spike in the numbers of subject access requests it was receiving. The cause of this spike was due to the Labour Party experiencing a cyber-attack in October 2021. During the course of this investigation, a further issue was identified regarding a recently discovered unmonitored privacy email inbox. It was discovered that there was a significant number of data protection requests found in the privacy inbox that the Labour Party stopped monitoring in November 2021. The privacy inbox was originally used to respond to correspondence and requests from individuals affected by a cyber incident the Labour Party experienced. It was found that within this unmonitored inbox there were a significant number of subject access requests and erasure requests that presented no evidence that the Labour Party had responded to these requests. The reprimand 1.2 The Commissioner has decided to issue a reprimand to the Labour Party in respect of the following infringements of the UK GDPR: • Article 12(3) This states that ‘[t]he controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the 1 request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests’. • Article 15(1) This states that ‘[t]he data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data […]’. • Article 17(1) This states that ‘[t]he data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay […]’. 1.3 The reasons for the Commissioner’s findings are set out below. 1.4 The Labour Party are a British Political Party who process a variety of personal data for both employees of the party and members of the general public/party supporters. 1.5 The Labour Party started to experience a backlog of subject access requests after experiencing a cyber-attack on 29 October 2021. Subsequently, the Commissioner conducted an investigation to assess the extent to which it has complied with the requirements of Article 15 and Article 12(3) of the UK GDPR. 1.6 During the course of the Commissioner’s investigation into the Labour Party’s initial subject access request backlog, the Labour Party advised that a further issue had been identified regarding its subject access compliance. It was discovered that there were a significant number of data protection requests found in a privacy inbox that was no longer used by the Labour Party. This privacy inbox was originally used to respond to any correspondence or requests from individuals affected by a cyber incident the Labour Party experienced. The Labour Party stopped monitoring this inbox in late November 2021 after their efforts to move correspondence related to this cyber incident to the Labour Party’s standard data protection inbox. Article 12(3) 1.7 From the subject access request statistics provided by the Labour Party it was found that in November 2022, a year after the backlog began, the Labour Party had 352 actionable subject access requests. Of these 352 2subject access requests, 82% (289) of the subject access requests were older than one calendar month, and 78% (274) were older than three months. This evidences that at least 78% of the subject access requests the Labour Party had in November 2022 were not responded to in accordance with Article 12(3) of the UK GDPR. 1.8 After the discovery of the unmonitored privacy inbox, a significant number of data protection requests were found in the inbox. Of the requests found within this privacy inbox approximately 646 subject access requests were identified as having no evidence to prove the Labour Party had responded to these requests. And approximately 597 erasure requests were identified as having no evidence to prove the Labour Party had responded to these requests. These recently discovered subject access requests and erasure requests were not responded to, by the Labour Party, in accordance with Article 12(3) of the UK GDPR. It should be noted that these above mentioned subject access request and erasure request figures do not factor in possible duplicate requests. Article 15(1) 1.9 The subject access request statistics provided further demonstrated that 56% (198) of the subject access requests in the Labour Party’s backlog in November 2022 were 12+ months old. This evidences the significant period of time 198 individuals have had to wait to receive the personal data the Labour Party holds in relation to them requested under Article 15(1) of the UK GDPR. 1.10 From the discovery of the subject access requests identified within the unmonitored privacy inbox it was found that the Labour Party had not responded to approximately 646 subject access requests. A number of these subject access request likely date back to 2021. This further evidences that the Labour Party have not been compliant with Article 15(1) of the UK GDPR. 1.11 The findings show that for the period of November 2021 to November 2022 the Information Commissioner’s Office (ICO) received 154 complaints from individuals regarding the Labour Party’s handling of subject access requests. Article 17(1) 1.12 The investigation into the unmonitored privacy inbox found that there were approximately 597 erasure requests where the Labour Party had not responded to these requests. Article 17(1) of the UK GDPR outlines and individuals right to have their personal data erased by a data controller ‘without undue delay’. Although the right to erasure is not an absolute right, a data controller still has the obligation to respond to a data subjects 3erasure request whether they are obligated to erase the data or not. The Labour Party stopped monitoring the specific privacy inbox from November 2021 until October 2023 which has resulted in approximately 597 erasure requests not being responded to during this time period, leading to an undue delay in the handling of these requests. It is the ICO’s expectation that a response is provided to a data subject within a month of receipt of an erasure request regardless of whether there is an obligation to erase or not. Therefore, the ICO are of the view that the Labour Party have not complied with Article 17(1) of the UK GDPR. Mitigating factors 1.13 In the course of the Commissioner’s investigation it has been noted that the Labour Party did start to receive a large increase in subject access requests in November 2021 due to a cyber incident that occurred in October 2021. It is recognised that this increase in subject access requests continued to have an impact on the Labour Party’s subject access request backlog over 12 months later. 1.14 A further mitigating factor is the current decrease in the number of subject access requests within the Labour Partys backlog, along with the reduced number of complaints being received regarding the Labour Party’s handling of subject access requests. From statistics provided on 26 October 2023 it is evident that the Labour Party had made a significant improvement on their subject access request backlog with only four subject access requests remaining outside of the legislative timeframe set out under Article 12(3) of the UK GDPR. A further update was provided, by the Labour Party, on 10 April 2024 confirming that there were zero outstanding subject access requests within their backlog. 1.15 It can also be seen from the statistics of 26 October 2023 that the Labour Party only had four open complaints with the Information Commissioner’s Office. However as of 10 April 2024 the Labour Party have advised there are no open complaints at the national Labour Party level. Remedial steps taken by the Labour Party 1.16 The Commissioner has also considered and welcomes the remedial steps taken by the Labour Party in light of this matter. In particular: 1.16.1 The assigning of three temporary members of staff tasked with solely tackling the subject access request backlog, along with the utilisation of existing staff to further support the successful delivery of the subject access request backlog project. 1.16.2 The recruitment of a senior data protection consultant to project manage the subject access request backlog work 4 between 2022 and 2023, during the recruitment process for a new Data Protection Officer. 1.16.3 Senior members of the Labour Party staff have devoted considerable time to personally dealing with the subject access request backlog. This includes attending regular meetings with the Information Commissioner’s Office, weekly meetings with the Labour Party backlog team to monitor and scrutinise progress, and meeting more regularly with the senior data protection consultant, and subsequently the Data Protection Officer. 1.16.4 The allocation of extra funds to address the subject access request backlog. 1.16.5 Producing a detailed action plan on how the Labour Party plan to further reduce their subject access request backlog. 1.16.6 A new Data Protection Officer was appointed in July 2023 1.16.7 Contacted all 646 data subjects who had sent subject access requests to the Labour Party’s unmonitored privacy inbox. 1.16.8 Have actioned all 597 erasure requests identified within the unmonitored inbox. 1.16.9 Deletion of the unmonitored privacy inbox. 1.16.10 Full data subject request process update 1.16.11 Full Data Protection Notice(s) update Decision to issue a reprimand 1.17 Taking into account all the circumstances of this case, including the mitigating factors and remedial steps taken by the Labour Party, the Commissioner has decided to issue a reprimand to the Labour Party in relation to the infringements of Articles 12(3), 15(1), and 17(1) of the UK GDPR set out above. Further Action Recommended 1.18 The Commissioner has set out below certain recommendations which may assist The Labour Party in rectifying the infringements outlined in this reprimand and ensuring the Labour Party’s future compliance with the UK 5GDPR. Please note that these recommendations do not form part of the reprimand and are not legally binding directions. As such, any decision by the Labour Party to follow these recommendations is voluntary and a commercial decision for the Labour Party. For the avoidance of doubt, the Labour Party is of course required to comply with its obligations under the law. 1.19 If in the future the ICO has grounds to suspect that the Labour Party is not complying with data protection law, any failure by the Labour Party to rectify the infringements set out in this reprimand (which could be done by following the Commissioner’s recommendations or taking alternative appropriate steps) may be taken into account as an aggravating factor in deciding whether to take enforcement action - see page 11 of the Regulatory Action Policy Regulatory Action Policy (ico.org.uk) and Article 83(2)(i) of the UK GDPR. 1.20 The Commissioner recommends that the Labour Party should consider taking certain steps to improve its compliance with UK GDPR. With particular reference to Article 12(3) of the UK GDPR, the following steps are recommended: 1.20.1 In order to ensure compliance with Article 12(3) of the UK GDPR the Labour Party should ensure that it has adequate staff resources in place to process and respond to subject access requests. 1.20.2 The Labour Party should ensure they continue to take the steps outlined in their action plan to ensure that subject access requests are responded to within statutory deadlines in line with Articles 12(3) and 15(1) of the UK GDPR. 1.20.3 Where appropriate, the Labour Party should ensure that any inboxes that are no longer in use are deleted. 6