ICO (UK) - The Labour Party

Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law:
Article 12(3) UK GDPR
Article 15(1) UK GDPR
Article 17(1) UK GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: n/a
Parties: The Labour Party
National Case Number/Name: The Labour Party
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: lorea.mendi

The DPA reprimanded the UK’s Labour Party for failing to adequately respond to access and erasure requests when it was experiencing a backlog of requests after a data breach.

English Summary

Facts

The Labour Party is a British political party. It processes a variety of personal data pertaining to employees and members of the public. In October 2021, it experienced a significant cyber-attack. The controller subsequently accumulated a backlog of data subject access requests.

The UK Information Commissioner’s Office (ICO) began investigating the Labour Party based on a data subject’s complaint concerning failure to adequately respond to access requests pursuant to Articles 12(3) and 15 UK GDPR. Over the course of this investigation, the ICO discovered a further issue: a privacy email inbox containing a number of data protection requests, which the Labour Party had stopped monitoring in November 2021.

The investigation revealed that 78% of the pending access requests were more than 3 months old and the controller had failed to respond to approximately 646 access requests. Furthermore, there were also 597 unresponded-to erasure requests.

Holding

The DPA issued a reprimand to the controller for infringements of Article 12(3), 15(1) and 17(1) UK GDPR.

In deciding on the corrective measure, the DPA considered the large influx of subject access requests following the controller’s data breach, which contributed to the backlog. It also noted that the controller had since taken a number of remedial measures that improved its ability to respond to requests, including assigning several employees to data protection matters, spending increased funds on responses and updating the Data Protection Notice. Therefore, it decided to issue only a reprimand.

The DPA recommended that the controller ensure adequate resources and staff are in place to guarantee data subject rights, and that unused inboxes are deleted.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

DATA PROTECTION ACT 2018 AND UK GENERAL DATA PROTECTION REGULATION

REPRIMAND

TO: The Labour Party

OF: 20 Rushworth Street, London, SE1 0SS



1.1 The Information Commissioner (the Commissioner) issues a reprimand
to the Labour Party in accordance with Article 58(2)(b) of the UK General
Data Protection Regulation in respect of certain infringements of the UK
GDPR.


Background

The Commissioner began an investigation into the Labour Party’s
compliance with subject access requests under Article 15 and Article 12(3)
of the UK GDPR. This was after the Labour Party had accumulated a backlog
of subject access requests after experiencing a spike in the numbers of
subject access requests it was receiving. The cause of this spike was due
to the Labour Party experiencing a cyber-attack in October 2021.


During the course of this investigation, a further issue was identified
regarding a recently discovered unmonitored privacy email inbox. It was
discovered that there was a significant number of data protection requests
found in the privacy inbox that the Labour Party stopped monitoring in
November 2021. The privacy inbox was originally used to respond to
correspondence and requests from individuals affected by a cyber incident
the Labour Party experienced. It was found that within this unmonitored
inbox there were a significant number of subject access requests and
erasure requests that presented no evidence that the Labour Party had
responded to these requests.


The reprimand

1.2 The Commissioner has decided to issue a reprimand to the Labour Party
in respect of the following infringements of the UK GDPR:

   •  Article 12(3)

      This states that ‘[t]he controller shall provide information on action
      taken on a request under Articles 15 to 22 to the data subject without
      undue delay and in any event within one month of receipt of the
      request. That period may be extended by two further months where
      necessary, taking into account the complexity and number of the
      requests’.

   •  Article 15(1)

      This states that ‘[t]he data subject shall have the right to obtain from
      the controller confirmation as to whether or not personal data
      concerning him or her are being processed, and, where that is the
      case, access to the personal data […]’.

   •  Article 17(1)

      This states that ‘[t]he data subject shall have the right to obtain from
      the controller the erasure of personal data concerning him or her
      without undue delay and the controller shall have the obligation to
      erase personal data without undue delay […]’.


1.3 The reasons for the Commissioner’s findings are set out below.

1.4 The Labour Party are a British Political Party who process a variety of
personal data for both employees of the party and members of the general
public/party supporters.

1.5 The Labour Party started to experience a backlog of subject access
requests after experiencing a cyber-attack on 29 October 2021.
Subsequently, the Commissioner conducted an investigation to assess the
extent to which it has complied with the requirements of Article 15 and
Article 12(3) of the UK GDPR.

1.6 During the course of the Commissioner’s investigation into the Labour
Party’s initial subject access request backlog, the Labour Party advised that
a further issue had been identified regarding its subject access compliance.
It was discovered that there were a significant number of data protection
requests found in a privacy inbox that was no longer used by the Labour
Party. This privacy inbox was originally used to respond to any
correspondence or requests from individuals affected by a cyber incident
the Labour Party experienced. The Labour Party stopped monitoring this
inbox in late November 2021 after their efforts to move correspondence
related to this cyber incident to the Labour Party’s standard data protection
inbox.

Article 12(3)

1.7 From the subject access request statistics provided by the Labour Party
it was found that in November 2022, a year after the backlog began, the
Labour Party had 352 actionable subject access requests. Of these 352
subject access requests, 82% (289) of the subject access requests were
older than one calendar month, and 78% (274) were older than three
months. This evidences that at least 78% of the subject access requests
the Labour Party had in November 2022 were not responded to in
accordance with Article 12(3) of the UK GDPR.

1.8 After the discovery of the unmonitored privacy inbox, a significant
number of data protection requests were found in the inbox. Of the requests
found within this privacy inbox approximately 646 subject access requests
were identified as having no evidence to prove the Labour Party had
responded to these requests. And approximately 597 erasure requests were
identified as having no evidence to prove the Labour Party had responded
to these requests. These recently discovered subject access requests and
erasure requests were not responded to, by the Labour Party, in accordance
with Article 12(3) of the UK GDPR. It should be noted that these above
mentioned subject access request and erasure request figures do not factor
in possible duplicate requests.


Article 15(1)

1.9 The subject access request statistics provided further demonstrated
that 56% (198) of the subject access requests in the Labour Party’s backlog
in November 2022 were 12+ months old. This evidences the significant
period of time 198 individuals have had to wait to receive the personal data
the Labour Party holds in relation to them requested under Article 15(1) of
the UK GDPR.

1.10 From the discovery of the subject access requests identified within the
unmonitored privacy inbox it was found that the Labour Party had not
responded to approximately 646 subject access requests. A number of
these subject access requests likely date back to 2021. This further
evidences that the Labour Party have not been compliant with Article 15(1)
of the UK GDPR.

1.11 The findings show that for the period of November 2021 to November
2022 the Information Commissioner’s Office (ICO) received 154 complaints
from individuals regarding the Labour Party’s handling of subject access
requests.

Article 17(1)


1.12 The investigation into the unmonitored privacy inbox found that there
were approximately 597 erasure requests where the Labour Party had not
responded to these requests. Article 17(1) of the UK GDPR outlines an
individual’s right to have their personal data erased by a data controller
‘without undue delay’. Although the right to erasure is not an absolute right,
a data controller still has the obligation to respond to a data subject’s
erasure request whether they are obligated to erase the data or not. The
Labour Party stopped monitoring the specific privacy inbox from November
2021 until October 2023 which has resulted in approximately 597 erasure
requests not being responded to during this time period, leading to an
undue delay in the handling of these requests. It is the ICO’s expectation
that a response is provided to a data subject within a month of receipt of
an erasure request regardless of whether there is an obligation to erase or
not. Therefore, the ICO are of the view that the Labour Party have not
complied with Article 17(1) of the UK GDPR.

Mitigating factors


1.13 In the course of the Commissioner’s investigation it has been noted
that the Labour Party did start to receive a large increase in subject access
requests in November 2021 due to a cyber incident that occurred in October
2021. It is recognised that this increase in subject access requests
continued to have an impact on the Labour Party’s subject access request
backlog over 12 months later.

1.14 A further mitigating factor is the current decrease in the number of
subject access requests within the Labour Party’s backlog, along with the
reduced number of complaints being received regarding the Labour Party’s
handling of subject access requests. From statistics provided on 26 October
2023 it is evident that the Labour Party had made a significant
improvement on their subject access request backlog with only four subject
access requests remaining outside of the legislative timeframe set out
under Article 12(3) of the UK GDPR. A further update was provided, by the
Labour Party, on 10 April 2024 confirming that there were zero outstanding
subject access requests within their backlog.

1.15 It can also be seen from the statistics of 26 October 2023 that the
Labour Party only had four open complaints with the Information
Commissioner’s Office. However as of 10 April 2024 the Labour Party have
advised there are no open complaints at the national Labour Party level.

Remedial steps taken by the Labour Party


1.16 The Commissioner has also considered and welcomes the remedial
steps taken by the Labour Party in light of this matter. In particular:

   1.16.1   The assigning of three temporary members of staff tasked with
            solely tackling the subject access request backlog, along with
            the utilisation of existing staff to further support the successful
            delivery of the subject access request backlog project.

   1.16.2   The recruitment of a senior data protection consultant to
            project manage the subject access request backlog work
            between 2022 and 2023, during the recruitment process for a
            new Data Protection Officer.

   1.16.3   Senior members of the Labour Party staff have devoted
            considerable time to personally dealing with the subject access
            request backlog. This includes attending regular meetings with
            the Information Commissioner’s Office, weekly meetings with
            the Labour Party backlog team to monitor and scrutinise
            progress, and meeting more regularly with the senior data
            protection consultant, and subsequently the Data Protection
            Officer.

   1.16.4   The allocation of extra funds to address the subject access
            request backlog.

   1.16.5   Producing a detailed action plan on how the Labour Party plan
            to further reduce their subject access request backlog.

   1.16.6   A new Data Protection Officer was appointed in July 2023

   1.16.7   Contacted all 646 data subjects who had sent subject access
            requests to the Labour Party’s unmonitored privacy inbox.

   1.16.8   Have actioned all 597 erasure requests identified within the
            unmonitored inbox.

   1.16.9   Deletion of the unmonitored privacy inbox.

   1.16.10  Full data subject request process update

   1.16.11  Full Data Protection Notice(s) update

Decision to issue a reprimand

1.17 Taking into account all the circumstances of this case, including the
mitigating factors and remedial steps taken by the Labour Party, the
Commissioner has decided to issue a reprimand to the Labour Party in
relation to the infringements of Articles 12(3), 15(1), and 17(1) of the UK
GDPR set out above.



Further Action Recommended

1.18 The Commissioner has set out below certain recommendations which
may assist The Labour Party in rectifying the infringements outlined in this
reprimand and ensuring the Labour Party’s future compliance with the UK
GDPR. Please note that these recommendations do not form part of the
reprimand and are not legally binding directions. As such, any decision by
the Labour Party to follow these recommendations is voluntary and a
commercial decision for the Labour Party. For the avoidance of doubt, the
Labour Party is of course required to comply with its obligations under the
law.

1.19 If in the future the ICO has grounds to suspect that the Labour Party
is not complying with data protection law, any failure by the Labour Party
to rectify the infringements set out in this reprimand (which could be done
by following the Commissioner’s recommendations or taking alternative
appropriate steps) may be taken into account as an aggravating factor in
deciding whether to take enforcement action - see page 11 of the
Regulatory Action Policy (ico.org.uk) and Article
83(2)(i) of the UK GDPR.

1.20 The Commissioner recommends that the Labour Party should consider
taking certain steps to improve its compliance with UK GDPR. With
particular reference to Article 12(3) of the UK GDPR, the following steps are
recommended:

   1.20.1   In order to ensure compliance with Article 12(3) of the UK
            GDPR the Labour Party should ensure that it has adequate staff
            resources in place to process and respond to subject access
            requests.

   1.20.2   The Labour Party should ensure they continue to take the steps
            outlined in their action plan to ensure that subject access
            requests are responded to within statutory deadlines in line
            with Articles 12(3) and 15(1) of the UK GDPR.

   1.20.3   Where appropriate, the Labour Party should ensure that any
            inboxes that are no longer in use are deleted.