The Information Commissioner’s Office (ICO) has issued a reprimand to the UK’s Labour Party for repeatedly failing to respond to people who asked what personal information the party held on them – known as a subject access request (SAR).
In November 2022, the Labour Party had received 352 SARs that required a response. Of that number, 78% had not received a response within the maximum compulsory time limit of three months, and over half (56%) were significantly delayed by over one year.
The backlog of SARs developed following a cyber attack on the Labour Party in October 2021, which led to an increase in requests from the public.
The investigation followed over 150 complaints to the ICO regarding the Labour Party’s handling of SARs in the year from November 2021 to November 2022.
Under data protection law, people have the right to ask an organisation if it is using or storing their personal information and receive a copy of any personal information held. They also have the right to ask an organisation to ensure that their personal information is up-to-date and accurate, or in certain cases, deleted.
During its investigation, the ICO was also informed of the existence of a ‘privacy inbox’ that had not been monitored by the Labour Party since November 2021. The inbox contained approximately 646 additional SARs and approximately 597 requests for personal information to be deleted. While some of these may have been duplications, none of the requests had been responded to by the Labour Party.
Readers have their say on Steven Bartlett: Genius or bluffer?
Since engagement with the ICO began, it says the Labour Party has continued to take steps to address its backlog including; assigning three temporary members of staff to solely tackle the outstanding requests, allocating extra funds and implementing an action plan.
Stephen Bonner, Deputy Commissioner at the ICO, said: “Being able to ask an organisation ‘what information do you hold on me?’ and ‘how it is being used?’ is a fundamental right, which provides both transparency and accountability. It is vital that organisations do not underestimate the importance of responding to these requests on time.
“The public need to fully trust that a political party will handle their data correctly and respect their information rights. We welcome news that the Labour Party has now cleared its backlog of SARs and implemented further measures to ensure people receive a prompt response going forward.”
The reprimand details how the Labour Party failed to comply with their legal obligations under data protection law when responding to SARs during this period. The ICO has advised the Labour Party to take the steps outlined in its action plan to make sure they continue to have adequate staffing in place to respond to SARs on time and ensure future compliance with the law.
Organisations must respond to a SAR within one month of receipt of the request. This can be extended by up to two months if the SAR is complex.
BusinessCloud has contacted the Labour Party for comment.