The Guardian - UK
Jessica Elgot Deputy political editor

Labour failed to respond on time to people’s requests for their data, says ICO

Keir Starmer speaking at the Labour party conference in 2022. The ICO has issued the party with a formal reprimand. Photograph: James McCauley/Rex/Shutterstock

Labour has been criticised by the UK’s data protection watchdog for failing to respond to people who had formally asked the party for what information it held about them.

The backlog mounted after a cyberattack on the party in October 2021, which led to a flood of requests from the public. The party said it had now cleared its backlog.

More than 350 people experienced long delays when they contacted the party with subject access requests – which anyone can use to ask organisations what personal information is being held about them.

The Information Commissioner’s Office (ICO) said the Labour party had been “repeatedly failing” to respond to the request. It received 352 subject access requests (SARs) in November 2022, but 78% did not receive a response within the maximum compulsory time limit of three months and more than half (56%) were delayed by more than a year.

The investigation was prompted by more than 150 complaints to the ICO regarding the handling of SARs between 2021 and 2022.

During its investigation, the ICO said it uncovered a “privacy inbox” that had not been monitored by the Labour party since November 2021. The inbox contained approximately 646 additional SARs and approximately 597 requests for personal information to be deleted. None of the requests had been responded to.

Stephen Bonner, a deputy commissioner at the ICO, said: “Being able to ask an organisation: ‘What information do you hold on me?’ and: ‘How it is being used?’ is a fundamental right, which provides both transparency and accountability. It is vital that organisations do not underestimate the importance of responding to these requests on time.

“The public need to fully trust that a political party will handle their data correctly and respect their information rights.

“We welcome news that the Labour party has now cleared its backlog of SARs and implemented further measures to ensure people receive a prompt response going forward.”

Labour said it was assigning three temporary members of staff to solely tackle the outstanding requests, allocating extra funds and implementing an action plan.

The ICO has issued the party with a formal reprimand and it has had to ensure it still has adequate staffing in place to respond to SARs on time and ensure future compliance with the law.

A Labour spokesperson said: “The Labour party has engaged fully with the ICO and undertaken comprehensive action to improve our processes in response to its findings.”

The party said that as of April 2024, the backlog of subject access requests and erasures had been fully cleared, and it no longer had any active complaints.

Labour HQ was hit by a “cyber incident” in 2021 that meant that a “significant quantity” of members’ and supporters’ data became inaccessible. It was believed to be a ransomware attack, in which hackers demand money to restore access to data that has been seized and encrypted.
