ICO reprimands Labour Party over delays in handling subject access requests

The UK Information Commissioner’s Office has issued a reprimand to the Labour Party for repeatedly failing to respond to subject access requests made by people following a cyber attack in October 2021.

 

In October 2021, Tangent, a company that supplied the UK Labour Party’s member system, suffered a ransomware attack following which the party started to develop a backlog of subject access requests (SARs).

 

In a recent press release, the UK Information Commissioner’s Office said that it has received 150 complaints against the Labour Party’s handling of SARs in the year from November 2021 to November 2022.

 

An investigation resulting from the complaints revealed that in "November 2022, the Labour Party had received 352 SARs that required a response. Of that number, 78% had not received a response within the maximum compulsory time limit of three months, and over half (56%) were significantly delayed by over one year.”

 

“During its investigation, we were also informed of the existence of a ‘privacy inbox’ that had not been monitored by the Labour Party since November 2021. The inbox contained approximately 646 additional SARs and approximately 597 requests for personal information to be deleted. While some of these may have been duplications, none of the requests had been responded to by the Labour Party,” ICO said.

 

Following the information watchdog’s findings, the Labour Party has taken steps to address its backlog, including assigning three temporary members of staff to solely tackle the outstanding requests, allocating extra funds and implementing an action plan.

 

The ICO has advised the Labour Party to work according to the action plan and make sure to have adequate staffing in place to respond to SARs on time and ensure future compliance with the law.

 

“Being able to ask an organisation ’what information do you hold on me?’ and ’how it is being used?’ is a fundamental right, which provides both transparency and accountability. It is vital that organisations do not underestimate the importance of responding to these requests on time,” said Stephen Bonner, Deputy Commissioner at the ICO.

 

“The public need to fully trust that a political party will handle their data correctly and respect their information rights. We welcome news that the Labour Party has now cleared its backlog of SARs and implemented further measures to ensure people receive a prompt response going forward.”