As the SKWAWKBOX revealed this morning, a highly-qualified barrister has issued a legal opinion that the provision of Labour members’ data to Gerard Coyne‘s campaign constitutes a likely criminal breach of the Data Protection Act (DPA) that could render the individuals responsible and the Unite union liable for unlimited fines, as well as to potentially thousands of lawsuits from affected Labour members.
Of course, the breach is not just a Unite/Coyne matter. Individuals within the Labour Party passed members’ data to Coyne or his team and the same principle applies – those individuals and Labour could be liable to the same penalties.
But the ramifications within the Labour Party are not limited to criminal sanctions.
Here’s what barrister Duncan Shipley-Dalton said about Labour’s position:
With regard to whether liability would sit with the individuals or with the party, the answer is both. Ultimately the breach of DPA is the responsibility of the Data Controller so it is the Labour Party itself that would be the primary target of enforcement. The Commissioner can issue an enforcement notice on them to rectify the situation under S.40 DPA 1998. It is also possible to issue a monetary penalty under S.55A DPA 1998 but it requires the Information Commissioner to be satisfied that substantial damage or substantial distress has been caused by the breach.
Any monetary penalty in this instance would be imposed on the organisation and be paid by it not the individuals.
The individuals are not off the hook though. Under S.55 it is a crime to obtain or disclose personal data. This means both the individuals in Labour who did this… have in all likelihood committed a criminal offence. There are specific defences listed in S.55 DPA 1998 but from my knowledge of events I think it unlikely any of them could be relied upon. If convicted either summarily or on indictment then they would be liable for a fine.
Additionally, any person who have had their Labour data used by Coyne in breach of the DPA would have a cause of action as a litigant in Court. Under S.13 DPA 1998 you can claim damages for a breach of the data protection principles in relation to your own personal data. The statute requires you show both damage and distress as a consequence of the breach in order to be able to claim damages. However the Court of Appeal in Vidal-Hall v Google  EWCA Civ 311: https://www.judiciary.gov.uk/wp-content/uploads/2015/03/google-v-vidal-hall-judgment.pdf decided that the S.13 DPA requirement to show actual damage as a consequence of a DPA breach was incompatible with EU law and have interpreted the Act so that a claimant now only needs to show distress to recover damages under S.13. They also characterised this kind of claim as being essentially tortious in nature. This case is a bit controversial but Google withdrew their appeal to the Supreme Court so it was not reversed and is still valid law.
In the case of Labour the Party rules also state in Chapter 1 Clause X section 3(M) that the National Executive Committee (NEC) duties and powers shall include issuing guidance and giving rulings to ensure continued compliance with the Party’s legal and financial responsibilities. If there has been a failure to do this and a breach of the DPA then arguably there is also an actionable breach of contract as well by the NEC and its agents.
Where it gets complicated is that a member cannot normally sue an unincorporated association for a tort as you can’t impose a tortious liability on all the other members and there is no principle of vicarious liability in an unincorporated association, unlike an incorporated one.
There have been cases though where tortious liability has been imposed on individual members if they had held themselves out as being expert and responsible for a particular issue. So it might be that whilst a representative tortious action vs Labour would not be possible you could perhaps sue the members of Legal and Governance (compliance) who had failed to prevent it or possibly been actively involved in it. It would depend on the evidential issues and exactly what was done and by whom…
I would say the best result would be identifying specific individuals who did it and then seeking somehow to pressurise the authorities to have them prosecuted under S.55.
If convicted then it should be grounds for, in the case of staff, a gross misconduct charge and summary dismissal. In the case of a Labour party member or officer then such a conviction would also seem like grounds for expulsion under Labour rules in Chapter 2 if deemed a serious offence or alternately could ground a charge of bringing the party into serious disrepute or prejudice that would be referred to the NCC.
As the SKWAWKBOX showed this morning, the penalties for a criminal breach of the DPA include unlimited fines.
Like Coyne and Unite, Labour and the individuals involved in the breach could be liable for millions of pounds in penalties, as well as up to over 500,000 lawsuits. This could, of course, result in the unacceptable situation of members’ money being used to pay fines incurred by the actions of employees or officials illegally passing information to Coyne for the specific purpose of toppling the party leader elected by those members with an overwhelming majority.
The same members who have been the victims of the DPA breach in the first place.
It would of course also have the potential to bankrupt or seriously damage the finances of the party.
As Dalton observed, the safest bet for Labour is to identify the individuals involved and hang them out to dry – and if found guilty, they would be liable to dismissal if employed and expulsion from the party if a member.
As those involved in the breach are quite possibly very senior employees or members of the NEC, this could result in a complete reconstitution of the NEC.
As the barrister also points out, if Labour does not hang the culprits out to dry, the whole NEC could be held liable.
In that event, the whole NEC may have to resign and either be replaced wholesale or stand for re-election. In either of those scenarios, there could be a huge ‘silver lining‘ for Labour members.
Because all those responsible would by definition be opponents of Labour leader Jeremy Corbyn, if the party puts the finger on those individuals it would mean some of the worst obstructive elements in the party’s hierarchy being removed – and any elections would, without question, result in their replacement by far more suitable pro-Corbyn people.
And if Labour does not identify the individuals and the whole NEC carries the can, then any subsequent elections would definitely mean a wipe-out of the right-wing NEC members who have hobbled and hampered the party for a year and a half.
This blog suggests that all Labour members start documenting their anger and distress caused by the leaking of their data to a campaign designed to damage their interests – and reporting the same to the ICO (Information Commissioner’s Office) to underscore the scale of the breach and its consequences.
The SKWAWKBOX is provided free of charge but depends on the generosity of its readers to be viable. If you found this information helpful and can afford to, please do click here to arrange a one-off or modest monthly donation via PayPal. Thanks for your support so this blog can keep bringing you information the Establishment would prefer you not to know about.