Barrister: Labour’s DPA breach could cost £mns – and remake its NEC

As the SKWAWKBOX revealed this morning, a highly-qualified barrister has issued a legal opinion that the provision of Labour members’ data to Gerard Coyne‘s campaign constitutes a likely criminal breach of the Data Protection Act (DPA) that could render the individuals responsible and the Unite union liable for unlimited fines, as well as to potentially thousands of lawsuits from affected Labour members.

Of course, the breach is not just a Unite/Coyne matter. Individuals within the Labour Party passed members’ data to Coyne or his team and the same principle applies – those individuals and Labour could be liable to the same penalties.

But the ramifications within the Labour Party are not limited to criminal sanctions.

sawing branch
Has Labour’s right-wing faction sawn off the branch it’s sitting on?

Here’s what barrister Duncan Shipley-Dalton said about Labour’s position:

With regard to whether liability would sit with the individuals or with the party, the answer is both. Ultimately the breach of DPA is the responsibility of the Data Controller so it is the Labour Party itself that would be the primary target of enforcement. The Commissioner can issue an enforcement notice on them to rectify the situation under S.40 DPA 1998. It is also possible to issue a monetary penalty under S.55A DPA 1998 but it requires the Information Commissioner to be satisfied that substantial damage or substantial distress has been caused by the breach.
Any monetary penalty in this instance would be imposed on the organisation and be paid by it not the individuals.
The individuals are not off the hook though. Under S.55 it is a crime to obtain or disclose personal data. This means both the individuals in Labour who did this… have in all likelihood committed a criminal offence. There are specific defences listed in S.55 DPA 1998 but from my knowledge of events I think it unlikely any of them could be relied upon. If convicted either summarily or on indictment then they would be liable for a fine.
Additionally, any person who have had their Labour data used by Coyne in breach of the DPA would have a cause of action as a litigant in Court. Under S.13 DPA 1998 you can claim damages for a breach of the data protection principles in relation to your own personal data. The statute requires you show both damage and distress as a consequence of the breach in order to be able to claim damages. However the Court of Appeal in Vidal-Hall v Google [2015] EWCA Civ 311: https://www.judiciary.gov.uk/wp-content/uploads/2015/03/google-v-vidal-hall-judgment.pdf  decided that the S.13 DPA requirement to show actual damage as a consequence of a DPA breach was incompatible with EU law and have interpreted the Act so that a claimant now only needs to show distress to recover damages under S.13. They also characterised this kind of claim as being essentially tortious in nature. This case is a bit controversial but Google withdrew their appeal to the Supreme Court so it was not reversed and is still valid law.
In the case of Labour the Party rules also state in Chapter 1 Clause X section 3(M) that the National Executive Committee (NEC) duties and powers shall include issuing guidance and giving rulings to ensure continued compliance with the Party’s legal and financial responsibilities. If there has been a failure to do this and a breach of the DPA then arguably there is also an actionable breach of contract as well by the NEC and its agents.
Where it gets complicated is that a member cannot normally sue an unincorporated association for a tort as you can’t impose a tortious liability on all the other members and there is no principle of vicarious liability in an unincorporated association, unlike an incorporated one.

There have been cases though where tortious liability has been imposed on individual members if they had held themselves out as being expert and responsible for a particular issue. So it might be that whilst a representative tortious action vs Labour would not be possible you could perhaps sue the members of Legal and Governance (compliance) who had failed to prevent it or possibly been actively involved in it. It would depend on the evidential issues and exactly what was done and by whom…
I would say the best result would be identifying specific individuals who did it and then seeking somehow to pressurise the authorities to have them prosecuted under S.55.

If convicted then it should be grounds for, in the case of staff, a gross misconduct charge and summary dismissal. In the case of a Labour party member or officer then such a conviction would also seem like grounds for expulsion under Labour rules in Chapter 2 if deemed a serious offence or alternately could ground a charge of bringing the party into serious disrepute or prejudice that would be referred to the NCC.

As the SKWAWKBOX showed this morning, the penalties for a criminal breach of the DPA include unlimited fines.

Like Coyne and Unite, Labour and the individuals involved in the breach could be liable for millions of pounds in penalties, as well as up to over 500,000 lawsuits. This could, of course, result in the unacceptable situation of members’ money being used to pay fines incurred by the actions of employees or officials illegally passing information to Coyne for the specific purpose of toppling the party leader elected by those members with an overwhelming majority.

The same members who have been the victims of the DPA breach in the first place.

It would of course also have the potential to bankrupt or seriously damage the finances of the party.

As Dalton observed, the safest bet for Labour is to identify the individuals involved and hang them out to dry – and if found guilty, they would be liable to dismissal if employed and expulsion from the party if a member.

As those involved in the breach are quite possibly very senior employees or members of the NEC, this could result in a complete reconstitution of the NEC.

As the barrister also points out, if Labour does not hang the culprits out to dry, the whole NEC could be held liable.

In that event, the whole NEC may have to resign and either be replaced wholesale or stand for re-election. In either of those scenarios, there could be a hugesilver lining‘ for Labour members.

Because all those responsible would by definition be opponents of Labour leader Jeremy Corbyn, if the party puts the finger on those individuals it would mean some of the worst obstructive elements in the party’s hierarchy being removed – and any elections would, without question, result in their replacement by far more suitable pro-Corbyn people.

And if Labour does not identify the individuals and the whole NEC carries the can, then any subsequent elections would definitely mean a wipe-out of the right-wing NEC members who have hobbled and hampered the party for a year and a half.

This blog suggests that all Labour members start documenting their anger and distress caused by the leaking of their data to a campaign designed to damage their interests – and reporting the same to the ICO (Information Commissioner’s Office) to underscore the scale of the breach and its consequences.

The SKWAWKBOX is provided free of charge but depends on the generosity of its readers to be viable. If you found this information helpful and can afford to, please do click here to arrange a one-off or modest monthly donation via PayPal. Thanks for your support so this blog can keep bringing you information the Establishment would prefer you not to know about.


  1. I consider this implicitly distressing for every member of the labour party with any integrity and credibility – this is a stain on the party and has resulted in bringing the party into disrepute. That right there, especially when done or permitted (at the very least by lacking in due care) by senior members and or employees. I do not see how this could have been carried out without those involved breaking the very heart and soul of what the labour party is expected to be about. I was not directly affected but it has caused me distress.

  2. Call me stupid, but I read in the article that somehow Unite could be held in some way liable, how so? Unites rules are clear that anyone standing for an elected position must do so as a private individual and without Unite The Union’s backing or other involvement.

    1. I admit I am not as familiar with the Unite rules as Labour rules but I had a quick look through the Unite Rule book and I didn’t spot a provision that stated that. Can you give me a reference to that rule so I can check it properly?

    2. Unite could be if their rules weren’t clear in separating them from his actions. Happily, according to their statement this evening it seems the rules are clear.

  3. It is not feasible that a junior member of staff released Labour Party email lists without the explicit authorisation of either Iain McNichol or associates of Iain McNicol on the NEC.

    It is most probable that the junior member of staff who was instructed to commit this criminal act was not made explicitly aware that they were committing a criminal offence. It is likely that it was implied to them that they were merely sailing close to the wind and that they would be protected by the party hierarchy if their actions became public.

    Iain McNicol recently defended those he described as the “the brightest and the best” in the party machinery.

    He is now in the process of throwing the brightest and best under the bus.

    That is the sum of the man. He has no integrity, he has no honour.

    The member of staff who committed this criminal act would be well advised to tell the full truth about which senior Labour official incited them to breach the Data Protection Act.

    It is their only hope to avoid serving jail time on behalf of Iain McNicol.

    They will have to accept that their career working for the party is over. The best case scenario for them is to come clean to avoid being sent to prison for what is essentially another person’s crime.

    It is becoming increasingly clear that the right wing of the Labour Party has now crossed the rubicon from bullying, to smearing, to poll rigging to criminal behaviour.

    This is where it was always going to end for the plotters. Prison is always the inevitable destination for thieves and traitors.

    1. Unfortunately there is no custodial penalty for an offence under S.55 DPA 1998. The penalty is a fine.

      1. You will have to forgive my rhetorical flourish.

        You are correct, the power to imprison is available but dormant, as the Conservative government has refused to activate the regulations to implement this.

        The reason for that refusal is probably linked to the data harvesting the Tories are currently engaged in, which Skwawkbox has been reporting on.

        Iain McNicol will, however, be in breach of his employment contract with the Labour Party if he has incited a member of staff to release Labour Party email lists.

        As he is responsible for those lists there is nowhere for him to hide this time.

        It’s game over for McNicol.

  4. McNicol will finally get his just deserts!
    Along with all those who embarked on plotting to bring us on the left down!
    I HOPE!
    What goes around comes around!

  5. I’ve not received an email from Coyne but it is worrying to think that my personal data may have been passed on without my permission and is potentially being used against my interests. Is my personal data safe with Coyne? I have no idea. This is disgraceful. If it can be leaked by Labour it can be leaked by Coyne. Where will it end up?

  6. What a load of tosh. To sue with tort is to quantify any pecuniary damage. Loss has to be quantified. So i ask the question ,what monetary loss is there?? The job of the civil court is to put you back in the s same position as before the breach, that is all, not act to punish. That is the job of the criminal court. Gerard Coyne is also entitled to membership list under the DPA 1998 as he is standing for the position of General Secretary. Principle 3 of the DPA 1998 states: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. Cannot stand Gerard Coyne but this fake news has to end as it is killing democracy

    1. You appear to have missed the bit where the barrister provided the case law showing that, with DPA cases, demonstrating simple distress is enough.
      As for your point about the member list – again you don’t seem to have read very carefully before commenting. Coyne is entitled to UNITE member info. He is *not* running for GenSec of the Labour Party but he has obtained, illegally, *Labour* member data – including members of Labour who are not and never have been Unite members, which is how the breach came to light. Read a bit more carefully before bandying silly fake-news allegations, please.

  7. If he has obtained membersip details of labour party members and not that of Unite members then i agree, That is a job for the Information Commissioners office

    1. There is no IF about it , this blogger has shown here on other threads investigating this DPA breach , examples of people being contacted by Coyne and not being members of Unite , only Labour party members

Leave a Reply

%d bloggers like this: