Labour’s suspension or expulsion of members – apparently almost exclusively pro-Corbyn members – during the party’s leadership contests is well known. The ‘purge’, as it was known, was largely based on the use of social media comments as grounds for the disciplinary action, but was flawed in its use of innocuous or irrelevant comments.
The vast majority of suspensions were lifted after the elections, although some still remain in place and significant numbers remain expelled.
The purge also breached data protection laws, leading to a reprimand by the ICO (Information Commissioner’s Office) and new guidance issued by the party’s General Secretary Iain McNicol to Labour staff and officers advising them that they could not trawl members’ social media for disciplinary purposes.
Now the latest word from Labour insiders is that HQ believes it has found a way to continue to use members’ social media against them – but the party’s functionaries will not disclose how.
The SKWAWKBOX contacted the ICO for information on how Labour might think it could bypass the ICO’s earlier judgment but the only formal response was:
The ICO expects all organisations processing people’s personal information to comply with the Data Protection Act and to be fair and transparent about how and why they intend to do so. Anybody who is not happy about how their personal data is handled by an organisation can raise a concern with the ICO.
However, sources close to the ICO flagged both how Labour might still choose to try to use social media information against members and the key flaw in the plan.
Labour may try to claim “legitimate interests” to access and use members’ social media feeds against them for disciplinary purposes. According to the ICO’s guidance,
The Data Protection Act recognises that you may have legitimate reasons for processing personal data that the other conditions for processing do not specifically deal with. The “legitimate interests” condition is intended to permit such processing, provided you meet certain requirements.
The first requirement is that you must need to process the information for the purposes of your legitimate interests or for those of a third party to whom you disclose it.
The second requirement, once the first has been established, is that these interests must be balanced against the interests of the individual(s) concerned. The “legitimate interests” condition will not be met if the processing is unwarranted because of its prejudicial effect on the rights and freedoms, or legitimate interests, of the individual. Your legitimate interests do not need to be in harmony with those of the individual for the condition to be met. However, where there is a serious mismatch between competing interests, the individual’s legitimate interests will come first.
So Labour could try to claim the use of social media data met the legitimate interest test, especially if it claimed to be responding to a specific complaint rather than ‘trawling’. However, it would be hard-pressed to argue that a clear ‘mismatch’ of interests did not result in the interests of the individual taking precedence, when the data use might result in the suspension of expulsion of the ‘data subject’.
An even bigger obstacle, however, is inherent in the mere fact that Labour HQ is refusing to tell members how it intends to use their data. DPA experts flagged a lack of transparency to this blog as the largest probable obstacle for Labour HQ if it chooses to pursue the use of social media feeds for disciplinaries.
The ICO website stresses the importance of transparency if data is to be processed lawfully:
Being transparent and providing accessible information to individuals about how you will use their personal data is a key element of the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (GDPR). The most common way to provide this information is in a privacy notice.
Labour updated its privacy notice (archived in its current form here) immediately after the SKWAWKBOX revealed the ICO’s judgment on its data processing and McNicol’s guidance – however, there is no detail in the privacy notice about how social media data will be used.
In fact, social media does not receive a single mention in the privacy notice.
This means that Labour’s failure to provide information on how it will use members’ social media information is likely a fatal flaw in any plan to ‘process’ social media feeds for disciplinary purposes. So far, the party has not provided any such guidance, let alone clear, transparent, easily accessible information.
This – to date – is the only statement Labour has been willing to make on the subject:
The Labour Party’s rules and procedures are compliant with all areas of UK law, including the Data Protection Act.
Even the most generous interpretation of that statement could not include the terms ‘transparent’ or ‘easily accessible’, let alone be considered to advise ‘how’.
There are other serious weaknesses in any renewed attempt by the Labour bureaucracy to weaponise social media against its members – weaknesses not related to the DPA – but these will be covered in a separate article.
However, while Labour’s actions may be unlawful, it does appear that the party machine still intends to proceed unless defeated in legal action, so members should exercise caution with the content of their social media, as right-leaning HQ staff have shown a willingness to go beyond any sensible definition of ‘abuse’ in the things they single out as reasons for disciplinary action.
Labour has been asked for comment on the lack of transparency in its handling of members’ social media feeds, but has so far failed to respond.
The SKWAWKBOX needs your support. This blog is provided free of charge but depends on the generosity of its readers to be viable. If you can afford to, please click here to arrange a one-off or modest monthly donation via PayPal. Thanks for your solidarity so this blog can keep bringing you information the Establishment would prefer you not to know about.
I think it’s weird that after being a member for 30+ years and always receiving ballot papers in good time, I joined Momentum this year and have reposted some of their stuff on facebook and I have not had a sniff of a CAC on line ballot …… yet …….
Will the new EU law about to be implemented and of which May has said will be converted into UK Law after brexit stop them dead in there tracks and indeed members can use to revoke there access?
Dear Leon, I know nothing about this, please can you give me a brief outline? Regards
This is a blight on the democracy of the party. The people behind this must be removed from office and the party immediately. Jeremy has to get a grip of these people now. He needs to expel these detractors and show his leadership clout once and for all. You can not keep these people on board. It is a case of them or us.
Just to save folks time trying to find the change in the new website privacy notice, the key addition is:
“The Labour Party and its elected representatives nationally and locally, as well as candidates seeking selection in internal Labour Party contests may contact you using this information. In order to check you maintain the conditions of and help you fulfil the opportunities provided by membership of the Labour Party, we may also use any information which you have made public, caused others to make public or which is already in the public domain.”
Though I am doubtful a privacy notice just on a website, unlikely to be seen by most members, is sufficient to serve as a DPA fair processing notice. I expect we’ll also see this in our renewal letters, joiners info, and perhaps ultimately in the rule book.
The other rather pertinent addition to the privacy notice is:
“Data Controller for the purposes of the Data Protection Act: Mr J. Stolliday”
which is necessary to satisfy item “(b)” of a fair processing notice which requires “if he has nominated a representative for the purposes of this Act, the identity of that representative”.
Looks like legal advice has been taken.
Ah, John Stolliday, the Director of Misgovernance and Illegal for the Labour Party.
Mr Stolliday being appointed as Data Controller completely gives the game away.
Under the DPA, the data controller is the company, or the organisation, it is not an individual. There is no requirement under the DPA to make this appointment.
Mr Stolliday has clearly been appointed for the express purpose of not protecting Labour Party members’ data, but of intentionally abusing his position to breach data regulations.
Indeed, the Labour Party remains the Data Controller – per the party’s registration. They almost certainly meant to write “Data Protection Officer …”. Another exhibition of great competence, not!
Under the new GDPR rules replacing DPA next year, the Data Protection Officer cannot have another role that produces a conflict of interests. So I doubt that Stolliday could continue to be DPO if he also has other compliance roles that require/encourage external data collection.
What action is being taken with the ICO against Labour HQ over the alleged breach of the DPA that gave Coyne members data in the GS election?
> “Labour HQ is refusing to tell members how it intends to use their data”
If an answer to this is really wanted, a way to approach this would be to find someone suitable to make a Data Subject access request, asking for the trawled social media data used, and specifically a detailed and full-some answer to the little known “processing logic” part of a Subject access request:
“where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.” [DPA section 7(1)(d)]
There could be an argument this isn’t done by “automatic means” but by human hand so this sub-section doesn’t, but a counter argument is that a computer in necessarily used, so this isn’t paper records processing, so that is automatic means. It would certainly raise the question in a way that could not be avoided without giving an opportunity for a complaint to be raised with the ICO.
… upon reflection, I think my argument here is not good. It is unlikely that the party is doing the DPA’s notion of “automatic processing”, which is something which acts without human intervention. Unless perhaps it subscribes to a third party service that continually tracks members’ social media contributions and flags suspicious posts – very Orwellian! So quite likely this approach wouldn’t be that useful – though it might be worth further study.
until corbyn gets a grip or will he the greedie ones the Blairites of this party just cant let go they need flushing out before its to late
HOW SURE CAN WE BE, THAT THE CAC ELECTION WILL BE ABOVE BOARD AND TRUE?
THIS THREAD THAT RUNS THROUGH THE RIGHT WING WILL DO ANYTHING, TO PROCURE LEADERSHIP, NO MATTER WHAT!
IT’S A CANCER, THAT NEEDS TREATING, SOONER, RATHER THAN LATER!