Analysis comment

Evans telling victims of Labour’s outsourced data breach not to discuss it

Labour right’s authoritarian streak shows again, telling victims not to discuss what it’s done to them

David Evans

Labour party general secretary – fresh from his gerrymandered confirmation with the help of Unison delegates breaking the party’s own rules – yesterday sent emails to Labour members warning them that a ‘3rd party’ company – to which Labour had sent members’ information apparently without asking them – had allowed a ‘cyber incident’ and leaked their sensitive information to unknown parties.

The incident was so serious that Labour has had to involve the National Crime Agency, National Cyber Security Centre, the Information Commissioner’s Office and Parliamentary Security.

Yet Evans concludes his preamble to the notification by telling the victims of its shoddy processes that they should shut up and not discuss it, even on social media:

I would ask colleagues to refrain from any public commentary (on social media or otherwise) on this matter.

Despite the use of ‘colleagues’, this instruction appears to have been sent to non-staff

Evans clearly wanted to drive home the point, as in a subsequent email he referred back to the notification and repeats his stricture:

One outraged recipient told Skwawkbox:

I’m not a f***ing “colleague” of Evans. He works for us. We pay his wages.

The cyber-incident appears to have been a ‘ransomware’ attack, in which payment is demanded to regain access to data that has been taken or locked by criminals. So a large quantity of members’ personal and sensitive information is now in the hands of criminals – yet we still don’t know even which outsourced data handler had the data, without authorisation by the data subjects, in the first place.

But we shouldn’t be talking about it, according to the Labour regime.

SKWAWKBOX needs your help. The site is provided free of charge but depends on the support of its readers to be viable. If you can afford to without hardship, please click here to arrange a one-off or modest monthly donation via PayPal or here to set up a monthly donation via GoCardless (SKWAWKBOX will contact you to confirm the GoCardless amount). Thanks for your solidarity so SKWAWKBOX can keep bringing you information the Establishment would prefer you not to know about.

If you wish to republish this post for non-commercial use, you are welcome to do so – see here for more.


  1. Thanks to Squawkbox we can discuss the Shenanigans with our data and personal information deliverd to a third party over two years after I left the Labour party alarmingly.I suspect a con here to hide the fact that our infos been given or sold.And why shouldn’t I think this having watched for years Kangaroo courts,vote rigging Corbyn fit up and smeared and even the election of the leader of the Labour party bankrolled by a Israeli Spy and hidden till after the rigged elections.Conference rigged and even reports rigged and Now a Labour party facing bankruptcy and Oblivion.YES I am worried about the third party data scam.!Get the Police into the Labour party because I certainly will.

    1. I suspect a con here to hide the fact that our infos been given or sold.

      Try sold. They’re rather short of moolah, apparently…😙🎶

  2. When I left the party back in January I naively assumed my data would be deleted but I too got the Evan’s email. Does the Party hang on to old member’s data? Why would that be?

    1. Paul, your data should have been deleted by now. I received the letter too but I am officially speaking one month in arrears. Thus, still a member of the Party.
      The fact that you got Evan’s email confirm that the Labour Party is still in breach of GDPR. You left in January hence you are at the very least 10 months in arrears, if you chose like me to cancel your Direct Debit rather than write an email informing the Party..
      Following the Party’s rules after 6 months arrears, membership is cancelled automatically and the Party should have mechanism in place to advice it that a member has left and instruct the relevant administrator to delete the personal data of such member.

      1. My offspring were both still members of the party a year after having left and done all the resignations by letter (several times) and face to face, as well as stop the DD. You’re still a member at the moment Maria – as far as being counted in the membership figures is concerned. The Labour Party IS Hotel California.

      2. JoeRobson, I love it Hotel California indeed!! For now I am going to use the metaphor.
        I wonder if the Hotel California is going to avoid bankruptcy, despite its high levels of occupancy, it appears that many of its guest aren’t paying.
        Can you imagine if people in Paul’s position contact the ICO with the email he has just received from the Hotel when he shouldn’t have?.I wonder how many millions Hotel California will have to pay as a fine.

      3. It seems they are talking to the ransom ware warriors. They don’t come cheap! Are they nice criminals who promise not to sell on the data to scammers? What redress do we have if as a result our data is misused? Nb the letter to me doesn’t mention ‘colleague’, just ‘Dear Sir or Madam’. There seem to be quite a few different versions; is that a clue as to how they classify our status?

      4. Officially I have not been a member since November 2017. I requested a Subject Access Request which, because the party refused to give it me, took two years until November 2019 to resolve. This, despite the ICO instructing them four times to give me what I was entitled to in law.

        Data held by Labour is more than emails, bank details etc. It’s also the defamatory crap they have dug out to accuse members and have them removed.

      5. I forgot to say, I have had the email

        So why have Labour kept this information for two years after my dispute with them over releasing my data was resolved?

    2. FWIW
      I just sent this in response to this email

      In relation to this data incident please
      1) Let me know what personal data you hold on me and why you need it.

      2) Provide me with your policy documenting your standard retention periods.

      3) Provide your policies describing how you regularly review any personal data and how it is erased or anonymised when you no longer need it.

      4) Clearly identify any of my personal data that you are keeping for public interest archiving, scientific or historical research, or statistical purposes.

      1. I sent this response
        I resigned my membership when labour proved itself to be antidemocratic and abtisocialist, led by a bunch of dishonest charlatans
        Why do you still have my data
        Please destroy it immediately and notify me when this has been done

        I didn’t think of the points you made can you please let me know of the response you get (but sadly might not knowing this crooked lot)

    3. I was wondering the same thing as I received the email today.

      I left in February 2020, notifying my branch secretary by email and cancelling my DD there and then — although I still received an email in June/July 2020 warning my membership was about to expire!

      When I looked at their Privacy Policy this it what it says:

      Some examples of how long we retain your data are as follows:

      Names, addresses and values of donations given to the Labour Party–
      Indefinitely where we believe you may leave a legacy to the Labour Party. 7 years (from tax year of transaction) for all other financial data.

      Call notes and correspondence: indefinitely where we believe you may leave a legacy to the Labour Party. 10 years for all other data.

      Electoral Register data: we will retain this for a period of 15 years (subject to any updates we receive around a change of address);

      Profiled data: any data subject to profiling is retained for a maximum of 7 years.

      Interview notes: retained for 6 months and then securely destroyed.

      So it looks like they can keep Electoral Register data if nothing else. Perhaps someone else can shed some light on this.

      1. PW thanks for the info. However, the guidelines don’t appear to allow for former members to be contacted by the “Hotel California” at will.
        At to leave a legacy it really sounds like an excuse.

      2. Some interesting information here, thank you. How does the Labour Party decide that an ex member MIGHT leave a legacy? I imagine it simply decides that anybody COULD leave a legacy and therefore they keep the data of all ex members until death removes them from the electoral register? I stopped my DD in January 2021 but haven’t had any communication with them since and no ‘reminders’ of arrears yet they retain my email and password details as well as my bank details. WHO now has that information? it’s remarkable they won’t say. There should be full disclosure of the 3rd party; are they criminals or political organisations (or both!)? Did they sell the information knowing the grief that could result? Are they aware that the 3rd Party has used the data? Is that how they ‘discovered’ the breach? How can we cut the shackles they have put us in? I for one want nothing more to do with them.

      3. I cancelled my DD in January 2020 not 2021; my error. I haven’t had any communication with them since eg no reminders of me being in arrears. I imagine I’m still counted as a Member? It’s one way of covering up the huge loss of Members.

      4. Great info you tracked down. GDPR does not require instant deletion of old customer/membership data, but requires the org to explicitly justify a retention period, and importantly almost always have a written “policy setting standard retention periods wherever possible”. ICO have a webpage on it saying:

        “UK GDPR does not set specific time limits for different types of data. This is up to you, and will depend on how long you need the data for your specified purposes.”

        They give examples of “keep some personal data about a previous customer so that they can deal with any complaints the customer might make about the services they provided”. and “You may need to keep some information so that you can confirm that the relationship existed – and that it has ended – as well as some of its details.”

        The main thrust is you have to explicitly justify and periodically review retention of data, and I’d guess they’d expect you to trim it back to essential data – ie forget bank details and the ilk in retained data. The long read is at:

      5. PW, The ICO website has this guidance for data protection officers –

        “Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the UK GDPR.

        You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.

        You must provide privacy information to individuals at the time you collect their personal data from them.

        If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month”.

        Note clauses 3 and 4.

        The Labour party have been data scraping members social media for at least the last five years, obtaining information without their knowledge or permission. From the information in my Subject Access Request, it’s obvious that some data the party held on me possibly with the intention to use, was kept back from me. So breaching clause 3 and probably 4.

        Anecdotally, I have heard of members getting into a disciplinary meeting, to be confronted with “new” evidence. This was to place members on the back foot making them less able to defend themselves and more likely to incriminate themselves.

      6. Thanks for the feedback people, very much appreciated. Will be looking into this further.

    4. Data is literally worth more than gold…they obviously have already sold it or were going to do something with it. Who was ‘looking’ after it?

      1. This is clearly illegal. People should shout it from the rooftops. What right does that hideous bastard have to tell people what to do on social media. This, colleagues, rubbish started with the CBI and NALGO,plus a few other superior unions. They hate the very concept of comrade because they have no idea of what is involved in being one.

  3. We actually do not know WHAT data is stored about us do we?

    Given the new Israeli spying systems they could have alll sorts
    stored away.

    Good for the US – in banning it ..

    1. @Grorge Peel

      I’m just surprised he didn’t use the term ‘customers’ or to give the illusion of appearing professional: ‘clients’

      But I guess it won’t be long…

  4. The use of the word “colleagues” confused me as to why this would be included in an email sent to members. Which has already been pointed out are not colleagues, but members of a club that some circumstances Evans would dearly like to be rid of.

    I have re-read the email I received and the word colleague doesn’t appear. Perhaps the inclusion of a privacy email link has been used instead to try and stop members from publicly questioning how this has happened and who these third parties are.

  5. Hackers probably trying to access the Forde report but not sufficiently skilled to get to all the really top secret stuff only able to find trivial stuff like details of our bank accounts.

  6. And as for the photo of the oaf… He looks like he’s followed through – for the third time this morning.

    1. Toffee, thought he was the leader of the free world again. Just chatting to Papa in the Vatican. I feel for his poor, ever patient carer. X

  7. “I would ask colleagues to refrain from any public commentary (on social media or otherwise) on this matter”

    Of course he would. He works for us and is responsible – or at least accountable – for the ‘security breach’ by an unspecified third party (of a (different? third party?).

    Accountable. Sackable. Responsible.

    The man’s English is clumsy and his logic unsound.

  8. Who the hell is Evans to tell the victims of his incompetence no to discuss it?. I shall talk about anything I chose to anyone I see fit.

    The man needs to be reminded that in the real world outside of the Labour Party he counts for absolutely nothing.

  9. So we can’t discuss certain international issues, we cannot discuss internal rule breaking by Keir and his gang, we can’t discuss data loss to a third party provider.

    I’m getting the feeling Dave & Keir doesn’t want us to discuss anything.🧐

  10. Why does this Cesspit of a party have my Data on there servers evenh though I duped this corpse ofa party back in 2017 – 2018? After being accused of being an anti-semite and having to deal with threatening phone calls from the Gnasher lot. |I don’t believe a word of anything coming out of this right wing garbage bin! I also thing they’ve broken the law and it need pursuing.

    1. No, I suspect he had taken the medication so he could have the colonoscopy the following day and found that he was at some distance from where he needed to be.

      1. Goldbach there is a little known medical condition that happens when a medical procedure can’t be completed. It happens when the specialist instruments find the job that they are meant to do so revolting they are forced to strike. It’s called colonoscopy rejection. Very messy, but at least the technicians deal only with the more attractive part of the patient. Cheers.

  11. I have never been a member in my life, but I still received an email about this. Presumably all secretly blacklisted, potential subversives were contacted in the interests of being fair and inclusive.

    1. Frightening!!

      One of the data-breaching ‘third parties’ might be the NSA (or one of the sixteen other US spy-agency subsidiaries)?

  12. My response.
    “I do not understand why you still have any personal and private information about me to lose?
    You excluded me well over two years ago and I have never and would never return.
    I instructed you to delete all my private information from your database/s so how is it that you can still contact me?
    You have some serious explaining to do for my lawyer to read.
    And do not ever tell me what to do.”

      1. Wirral – If you are concerned then why don’t you exercise your right to ask them what data they hold about you.

      2. Well we will find out soon enough, thousands of ex members are furious on Twitter and FB about their data being kept after expressly telling them to remove it after they left!

        There’s little to choose in the corruption of both main parties at this time!

      3. Wirral – Please keep us informed. I’ll look forward to hearing the next instalment.

  13. Advice here from two data protection professionals:

    1. “Put a subject access request in and ask them what they hold on you, who they got it from, how long had it and what it’s been used for or who shared with. See what they say. Happy to have a look at what they say as I’ve had previous run ins with their data protection people!”

    2 “Do a focussed DSAR asking for (ref art 15)

    * the purposes of the processing;
    * the recipients or categories of recipient to whom the personal data have been or will be disclosed
    * where the personal data are not collected from the data subject, any available information as to their source…”

Leave a Reply

%d bloggers like this: