Analysis of Labour’s attempt to minimise the significance of its huge loss of data to criminals exposes the party’s disregard for data protection laws and the dishonesty of responses to ex-members who asked for their data to be erased in accordance with the law
This article was written after consultation with GDPR professionals.
An email from Labour in which the party tries to excuse its retention and loss of data on members and ex-members has opened a further window on the extent and variety of ways in which the party under Keir Starmer and David Evans have been disregarding ‘GDPR’ data protection laws.
The email tells members that Labour has been keeping data even on people who have resigned their membership:
The Labour Party retains a minimal amount of information on an indefinite basis for members, affiliated and registered supporters and former members and supporters. This is to administer our internal governance, as well as to apply our membership rules.
This appears to code for ‘we need to know who we’ve expelled and who owes us money’ – those who left via the arrears/lapse process. But under GDPR neither warrants holding the data indefinitely and the party should have a deletion policy.
We also retain your name and address from the electoral register, as we have a legitimate interest in continuing to process this data. This also helps to facilitate the fundamental role political parties play in engaging with voters as part of the democratic process.
According to regular users of it, Labour’s membership system does not hold electoral registration data. It has a ‘flag’ which does not appear to be regularly audited against the electoral roll. The party is entitled to hold addresses to ‘engage with voters’ – but unless it checks regularly for facts where the ER is their sole source, Labour is in breach as it has a duty to ensure that data is accurate.
‘Legitimate interest’ is the most qualified and conditional of lawful purposes and excludes legal minors.
Under GDPR A6 1.f, processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
We do however minimise the personal data we hold and ensure that unnecessary information is deleted once it is no longer required. Where someone is no longer a member or supporter, we restrict the processing of this information in such a way to ensure that the Labour Party does not contact you again.”
So Labour keeps data but ‘restricts the processing’? There’s no room for that under GDPR – data is either held or it is not and the party has previously confirmed to ex-members who asked for confirmation that it had erased their data from its systems.
And the deletion of data under law is not simply to ‘ensure that the Labour Party does not contact you again’, but also to ensure that the data can’t subsequently be misused, either by Labour as the ‘data processor’ or by its loss to criminals or other third parties – which is precisely what has happened.
In addition, Labour is unclear how it distinguishes between those it thinks it is entitled to keep and those it has a duty to delete. The law prohibits the storage and processing of private data unless it conforms with the GDPR & Data Protection Act 2018 (DPA) – and the fact it relates to Labour, a political party, makes it ‘special data’ on which there are more restrictions, not less.
But perhaps most crucially, Labour’s website tells those who provide the party with their details that it will never do what it has already admitted it routinely did. The party’s contact page states that ‘we will never pass your information on to any third parties:
Every person providing their personal data to the party therefore had an absolute right to expect that Labour would never give their data to anyone else – yet Labour’s original admission of the data breach is clear that the data was given to a third party.
Labour lied to those it assured that their data had been erased – and it lied when it said their data would never be shared, obtaining individuals’ private information under false pretences.
Labour’s latest and rather blasé email to members whom it has wronged appears to suggest that the data breach is not such a big deal worth worrying about. But in fact, the email and the circumstances surrounding it simply confirm hat the scale of the party’s misuse of personal data and abuse of data protection laws has gone even wider and deeper than what was already known about the breach.
SKWAWKBOX needs your help. The site is provided free of charge but depends on the support of its readers to be viable. If you can afford to without hardship, please click here to arrange a one-off or modest monthly donation via PayPal or here to set up a monthly donation via GoCardless (SKWAWKBOX will contact you to confirm the GoCardless amount). Thanks for your solidarity so SKWAWKBOX can keep bringing you information the Establishment would prefer you not to know about.
If you wish to republish this post for non-commercial use, you are welcome to do so – see here for more.