I resigned from the Labour Party in February 2020. Twenty months later, on 3 November 2021, I received an email from the Party which said ...
We are writing to you to let you know that a third party that handles data on our behalf has been subject to a cyber incident. While the Party’s investigation remains ongoing, we wanted to make you aware of this incident and the measures which we have taken in response. We have also provided details of precautionary steps you may consider taking to help protect yourself.
What happened?
On 29 October 2021, we were informed of the cyber incident by the third party. The third party told us that the incident had resulted in a significant quantity of Party data being rendered inaccessible on their systems. As soon as the Party was notified of these matters, we engaged third-party experts and the incident was immediately reported to the relevant authorities, including the National Crime Agency (NCA), National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO). The Party continues to work closely with each of these authorities. The Party is also working closely and on an urgent basis with the third party in order to understand the full nature, circumstances and impact of the incident. The Party’s own data systems were unaffected by this incident.
What information was involved?
We understand that the data includes information provided to the Party by its members, registered and affiliated supporters, and other individuals who have provided their information to the Party. The full scope and impact of the incident is being urgently investigated.
What are the Labour Party doing?
The Party takes the security of all personal information for which it is responsible very seriously. It is doing everything within its power to investigate and address this incident in close liaison with law enforcement, the Information Commissioner’s Office and the affected third party.
What you can do
With incidents of this nature becoming increasingly common, it is more important than ever to remain vigilant against suspicious activity. As an immediate precaution, and in line with National Cyber Security Centre guidance, we recommend you take the following steps to protect yourself:
Be especially vigilant against suspicious activity, including suspicious emails, phone calls or text messages. The National Cyber Security Centre has published advice regarding suspicious emails on its website: https://ncsc.gov.uk/guidance/suspicious-email-actions
If you have received an email which you’re not quite sure about, forward it to the Suspicious Email Reporting Service (SERS) via report@phishing.gov.uk.
You can also implement two-factor authentication (2FA) where possible to protect your online accounts from unauthorised access as described in the following publication on the National Cyber Security Centre’s website: https://www.ncsc.gov.uk/guidance/setting-two-factor-authentication-2fa
Additional guidance about what to watch out for online can be found here: https://www.ncsc.gov.uk/guidance/data-breaches
For more information
If you have any questions or queries in relation to this incident, please direct them to privacy@labour.org.uk. We will also provide updates on our website in respect of this incident in line with guidance received from relevant law enforcement authorities.
Kind regards,
The Labour Party
This was my reply…
TO: The Labour Party
I am seeking more detail about your breach of data given that you should have deleted it when I left the party over 18 months ago. Consider this an SAR request under article 15 of the UK GDPR.
1. Provide me with greater clarity about the third party you gave my details to including their name, reason for giving it, when you gave it and the exact details you gave to the third party.
2. Provide me with the names of all parties you have shared my data with, again with reasons for sharing, times and dates and the exact details that were shared.
3. Provide me with details of when and to what extent I granted you permission to give my details to any third party.
4. Provide me with all information you hold on record about me.
5. Provide me with an explanation as to why you did not delete my personal data when I left the Labour Party.
6. You suggested what I should do even though the responsibility for this data breach is yours, not mine. Provide me with details as to what measures you have put in place to ensure there is no repetition of a similar breach.
7. Provide assurances that all third parties you have shared my details with have deleted my personal data. Please inform me when you have deleted my personal data except for this email address.
Please be aware that you should respond without delay and within one month of this request.
Regards
David Wilson
and this is their reply to me:
Hello
Thank you for making a subject access request (otherwise known as a “SAR”).
We will respond to your query as quickly as we can, as we are currently receiving a large volume of enquiries. If you have not already provided the below, please send that to dataprotection@labour.org.uk
If we do not receive your ID, we will assume you do not wish to progress your SAR.
What do you need from me?
Provide us with your ID. We ask for a copy of photo ID (e.g. driving licence, passport) from requesters to guard against unauthorised or unwarranted attempts to access your confidential information. This is in line with guidance provided by the Information Commissioner’s Office. On verifying your identity, copies of any documents you provide will not be retained, and will be securely and permanently deleted.
Limit the scope of your request (if you have not done so already). It is likely your request will be returned much sooner if you limit the scope of your request. This could include providing the following:
- Date range – e.g. any emails between June 2015 and March 2016
- Specific search terms – e.g. where “Doncaster North CLP” has been mentioned alongside my name
- Specific conversations/email trails between named individuals
- Only related to a certain event – e.g. only about the complaint I raised/the dispute I was involved in
Provide us with your postcode and membership number. This ensures we can locate you on our systems.
Thank you if you have already specified the scope of your request in your original correspondence to us.
What information will I obtain from a SAR?
A Subject Access Request will provide the personal data the Labour Party is processing about you. There are however exemptions which apply to the disclosure of this data.
The Labour Party will apply limited redactions in line with the provisions given under the Data Protection Act 2018 (Schedule 2, Part 3 Para 16). It is therefore important to note that 3rd party personal data, as well as any information provided to us in a 3rd party capacity (e.g. complaints made to the Party which mention your name) are likely to be redacted, or removed entirely, before the information is disclosed to you. This reflects the need to also respect the privacy rights of the 3rd party and is in line with the ICO’s detailed guidance on SARs, which you can find here.
The Labour Party will also include the following information as part of your request:
• Any profiling carried out using your personal data
• Personal data transfers internationally
• Other rights available to you under the GDPR
• Retention periods
• Your right to complain to the regulator
In accordance with the provisions of the General Data Protection Regulation and the Data Protection Act 2018, we will respond to your subject access request within 30 calendar days of date of receipt. You should be aware that there are provisions which allow us to extend the timeframe for response by a further two months where we determine that a request is either excessive or complex. I will confirm whether the party intends to apply this extension once we have conducted our initial searches.
Yours sincerely,
Data Protection Team | The Labour Party
So no apology for this "incident", which is a major breach of data protection, but a lengthy explanation of what steps I must take to protect myself from data abuse. Then a request for detailed information about myself, my membership number and emails, search terms and so on. When I resigned I binned my membership card and since the LP has me on their records – that is why I received the initial email from them – why must I give them further details? My personal data should have been deleted from Labour Party files when I resigned my membership instead of which they now want MORE information about me. This is beyond crazy.