The Labour Party has been criticised by Britain's data protection watchdog for failing to answer people who formally asked the party what information it holds about them.
The backlog had grown after the party was hit by a cyber attack in October 2021 and was inundated with requests from the public. The party announced that it had already cleared the backlog.
More than 350 people contacted the party with access to personal information requests (which allow anyone to ask an organisation what has happened to their personal information) but experienced long wait times.
The Information Commissioner's Office (ICO) said Labour had “repeatedly failed to respond” to requests. In November 2022, Labour received 352 Privacy Requests (SARs), of which 78% were not responded to within the maximum three-month time limit, and more than half (56%) were delayed by more than a year.
The investigation comes after the ICO received more than 150 complaints about its handling of SARs in 2021-2022.
The ICO said during its investigation it discovered a “privacy inbox” that had not been monitored by the Labour Party since November 2021. The inbox contained approximately 646 additional SARs and approximately 597 requests to delete personal information. None of the requests received a response.
ICO Deputy Commissioner Stephen Bonner said: “Being able to ask organisations 'What information do they have about me?' and 'How is it being used?' is a fundamental right that brings both transparency and accountability. It is vital not to underestimate the importance of organisations complying with these requests in a timely manner.”
“Citizens need to have full trust that political parties will handle their data correctly and respect their information rights.
“We welcome the news that Labor has put in place further measures to clear the SAR backlog and ensure people receive a fast response in future.”
Labour said it would appoint three temporary staff members to focus on outstanding requests, allocate extra funding and implement the action plan.
The ICO has taken formal disciplinary action against the party, requiring it to respond to SARs in a timely manner and ensure it has sufficient staffing to comply with the law in the future.
A Labour spokesman said: “Labour has co-operated fully with the ICO and has taken comprehensive steps to improve our processes following its findings.”
The party said that as of April 2024, the backlog of requests to access and delete personal information had been completely cleared and that no complaints were currently being received.
Labour Party headquarters suffered a “cyber incident” in 2021 which left it unable to access a “significant amount” of data belonging to members and supporters, in what is believed to be a ransomware attack in which hackers demanded money to restore access to data they had seized and encrypted.
