We have issued a reprimand to the Labour Party for repeatedly failing to respond to people who asked what personal information the party held on them – known as a subject access request (SAR).
In November 2022, the Labour Party had received 352 SARs that required a response. Of that number, 78% had not received a response within the maximum compulsory time limit of three months, and over half (56%) were significantly delayed by over one year.
The backlog of SARs developed following a cyber-attack on the Labour Party in October 2021, which led to an increase in requests from the public.
The investigation followed over 150 complaints to us regarding the Labour Party’s handling of SARs in the year from November 2021 to November 2022.
Under data protection law, people have the right to ask an organisation if it is using or storing their personal information and receive a copy of any personal information held. They also have the right to ask an organisation to ensure that their personal information is up-to-date and accurate, or in certain cases, deleted.
During its investigation, we were also informed of the existence of a ‘privacy inbox’ that had not been monitored by the Labour Party since November 2021. The inbox contained approximately 646 additional SARs and approximately 597 requests for personal information to be deleted. While some of these may have been duplications, none of the requests had been responded to by the Labour Party.
Since engagement with the ICO began, the Labour Party has continued to take steps to address its backlog, including assigning three temporary members of staff to solely tackle the outstanding requests, allocating extra funds and implementing an action plan.
“Being able to ask an organisation 'what information do you hold on me?' and 'how it is being used?' is a fundamental right, which provides both transparency and accountability. It is vital that organisations do not underestimate the importance of responding to these requests on time.
“The public need to fully trust that a political party will handle their data correctly and respect their information rights. We welcome news that the Labour Party has now cleared its backlog of SARs and implemented further measures to ensure people receive a prompt response going forward.”
- Stephen Bonner, Deputy Commissioner at the ICO
The reprimand details how the Labour Party failed to comply with their legal obligations under data protection law when responding to SARs during this period. We have advised the Labour Party to take the steps outlined in its action plan to make sure they continue to have adequate staffing in place to respond to SARs on time and ensure future compliance with the law.
Organisations must respond to a SAR within one month of receipt of the request. This can be extended by up to two months if the SAR is complex.
We have a wealth of information on our website to help organisations respond to SARs, including guidance for employers, as well as to assist people looking to make one.
Note to editors
- The Labour Party made the ICO aware of the cyber attack that impacted the party in October 2021. Following an investigation, the case was closed with no enforcement action taken.
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to Make a complaint.