The Labour Party has become the latest organisation to incur the wrath of the Information Commissioner’s Office after being issued a reprimand for repeatedly failing to respond to subject access requests about what information it holds on individuals.
In November 2022, Labour had received 352 SARs that required a response. Of that number, 78% had not received a response within the maximum compulsory time limit of three months, and over half (56%) were significantly delayed by over one year.
Organisations must respond to a SAR within one month of receipt of the request. This can be extended by up to two months if the SAR is complex.
The backlog of SARs developed following a cyber-attack on the Labour Party in October 2021, which led to an increase in requests from the public.
The ICO investigation followed over 150 complaints regarding the party’s handling of SARs in the year from November 2021 to November 2022.
During the investigation, the ICO was also informed of the existence of a ‘privacy inbox’ that had not been monitored by the party since November 2021. The inbox contained approximately 646 additional SARs and approximately 597 requests for personal information to be deleted. While some of these may have been duplications, none of the requests had been responded to by the party.
Since engagement with the ICO began, the Labour Party has continued to take steps to address its backlog, including assigning three temporary members of staff to solely tackle the outstanding requests, allocating extra funds and implementing an action plan.
ICO deputy commissioner Stephen Bonner said: “Being able to ask an organisation ‘what information do you hold on me?’ and ‘how it is being used?’ is a fundamental right, which provides both transparency and accountability. It is vital that organisations do not underestimate the importance of responding to these requests on time.
“The public need to fully trust that a political party will handle their data correctly and respect their information rights. We welcome news that the Labour Party has now cleared its backlog of SARs and implemented further measures to ensure people receive a prompt response going forward.”
The reprimand details how the Labour Party failed to comply with their legal obligations under data protection law when responding to SARs during this period. The ICO has advised the organisation to take the steps outlined in its action plan to make sure it continues to have adequate staffing in place to respond to SARs on time and ensure future compliance with the law.
Related stories
MoJ gets final warning over huge data request backlog
Firms rocked by barrage of ‘weaponised’ data requests
Brexit Party pummelled over backlog of data requests
Firms accused of handing out personal data willy-nilly
Met farce fuels data access request warning to brands
‘I don’t believe it’…young make most GDPR complaints
