UK Labour Party reprimanded over cyberattack backlog by privacy regulator
The United Kingdom’s Labour Party was reprimanded on Wednesday by the country’s privacy regulator for failing to comply with data protection laws while in opposition.
More than 150 people complained to the Information Commissioner’s Office (ICO) about the length of time it was taking the Labour Party to respond to subject access requests (SARs) following a cyberattack in October 2021.
An SAR, under Britain’s privacy laws, gives people the right to ask an organization that is using or storing their personal information to provide them with a copy of that information, as well as the right to ensure the information is up-to-date and accurate, and in some cases deleted.
Organizations holding personal information are required to comply with an SAR “without undue delay and at the latest within one month of receiving the request,” according to the regulator, although this period can be extended by two months if the request is particularly complex.
Following a ransomware attack in 2021 on a company called Tangent supplying Labour’s member system, the party began to develop a backlog of these requests — partially due to a spike in people seeking to know how much of their personal information may have been compromised in the attack.
KP Law, a firm specializing in data breach group action cases, subsequently launched a claim against the Labour Party complaining that the party was “refusing to tell members what data has been exposed.”
“Our early investigations, combined with the Party’s refusal to be accountable and honest following the hack, suggests that Labour’s data protection processes are nothing short of shambolic,” the firm stated.
During the course of the ICO’s investigation into this backlog, the party disclosed that it had found an inbox that was no longer being monitored but had received hundreds of SARs that the party had missed, more than half of which ended up being significantly delayed by over one year.
The watchdog issued the Labour Party with a reprimand rather than a fine because of the party’s response to the investigation, explaining that senior members of staff had “devoted considerable time to personally dealing with the subject access request backlog.”
Stephen Bonner, the ICO’s deputy commissioner, said: “Being able to ask an organization 'what information do you hold on me?' and 'how it is being used?' is a fundamental right, which provides both transparency and accountability. It is vital that organizations do not underestimate the importance of responding to these requests on time.
“The public need to fully trust that a political party will handle their data correctly and respect their information rights. We welcome news that the Labour Party has now cleared its backlog of SARs and implemented further measures to ensure people receive a prompt response going forward.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.