Thursday 11 November 2021

Labour Party's topsy turvy world



I resigned from the Labour Party in February 2020. Twenty months later, on 3 November 2021, I received an email from the Party which said ...

We are writing to you to let you know that a third party that handles data on our behalf has been subject to a cyber incident. While the Party’s investigation remains ongoing, we wanted to make you aware of this incident and the measures which we have taken in response. We have also provided details of precautionary steps you may consider taking to help protect yourself.

What happened? On 29 October 2021, we were informed of the cyber incident by the third party. The third party told us that the incident had resulted in a significant quantity of Party data being rendered inaccessible on their systems. As soon as the Party was notified of these matters, we engaged third-party experts and the incident was immediately reported to the relevant authorities, including the National Crime Agency (NCA), National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO). The Party continues to work closely with each of these authorities. The Party is also working closely and on an urgent basis with the third party in order to understand the full nature, circumstances and impact of the incident. The Party’s own data systems were unaffected by this incident.

What information was involved? We understand that the data includes information provided to the Party by its members, registered and affiliated supporters, and other individuals who have provided their information to the Party. The full scope and impact of the incident is being urgently investigated.

What are the Labour Party doing? The Party takes the security of all personal information for which it is responsible very seriously. It is doing everything within its power to investigate and address this incident in close liaison with law enforcement, the Information Commissioner’s Office and the affected third party.

What you can do With incidents of this nature becoming increasingly common, it is more important than ever to remain vigilant against suspicious activity. As an immediate precaution, and in line with National Cyber Security Centre guidance, we recommend you take the following steps to protect yourself:

Be especially vigilant against suspicious activity, including suspicious emails, phone calls or text messages. The National Cyber Security Centre has published advice regarding suspicious emails on its website:

For more information If you have any questions or queries in relation to this incident, please direct them to We will also provide updates on our website in respect of this incident in line with guidance received from relevant law enforcement authorities.

Kind regards,

The Labour Party

This was my reply…


TO: The Labour Party

I am seeking more detail about your breach of data given that you should have deleted it when I left the party over 18 months ago. Consider this an SAR request under article 15 of the UK GDPR.

1. Provide me with greater clarity about the third party you gave my details to including their name, reason for giving it,, when you gave it and the exact details you gave to the third party.

2. Provide me with the names of all parties you have shared my data with, again with reasons for sharing, times and dates and the exact details that were shared,

3. Provide me with details of when and to what extent I granted you permission to give my details to any third party,

4. Provide me with all information you hold on record about me.

5. Provide me with an explanation as to why you did not delete my personal data when I left the Labour Party.

6. You suggested what I should do even though the responsibility for this data breach is yours, not mine. Provide me with details as to what measures you have put in place to ensure there is no repetition of a similar breach.

7. Provide assurances that all third parties you have shared my details with have deleted my personal data. Please inform me when you have deleted my personal data except for this email address.

Please be aware that you should respond without delay and within one month of this request.


David Wilson

and this is their reply to me:


Thank you for making a subject access request (otherwise known as a “SAR”). We will respond to your query as quickly as we can, as we are currently receiving a large volume of enquiries. If you have not already provided the below, please send that to
If we do not receive your ID, we will assume you do not wish to progress your SAR.
What do you need from me?

  • Provide us with your ID. We ask for a copy of photo ID (e.g. driving licence, passport) from requesters to guard against unauthorised or unwarranted attempts to access your confidential information. This is in line with guidance provided by the Information Commissioner’s Office. On verifying your identity, copies of any documents you provide will not be retained, and will be securely and permanently deleted.

  • Limit the scope of your request (if you have not done so already). It is likely your request will be returned much sooner if you limit the scope of your request. This could include providing the following:

-Date range – e.g. any emails between June 2015 and March 2016
-Specific search terms – e.g. where “Doncaster North CLP” has been mentioned alongside my name
-Specific conversations/email trails between named individuals
-Only related to a certain event – e.g. only about the complaint I raised/the dispute I was involved in

  • Provide us with your postcode and membership number. This ensures we can locate you on our systems.

Thank you if you have already specified the scope of your request in your original correspondence to us.
What information will I obtain from a SAR?
A Subject Access Request will provide the personal data the Labour Party is processing about you. There are however exemptions which apply to the disclosure of this data.
The Labour Party will apply limited redactions in line with the provisions given under the Data Protection Act 2018 (Schedule 2, Part 3 Para 16). It is therefore important to note that 3rd party personal data, as well as any information provided to us in a 3rd party capacity (e.g. complaints made to the Party which mention your name) are likely to be redacted, or removed entirely, before the information is disclosed to you. This reflects the need to also respect the privacy rights of the 3rd party and is in line with the ICO’s detailed guidance on SARs, which you can find here.
The Labour Party will also include the following information as part of your request:

•Any profiling carried out using your personal data
•Personal data transfers internationally
•Other rights available to you under the GDPR
•Retention periods
•Your right to complain to the regulator

In accordance with the provisions of the General Data Protection Regulation and the Data Protection Act 2018, we will respond to your subject access request within 30 calendar days of date of receipt. You should be aware that there are provisions which allow us to extend the timeframe for response by a further two months where we determine that a request is either excessive or complex. I will confirm whether the party intends to apply this extension once we have conducted our initial searches.
Yours sincerely,
Data Protection Team| The Labour Party

So no apology for this "incident", which is a major breach of data protection, but a lengthy explanation of what steps I must take to protect myself from data abuse. Then a request for detailed information about myself, my membership number and emails, search terms and so on. When I resigned I binned my membership card and since the LP has me on their records – that is why I received the initial email from them – why must I give them further details? My personal data should have been deleted from Labour Party files when I resigned my membership instead of which they now want MORE information about me. This is beyond crazy.