Labour reports data breach to the ICO after MPs join The Independent Group

Image of the Labour Party website

The Labour Party has reported an alleged data breach to the Information Commissioner's Office (ICO) over fears the personal data of party members was improperly accessed following the resignation of several MPs this week.

It is understood the party has accused at least one of the eight former Labour MP who left to join The Independent Group (TIG) of improperly accessing party systems to contact members after their resignation.

The ICO confirmed it had received a complaint from the Labour Party ahead of a full report being made in the near future, with a spokesperson telling IT Pro: "We have received an initial report of a data breach from the Labour Party and will be making enquiries."

The MP accused has not been officially named either by Labour or the ICO, but it is understood the party's concerns relate to an individual whose resignation was widely reported on Tuesday evening.

Seven MPs, including Chuka Umunna MP, Chris Leslie MP and Luciana Berger MP resigned together on Monday morning, with a ninth, Ian Austin MP, announcing his departure on Friday morning. Only Joan Ryan MP, the eighth, resigned on Tuesday.

The Guardian challenged Ryan over suggestions she had violated data protection rules by improperly accessing Labour members' personal data, but the Enfield North MP strongly denied the claims.

"The Labour Party became aware of attempts to access personal data held on the Party's systems for unauthorised use," a party spokesperson said. "Personal data the Party holds about individuals is protected by law, under the GDPR and Data Protection Act 2018.

"We are aware that the Information Commissioner is taking an increasingly serious view of misuse of personal data and requires a data controller to take reasonable and proportionate steps to ensure the security of data held on its systems. The Labour Party takes our data protection obligations extremely seriously."

The party's general secretary Jennie Formby became aware of attempts to access Labour members' personal data this week, which led to the party temporarily shutting down both its main campaigning systems Contact Creator and Organise, according to the Guardian.

In a message addressed to staff members, Formby said "data held by the party, including data within Contact Creator and other systems used for election or other campaigning work, may only be accessed by individuals who are authorised to access it, and may be used only for purposes authorised by the party as data controller".

"Much of the data held on our systems tends to reveal individuals' political opinions and is therefore 'special category' data, benefiting from enhanced protection under the legislation," she added.

Under the EU's General Data Protection Regulation (GDPR), and the UK's equivalent Data Protection Act 2018, special category data such as that indicating political leaning, must satisfy additional requirements against demands for processing standard variants of personal data.

The notion of disgruntled ex-employees making away with data from previous employers is hardly novel, and has in the past led to organisations facing potential fines for not implementing sufficient safeguards to protect customers' personal data.

Health firm Bupa was fined 175,000 by the ICO last year after one of its employees tried to sell the records of 574,000 Bupa Global customers on the dark web.

The employee in question accessed the data via the firm's CRM system, which the ICO charged Bupa with not adequately monitoring. The company was only made aware of the incident several months after the sale of this personal data took place.

A former Morrisons employee similarly stole the data of 100,000 of his colleagues in 2014, with a judge's ruling in October 2018 paving the way for 5,518 members of staff to claim compensation from the supermarket giant.

IT Pro approached the Conservative Party to ask whether they have similar concerns about members' personal data being improperly accessed, following the departure of three MPs this week and rumours of further defections. The Independent Group was also approached but neither organisation responded at the time of writing

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.