As students across the country return to school after the summer holidays, the Labour Party has received a “Must try harder” from the UK's data regulator, the Information Commissioner's Office (“ICO”).
The ICO has issued a reprimand to the Labour Party for accumulating a huge backlog of data subject access requests (“SARs”) following a cyber attack in October 2021.
SARs allow individuals whose personal data is processed by organisations to request access to their data and related information within one month from the date of the request (which can be extended up to 3 months if the request is deemed “complex”).
Following the 2021 cyber attack, the Labour Party received an influx of individuals requesting access to, and information about, their personal data. By November 2022, the Labour Party had received 352 SARs, 78% of which were not answered within the maximum timeframe of 3 months, and over half were delayed by over one year.
After receiving in excess of 150 complaints from individuals, the ICO launched an investigation. Alongside these figures, it found that a privacy inbox set up by the Labour Party to deal with correspondence and requests following the cyber attack had not been monitored since late November 2021, when the party reverted to its standard data protection inbox. Within this ghost inbox over 600 SARs were found without evidence of any response from the Labour Party, in addition to almost 600 requests from individuals to erase their personal data from its systems.
Mitigating factors were taken into account by the Information Commissioner, including the large increase in SARs received by the Labour Party, as well as its recent improvement in dealing with the backlog. The Labour Party's “action plan” of remedial steps, including hiring and training additional staff, contacting affected individuals and actioning the backlog of requests, meant that the enforcement action in this instance was a public reprimand rather than a financial penalty, but we can expect the Information Commissioner to be keeping an eye on the situation.
The ICO's recommended actions would be useful for any organisation that processes personal data: ensuring you have appropriate resources in place to deal with SARs (including being prepared for a large influx of SARs following a data security incident) and deleting any inboxes that are no longer in use would be a good way to demonstrate your compliance. If you have any questions about SARs, or about how to streamline your processes to meet the tight deadlines in a more cost-efficient way, please do get in touch with your usual LS contact.