Labour pains

Saving Labour is a new organisation dedicated to replacing Jeremy Corbyn as leader of the Labour Party. It may quickly need to be saved from itself. An extract from a document that appears to be from Saving Labour is being circulated on Twitter by Corbyn supporters, annoyed about what it contains. The documents contains advice on how to obtain personal data of lapsed members who are likely to be anti-Corbyn because they left the party when around the time he became leader. The document then advocates contacting them for support.

Two things: I do not know the provenance of the document, and the allegation that it comes from Saving Labour or Progress may be untrue. This may be the work of a rogue individual, and so Saving Labour may not be responsible. If this is the case, they should make this clear, urgently and ensure that data is not obtained or processed in their name.

Second thing: I am a member of the Labour Party, and I do not support Jeremy Corbyn. I’m not even one of those ‘Corbyn can’t win’ people; if he could win, I wouldn’t want him to. Nevertheless, there is a strong likelihood that the Data Protection Act is being breached, and I think this needs to be addressed.

If Saving Labour (or rogue individuals) are attempting to recruit Labour members back into Labour, then the processing of data is likely to be a breach of Data Protection’s fairness requirements. If Saving Labour are trying to recruit members to Saving Labour’s mailing list or retaining data for its purposes, it’s potentially a lot worse. The most important thing here is that Saving Labour is not a faction of Labour; it is a separate Data Controller with its own Data Protection notification. If Saving Labour are obtaining data or getting others to obtain it on their behalf and for their purposes without Labour’s knowledge, it’s at least a civil breach of Data Protection.

Section 55 of the Data Protection Act makes it a criminal offence to obtain, disclose or procure the disclosure of personal data without the authorisation of the Data Controller. It’s not a criminal offence to obtain and disclose personal data without consent. The crucial element of S55 is the procuring or disclosing personal data without the authorisation of the Data Controller. The Data Controller isn’t an individual person (a common misconception) but it is the organisation as a whole. Nevertheless, if an individual who is clearly entitled to make decisions on the organisation’s behalf approved the disclosure, it’s not a criminal offence. If this data is being obtained and processing on behalf of  Saving Labour, there are specific defences that can be used, but these should be tested.

Of course, if the data has been obtained without Saving Labour’s knowledge and is being used for purposes that have not be authorised by the Labour Party, the individuals responsible for harvesting and processing the data could themselves be potentially in the frame for S55 offence, rather than Saving Labour.

Even if a senior Labour Party official gave explicit approval for someone to harvest personal data and use it, the likelihood of a Data Protection breach is still high. Unless the Labour Party told members that that their data would be shared with another organisation or processed after their membership had lapsed for marketing purposes, then the disclosure / processing would be a breach of the First Data Protection principle, which requires all processing of personal data to be fair. The chief element of fairness is that the person is told about how their data will be processed.

Though it’s possible that Labour told members that their information might be passed to affiliated organisations (which is relevant if Saving Labour receive the information or it is used on their behalf), it’s exceptionally unlikely that Labour would told members that their data would be processed after their membership had lapsed. Regardless of whether Saving Labour receive the data, processing it after the membership has lapsed is likely to breach the First principle unless Labour can demonstrate that members were told explicitly.

Of course, if Labour approved this, then Saving Labour could be considered to be a Data Processor carrying out a recruitment drive on the party’s behalf. If this is the case, unless Saving Labour is covered by a legally binding contract, this is a breach of the Seventh Principle.

It doesn’t end there. The document encourages MPs and councillors to “call” lapsed members to encourage them to join. As I blogged only yesterday, every part of the Data Protection system has made clear that calls made for the purposes of political campaigning are marketing – so if the callers do not screen any telephone numbers against the Telephone Preference Service, it would be a breach of the Privacy and Electronic Communications Regulations. If they send emails or texts without explicit consent from the person, it would be a breach of PECR. It’s extremely hard to imagine that any consent given to the Labour Party could survive a lapsed membership, and Saving Labour would not have that consent in the first place. Let me emphasise for new readers: there is no political exemption from PECR, there is no ‘we can call our members / ex-members’ exemption.

The ICO has already shown itself willing to enforce on political campaigning by issuing Enforcement Notices in the last decade against the SNP, the Labour Party, the Conservatives and the Liberal Democrats, and by issuing a monetary penalty for unsolicited texts against Leave.EU a few months ago, Last year, I blogged wearily about Labour’s idiotic and unfair purge of registered supporters. I and others have constantly pointed out their terrible marketing practices. And here we are again; another mess, another possible misuse of data, and at some point, the ICO dragged into it all over again to sort out another family dispute.

 

Comments

  1. Colin O Driscoll says:

    Dear Tim,

    This information was forwarded to me by a friend who had signed up to a Labour First mailing list. Since then Progress has published exactly the same information on their Facebook page. This is definitely not a spoof or a forgery. The link is:

    https://www.facebook.com/ProgressLabour/?fref=ts

    I have taken a screenshot, which I am happy to send, together with the original PDF, that accompanied the mailing.

    Colin O Driscoll

  2. If you want to convince yourself of where this email is coming from, sign up to the Saving Labour e-mail list on their website. Then you can view the archive via the “view your preferences” link at the bottom of the e-mail, sent via MailChimp, and you will read exactly the e-mail you are talking about. The same details have also since been republished on the Facebook page of Progress (as funded by Lord Sainsbury).

  3. “Though it’s possible that Labour told members that their information might be passed to affiliated organisations” – if they did, but I think this is not the case; but if Labour did this, in Labour Party terms “affiliated organisations” would clearly be expected to only refer to Labour-affiliated organisations such as trade unions or the ‘affiliated socialist societies’.

  4. I can confirm the source of the information doing the rounds as I also received that same email from Labour First.

  5. Clarence says:

    It is from Progress, it’s on their website so definitely from the Progress part of Labour, Labour First/Saving Labour although not clear how all these groups fit together with one another within Labour as a whole.

    http://www.progressonline.org.uk/content/uploads/2016/07/Seven-days-to-save-Labour.pdf

  6. Reblogged this on nearlydead.

  7. I Crawford says:

    Is this potentially a breach of this act as well?
    As it looks like unauthorised use of data.
    https://en.wikipedia.org/wiki/Computer_Misuse_Act_1990

  8. The document appears to be advising people who already have access to membership records on how they can get the contact details of lapsed members so they (MPs and councillors) can encourage them to sign up as registered supporters. If the information is only being obtained by people who have permission to access the data and is used for permitted purposes (recruiting supporters) and not being passed on to Labour First, this isn’t a data protection breach is it?

    • Even if explicitly approved by the Labour Party, it’s probably still a DP breach because it’s unfair – none of the T&Cs I have seen refers to this purpose. The involvement of another data controller only muddies the water further.

      • Thanks. I’m a member with similar views to you, and if DP law is being breached I will be furious.

      • How is it unfair? Surely as this is being advertised in save labour led by Labour members and is on membersnet then any member of the labour party can access it including the corbyn campaign.

  9. Alan Fairclough says:

    When I joined Labour I started to get many emails and phone calls from “organisations” who were technically not “Labour” but were campaigning or canvassing for an organisation or cause close to Labour in some way.

    Last year I was called, emailed and snail-mailed by most of the candidates for the leadership election, more recently I’ve been getting calls, texts, emails and snail-mail from people acting on behalf of various City Region Mayoral candidates.

    I see no difference in any of them “processing my data” to help them win their campaigns and any Labour-reLabour-related campaign group doing it now.

    What I am more concerned about it the hysterical mess the Labour Party has become which, regardless of the outcome of the leadership election, is the biggest threat to my continued membership of the party and, what should be more worrying, even my vote at the next general election.

    Stop repeating the mistakes of the 80s. Please.

    • Presumably none of these organsiations should be doing this unless there is an explicit notification at the time you join, or a request that you agree to the use of your data in this way.

  10. Friendly reminder: comments that are not about the blog will not be published, so if you want to vent your spleen about the future of the Labour Party from either perspective, this isn’t the place.

  11. I too am a DP professional. Great work.

    This starts from the lack of granularity of consents held by the Labour Party. The LP can’t tell the difference between those that want the minimum contact, dunning letters and how to participate in the internal affairs of the Party, though the begging letters, pleas to volunteer and requests to vote for people.

    I question if the LP should have personal data on lapsed members at all. I think we can assume that consent has been withdrawn. It is one of the principles that data should be deleted when no longer required. There may be an argument that those who are lapsed due to having an arrears should be recorded and retained as having a debt, but I don’t think they should be allowed to vote by paying £25 if their debt is larger.

    Shami Chakrabarti in her inquiry stated that the Labour Party can’t run a safe disciplinary process; it lacks the legal skills. It is clear it lacks the IT security skills which become mandatory under the GDPR.

    I agree obtaining or passing on membership data for purposes other than those approved by the Labour Party and consented by the data subject is an offence. There is an argument recruiting people back to the Labour Party is an approved activity.

    I am a member of the Labour Party, the GMB, the Fabian Society & Momentum. I voted for Jeremy Corbyn last year.

    Dave
    CISSP & FBCS CITP

  12. rwendland says:

    BTW Saving Labour are also breeching their notification by exporting personal data outside the EEA. They are using Mailchimp hosted in the USA to deliver their emails, but in their notification (Registration Number: ZA191849) they promised:

    “Transfers: It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA).”

    A common problem I know, but on top of the solicitations (seemingly by Progress’ Deputy Director it seems) to access Labour’s membership database, not helpful to their case.

Trackbacks

  1. […] Commissoner’s Office response, which it seems is to write a stern letter. Tim Turner looks at the Law, here, and I comment on his thread, repeating what I said in my post, Compliance, that the Chakrabarti […]

  2. […] Source: Labour pains […]

%d bloggers like this: