The Secret Seven

Last year, I wrote about the fact that Councillor Alex Ganotis, Labour leader of Stockport Council, is also a group manager at the Information Commissioner’s Office. After an FOI request, the ICO admitted that he managed the teams responsible for complaints about political parties and local councils. At the time, I argued that this was an unacceptable conflict of interest, and something had to be done about it.

In May this year, shortly after being elected as Manchester’s new Mayor, Andy Burnham appointed Cllr Ganotis as his Environmental Tsar. You can watch a video of the announcement here, and ponder such fascinating questions as why Burnham’s nose is so red, or why throughout the first two minutes, the camera keeps cutting to a wide shot that captures Ganotis’ uncomfortable facial expressions while Burnham is talking. The announcement piqued my interest. If he was organising a grand summit of environmental worthies, would Cllr Ganotis really have time to work at the ICO? And if so, what effect would the review into political activities that Elizabeth Denham announced have on his role?

I made an FOI request to the ICO for the following information:

1) In 2016, the ICO confirmed to me that Alex Ganotis was manager of the team that dealt with complaints about councils and political parties, despite being Leader of Stockport Council at the time. Can you confirm whether Mr Ganotis is still a member of ICO staff, and if so, what is his current job, and what arrangements have been made to avoid any potential conflict of interest?

2) What is the current ICO policy and process for dealing with political party affiliations and potential conflicts of interest?

3) In August 2016, the Information Commissioner announced in an interview with the BBC’s Martin Rosenbaum that she had ordered a review of the involvement of ICO staff in political activities. I would like to see any report or findings arising out of the review, or other summary of the review and its findings, and details of any actions that were taken as a result of it.

4) I would like to receive all current declarations made by any member of staff of involvement in political activities

5) What specific measures have been taken in respect of each staff member who has made a declaration to ensure that there is no conflict of interest?

The response made for fascinating reading. For one thing, Cllr Ganotis remains a Group Manager at Wilmslow and although his group no longer deals with political parties, it still covers issues related to all local authorities in the UK except for those in Greater Manchester, Cheshire or Derbyshire. How politicians and others in every council outside the North West feel about complaints about their authorities still being supervised by the Leader of a Labour Council and a close ally of Andy Burnham is hard to judge. They might be thrilled. Maybe the ICO should ask them.

The report I received under item (3) of my request did contain an option to remove Cllr Ganotis from work involving local authorities altogether, but one of the reasons that this option was not recommended was the fact that “it could be seen to question the professionalism of Alex and other members of staff and their ability to apply the law without bias or political influence“. How Cllr Ganotis’ political career could possibly be seen to reflect on other people is beyond me, but it is jarring that a significant factor in the decision to keep him involved in council work might have been the effect on him, rather than the Commissioner’s ability to operate independently. To be blunt, the ICO as a whole is more important.

UPDATE: I have attached the ICO’s report into the conflict of interest here, so readers can judge how objective and balanced it is: Commissioner Information Note – Political Activities.pdf

Unless every team in the ICO handles complaints about local authorities (and to a lesser extent, government), Cllr Ganotis should have been moved to one that doesn’t. Having decided to pursue a high-profile political career, asking him to make a sacrifice to avoid conflicts of interest and their perception would not be too much. I am surprised that Cllr Ganotis has not requested such a transfer himself. To risk even the perception of influence over decisions about politically-run organisations, and at the same time pursue a high-profile political career suggests either an enormous amount of faith in one’s ability to compartmentalise, or just old fashioned hubris.

The review identified gaps in the ICO’s Political Activities Policy, with recommended “updates” including a stipulation that staff must avoid party political activities which might impair their ability to perform their duties impartially, a requirement to inform the ICO if their activities or areas of responsibility change, and the scope to remove permission to undertake political activities if an individual’s ICO role or political activity changes. Needless to say, this means that none of this existed before.

The rest of the FOI request suggests a continuing unwillingness to face the issue of political involvement. Including Cllr Ganotis, eight staff members have made declarations of involvement in political activities, but the ICO refused to tell me who the other seven are, or what they do, claiming that the data is sensitive personal data. This is true, but it is not automatically a barrier to disclosure. For one thing, the Secret Seven could be asked for consent, and this is not the only route to disclosure.

There is surely a legitimate interest in knowing whether people working for an independent regulator such as the Commissioner have political affiliations, especially when you consider the ICO’s involvement in political matters. Over the past few years, the ICO has fined Leave.EU, David Lammy MP over his London Mayoral Campaign, the Daily Telegraph for its pro-Tory emails during the 2015 election, and in recent months, they took no action against Virgin Trains following Jeremy Corbyn’s antics in a train vestibule. More importantly, the Commissioner herself announced a formal investigation into the use of data analytics for political purposes with no small amount of fanfare, involving 20 staff. The ICO is knee-deep in politics and transparency over the declared political activities of the staff is in the public interest.

As the data is sensitive personal data, legitimate interests would not be enough; a condition must also be met from Schedule 3 of the Data Protection Act as well. One of the conditions is that the Data Subject has put their sensitive data into the public domain. If, for example, a senior ICO staff member was to mention on their LinkedIn page that they were a Councillor for 9 years, the Campaigns and Communications Officer for an MEP for five years, listed the Liberal Democrats as one of their main interests and was recommended for ‘politics’ and ‘political campaigning’ by dozens of people, I think I can argue that at least this one has manifestly made their political views public. The ICO refusal says “our staff do not have a reasonable expectation that their declarations would be disclosed into the public domain“, but the staff member in question was a candidate for the LibDems in the 2015 General Election, so I humbly suggest that the cat is out of the bag. Either this person is one of the seven, and the ICO’s arguments are false, or they haven’t made a declaration, and the ICO’s claim to me that “the review and policies are sufficient to demonstrate that we avoid conflicts in our work” is nonsense. Again, did they consider this before refusing me?

Every national, local, or internal party election or referendum runs on personal data, and personal data is exploited, analysed, shared, lost, stolen and misused in every single one of them. If you can name a major vote in this decade that hasn’t resulted in a DP snarl-up, you’ve a better memory than me. If there is one word that shines through everything the Commissioner sent me on this topic, last time and this time, it’s  complacency. The policies and procedures that existed before and the ones that have replaced them are built on an obvious assumption that a box needs to be ticked. Of course nobody is actually going to do anything untoward, the managers are on top of it, staff will proactively declare any conflicts of interest and besides, we have a procedure. But they thought it was all fine before. If I had not written my blog last summer, Cllr Ganotis would still be responsible for managing complaints involving his council, his party and his opposition.

I don’t think the Commissioner’s Office takes this seriously. I am amazed that Alex Ganotis is still allowed any influence over the ICO’s decisions about local government, regardless of how objective or benign that influence might be. I am appalled that anyone in the ICO’s senior management could think that this is acceptable. Every time the Commissioner acts or doesn’t act on a political issue, do we always need to ask: who was involved? What bias, conscious or unconscious, did they bring to bear? What other interests do they serve? In a world dominated by fake news and internet froth, the ICO’s independence and objectivity should be their highest priority. It isn’t.

Virgin Berth

If there could be anything worse than the provenance and target of a Wallasey brick spawning an industry of conspiracy theorists, then it’s probably the Burning Question of whether Virgin Trains East Coast’s release of CCTV images of Jeremy Corbyn spurning unoccupied seats to enjoy the proletarian solidarity of the vestibule floor breached Data Protection laws. If I get through today without reading The Canary’s take on the matter, I will be a happy man.

Of course, the only sensible answer to the question is “It doesn’t matter“. But let’s ignore that obvious fact in favour of the following.

First, if Virgin Trains released unpixelated images of other passengers, this would be a breach of the first Data Protection principle on the basis that it would be unfair. There is no legitimate interest in doing so, and it is plainly unfair to publish images of ordinary passengers minding their own business. There is NO CHANCE ON EARTH that the Information Commissioner will take any action against Virgin for this as there is no harm to the passengers concerned, and harm is a vital threshold for any enforcement action. Individual passengers could sue, but again, they would have to demonstrate at least distress. I went from London to Edinburgh on Virgin East Coast once so I have some sympathy with this argument.

Of course, nobody would give a toss about this if it were not for the perceived slight to JC, so let’s get to that.

The first Data Protection principle requires that personal data should be processed fairly, lawfully and according to a set of conditions. Virgin’s disclosure must clear all three hurdles.

Fair – in the general sense of the word, I believe that the processing of Corbyn’s data was fair. Presumably without the company’s consent, Corbyn filmed a publicity stunt about the state of their trains. Even if the content was true, I believe Corbyn opened the door for Virgin to reply about the state of the train that Corbyn was on. Fairness does have a separate, specific meaning, which requires the organisation to tell the Data Subject who they are, what purposes the data is being used for, and anything else necessary to make the processing fair.

I can’t find the privacy notice for Virgin Trains East (if it’s not on the trains, that’s a breach), but Virgin Trains West Coast has a detailed policy on its website that includes improving customer service, monitoring operational incidents and verifying claims. If something similar is on the East Coast trains, I don’t think Corbyn has much room for complaint. I think that responding to an unauthorised publicity stunt on one of their trains is probably compatible with verifying claims and monitoring operational incidents. And besides, the Information Commissioner’s Office has invented and long tolerated a notion of ‘reasonable expectations’ – that you can do anything with personal data that the person would reasonably expect you to do. If Corbyn didn’t expect Virgin to look at their CCTV to verify his claim that the train was ‘ram-packed‘ (or even ‘rammed’ or ‘jam-packed’), he’s an idiot.

There is the nugget of an issue here – the public perception of CCTV is that it is used solely as a means of detecting and investigating crime. It isn’t – it’s used for a variety of civil, disciplinary and publicity purposes and there’s nothing in the Data Protection Act to prevent this. However, companies like the West and East Virgins tend to stress security and crime over all things when dealing with CCTV, and this creates an expectation of its own. Everything depends on the information available on the train that JC travelled on.

There is one exemption that might come to Virgin’s aid – Section 32 renders all of the First Principle void (and most of the others) if a disclosure is made for ‘journalistic purposes’ and the public interest in publication is incompatible with compliance with the principles. The language is important – one does not need to be a journalist, only to be processing for the purposes of journalism. This opens the door to widespread and enthusiastic flouting of DPA by all sorts of corporate interests, but I find it hard to dismiss the possibility altogether.

Lawful – I believe that the disclosure was lawful. A train is not a private place (except in the toilets and this is probably not the time for me to raise the urban myth about CCTV in train toilets), and Corbyn’s personal data in this context is not confidential or private. I can see no other law that disclosing this data would breach, so I think they’re in the clear.

Condition – Schedule 6(2) of the Data Protection Act states that data can be processed (in this context, disclosed) if it is necessary for the purposes of a legitimate interest, as long as the processing does not prejudice the rights, freedoms or legitimate interests of the subject. Corbyn made a claim about the conditions he found on a particular train – I believe that Virgin unquestionably have a legitimate interest in disclosing Corbyn’s personal data in order to comment on the accuracy of his claim. If Virgin released images of Corbyn unprompted, legitimate interests are out of the window. But Corbyn started the ball rolling, and I cannot see how the use of overt CCTV for this purpose prejudices his interests. Of course, if the images were used in a misleading way, again, legitimate interests is dead, but frankly, that’s a much bigger problem.

Other conditions might be engaged but unless Virgin have actively defamed Corbyn by photoshopping them to look like the train had seats when it didn’t (which is what I presume The Canary’s take is), I believe that the use of images was adequate, relevant, and not excessive (principle 3), and accurate (principle 4). One might question how long the images have been retained for (principle 5), but there is no statutory time period – Virgin simply have to justify that the retention period matches the purposes outlined under the first principle.

At its absolute worst, the release of Corbyn’s images might be unfair if the privacy notices on the train do not reasonably envisage the possibility of something like this happening. If Mr Corbyn was damaged in some way by this, the seriousness of the breach is increased, but not by much. It would be unlawful, but I see no public interest in taking action. Politics is a dirty business. Corbyn’s party breaches Data Protection all the time, so if he wants to take this up, he should do some digging in his own backyard.

And reserve a bloody seat next time.

UPDATE (24/8/16): The Information Commissioner has stated that they are “making enquiries” into Virgin’s disclosure of the CCTV images. The two possible enforcement routes available are a monetary penalty or an enforcement notice. The penalty requires the ICO to establish that there has been a serious breach of the Data Protection Act, likely to cause substantial damage or distress, and the data controller (Virgin Trains East Coast) either deliberately set out to breach the DPA, or knew (or ought to have known) that the breach would occur, and that the damage / distress would follow as a consequence. If you think that this incident meets that threshold, would you be interested in buying a used car?

The alternative is an enforcement notice. The enforcement notice can only apply if there is an ongoing breach that the data controller cannot or will not remedy. In other words, if Virgin promised never to disclose CCTV for publicity purposes again, it would be very difficult for the ICO to issue an enforcement notice. It would be disproportionate to take such significant action if it was clear that Virgin would not do the same thing again.

All this may be disappointing to those who wish to see Virgin, and its bearded figurehead, chastised for their assault on the integrity of JC, but this is not a serious breach. The NHS ignored opt-outs from the sharing of medical data for thousands of people over a prolonged period of time, and the worst that happened is that they were asked to sign an undertaking (an unenforceable public promise to behave better) at a time which best suited them in publicity terms. If you think that embarrassing Corbyn is worse than that, you ought to be ashamed of yourself.

The one good thing is that I don’t think the Labour Leader of Stockport Council, who moonlights as a Group Manager at the ICO, will end up dealing with the case. But who knows?

Labour pains

Saving Labour is a new organisation dedicated to replacing Jeremy Corbyn as leader of the Labour Party. It may quickly need to be saved from itself. An extract from a document that appears to be from Saving Labour is being circulated on Twitter by Corbyn supporters, annoyed about what it contains. The document contains advice on how to obtain personal data of lapsed members who are likely to be anti-Corbyn because they left the party around the time he became leader. The document then advocates contacting them for support.

Two things: I do not know the provenance of the document, and the allegation that it comes from Saving Labour or Progress may be untrue. This may be the work of a rogue individual, and so Saving Labour may not be responsible. If this is the case, they should make this clear, urgently and ensure that data is not obtained or processed in their name.

Second thing: I am a member of the Labour Party, and I do not support Jeremy Corbyn. I’m not even one of those ‘Corbyn can’t win’ people; if he could win, I wouldn’t want him to. Nevertheless, there is a strong likelihood that the Data Protection Act is being breached, and I think this needs to be addressed.

If Saving Labour (or rogue individuals) are attempting to recruit Labour members back into Labour, then the processing of data is likely to be a breach of Data Protection’s fairness requirements. If Saving Labour are trying to recruit members to Saving Labour’s mailing list or retaining data for its purposes, it’s potentially a lot worse. The most important thing here is that Saving Labour is not a faction of Labour; it is a separate Data Controller with its own Data Protection notification. If Saving Labour are obtaining data or getting others to obtain it on their behalf and for their purposes without Labour’s knowledge, it’s at least a civil breach of Data Protection.

Section 55 of the Data Protection Act makes it a criminal offence to obtain, disclose or procure the disclosure of personal data without the authorisation of the Data Controller. It’s not a criminal offence to obtain and disclose personal data without consent. The crucial element of S55 is the procuring or disclosing personal data without the authorisation of the Data Controller. The Data Controller isn’t an individual person (a common misconception) but it is the organisation as a whole. Nevertheless, if an individual who is clearly entitled to make decisions on the organisation’s behalf approved the disclosure, it’s not a criminal offence. If this data is being obtained and processed on behalf of Saving Labour, there are specific defences that can be used, but these should be tested.

Of course, if the data has been obtained without Saving Labour’s knowledge and is being used for purposes that have not been authorised by the Labour Party, the individuals responsible for harvesting and processing the data could themselves be potentially in the frame for an S55 offence, rather than Saving Labour.

Even if a senior Labour Party official gave explicit approval for someone to harvest personal data and use it, the likelihood of a Data Protection breach is still high. Unless the Labour Party told members that their data would be shared with another organisation or processed after their membership had lapsed for marketing purposes, then the disclosure / processing would be a breach of the First Data Protection principle, which requires all processing of personal data to be fair. The chief element of fairness is that the person is told about how their data will be processed.

Though it’s possible that Labour told members that their information might be passed to affiliated organisations (which is relevant if Saving Labour receive the information or it is used on their behalf), it’s exceptionally unlikely that Labour would have told members that their data would be processed after their membership had lapsed. Regardless of whether Saving Labour receive the data, processing it after the membership has lapsed is likely to breach the First principle unless Labour can demonstrate that members were told explicitly.

Of course, if Labour approved this, then Saving Labour could be considered to be a Data Processor carrying out a recruitment drive on the party’s behalf. If this is the case, unless Saving Labour is covered by a legally binding contract, this is a breach of the Seventh Principle.

It doesn’t end there. The document encourages MPs and councillors to “call” lapsed members to encourage them to join. As I blogged only yesterday, every part of the Data Protection system has made clear that calls made for the purposes of political campaigning are marketing – so if the callers do not screen any telephone numbers against the Telephone Preference Service, it would be a breach of the Privacy and Electronic Communications Regulations. If they send emails or texts without explicit consent from the person, it would be a breach of PECR. It’s extremely hard to imagine that any consent given to the Labour Party could survive a lapsed membership, and Saving Labour would not have that consent in the first place. Let me emphasise for new readers: there is no political exemption from PECR, there is no ‘we can call our members / ex-members’ exemption.

The ICO has already shown itself willing to enforce on political campaigning by issuing Enforcement Notices in the last decade against the SNP, the Labour Party, the Conservatives and the Liberal Democrats, and by issuing a monetary penalty for unsolicited texts against Leave.EU a few months ago. Last year, I blogged wearily about Labour’s idiotic and unfair purge of registered supporters. I and others have constantly pointed out their terrible marketing practices. And here we are again; another mess, another possible misuse of data, and at some point, the ICO dragged into it all over again to sort out another family dispute.

 

Here’s what you could have won

The worst experience for many data protection officers (apart from conversations which include the question ‘was it encrypted?’) is when their employer has spent a large amount of time and money developing some amazing, world-changing initiative involving personal data without asking them about it. A finger hovers metaphorically or sometimes literally over the start button, and somebody finally says ‘Hey, shouldn’t we ask DP guy about this?’. And so DP guy trudges from whatever mouldy corner of the organisation they have been exiled to after the last time this happened, and they are asked something along these lines. “This is all fine, ISN’T IT?”

And they are obliged to say no. Sometimes it’s just a bloody stupid idea, but most of the time, the project is at the very least achievable in some form, but asking at the end of the process means that the easiest, cheapest and most convenient solutions are lost because they needed to be included in the design of the process. The organisation has the unattractive choice of breaching the DPA or bolting on expensive and unwieldy solutions to the problem. Different organisations react in different ways, but DP guy is usually blamed. The way to avoid the above problem is to carry out a privacy impact assessment – as early as possible, the people designing the new amazing thing look at what they’re planning to do, think deeply (and with as many views as they can find) about what might go wrong from a data protection and privacy perspective, and then build the solutions into the design of the project. Alternatively, they decide to leave the thing as it is, but knowing what risks they are running, rather than living in denial.

There are three problems with the PIA approach. First, you have to be willing to do one. Second, you have to be willing to imagine what might go wrong with your new amazing thing. Third, you must be willing to change your new amazing thing if the risks are sufficiently great. And thus, we return for my fourth blog on the Labour leadership election, if you can call it that.

I am certain that Labour has breached the Data Protection Act in a variety of different ways, and yet all of it could have been avoided had they done a PIA. Here are some of the possible breaches:

  • Labour did not inform those registering as supporters that their data would be obtained from a variety of formal and informal sources, and their social media accounts would be searched. This is particularly true for information like canvass data, which was obtained for a separate purpose. This is a breach of principle 1, which requires data subjects to be informed how their data will be used. This could easily have been prevented by developing a clear set of criteria in advance and explaining this and the vetting process when supporters signed up.
  • Labour did not obtain Twitter names and other social media information from supporters, so the data obtained was not adequate for the purpose – this in turn is likely to lead to data being inaccurate. This is a breach of principles 3 and 4. This could have been prevented by realising that a vetting process would be required, and would need to be robust and fair, requiring more than the sparse details that were actually requested.
  • Registered supporters cannot appeal their decision properly, which means that data is not being processed fairly (principle 1), or adequately (principle 3). As above, clear criteria would have allowed such appeals.
  • Data is being obtained and shared from a wide variety of sources, and shared across different locations. Harriet Harman has said that vetting is going on in constituencies as well as Labour’s offices in Newcastle. Unless the data (which is sensitive personal data about political beliefs) is shared and stored securely, Labour will have breached the 7th principle, which requires appropriate technical and organisational security measures.
  • Data Protection requires an organisation to justify its use of personal data from a list of conditions set out in the Act. The only two possible conditions for the vetting are consent and legitimate interests. Consent must be freely given, specific and informed – supporters cannot be assumed to have consented to a process that they were not told about. There is no such thing as ‘implied’ or ‘assumed’ consent. An organisation can infer consent from a person’s actions – tell me that you want to do a blood test and I willingly offer you my arm, you can reasonably infer that I am consenting to the test. But by taking my £3 and offering me a vote, you cannot pretend that I have consented to a bargain-bin witch-hunt that you didn’t mention. What remains for Labour is the legitimate interests condition, which only applies when there is no unwarranted harm to the rights of the data subject. They could have relied on that, but only with a proper process. Without a right of appeal, based on hearsay and Tweets possibly taken out of context, done in a rush, and with no clarity about the criteria or even the people doing it, this condition is not made out. I do not believe that the party has a legal basis to do what it is doing because of the way it is doing it.

An election is not just an important political process; it is a massive exercise in the processing of personal data, and Data Protection applies to it. There is no exemption, and for a party election no legal obligation to allow Labour to skate around the tricky bits. Equally, a vetting exercise is not just a necessary step to deny Matthew Parris’s Llamas a vote – it is another massive instance of processing that requires a sensitive and intelligent approach. I suspect Labour has panicked and made the process up as it went along (no doubt partially in a doomed attempt to prevent a Corbyn win), and in the process breached most of the DP principles.

Supporters should have been told exactly who would be excluded and why. Labour should have asked for enough data to be certain that they were looking at the right people. The process for vetting should have been open, transparent, consistent and with a right of appeal. PIAs are evolving, living processes, so when all of these problems started to surface, Labour should have reacted, either by dropping the vetting altogether because they couldn’t do it legally at this stage, or perhaps pausing or extending the election to allow something more watertight to go ahead.

But here we have the second and third problems with PIAs. Politicians and political people are peculiarly incapable of thinking that things might go wrong. Everything has to be presented as wonderful, inspirational, positive. Even if the risks had occurred to them, I suspect Labour’s leaders would have been unwilling to present the kind of strict rules that a compliant process would have required. They wanted to welcome people, to have a summer of vibrant inclusive debate. We all know what the British summer is like: stormy and disappointing. They should have anticipated these storms and brought an umbrella. They went out in shorts.

My experience of all political parties is that they are incapable of complying with Data Protection and Privacy law: I’ve already written about the rampant direct marketing breaches, and I’ve heard about worse. It’s pointless to expect them to do it any differently. Instead, let this rolling disaster be a lesson to others, for any organisation trying something new. Think about what you’re doing, and how you want to achieve it. Think about what might go wrong. Put measures in place to manage the risks. Whoever wins this election will inherit a smouldering mess; how much better would it have been not to set it on fire in the first place?

The Purge

Throughout the campaign for the Labour leadership, various people applying to be registered supporters have had their applications rejected. The list is varied, from the film director Ken Loach and the comedian Mark Steel, through to the human equivalent of genital herpes, Toby Young. Those registering to be supporters must agree that they support the aims and ideals of the Labour Party: Loach and Steel have explicitly and recently advocated voting for other parties, while Young is a high-profile Conservative. I’m not going to lose any sleep, frankly. However, in the past couple of days, a substantial number of less well-known people have received similar missives – some were recently candidates for other parties so Labour’s ban may have some merit. But others are just ordinary people on the left. Some of them are critics of austerity, some may have said that they are voting for the Greens or the Trades Union and Socialist Coalition, or just slagged off the Labour leadership online. I think Tony Blair is a war criminal and have said so often, so I still wonder if my vote yesterday counts. Is that acceptable for Labour High Command in the current climate?

The Data Protection problem for Labour is that when we signed up to be registered supporters, there was no clear fair processing information explaining that we would be vetted or how this would be done. Some form of vetting has clearly happened – I’ve even seen copies of emails and Facebook posts that suggest a full-on witch-hunt for anyone who isn’t an uncritical supporter of the party. I’m not sure whether these are real, but there are a lot of them.

As I have previously written, Labour does not need consent to look at websites and Twitter accounts. Even though the stuff on Twitter is sensitive personal data as it relates to political opinions, Data Protection allows for sensitive data to be used if it has been put into the public domain by the data subject. Furthermore, I agree that Labour has a legitimate interest in preventing full-on Tories from voting. This means that they can rely on the ‘legitimate interest’ justification to use personal data. However, they are required not to cause unwarranted prejudice to the rights and freedoms of data subjects when doing so. This is all part of the first Data Protection principle. I believe that legitimate interest requires the vetting process to be carried out objectively and accurately. Without some form of appeal, I think the rights and freedoms of the data subjects have been prejudiced.

More fundamentally, Labour must also process data fairly. The blurb for registered supporters was thin, so as someone who signed up, I have no idea what process was gone through. Even if you are one of those (wrong) people who thinks that trawling Twitter doesn’t engage Data Protection, receiving and acting on tip-offs and reports isn’t just disturbingly McCarthyite, it would be a breach of the Data Protection Act unless registered supporters were told. There are in fact a host of potential problems (accuracy, relevance, security), but the fairness one is enough because it is insurmountable. We should have been told – we weren’t.

Even if you think such a process would be legitimate, there is no exemption from the Data Protection Act, nothing that allows Labour to do these things secretly. The exemptions in Data Protection cover legal proceedings, criminal investigations, cases referred to regulators – situations where handling personal data secretly can be justified. None of the exemptions applies to the kind of process currently at work in the Labour Party. The foundation stone of Data Protection is fairness and transparency – letting people know how their data is used, so that they can ensure it is used properly. Not for the first time, the Labour Party is acting secretively, and so I have no faith in the vetting process. I suspect it breaches the first Data Protection principle.

Data Protection gives every person a right of subject access, a right to request copies of their personal data held by any organisation. In this case, the data on which the decision was made to ban a person from voting in the leadership election will undoubtedly be personal data. Admittedly, Labour could claim that no data was recorded, but this would reveal that process to be slapdash in the extreme.

Therefore, my advice to anyone rejected by the Labour Party is as follows: make a subject access request. Find out what it was that made Labour reject you, and then publicise that. Expose this process, and dig it over. Labour did not want this to be a transparent process, but they cannot stop you from finding out what happened in your case.

To make a subject access request, you need three things:

  1. A written request, setting out your name, address and the email address you registered with as a supporter
  2. Proof of your ID. Send a copy of a passport or driving licence and ask them to destroy it when they have validated your request. They can refuse to deal with your request without proof of ID, so don’t give them the opportunity to delay by asking for it
  3. A cheque for £10. Having already lost the £3 supporter fee, this will be annoying, but I doubt Labour will accept a subject access request without the statutory fee, and they can refuse to process the request without it. If you want to know what happened (or find out that it was a flawed process), you will have to sacrifice the tenner. If they are feeling generous, they won’t cash the cheque. The Information Commissioner cannot order them to waive the fee, so don’t waste your time asking them.

You may well want to send this by recorded or registered post, which ratchets up your costs even more. If you are throwing your hands up in despair at spending another £12, I’m sorry. I didn’t say you would like my advice. Explain clearly and simply that you want all of the personal data held about you as a registered supporter, including any and all information that was used to ban you from voting. You are entitled to a permanent copy of the data. It is unlikely they will tell you the names of those involved in the decision, but the reasons you have been banned must be made available. It doesn’t matter if hundreds of Labour supporters make a subject access request at once – there is no provision to refuse vexatious requests, and the Information Commissioner’s Code of Practice on Subject Access makes clear to organisations that they must be prepared to respond to peaks in demand.

Subject Access is an imperfect tool: organisations sometimes don’t record the information you expect them to. But Labour took their supporters’ money and then denied many of them a vote. Either they have to account for these decisions, or admit that they have not done so fairly. Those calling for the election to be halted to avoid a Corbyn victory should be full-throated in their demands that the banned should either get a proper explanation as required by Data Protection, or the vote should instead be halted until a proper process is undergone.

The address Labour publish to contact their Data Protection Officer is

Compliance Unit, Labour Party, One Brewer’s Green, London, SW1H 0RH

If you go for it, good luck. Drop me a line and let me know how you get on.