The Labour Party has sent out a reminder about its GDPR obligations after warning that unauthorized users have been trying to access personal data on its systems.
In an email to MPs subsequently leaked on Twitter, general secretary Jennie Formby reminded recipients that “data within Contact Creator and other systems used for election or other campaigning work, may only be accessed by individuals who are authorized to access it, and may be used only for purposes authorized by the party as data controller.”
The email was sent in the same week as eight Labour MPs left the party over its Brexit stance and alleged antisemitism to start their own centrist “Independent Group.”
Some reports claimed that one of these MPs, Enfield North’s Joan Ryan, has already been reported by the party to the Information Commissioner’s Office (ICO) and that its campaigning tools Contact Creator and Organise were shut down on Wednesday while it investigated.
However, Ryan denied any claims that she or her team had accessed Labour party data since resigning the whip and party membership. It has been suggested that the party may be deliberately seeking to discredit its former MPs.
Joseph Carson, chief security scientist at Thycotic, argued that if any former Labour MPs did in fact get access to party data, the blame also falls on the data controller.
“When roles change, such as the situation in which members of the UK Labour party leave, they immediately should no longer have access to the sensitive data of citizens without proper consent,” he said.
“This means that the UK Labour party failed to control access and apply the principle of least privilege in this incident which leaves them jointly liable for this data breach. It is clear that while a high priority, when it relates to controlling access to both privileged accounts and privileged data, most are still failing to implement and put important access controls in place.”