Cyber Incident Frequently Asked Questions
On 3 November 2021, the Labour Party gave notification that a third party who handles data on our behalf had been subject to a cyber incident.
This page sets out answers to frequently asked questions regarding the incident and how the Labour Party processes personal data.
What happened and how did the Labour Party respond?
On 29 October 2021, we were informed of the cyber incident by the third party. The third party told us that the incident had resulted in a significant quantity of Labour Party data being rendered inaccessible on their systems. As soon as the Labour Party was notified of these matters, we engaged third-party experts and the incident was immediately reported to the relevant authorities, including the National Crime Agency (NCA), National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO). The Labour Party worked closely with the relevant law enforcement authorities and the ICO in response to the incident. The ICO has since closed its investigation into this matter.
What personal data is held by the Labour Party?
The Labour Party processes a range of personal data in order to support our key functions as a membership organisation and to further our democratic engagement with voters. That personal data includes:
· contact, financial and eligibility information to allow us to process membership applications and to service the contract we have with our existing members and enforce the Labour Party’s rules;
· information from the electoral register to which the Labour Party has a legal entitlement;
· information about the political views of voters provided to Labour Party representatives on the doorstep, by telephone or in response to survey questions;
· contact information for supporters and donors in order that we can communicate with them about events, Labour Party activities and other opportunities to get involved; and
· information that is either publicly or commercially available, such as census information and election results.
More information about the personal data the Labour Party holds and processes is available in our privacy policy: https://labour.org.uk/privacy/.
How long does the Labour Party retain data for?
In relation to the retention of your personal data, please be assured that apart from specific circumstances, personal data is not retained for longer than six years after the data was collected. Where the Labour Party does retain personal data on Labour Party systems beyond this period, this will only occur when there is a genuine and valid reason for doing so, namely:
· to the extent that we are required to do so by law;
· if we believe that the information may be relevant to any ongoing or prospective legal proceedings;
· in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk);
· to apply and uphold the Party’s membership rules and procedures; and
· to support the ongoing operational purposes of the Labour Party as a membership and campaigning organisation, with due consideration for an individual’s privacy rights and freedoms.
In circumstances where someone is no longer a member or supporter of the Labour Party, we restrict the processing of this information in such a way as to ensure that the Labour Party does not contact them again unless authorised by law, which may include one piece of addressed mailing during a General Election and unaddressed communications such as leaflets promoting Labour Party work which do not include personal data.
For more information on how we currently use your personal data and retention timescales for processing this data, please refer to our privacy policy which can be found here: https://labour.org.uk/privacy/.
What third party was affected by the breach?
The third party affected by the breach was a supplier called Tangent.
What data was affected by the breach?
We now understand that the only personal data that may have been affected is the names of individuals who were members in 2014. Therefore, if you were not a member at that time, we do not believe that any of your personal data was affected.
What agreement was in place with the third party affected by the breach?
Appropriate agreements were in place with the third party.
When and what data was shared, and with whom?
In accordance with our privacy policy, the Labour Party may disclose personal data to any of our employees, officers, insurers, professional advisers, agents, suppliers or subcontractors insofar as is reasonably necessary for the purposes set out in that policy. Summary information about the personal data shared with the supplier (Tangent) was provided in the original notification.
Why was there a delay in informing data subjects?
The Labour Party promptly notified all potentially affected data subjects following preliminary investigations and extensive engagement with the relevant law enforcement authorities and ICO. We now believe that it is only those individuals who were members in 2014 who may have been affected by this incident.
What measures were put in place to protect my data?
The Labour Party is committed to processing and retaining data within established technological and physical controls in a transparent manner, as well as promoting and safeguarding the information rights of data subjects.
The Labour Party has established procedures to ensure that technological and physical controls are in place that guarantee the privacy of data subjects, the security of data held on technological systems and that all data held by the Labour Party is processed according to an established lawful processing condition. Any such procedures will be reviewed as necessary and updated to ensure their effectiveness in line with advances in technology.
The Labour Party’s own data systems were unaffected by this incident.
Was any financial data affected?
We now understand that the only personal data that may have been affected is the names of individuals who were members in 2014. Accordingly, we understand no financial data was compromised by this cyber incident.
How did you get my data if I’m not a member of the Labour Party?
The Labour Party acquires personal data from a range of sources, including the following:
· the full electoral register to which the Labour Party has a legal entitlement;
· commercially available data from suppliers that have provided appropriate privacy information regarding data being shared with the Labour Party;
· publicly available information from sources such as the census; and
· information provided directly by you, for example in response to a survey or following a conversation with a Labour Party representative on the doorstep or by telephone.
More information about the sources of personal data the Labour Party processes is available in our privacy policy: https://labour.org.uk/privacy/.
Page updated 26 January 2023
For more information
If you have any questions or queries in relation to this incident, please direct them to [email protected]. We will also provide updates on our website in respect of this incident in line with guidance received from relevant law enforcement authorities.