Information Governance Policy
The Data Controller and their responsibilities
The Data Protection Officer and their responsibilities
Labour Party Data – an overview
Labour Party data and the lawful conditions of processing
Data Processing at National Level units of the Labour Party
Data Processing at Local Level units of the Labour Party
Data Subject Rights
The need to maintain an Information Asset Register
The Labour Party’s commitment to implementing Privacy by Design
The Labour Party and Data Breaches
1.1 The Labour Party collects, processes and retains data for use in political campaigning and associated activities. The Labour Party also retains and processes data that is necessary for the administration of its own internal governance and membership systems. The Labour Party takes its responsibilities around Data Protection seriously, and as such is committed to implementing and maintaining an effective Information Governance framework that is operational at all levels of the organisation.
1.2 When handling personal data the Labour Party is obliged to ensure that the following principles are met:
- that we process data lawfully, fairly and in a transparent manner in relation to individuals;
- that we ensure that data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- that data held by the Labour Party is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- that any data held by the Labour Party is accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- that such data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- that we ensure that data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
1.3 The purpose of this policy is to provide clear guidance to all levels of the organisation to ensure compliance with these obligations. It also makes clear the responsibilities of the Data Controller under the Data Protection Act 2018, the General Data Protection Regulation and any associated legislation.
1.4 This document also sets out a series of policy principles which are designed to underpin procedures and controls that create and maintain a robust Information Governance System.
2.1 The Registered Data Controller for the Labour Party is the Director of the Governance and Legal Unit. The Data Controller is legally responsible for determining the purposes for which, and the manner in which, any personal data are, or are to be, processed.
2.2 The Data Controller must ensure that adequate physical, policy-based and technological internal controls are in place to ensure organisational compliance with data protection legislation. The Data Controller must also ensure that all data processing is based on an established lawful processing condition.
2.3 In addition, the Labour Party must have provision in place to ensure that the relevant registration fee is paid promptly and that the Information Commissioner’s Office is informed of any change in Data Controller in a timely manner.
2.4 Each CLP or LCF must also register with the Information Commissioner’s Office (ICO) and ensure it has renewed its annual notification with the Information Commissioner as a ‘data’. CLPs do not need to notify the ICO to use the data provided nationally in MembersCentre or Contact.Creator (as the national Data Controller is responsible for this), but the vast majority of CLPs will need to notify if the CLP:
- processes any other computerised data on members, or processes data on electors (e.g. in locally held mailing lists);
- makes use of its entitlement to a free copy of the electronic version of the full electoral register; or
- holds any relevant manual filing systems that are structured either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.
2.5 Those holding public office are not included under the national Data Controller’s registration for any data they collect and process by virtue of the activities associated with their office. Therefore all public office holders shall be responsible for their own ICO registration.
The Data Protection Officer and their responsibilities
3.1 Because the Labour Party processes special category data the Labour Party must appoint a Data Protection Officer in addition to appointing a Data Controller.
3.2 The Labour Party must officially designate a Data Protection Officer (DPO) from amongst staff to fulfil the statutory duties associated with this role. In appointing the Data Protection Officer, the Labour Party must ensure that the prospective DPO is sufficiently independent from any processing activities to ensure that there are no conflicts of interest.
3.3 The DPO will be responsible for the monitoring of organisational compliance with data protection legislation. In addition the DPO will be available to inform and advise the Data Controller on matters relating to data protection, legislative compliance around the holding and processing of data and promote awareness of good information governance practices.
3.4 The DPO will exercise these responsibilities through access to adequate resources provided by the Data Controller and by having direct communicative access to Labour Party senior management. The DPO will act as the main point of contact for the Labour Party with the ICO and assist the ICO in their work with the Labour Party.
4.1 The Labour Party processes personal, sensitive data as well as special category data. The Labour Party is committed to processing and retaining data within established technological and physical controls in a transparent manner, as well as promoting and safeguarding the information rights of data subjects.
4.2 The Labour Party will have established procedures to ensure that technological and physical controls are in place that guarantee the privacy of data subjects and the security of data held on technological systems, and that all data held by the Labour Party is processed according to an established lawful processing condition. Any such procedures will be reviewed as necessary and updated to ensure their effectiveness in line with advances in technology.
5.1 Where the Labour Party processes political opinion data
5.1.2 During the course of its electoral activities, the Labour Party may compile personal data on people’s political opinions by virtue of it being a political party.
5.1.3 When compiling political opinion data, the Labour Party will be transparent with Data Subjects as to the intended purposes of collection and inform them of any relevant privacy information.
5.1.4 When processing this data, the Labour Party will do so because it is within the public interest and will ensure that any processing of such data is within lawfully established safeguards.
5.2 Where Consent is the lawful condition of processing
5.2.1 Where data is held by virtue of consent, the Labour Party must be able to demonstrate the date at which consent was given and the consent model used at the time of collecting the data.
5.2.2 When collecting data where it is intended that consent will be the only lawful condition of processing, the consent model used must be compliant with the standard as set by the General Data Protection Regulation.
5.3 Where Legitimate Interest is the lawful condition of processing
5.3.1 Where data is processed under a legitimate interest condition, the Labour Party’s Data Controller will be able to demonstrate that the processing of such data is necessary for the performance of tasks that are genuinely in the interests of the Labour Party.
5.3.2 When assessing the extent of the Labour Party’s legitimate interest, the Data Controller must show that they have balanced the Labour Party’s own interests against the interests, rights and freedoms of the data subjects concerned and be able to demonstrate that it is reasonable to suggest that data subjects would expect their data to be processed in such a way. The Data Controller must be able to evidence that these factors have been considered by completing a Legitimate Interest Assessment for each legitimate interest case.
5.3.3 The Labour Party will maintain a Legitimate Interests Assessment Register, in which the Labour Party will formally record the results of the balancing assessments for each processing activity or data set where legitimate interest is the processing condition. The Labour Party will also include reference to its legitimate interests in its privacy statement.
5.4 The processing of Membership data
5.4.1 Where the Labour Party processes and holds data because doing so is necessary for the performance of a contract to which the member is party, the Labour Party maintains the right to continue to process such data where there is contractual interest in doing so.
5.4.2 Furthermore, where the Labour Party processes the data of Labour Party members it does so because such processing is carried out in the course of its legitimate activities and is in its interest as a political party and membership organisation.
6.1 All members of staff must ensure that when collecting, processing and retaining data they do so according to the provisions laid out in this policy, any associated policies and procedures and any instructions given by the Data Controller.
6.2 All data assets will have a recorded Information Asset Owner who will be responsible for day-to-day compliance with this policy and legislative requirements for associated processing activities. Data Protection training must be included in the induction of all new staff.
6.3 In addition, staff must undergo refresher training in data protection every two years to ensure that there is a culture of awareness and responsibility around the use of data throughout all sections of the organisation.
7.1 Executive officers of all local Labour Party units must promote good information governance practices within their unit.
7.2 Secretaries of any sub-unit of the Labour Party should act as the Data Protection champion for their unit and be the main point of contact with the National Data Controller on Data Protection issues.
7.3 Executive Committee members and all members who process information at a local level must ensure that they undertake any training offered by the Labour Party on data protection best practice.
7.4 When handling and using data, all members must do so according to any instruction or guidance document issued by the national Data Controller and in line with the CLP Data Protection Code of conduct.
7.5 Any members of the Labour Party when collecting, processing and retaining data should do so according to the provisions laid out in this policy, any associated policies and procedures and any instructions given by the Data Controller.
8.1 Data must only be used for purposes which correspond with the associated lawful processing condition for that data.
8.2 Data sharing must not occur unless there is a legal obligation or sound lawful purpose for such sharing. The justification for any intended sharing of data must be assessed by the Data Controller and Data Protection Officer. This assessment must take into account any relevant consent models or processing conditions associated with the data and any intended sharing must be compliant with the organisation’s privacy statement.
8.3 Where the Data Controller has deemed that there is a lawful basis for the sharing of data, a data sharing agreement must be put in place between the Labour Party and the third party organisation.
8.4 In all circumstances the unlawful and unauthorised sharing of Labour Party data is expressly prohibited. Any unauthorised sharing of Labour Party data will be classified as a data breach and be reported to the ICO according to the provisions around Data breach reporting detailed in this policy.
9.1 The Labour Party shall have a Records Management Policy which shall detail the Data Controller’s instructions around retention of data. The Records Management Policy will set out the justification for the continued processing of data and will be closely aligned to the Labour Party activities in maintaining the IAR.
9.2 The Labour Party must maintain accurate data retention schedules for all datasets under the control of the Labour Party’s Data Controller.
10.1 The right to be informed
10.1.1 Data subjects have the right to be informed about how the Labour Party collects and uses their personal data.
10.1.2 Upon request, the Labour Party will provide Data Subjects with relevant privacy information including:
- the purposes for which the Labour Party is processing their personal data,
- the Labour Party retention periods for their personal data, and any instances where their data is actively shared.
10.1.3 The Labour Party will provide privacy information to data subjects at any point where the Labour Party seeks to capture personal data.
10.1.4 The Labour Party will ensure that privacy information is placed on an easily accessible page on the Labour Party website to ensure that all data subjects can reasonably be informed of the organisation’s activities in this regard.
10.1.5 The Labour Party will ensure that any privacy information it issues will be concise, transparent, intelligible, easily accessible, and that it is communicated in clear and plain language.
10.1.6 The Data Controller, in collaboration with the Data Protection Officer, will regularly review, and where necessary update, the Labour Party privacy information.
10.2 The right of access
10.2.1 Data subjects may request confirmation that their data is being processed as well as access to their personal data (commonly referred to as requesting an SAR) by being provided with copies of information that relates to them.
10.2.2 The Labour Party will also, on request, provide other supplementary information to the data subject regarding how the Labour Party is processing information – this largely corresponds to the information provided by the Labour Party’s privacy notice.
10.2.3 Where the Labour Party receives a Data Subject access request, the Data Controller will provide the Data Subject with any relevant information no later than 30 days after the request has been received, unless there is cause to extend this period by virtue of another section of this policy.
10.2.4 Any Data Subject Access request where the Data Subject is or has been involved in a contentious issue (such as a selection appeal, disciplinary investigation or where the Data Subject is contemplating or actively involved in litigation against the Labour Party) will be classified as a complex request. This is due to the likelihood that a data subject’s information may also contain information relating to third parties, information where release would affect the vital interests of a third party or information that would fall under the doctrine of legal professional privilege.
10.2.5 Where a request is deemed to be complex, the time for complying with the request may be extended by up to two months as necessary. The Labour Party will inform the data subject of this extension within one month of receiving the request and will endeavour to provide the Data Subject with a full response without undue delay.
10.2.6 The Labour Party considers blanket requests and/or where a response contains more than the average number of discrete data for similar SARs to be excessive. As such the Labour Party will charge a reasonable fee for complying with such requests.
10.2.7 The reasonable fee for such processing will be set according to ICO advice or be limited by ministerial order.
10.2.8 Where the decision is made to charge a reasonable fee for processing a request, the data subject must be informed of the total cost of processing their request before any processing begins, as well as the reasoning behind the decision to apply the fee provision. The data subject will receive this information within 30 days of their request. In addition, the data subject should also be given the opportunity to clarify or further refine their request, in order to either reduce the fee or remove the need to charge a fee by reducing the number of discrete data to the average or below.
10.2.9 It is envisaged that some requests will be classified as both excessive and complex and in such circumstances the Labour Party will inform the Data Subject without undue delay and no later than one month from receiving the request of this assessment, alongside any relevant advice normally given in response to these classifications.
10.2.10 Where the request is repetitive (in that there has been more than one request from the same Data Subject within a 6 month period and there has been no significant change in the volume of data or manner of processing of the data subject’s data) the Labour Party will not comply with the request. In such circumstances the Labour Party will inform the data subject that their request is repetitive and will outline the reasoning as to why their request has been classified as such.
10.2.11 In exceptional circumstances, the Labour Party may choose not to comply with a request. Where this is the case, the Data Controller must consider the rights of the data subject in accessing their own data against any factors that would result in withholding data. The Data Controller should do so only after seeking legal advice on the matter. Once a decision has been made, this should be communicated to the Data Subject as soon as is practicable, alongside the justification for refusal and the right of the data subject to seek judicial remedy.
10.2.12 Where providing information or copies of documents to a data subject would negatively affect the rights and freedoms of a third party, the Labour Party may wholly or partly restrict the provision of such information to the Data subject. In so doing, the Labour Party will balance the data subject’s rights of access to their own information with the rights of the third parties concerned. Any such reasoning will be recorded by the Labour Party’s Data Controller. On the completion of their request, the data subject will be informed as to the reasons behind any such restriction, the nature of the data that has been restricted, their right to complain to the Information Commissioner’s Office and their right to apply to a Court for its release.
10.2.13 Any supply of information referencing a Data Subject which is subject to legal professional privilege will also be restricted and the Data Subject similarly informed.
10.3 Right of Erasure and restrictions on processing
10.3.1 Data subjects can request the deletion or removal of any personal data held by the Labour Party where there is no compelling reason or lawful processing condition for its continued processing or retention.
10.3.2 Data Subjects may also request that restrictions are put in place on any form of processing of their data by the organisation at any level of the Labour Party. The Labour Party will continue to hold and process personal data to which it is legally entitled by virtue of other legislation (such as information derived from the Electoral Register) or for which there is another lawful right to continue its processing (such as information relating to an individual’s previous or continued Labour Party membership or information).
10.3.3 In order to make a deletion or restriction request, the Data subject must contact the Labour Party’s Data Controller, define what data they wish to be deleted or describe the processing they wish to restrict.
10.3.4 The Labour Party will confirm receipt of the request and comply without undue delay and no later than one month from receipt of the request. If needed, the Data Controller may seek further clarification from the Data Subject if the request is not sufficiently clear.
10.3.5 The Data Controller will inform the data subject of the completion of their request and detail the degree to which the Labour Party has complied with the request.
10.3.6 Should such a request be partially applied (due to there being a lawful condition for data’s continued processing or retention), the Data Controller will explain what data has been retained, remains unrestricted or continues to be processed and the legal basis for such continued processing or retention. The data subject will also be informed of their right to seek judicial remedy in such circumstances.
10.3.7 Where the data is held and processed by virtue of the Data Subject’s consent, the Data subject can withdraw their consent and either request the deletion of this data or place a restriction on its continued processing.
10.4 Right to Correction
10.4.1 Data Subjects may request the correction of any of their data which they believe is held incorrectly by the Labour Party.
10.4.2 In exercising this right, the Data Subject must provide evidence of the correct information to the satisfaction of the Data Controller. Once the veracity of the request has been established, the Data Controller must ensure that the data has been corrected at all levels of the Labour Party within one month of receiving the request.
10.4.3 On completion of the request, the data subject must be informed.
10.5 Verification and information rights requests
10.5.1 Before processing any form of information rights request, the Data Controller must verify the identity of the data subject making the request and the veracity of any information supplied to the Data Controller as part of that request.
10.5.2 Data subjects must provide such information as the Data Controller requires to confirm the Data Subject’s identity or to evidence information that is supplied as part of a request.
11.1 The Data Controller will maintain an accurate Information Asset Register (IAR) of all information assets under Labour Party control.
11.2 The Information Asset Register will detail all processing tasks associated with each Information Asset, the lawful processing conditions associated with each data set, the Information Asset Owner of each dataset and, if relevant, links to related Data Protection Impact Assessments.
11.3 The Information Asset Register will therefore serve as the Labour Party’s Processing Register.
11.4 Where any new technology is procured, any new processing activity is considered or any substantial change is made to any existing processing or systems, the Data Protection Officer must be consulted. The Data Protection Officer may then require a Data Protection Impact Assessment to be conducted in order to identify and mitigate any new associated risks.
11.5 Where a DPIA identifies a high risk to Data Subjects’ rights, and the Labour Party cannot take any measures to reduce that risk, the Data Controller must consult the ICO. The Labour Party will not proceed with any associated processing until the ICO has responded and any resulting or required action has been taken by the organisation.
11.6 All Data Protection Impact Assessments will be annually reviewed for existing technological systems and processing activities as part of a wider Annual Information Governance Review programme.
12.1 Privacy by design and New or Amended Processing Activities
12.1.1 When an Information Asset Owner is considering a change in any of their associated processing tasks detailed in the Information Asset Register, or is considering designing and implementing a new data processing activity, they must first contact the Data Protection Officer to discuss the intended purpose of the processing activities.
12.1.2 Where the amended or new process has a substantial effect on data subjects, the Data Protection Officer will require the Information Asset Owner to complete a Data Protection Impact Assessment.
12.1.3 Where a Data Protection Impact Assessment has been conducted and any identified risks cannot be mitigated, such that a data subject’s rights and freedoms would continue to be affected, the Information Asset Owner will refrain from implementing the processing in question.
12.2 Privacy by design and Procurement of new technologies or contracting with data processors
12.2.1 Data Protection standards must be embedded in the contract tendering processes where new technologies are procured or where a contractor is engaged to process Labour Party Data.
12.2.2 When contracting with third parties to provide new technological systems to the Labour Party, the Data Protection Officer must be informed and a Data Protection Impact Assessment completed under the supervision of the IT Programme Board.
12.2.3 Where a contract requires a third party to process Labour Party data, the rights and responsibilities over the data of both the Labour Party’s Data Controller and the third party as a Data Processor must be outlined as an SLA model. This should be as part of a warranty under the commercial contract or by virtue of a separate data processing agreement that is collateral to the commercial contract.
12.2.4 The Head of Procurement in conjunction with the Information Asset Owner must ensure the ongoing compliance of third party processors with the data protection provisions stipulated within such contractual agreements. Both officers must be able to demonstrate that due diligence has been exercised both during the procurement process as well as throughout the term of the contract.
12.2.5 The DPO will work with the Head of Procurement as part of the Annual Governance review programme in order to seek assurance that third-party processors actively cooperate with the Labour Party in its due diligence activities around Data Protection.
13.1 Staff members, members of the Labour Party and members of the general public may report a data breach to the Data Protection Officer.
13.2 The Data Protection Officer must ensure that the breach reporting mechanism is widely publicised amongst staff, members of the party and the general public.
13.3 The Labour Party considers a data breach to be a breach of security which has led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. A data breach can be categorised in the following forms:
- “Confidentiality breach” – where there is an unauthorised or accidental disclosure of, or access to, personal data.
- “Integrity breach” – where there is an unauthorised or accidental alteration of personal data.
- “Availability breach” – where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
13.4 The Data Controller, on the advice of the Data Protection Officer, must assess if the potential breach is likely to result in a risk to the rights and freedoms of data subjects. If such a result is likely, the Data Protection Officer must report the potential breach to the Information Commissioner’s Office within 72 hours of the Data Controller being made aware of the breach.
13.5 Where a breach is deemed reportable, the Labour Party must provide the Information Commissioner’s Office with all the necessary details of the breach. However, a lack of detail should not delay the reporting of such breaches.
13.6 Where a breach has been reported to the Information Commissioner’s Office, the Data Protection Officer will take immediate steps with the Data Controller to minimise the breach’s impact or damage on the rights of the data subjects concerned. These actions will be recorded. Where there has been a serious breach (in that there is a high risk to a Data Subject) the Data Controller will contact the Data Subjects concerned informing them of, as a minimum:
- a description of the nature of the breach;
- the name and contact details of the data protection officer or other contact point;
- a description of the likely consequences of the breach; and
- a description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
13.7 The Data Controller, in collaboration with the Data Protection Officer, will assist the Information Commissioner’s Office in the exercise of its statutory powers concerning reportable data breaches and will consider any advice given by them around the management of the data breach.
13.8 Where the breach is not reportable, it should be classified as a ‘near miss breach’.
13.9 A log of all potential breaches, reportable as well as near misses, must be maintained by the Data Controller as well as a record of all actions and decisions made by the Data Controller or the Data Protection Officer.
13.10 The Labour Party will have a procedure in place to record, report and robustly investigate data breaches in accordance with this policy and any best practice as issued by the Information Commissioner’s Office.
13.11 The Data Protection Officer will investigate all breaches and provide a report to the Data Controller. This report will detail any data protection risks identified as part of the Data Protection Officer’s breach investigation work and make recommendations on any remedial work around the mitigation of these risks through internal controls.
13.12 If, during the course of their investigations, the Data Protection Officer uncovers further information that changes the nature of a near miss breach so that the breach becomes reportable, they must inform the Information Commissioner’s Office of the breach without
13.13 Where a data breach is the result of a cyberattack, the Labour Party’s Cyber Security Incident Plan will be implemented by the relevant IAO as the first act of risk mitigation and the DPO informed accordingly.