How do we protect your personal data?
We implement appropriate technical, organisational and contractual security measures to protect the personal data we hold about you. This is to protect it from unauthorised disclosure, use, alteration or destruction. We will always keep these under review to make sure that the measures we have implemented remain appropriate.
Data protection risk assessments, often called Data Protection Impact Assessments (DPIAs), are conducted where we find there could be a high risk in how we propose to use your personal data. These are conducted at the point they can be most effective so we can design security protections into everything we do with any personal data, especially where we use people’s political opinion.
All Labour Party staff are required to attend or undertake data protection training at least once every two years and all new starters are required to attend a live data protection training session as part of their induction.
We have also created guides for best practice secure use of personal data for our local Labour groups and branch offices, and we provide online training modules for all Labour Members as a requirement for any use of personal data they may have.
We regularly run internal security exercises such as security penetration testing and phishing exercises, and each supplier we use must demonstrate proficiency in security measures and controls to us. We run ad hoc desk-based security scenarios with senior management and also attend security meetings and conferences to keep up to date with the latest technologies for security planning.
Labour maintains a set of data protection & information security policies and our technical security estate is continually improving with state-of-the-art technology for monitoring, threat detection and prevention purposes. Our technology stack underpins regular password updates and access control measures for our network and physical locations which require physical passes for all staff.
All sensitive information that is sent to us or needs to be printed is either scanned and held behind a firewall or placed into one of multiple onsite and secure shredding facilities. Where personal data is printed for campaign purposes this is physically held by a responsible individual who will mark this data against information people are discovering from conversations with you.
The responsible individual is briefed to only pass their campaign sheets to the most senior individual at the end of a campaign session who then scans or uploads the information via a secure portal before placing the paper into our secure destruction receptacles.
Our website has security measures in place to protect against the loss, misuse or alteration of the information under our control. Our servers are located in a locked, secure environment, with a guard posted 24 hours a day. When you donate online, we use a secure server to protect your credit card number and other personal information during transmission. The details are transmitted using encrypted mechanisms to ensure absolute security.
If you think your, or anyone else’s, personal data has been unlawfully disclosed or shared and may be part of a ‘data incident’ you can report this to us by completing a form which you can access by clicking here. The Data Protection Team review all data incident reports and will be able to pass this information on to the Data Protection Officer or the Director of Information Security & Technology.
Only the Data Protection Officer or a senior member of Labour’s Governance and Legal Unit can confirm if a data incident is a personal data breach. At such a time, Labour will take all necessary and immediate steps to mitigate the impact to you or anyone else whose data may have been breached.
Where there is a report of a data incident, especially where it becomes classified as a data breach, we are legally obliged to use your personal data for our investigation, analysis, recording, monitoring, reporting and any remedial actions we need to take.
The lawful bases we rely upon for this use of your personal data are UK GDPR Article 6.1(c) and Article 9.2(g), within an obligation to the Data Protection Act 2018 to respond to data incidents and breaches appropriately, and when any special category personal data is used it will be necessary for reasons of ‘substantial public interest’ including preventing or detecting unlawful acts; protecting the public; and other regulatory and legal requirements, respectively.