Would you trust an MP with your data? [DPA Compliance]

[Image: a photograph of the Houses of Parliament with cartoon speech bubbles saying "you stole my data" and "no I didn't", illustrating DPA non-compliance in Parliament]

This week’s missive contains, as Ben Elton used to say, “a little bit of politics…”

It seems you can’t get away from the deluge of political commentary at present, and we apologise if we appear to be adding to the general maelstrom of opinion. That’s not our intention; it’s just that a current political story happens to highlight a relevant data protection issue worthy of further discussion.

Ben Elton – likes a little bit of politics

At the time of writing, there is an accusation from The Labour Party that one of its former MPs accessed its membership databases and campaign-related systems. As they were (possibly) no longer serving as an MP under Labour auspices, the access is being deemed unauthorised. It’s going to be very interesting watching this story unfold; if they did gain unauthorised access, it should be big news. What this has done, though, is throw up some nice and juicy Data Protection Act 2018 compliance points.

Firstly, The Labour Party is, in this case, the ‘Data Controller’. DPA compliance means that they need documented policies and procedures in place to prohibit unauthorised access to data subjects’ information held on their systems. This should include the immediate revoking of ex-employee system privileges, normally detailed within, and actioned via, a clear and concise employee exit procedure. If this wasn’t in place, or has been shown to fail in some way, then this is a breach that needs to be referred to the ICO within 72 hours of discovery.

Don’t mess with the ICO or they’ll send round the heavies

Secondly, if it does transpire that the MP, or indeed anyone else, accessed Labour databases in an unauthorised fashion, then they could well be facing a criminal charge. Wishy-washy protestations such as “it was all a bit confusing” or “sorry, I accidentally downloaded a load of personal data, including some special category data” really shouldn’t cut it. When you think about it, it’s not that different from, let’s say, a recruitment consultant who steals the candidate database from his old firm to take to his new one. Or indeed the car industry worker who sold customer data to phone scammers, resulting in a six-month prison sentence, demonstrating that the ICO will step outside the borders of DPA legislation and use, in this case, the Computer Misuse Act to secure a prosecution.

Of course, in the spirit of balance, we should make it clear that this isn’t something that only Labour or ex-Labour folk are susceptible to. For example, who can forget Nadine Dorries happily announcing that she shared her user credentials with all and sundry? And anyone who criticised her was just, according to Ms Dorries, “computer nerdy types”.

What we’ve talked about applies to all of us: if your company stores, processes or transmits personal data, then the law applies to you as much as it does to The Labour Party, The Tory Party or even Abigail’s Party.

OK, not Abigail’s Party.

Risk Crew