Labour Party could be fined up to £15m by the ICO after leadership contender is reported over alleged data breach
The Labour Party could be fined up to £15 million by the Information Commissioner's Office (ICO) after one of the contenders in the leadership race was accused of a breach of data protection laws.
The campaign of Sir Keir Starmer, widely regarded as the front-runner, was formally referred to the ICO by Labour Party general secretary Jennie Formby over claims that two members of his team wrongly used membership data, held by the party, in their campaign.
However, Starmer's campaign team dismissed the allegation as "nonsense". On Monday, the ICO told Sky News that it was "making enquiries" into the claims.
The formal referral by Formby will mean an investigation by the ICO, with the incident coming under the General Data Protection Regulation (GDPR), rather than the milder Data Protection Act 1998. Breaches of personal data under GDPR are subject to the highest tier of fines, which could hit the Party with a liability of up to €20 million (around £15m), rather than £500,000 - the previous maximum under the Data Protection Act.
It is not the first allegation of misuse of membership data in the current leadership race with Starmer's main rival, Rebecca Long-Bailey, also accused of exploiting a loophole in the same system to canvass Party members directly.
She blamed the Party for failing to restrict access to the organisation's membership database after the general election. "The accessibility of members' data stemmed from a failure to close Dialogue [the Party's membership system] at the end of the general election campaign," a campaign spokesperson said.
However, Long-Bailey's campaign was not reported to the ICO over the reports that it had shared links to Dialogue with volunteers campaigning on Long-Bailey's behalf. That also ran counter to the Party's own leadership election rules against leadership contenders canvassing Party members.
In under two years, GDPR has claimed fines of at least €114 million across the UK and EU, according to recent research - but that doesn't take into account the massive fines the ICO proposed last year for both British Airways (£183m) and Marriott Hotels (£99m).
See also: Why BA and Marriott were hit with massive GDPR fines - and how you can avoid one