Lib Dems come clean to ICO over breach of voter data

The Liberal Democrats are believed to be the first political party to report themselves to the Information Commissioner’s Office since GDPR came into force just over a fortnight ago, after a privacy cock-up exposed the personal information of thousands of voters.
The data, which includes dates of birth, mobile and home telephone numbers, was provided to party activists, alongside a phone script, in the run-up to this week’s Lewisham East by-election, where is aiming to overturn a 21,123 Labour majority.
The information should have been secured behind a password-protected login page and accessible only by registered Lib Dem activists. But the direct link was shared on a Facebook page used to co-ordinate the party’s campaigning activities, meaning anyone with the link could access the data without verifying their identity.
A spokeswoman for the party confirmed to the PoliticsHome website that the Lib Dems had alterted the ICO to the blunder, although the regulator has yet to decide whether to launch a formal investigation.
“We have been made aware of this incident through a self-reported personal data breach notification”, an ICO spokesperson said. “We are assessing the information provided and considering next steps.”
Information gathered through the party’s canvassing operations was also made available through the site open to anyone who had the correct link.
Voters were identified by tags indicating their political leanings, such as “Yellow Labour” and “Weak Lib Dem”. In some cases, the information was available for entire families.
The Lib Dems said: “As soon as we were made aware of the issue we immediately took action and closed access. We are urgently investigating how this happened and have taken steps to ensure it will not again.”
Under GDPR, organisations must notify the ICO within 72 hours of becoming aware of serious personal data breaches.

Share with friends and colleagues

Related Articles