The Liberal Democrats are believed to be the first political party to report themselves to the Information Commissioner’s Office since GDPR came into force just over a fortnight ago, after a privacy cock-up exposed the personal information of thousands of voters.
The data, which includes dates of birth, mobile and home telephone numbers, was provided to party activists, alongside a phone script, in the run-up to this week’s Lewisham East by-election, where is aiming to overturn a 21,123 Labour majority.
The information should have been secured behind a password-protected login page and accessible only by registered Lib Dem activists. But the direct link was shared on a Facebook page used to co-ordinate the party’s campaigning activities, meaning anyone with the link could access the data without verifying their identity.
A spokeswoman for the party confirmed to the PoliticsHome website that the Lib Dems had alterted the ICO to the blunder, although the regulator has yet to decide whether to launch a formal investigation.
“We have been made aware of this incident through a self-reported personal data breach notification”, an ICO spokesperson said. “We are assessing the information provided and considering next steps.”
Information gathered through the party’s canvassing operations was also made available through the site open to anyone who had the correct link.
Voters were identified by tags indicating their political leanings, such as “Yellow Labour” and “Weak Lib Dem”. In some cases, the information was available for entire families.
The Lib Dems said: “As soon as we were made aware of the issue we immediately took action and closed access. We are urgently investigating how this happened and have taken steps to ensure it will not again.”
Under GDPR, organisations must notify the ICO within 72 hours of becoming aware of serious personal data breaches.
Even God’s disciples can’t escape the ICO or a huge fine
GDPR zero hour: Now the hard work begins say experts
Scammers access Virgin Media data for phishing attack
TalkTalk fined £100,000 over India call centre failings
25 million UK adults in the dark over theft of their data
Stephen Fry on alert as toffs’ data is stolen from club
Uber faces long arm of the law over 64m data breach
Finance firms face sustained attack on their data vaults
FCA launches investigation into Equifax breach farce
Millions of Instagram users hit by major hack attack
Data breach at games giant CeX hits 2m customers
Data breaches ‘hit shares, sales and growth for years’