As the pandemic takes hold, an unwelcome distraction comes with news that an internal Labour Party report into how it dealt with antisemitism has been leaked, showing up in the hands of some of the dumbest people in left-wing politics. The document was unredacted, and contains the personal data of multiple complainants to the party. Some of them have already reported that as a result, their data is being circulated in the most unpleasant corners of the internet and Comrade Leaker might have put them at direct risk. The new leadership team of Sir Keir Starmer and Angela Rayner have announced an investigation into how the report came to be commissioned, how it came to be leaked and other related matters. It is embarrassing that the Socialist Campaign Group of Labour MPs have signed a statement demanding that the report is published “in full”, meaning that the former Shadow Justice Secretary and former Shadow Home Secretary among many other Labour MPs want the confidentiality of complainants to be breached solely to facilitate internal faction fighting. As a humble Labour Party member, I call upon the Campaign Group to withdraw their knuckle-headed demand, acknowledge that what they’re asking for would be a breach of GDPR and confidentiality, and apologise to the innocent people they wanted to throw under the bus.
The MP and Campaign Group member Lloyd Russell-Moyle tweeted on Sunday that those interested in the Data Protection aspects of the leak were missing the point, preferring to concentrate on the political implications. In any case, he pointed to the public interest defence available in the GDPR for the circulation of such data. He has since deleted that tweet, and has now admitted sharing a link to the unredacted report with a private Facebook group of party members. Mr Russell-Moyle’s (albeit temporary) confidence in the public interest nature of disclosure caught my eye, especially as his depiction of how the law works in this context was a bit of a dog’s breakfast.
All things being equal, GDPR would have something to say about the unauthorised dissemination of personal data, but despite Mr Russell-Moyle’s claim, it does not contain an explicit public interest defence, and in any case is not the most relevant law. The Data Protection Act 2018 contains a series of offences covering the misuse of personal data, retaining what was criminal under the DPA 1998 but adding some new ones. The offences aren’t strictly required to comply with the GDPR and go further than what it requires. However, they allow the Information Commissioner’s Office to pursue individuals who deliberately or recklessly misuse data more neatly than GDPR does. I spend a lot of time kicking the ICO, so it is only right that I say that this prosecution work is one of those things that they generally do well and for the right reasons.
Section 170 of the DPA 2018 makes it an offence knowingly or recklessly to obtain or disclose personal data without the consent of the data controller, to procure such a disclosure to another person, or to retain data without the controller’s consent. Selling or offering to sell unlawfully obtained data is also an offence. Incidents that lead to ICO prosecutions are often connected with employment – the person gets legitimate access to data as part of their job, and then they look at records they have no reason to, or they share data with others, or they sell it. My favourite recent prosecution is the spectacular case where a senior council manager declared an interest in a recruitment exercise in which his wife was a candidate. Despite this, he then gave her data about the other candidates. After she got the job, the incident was discovered; she lost the job, her husband was sacked and he was subsequently prosecuted. It took a global pandemic to make me essentially unemployed, so I admire someone with the determination to do it to themselves with such panache. The crucial issue isn’t necessarily how you got access, it’s whether what you did with the data was authorised by the controller. People often make the mistake of thinking that the person who has to authorise the use is the data subject, but the law is clear. If I as the controller deliberately give you the data – even if I do so insecurely or without proper transparency – it’s not an offence (it might be a GDPR infringement). If you take a copy and share or sell it without the controller’s permission, the offences may be in play.
There can be tension over who gets the blame – years ago, one of my former employers discovered that an ex-member of staff had sent data about multiple staff members to their personal email account. While it was obviously disclosed without my employer’s authorisation, the ICO case officer who investigated asked us a lot of smart questions about security and access arrangements in the team where the culprit worked. It was plain to me that they were trying to work out whether it would be better to pursue the individual for copying the data, or my employer for not better preventing them from doing so. Fortunately for us, a splendid team manager was able to satisfy the ICO that we’d done everything one could reasonably expect. For Labour, this could be a problem. It’s impossible to know where the report was obtained from or how it came to be leaked, but if Wilmslow investigates this (and in my opinion, they have to), it will be just as legitimate for them to probe Labour’s internal data management as the actions of the leaker. It must, however, be both.
Although he thought it was in the GDPR, Russell-Moyle was right that the public interest can be a defence for otherwise unlawful misuses of data. The person accused of an offence can put forward a defence of prevention or detection of crime, a legal obligation or statutory requirement to use the data or they can seek to prove in the particular circumstances that obtaining, disclosing, procuring or retaining was justified as being in the public interest. They can also try to prove that they reasonably believed that they had a right to use the data, that had they asked, the controller would have agreed, or finally, in using the data for the special purposes (which include journalism), “in the particular circumstances the obtaining, disclosing, procuring or retaining was justified as being in the public interest.”
It’s worth thinking carefully about that group of defences. Under the old 1998 Act, they were drafted differently, allowing a person to argue that they had a ‘reasonable belief’ that their actions were justified in the public interest. The ‘reasonable belief’ element is gone – the defence only works if the person can prove objectively that the disclosure was in the public interest, rather than that they thought it was. There’s an excellent and detailed explanation of this change in Shepherd vs ICO, a data misuse case that the ICO lost a year or so ago. More importantly, all of this applies to the personal data itself, not to a document in which it might be found. Russell-Moyle’s deleted claim was that “there’s a public interest defence which will be strong in this case”, but is that true? There might be a public interest in disclosing the document or whatever revelations can be gleaned from it, either for journalistic purposes or the wider public interest. But is there really a public interest in the disclosure of the complainants’ personal data? I doubt it and it seems that Russell-Moyle now agrees, having acknowledged that “I wanted to make it clear that the report that has been leaked contains important information but it also contains the personal details of minors and those who deserve confidentiality after they made complaints”. If a person seeks to defend themselves from an allegation of a criminal disclosure of personal data, the public interest in revealing internal party machinations is irrelevant. What matters is whether disclosure or retention of the specific personal data is in the public interest.
Anyone who copied and disclosed an unredacted copy of the report without clear permission from the Labour Party may have committed an offence under S170. Anyone who similarly possesses a copy of it may also have committed an offence. This latter issue might be of particular interest to the ICO as the retention offence is new, and I’m sure there will be some in Wilmslow who want to show that it has teeth. This is especially the case after the ICO investigated the retention of notebooks by ex-Met Police officers and found that they couldn’t take action because retention wasn’t an offence under the 1998 Act.
The public interest has been badly served here. By redacting the data of complainants, whoever obtained and leaked this data could have built the foundations of a solid public interest defence, and more importantly, shown some care for people who do not deserve to be victims of Labour’s interminable civil war. The leakers could have protected those caught up in this mess, and whatever internecine battles Labour’s factions want to fight could have played out without collateral damage. But whoever these idiots are, they didn’t care about the damage their actions might cause. Blameless individuals have been put at further risk having already suffered abuses and indignities at the party’s hands. The Campaign Group’s moronic statement and Russell-Moyle’s humiliating climbdown from confident defence to mealy-mouthed apology are hallmarks of the thoughtlessness that underpins this sorry episode, but the real blame should be directed towards the snakes who circulated the unredacted report. It is a betrayal of everything that Labour ought to stand for, and a line must be drawn. Between Labour’s internal investigation and what should be the ICO’s inevitable involvement, the people responsible for this leak should face nothing less than the same public exposure as their victims, with a punishment to match.