The UK's data protection regulator, the Information Commissioner's Office (ICO), has recently reprimanded the Labour Party for its failure to respond on time to individuals exercising their data subject rights under data protection law. This reprimand provides a salutary reminder to all organisations of the risks of leaving privacy inboxes in place once they are no longer being monitored.
In this instance, the Labour Party had set up a dedicated inbox to deal with communications with individuals who had been affected by a cyber-security attack in October 2021. In November that year, the Party moved all correspondence related to the cyber incident to its standard data protection email inbox. Crucially, however, the dedicated inbox was not closed down and was no longer monitored.
In October 2023, during the course of a separate investigation into the Party's handling of Data Subject Access Requests (which related to the handling of the original cyber-attack), the ICO uncovered the dedicated email inbox, which had not been monitored since November 2021. The ICO discovered that the inbox contained approximately 646 additional Subject Access Requests and 597 requests for erasure of people's personal data.
Understanding Data Subject Rights and Data Subject Access Requests
Under the UK GDPR, individuals have certain rights if their personal data is used in any way (referred to under the relevant legislation as "processing") by organisations. These rights include rights of access to, and erasure of, the personal data held by the organisation in question.
The best-known right is the right of data subject access, which is exercised through a "Data Subject Access Request" or "DSAR". This right allows individuals to request access to the personal data that an organisation holds about them. When a DSAR is made, an organisation is required to respond promptly, in most instances within a month of the original request. The response should include a copy of the personal data held about the particular individual and provide them with information about how and why the data is being processed.
In this instance, the Labour Party failed to comply with its statutory duty to respond to the various DSARs and to individuals exercising other relevant rights, most notably the right to erasure of their personal data, because it had forgotten about the redundant inbox and e-mails sent to it remained unopened.
The ICO's Reprimand
The ICO's reprimand followed complaints from individuals who had submitted DSARs and other data subject requests through the redundant inbox but received no response. The ICO found that the Labour Party had failed to respond to these requests within the statutory time frame and that, in a large majority of cases, the requests had not been considered for a period of over a year. This failure to respond properly to these DSARs and other requests breached Articles 12, 15 and 17 of the UK GDPR.
Lessons to be Learned
There are a number of key takeaways.
If you create dedicated inboxes – particularly ones to which time-sensitive correspondence might be sent – then you need to monitor them. It is also highly advisable to keep a central list of all dedicated e-mail addresses that are created and to keep that list up to date. Make a particular function responsible for the maintenance and monitoring of these addresses. If an address is subject to an auto-forward, make sure that the address the auto-forward goes to is itself live and monitored.
Where you do wish to consolidate correspondence from one inbox into another, always remember to delete the inbox that is no longer being used or, alternatively, to re-route incoming emails to the inbox that is monitored. This applies not only to dedicated inboxes of the type in this case but also to employee inboxes.
Where inboxes are being deleted, they should be appropriately examined to ensure there are no outstanding DSARs or other data subject rights requests (or, indeed, anything else important) that have not been properly dealt with.
These lessons should be incorporated into organisations' internal policies and procedures relating to the creation, consolidation and deletion of email inboxes.
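As an added illustration, not part of the original article or of Brodies' guidance, the following Python audit turns the lessons above into checks over a central mailbox register: every live inbox has a responsible function, every auto-forward chain ends at a live and recently read address, and closed inboxes were examined for unread mail before deletion. All addresses, dates and counts in the register are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Mailbox:
    address: str
    owner: object              # function accountable for monitoring; None if nobody
    active: bool               # False once the inbox has been closed down
    forward_to: object         # auto-forward target address, or None
    last_read: object          # date someone last actually opened the inbox, or None
    unread: int = 0            # messages nobody has opened

def final_destination(reg, addr):
    """Follow an auto-forward chain to where mail actually lands; None if broken or looping."""
    seen = set()
    while addr in reg and reg[addr].forward_to:
        if addr in seen:
            return None
        seen.add(addr)
        addr = reg[addr].forward_to
    return addr if addr in reg else None

def audit(reg, today, stale_after=timedelta(days=7)):
    """Flag every inbox where a DSAR or erasure request could sit unseen."""
    findings = []
    for mb in reg.values():
        if not mb.active:                      # deleted inboxes must be examined first
            if mb.unread:
                findings.append((mb.address, "closed without examining unread mail"))
            continue
        dest = final_destination(reg, mb.address)
        if dest is None:
            findings.append((mb.address, "auto-forward chain is broken or loops"))
            continue
        target = reg[dest]
        if not target.active:
            findings.append((mb.address, f"auto-forward lands in closed inbox {dest}"))
        elif target.owner is None:
            findings.append((mb.address, "no function responsible for monitoring"))
        elif target.last_read is None or today - target.last_read > stale_after:
            findings.append((mb.address, f"{dest} not read for over {stale_after.days} days"))
    return findings

# Constructed sample register (example.org addresses, not real ones); the first entry
# mirrors the reprimand: a dedicated incident inbox left active but unwatched for years.
TODAY = date(2023, 10, 3)
REGISTRY = {m.address: m for m in [
    Mailbox("incident@example.org", None, True, None, date(2021, 11, 15), 1243),
    Mailbox("dpo@example.org", "Data Protection", True, None, date(2023, 10, 2)),
    Mailbox("privacy@example.org", "Data Protection", True, "dpo@example.org", None),
    Mailbox("old-help@example.org", "IT", False, None, date(2022, 1, 5), 12)]}
```

Running `audit(REGISTRY, TODAY)` flags the unowned incident inbox and the closed inbox that still holds unread mail, while the forwarded privacy address passes because it lands in a live, recently read inbox.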
Contact
If you wish to discuss the lessons learned from this reprimand in any further detail, please get in touch with Grant Campbell, Calum Lavery or your usual Brodies contact.