Labour Party supplier ransomware attack: Who holds ex-members' data and on what legal basis? Mystery surrounds the Labour Party ransomware attack, with former party members who left years ago saying their data was caught up in the hack – while official sources refuse to say what really happened. Yesterday, after Prime Minister's Question Time in Parliament, the political grouping once referred to as the Official …
>While the Labour Party is primarily responsible for data it collects, that doesn't excuse third-party data processors from obeying the law.
It does not, but GDPR is notable in that the requirement to disclose the breach to the data subject falls entirely on the data controller (i.e. the Labour party). The processor, acting on the controller's behalf, is only required to disclose breaches to the parent controller and not the end data subject (who they are generally prohibited from contacting anyway).
Knowing that a breach has occurred but not which supplier it happened with is, for better or worse, standard practice. What's unusual is Labour have made a point of explaining that this has hit a third party. Smells like an attempt to shift the perception problem to someone else - the legal problems, such as they are, cannot be shifted. The buck stops with the controller, not the processor.
Holding data for 10 or more years is not unusual, particularly if they're minimal records for the purposes of recording erasure or subject to a legal/statutory hold. Labour's privacy policy details how long they keep different classes of records, and there are at least two categories of data that are held for 10 or more years, neither of which strike this data protection wonk as particularly unreasonable.
"The processor, acting on the controller's behalf, is only required to disclose breaches to the parent controller and not the end data subject (who they are generally prohibited from contacting anyway"
Correct - but you are assuming the 3rd party was a processor. It's possible they were another controller, though that wouldn't explain the radio silence unless there is a dispute between the LP and the Third Party over which category they fall into, and the contracts haven't been updated for GDPR to be clear on that point.
Good digging on the Deletion Policy though - that was going to be my next question.
>Correct - but you are assuming the 3rd party was a processor. It's possible they were another controller...
Afraid not. While an organisation can and usually is both a controller and processor in some capacity, when it comes to the specific data handling in question you are exclusively *the* controller or *a* processor. For a given data item and activity you cannot be both and the disclosure responsibility is solely the controller's.
Re AC
"Afraid not. While an organisation can and usually is both a controller and processor in some capacity, when it comes to the specific data handling in question you are exclusively *the* controller or *a* processor. For a given data item and activity you cannot be both and the disclosure responsibility is solely the controller's."
Not quite correct as the same data can be used for different purposes and its the Purpose that defines Controller/Processor i.e. what they say they are doing with the data. It's possible that someone can be a controller and processor for fundamentally the same data, but with different Purposes. In practise though this doesn't happen very often if only to keep each parties sanity, but can happen in big corporates where the left hand isn't speaking to the right hand on either side.
The bit where you try to translate legal purposes to business processes and the into data processing and storage is where Data Privacy legislation breaks down imo, because fundamentally you are trying to translate something abstract and legalistic into IT systems, and the end result is usually a fudge/risk acceptance that doesn't suit anyone perfectly to but is the pragmatic response to avoid getting trapped in a blizzard of edge cases.
"who they are generally prohibited from contacting anyway"
There is no prohibition on a data subject approaching a processor. The processor has an obligation to forward any such approach to the data controller.
Article 82 states "A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller" so a processor the spills your data accidentally is indeed individually liable.
Other way round gov. The processor has no duty to contact the data subject; that's the controller's job. And unless they're engaged for the purposes of communicating with the data subject on the controller's behalf they're probably not permitted to do so. And of course given it's them that's likely ballsed up they've got no incentive whatsoever to come clean, so no processor with even a hint of sense will or should attempt to contact the data subjects.
Transfer of liability to the processor* is probably subject to SCCs and horse trading, so ultimately it's still on the processor to get it all sorted out.
*That's assuming they did break the law or violate a SCC - it's possible to be breached without violating GDPR, e.g. if attacked by a very-high-level state actor/persistent threat or similar that would have required commercially unreasonable efforts to protect against, while otherwise following current best practices. Hence this being a matter of perception rather than liability, which I'd imagine the supplier are none too happy about, hence them not being named.
In this particular case probably yes. But in many B2B industiries where there are multiple middle men then its possibly to be a join controller.
The travel industry is a good example. You might have a travel agent, a website/aggregator, the service or content owner all interacting and adding value to fundamentally the same customer data in different ways. Joint Controllership is very common.
As I understand it, every Israeli has to do national service. His was in an intelligence unit.
That doesn't really make it much more or less likely he is doing dastardly things in his subsequent employment by the Labour Party - which seems to be for social media crap.
Any actual allegations? Or, better still, evidence for involvement in this data protection cock-up?
Yes, Israelis have to do national service for 2 1/2 years - he was in a cyber warfare unit for 5 years (and there's nothing to say that is his sole time in military service) so I think that says 'career military' rather than 'conscript'. That doesn't imply that he's a malicious actor, unless one is predisposed to regard any Israeli military volunteer as malicious.
That said, I'd be deeply suspicious of any foreign national with a military intelligence background embedding themselves into the administration of another country's major political party, especially where they could potentially have unfettered access to membership details, emails, etc. Employing such seems a bit careless to me.
I've passed over job applications from similar when I was working in the telco/ISP arena. "You what? You hired an ex-spy from another country to work on core telecommunications systems and you didn't think that might be a problem?" Yeah, best to dodge the inherent risks with that one.
One of the companies I worked with during that time was Finnish. Over there it's a legal requirement for telco employees to be vetted by the Finnish Secret Police. Might seem a bit extreme, but I can see the logic in it. One hopes that the Finnish Secret Police were pursuing a security angle rather than looking for people they could subvert; I wish I could say that I thought MI5 would be that honourable in similar circumstances.
> he was in a cyber warfare unit for 5 years
Do you have anything to say he wasn't just a janitor? Or worked physical security at the door? Or wasn't a techie that re-imaged their desktop computers when someone fubared it?
Working for a cyberwarfare unit or even an intelligence unit does not equate to 'spy'.
I'm not saying he wasn't, but the burden of proof is on the one who puts forward a theory - that he was a spy.
I see that, at last count there were seven who downvoted my previous comment. And zero who provided any evidence whatsoever to show that the Israeli in question was:
1. Actually a spy
2. In any way connected to the problem
3. Didn’t do the job for which he was hired by the Labour Oarty
4. Guilty of anything other than being Jewish
You have it backwards, the only thing that's not a hard pass about his background and suitability for the role is him being Jewish.
The rest is a shocker - Served in the army of an occupying power helping to repress a civilian population.
That's quite enough - unlikely to be able to treat people from that background with impartiality at the very least.
It's of little consequence his faith, his possible involvement in the crimes against humanity are more in the foreground.
If you are seriously pushing the idea, that perhaps as a conscript, he was "only following orders", then I offer you the example of the https://www.aljazeera.com/news/2021/9/16/asylum-appeal-of-anti-zionist-jewish-israeli-who-refuse Or perhaps, he was "present but not involved" https://www.theguardian.com/world/2014/sep/12/israel-unit-8200-refuseniks-transcript-interview
Oh and as for the implied smear - can I introduce you to China - https://www.theregister.com/2020/09/04/fcc_huawei_zte_replacement/
Spooky ex MI guy in Political party = no bueno
"evidence of any wrongdoing on his part"
: In 2003 [during the second intifada] there was this general routine for the IDF to bomb buildings at night as a response to terrorist attacks or to pass a message or … whatever you like. After an especially bad terrorist attack in south Tel Aviv by the old bus station there was a decision that the response had to be more harsh this time.The action that was decided upon was to destroy from the air a building belonging to Fatah, which wasn’t the organisation that was responsible for the terrorist attack. And the building wasn’t related in any way to military activity. It was some kind of welfare centre where they were giving out pay cheques.
Unlike previous times, an essential part [of the operation] was that building wouldn’t be empty and there would be people there, no matter who. Someone had to be there in order to die. The role of our unit was to give the green light for this attack. To say when the building isn’t empty. So this lieutenant – whose name wasn’t published – refused.
At first he tried to get the action cancelled. And then he spoke with his commanders but still found himself in real time being asked for that information. And even when he knew that now the building is not empty and was supposed to give the green light he said: “I’m refusing, I’m not doing it.” He got the operation cancelled.
The response of all the senior commanders – in the unit and in the military – was to be shocked by him daring to refuse a direct order that he had received. That was the only kind of inquiry that was taken into the matter. There were some reports – just days after the incident, in the Israeli media – but they were wrong. They changed the goal of the operation and said the goal was a targeted killing of …
https://www.theguardian.com/world/2014/sep/12/israel-unit-8200-refuseniks-transcript-interview
"...I'd be deeply suspicious of any foreign national with a military intelligence background..."
To be fair, I would expect any 'real' spy-type person to be a tad more inconspicuous than that but then I don't know much about how the spy world works.
That's exactly it. A bloke who was a spy and has something to hide is unlikely to declare anything of that nature in a job application. Instead there will be some mundane-but-applicable fake job in the place of all the Jason Bourne shit.
https://www.theguardian.com/world/2014/sep/12/israel-unit-8200-refuseniks-transcript-interview
https://www.btselem.org/publications/fulltext/202101_this_is_apartheid
The evidence of apartheid directed at a civilian population, and the direct involvement of this person make them unsuitable for a position in a democratic political party.
The abhorrent behavior rising to crimes against humanity is well documented. People find it unacceptable in Palestine, as in South Africa.
A few years ago I heard one Labour official/politician boasting in a radio interview that they (I think possibly referring in particular to his constituency party) knew how everyone voted as they had "canvass records going back for decades".
Yet another good reason why current DCMS proposals to reduce the specificity and formality of the current GDPR accountability obligations should be resisted. Responses close on 19th November, so there's still time, and there's absolutely no reason why you must use the massive online response form (c. 170 cunningly loaded questions). Free form submissions to the email address on page 143 may or may not make DCMS happy, but they're pretty much obliged to consider them. Although this consultation is aimed at 'experts' it's time for the public to get involved and have their interests recognised.
Putting all the obvious GDPR, data breach shennigans aside for a sec. I'm appalled that they went to an American firm to design their website!
We always bought local with public money, sometimes casting the net wider if local industry didn't have the skills but always in the UK. It's WordPress for fcuk sake, you could throw a piece of paper (unfolded) and hit any number of designer and developers for WordPress.
"Where personal data is provided to us by a third party, we will make sure that these third parties have provided you with appropriate privacy information on the sharing of this data with the Labour Party and that they have a clear lawful reason for sharing this data."
I never received it. I'm fairly sure other members never received that.
I never knew that after the disappointment of Starmer being appointed as leader, that the party could cause me further disappointment. That's my own fault though, expecting too much of the "worker's" party.
""Under GDPR they certainly can't hold it. If there's no ongoing reason to have hold of it, I would say after 10 years why do they still need that data?" said Culverhouse, adding that the fact the data was captured and stored long before GDPR and the Data Protection Act 2018 came into force doesn't matter."
Not only that, but the data retention rules under the previous 1998 act were broadly similar IIRC.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
