Reply to post:

Labour Party supplier ransomware attack: Who holds ex-members' data and on what legal basis?

Anonymous Coward

>While the Labour Party is primarily responsible for data it collects, that doesn't excuse third-party data processors from obeying the law.

It does not, but GDPR is notable in that the requirement to disclose the breach to the data subject falls entirely on the data controller (i.e. the Labour party). The processor, acting on the controller's behalf, is only required to disclose breaches to the parent controller and not the end data subject (who they are generally prohibited from contacting anyway).

Knowing that a breach has occurred but not which supplier it happened with is, for better or worse, standard practice. What's unusual is Labour have made a point of explaining that this has hit a third party. Smells like an attempt to shift the perception problem to someone else - the legal problems, such as they are, cannot be shifted. The buck stops with the controller, not the processor.

Holding data for 10 or more years is not unusual, particularly if they're minimal records for the purposes of recording erasure or subject to a legal/statutory hold. Labour's privacy policy details how long they keep different classes of records, and there are at least two categories of data that are held for 10 or more years, neither of which strikes this data protection wonk as particularly unreasonable.
