The Labour Party can’t issue the ballots for their internal elections; they claim it’s a consequence of the cyber-breach last October.
The Party seems to have attempted to create a replacement membership database by updating its mail manager system and presumably adjusting the feeds although much of the functionality previously offered is no longer available and the feed from the financial system is now days or weeks out of date. We should note that the membership self administration tool is also now not available. The mail manager is obviously from observation slowly dying. It is known to be inaccurate; there are errors in terms of who it considers to be a member, their addresses, and their payment status.
The Party plans to replace this recovered system with an off the shelf package from Microsoft. At the moment we are advised that it is unlikely that local party role holders will get access to this until next year.
Until then we have to use a known to be inaccurate database. From observing, presumably NEC authorised actions, it seems to be considered accurate enough to select councillor candidates and run trigger ballots. Procedure Secretaries have been told that they may not override the membership system even when variances are well known and provable. I question that this is legal in it breaches the duty to be accurate and not to automatically profile people.
What seems to be forgotten that is data protection rests on seven principles, Lawfulness, fairness and transparency · Purpose limitation · Data minimisation · Accuracy · Storage limitation · Integrity and confidentiality. Often too much or too little attention is paid to integrity and confidentiality and issues such as lawfulness, fairness, transparency and accuracy are forgotten.
They are running selections and triggers on data known to be inaccurate. This isn’t right.
This has taken 9 months to get here. While culpability for the breach may be questionable, not having a recovery plan and or not funding it is the fault of the Labour Party and thus its NEC. CEO’s have been fired for less.
Why was there no recovery plan? Did they do vendor due diligence on the member centre hosting provider, did they keep it up to date? Is there a risk register? Has the NEC or the risk committee approved the mitigations? In fact, what is the NEC doing about IT Risk? Is there a DPIA on reusing the mail system? Is there a DPIA on reusing the SAR Tool? Is there a DPIA on using the social media scanners they use? When will we get a data protection capability that protects members data from bad actors rather than from themselves?
Nine months failing to recover is shameful and unprofessional. NEC members should be asking why it has come to this and determine if they, through their inaction, are in fact culpable.
Originally published at https://davelevy.info on July 24, 2022.