The following is a letter that I have just sent to Tom Watson MP.
For those who want to use it as a template feel free to do so.
Dear Mr Watson
I write further to your public statements of last week. In particular I refer to the statement attributed to you in The Guardian article cited in the endnotes where the article states that you said “Watson said he and his team would now be “logging and monitoring all complaints” so he could raise them himself with the leadership and with the NEC.”
Public reference has also been made to statements alluding to you and ‘your teams’ monitoring of complaints relating, specifically at this time I understand, anti-semitism and sexual harassment.
Background to this correspondence
I am not a member of the Labour Party but a member of the public. In my role I deal with, daily, matters relating to advising and representing employees in disputes with employers, including representation, submission of cases / statements and advocacy up to and including employment tribunals.
As part of this role, and indeed an expanding area of my work, is the need to be cognisant of the Data Protection Act 1998 and the 2018 GDPR that sets out very clear and strict statutory advice to employers, employees, public bodies and those who have to deal with personal data and the rights of data subjects.
In my role I am fully aware of the rights of individuals who have had allegations or complaints made against them or, in the alternative, have submitted complaints against an individual/individuals/their employers for a variety of reasons to long to set out in full here.
However, as a basic principle of GDPR/DPA1998 an individual against whom a complaint has been served or who has served a complaint, can expect to, by law, and by contract, enjoy certain rights:
That their complaint or the complaint against them will be dealt with under a procedure
That the procedure complies fully with the DPA98/GDPR
That all parties to the complaint can expect to enjoy full confidentiality as to undermine said confidentiality would be a breach of the DPA/GDPR
That to disclose or breach the process would undermine the principles and protocols of the complaints policy and make the process potentially unfair
Supplementary, and most seriously, such interventions or attempts to intervene would breach the employers or the organisation in questions statutory duties to manage the personal data (which in any such complaint given the personal data that need to be used eg name, gender, address, contact details etc., would be sensitive and subject to specific and more onerous restrictions on their use), would undermine the organisations duties and responsibilities as the ‘data controller’ as defined in and under DPA98/GDPR.
This list is not exhaustive.
Steps I have taken
On Friday morning, 1 March, I contacted the Labour Party given my concerns over what appeared to be (as reported) a flagrant or potentially flagrant breach of the rights of members of the Labour Party (and possibly other individuals), as an organisation arising from your public statement.
An additional concern is that I understand from previous acts that you have been involved with and still are, I believe, you yourself would be fully cognisant with the specific and statutory requirements of DPA98/GDPR given your role in the organisation known as ‘Hacked Off’. Part of Hacked Off’s work related to unlawful press intrusion into the lives of people which included, very clearly, breaches of their data protection rights.
As a supplementary issue, I have noted from the Guardian Article that you also mention your ‘team’ that would be involved in such monitoring and storage of the personal data of people who may have had complaints made against them. Clearly, and in relation to both you and ‘your team’ (which I understand from previous public information and which will be the subject of further correspondence between myself and your office), by establishing or seeking to establish a dual and/or parallel system of monitoring, you will need to ensure that your new organisation – if that is indeed what you are establishing – complies with the requirements of the GDPR and DPA98. This would include gaining the formal consent of those who may be subject to a complaint made against them to agree to your processing of their DPA98/GDPR data subject rights.
My first question would therefore be, by logic, how would you seek to do this?
My second related question would be that if you sought to do this what if the individual who has had a complaint made against them as a Labour Party member refused to accept your new organisations jurisdiction over their personal data? You, of all people (given your background in media law and Hacked Off), would be fully aware that to hold such information without consent as well as being unlawful in terms of DPA98/GDPR as you would not be the data controller responsible for the management of such data and information, is also a potential breach of criminal law.
My third question relates to your ‘team’. My understanding, if correct, is that staff under your employment are, in full or part, funded by or were part funded by a £500k (in full or part), donation by Max Moseley . It is unclear as to how this ‘team’ would be in a position to manage the persona data of Labour Party members given that the data controller for such processing would be the Labour Party itself under its statutory DPA98/GDPR obligations. Clarification on this important matter would be appreciated.
As I have set out on the morning of 1 March and as a concerned citizen (concerned as in the fact that an MP paid by the taxpayer and subject to strict Parliamentary Codes of Practice, the Nolan Principles and various statutory constraints eg DPA98/GDPR), I contacted the Labour Party to seek guidance on how to set out a complaint to that organisation given the apparent clear direction of undermining the rights of data subjects which you were setting out and placing in the public domain. I did this after I had consulted the ICO who advised that I was correct in this approach.
I will be setting out this complaint to the Chief Whip and the Governance and Legal Team of the Labour Party shortly.
I am also now aware that there has been an exchange between the General Secretariat of the Labour Party and yourself and your ‘team’ in this matter. That matter, from what I understand from the press reports and what is available in the media, has focused on essentially the same concerns that I raised on Friday 1 March and on the clear breaches of Labour Party policy and its duties as a data controller in these specific issues. If these reported facts are indeed correct then the Labour Party General Secretariat is taking the right approach.
However, my approach is different given that I am not a member but a concerned citizen.
Response – Required from You
1. Please conform to me within the next 48 hours that you have withdrawn your threat to undermine the GDPR/DPA98 rights of data subjects which you are proposing?
2. In the alternative please set out to me how you believe that your actions and the actions of your ‘team’ comply with the GDPR/DPA98 rights of those members of the Labour Party (and possibly others) in which you will intervene?
3. Please explain and clarify, following your proposed interventions, how you will monitor this information consistent with and compliant with GDPR and DPA98?
4. Please clarify how you will handle the DPA98/GDPR rights of those individuals who are subject to the intervention of you and your ‘team’ and who refuse all authority for you to process, in any form (including holding that personal data), their personal data?
5. Please explain how you will hold this personal data consistent with and in compliance with the DPA98/GDPR and the sensitive and personal data under which such complaints would be held under?
6. Please confirm and clarify how you and your ‘team’ will manage this personal data and information consistent with the statutory and legal responsibilities of the Labour Party as the data controller of the membership and sensitive personal data of its members?
7. Please clarify how you see these interventions by you and ‘your team’ as being consistent with not breaching and violating the DPA98/GDPR rights of Labour Party members and possibly others against whom complaints are made?
8. Please clarify and advise how the management of such personal data by you and ‘your team’ is consistent with the Complaints Policy or, in the alternative, Investigation Procedures of the Labour Party?
9. Please clarify and / or advise as to how the data that you and ‘your team’ will hold will be stored and under what procedures and process?
10. Please clarify and / or advise as to how individuals who may not have consented to you and ‘your team’ having access to, and holding/storing such personal and sensitive data will have access to seeking removal of their personal data from the still to be described storage and holding of their data by you and ‘your team’?
11. Please advise and / or clarify who is the data controller for the holding and processing of such personal data by you and ‘your team’?
12. Pleased provide the process and contact details of those individuals from ‘your team’ so that they can seek information as to how their personal information can be removed from you and ‘your team’ holding such information?
13. Please advise as to how you and ‘your teams’ data controller can be contacted in respect of any complaints under GDPR/DPA98 that individuals may have against or with you and ‘your team’ holding such personal and private / sensitive personal data?
14. Please advise where the certificate or legal documentation can be viewed in respect of the authority of you and ‘your teams’ data controller and its right to hold and process such data consistent with the rights and obligations of individual data subjects under GDPR/DPA98.
I require a response to this email/letter within 48 hours setting out responses to the questions. Note that if I do not receive a response, as well as advising the Labour Party of this letter I will advise the relevant statutory authorities, up to and including those dealing with the possible criminal impact of the storage and holding of sensitive and private personal data contra to Statute.
Note via this website https://labour.org.uk/members/my-welfare/my-rights-and-responsibilities/labour.org.uk/members/my-welfare/my-rights-and-responsibilities/