The Labour Party could be fined up to £15m for failing to protect members' data after reporting Sir Keir Starmer's campaign to the information watchdog.

This weekend Labour's general secretary Jennie Formby, a leading ally of Jeremy Corbyn, made a formal referral to the Information Commissioner's Office over an alleged breach of data protection rules by members of the frontrunner's campaign team.

It was seen by allies of Sir Keir as an attempt to undermine his campaign.

Image: Sir Keir Starmer's campaign was reported to the information watchdog

However, the move could backfire after the ICO confirmed the Labour Party itself would be the focus of any investigation, since it is legally responsible for securing members' information as the "data controller".

The potential fines for data protection failings have significantly increased as a result of changes to the Data Protection Act last year, which enacted the European General Data Protection Regulations (GDPR) in UK law.

Although there is a range of sanctions the ICO is able to issue for data protection failures, the maximum fine the party could face if it were found to have failed to secure the data could be more than £15m.

The regulations stipulate that infringements of the principles for processing personal data are subject to the highest tier of GDPR administrative fines, which are set at the equivalent of €20m, or 4% of an organisation's total worldwide annual turnover if that is higher.

On Monday, Mr Starmer's leadership rival Rebecca Long-Bailey appeared to suggest the party was to blame for not restricting access to a membership database after the general election.

"The investigation into Keir Starmer's campaign over an alleged data breach should not be allowed to distract from a moment of significant importance in determining the future direction of our party," a spokesperson said.

"As Rebecca's campaign has said previously, the accessibility of members' data stemmed from a failure to close Dialogue at the end of the general election campaign."

The allegation reported to the ICO suggested two members of Sir Keir's leadership campaign staff may have improperly accessed membership data via the "Dialogue" database.

Image: Rebecca Long-Bailey appeared to suggest the party was to blame for not restricting access to a membership database

The Starmer campaign rejected the allegations as "nonsense" and urged the party to withdraw the accusation.

It is understood the Starmer campaign was attempting to demonstrate Ms Long-Bailey's campaign had breached rules by sharing a link to the Dialogue database with her supporters, a claim her team denies.

The ICO is making enquiries into the issue following the referral from the Labour Party but has not yet confirmed whether a full investigation is to be launched.

Last year the ICO issued a record fine of £183m to British Airways for failing to sufficiently protect personal data, saying poor security arrangements had allowed passenger login, payment card, address and booking information to be compromised.

Ahead of the general election the ICO published guidelines for political parties setting out their responsibilities for handling data.

Ardi Kolah, editor of the Journal of Data Protection and Privacy, told Sky News that concern over the use of data in politics meant it was crucial that parties ensured their data protection procedures were robust.

"If you are a data controller it is not enough to simply report a breach, it is also incumbent on you to demonstrate and verify you have done all you can to protect against a personal information breach in the first place.

"The fines for failing to secure the data you have collected are tough for a reason.

"Political parties should take this very seriously, and that applies to Labour in particular because numerically it has the largest number of members of any political party in the UK."

A Labour Party spokesperson said: "The Labour Party takes its legal responsibilities for data protection - and the security and integrity of its data and systems - extremely seriously."

The spokesperson went on to say that any suggestion the party's referral to the ICO would result in a fine was "misleading and disingenuous", adding that "the party has a statutory obligation to report suspected data breaches to the ICO within 72 hours, and we could be liable for further fines and other sanctions if we didn't report it".