It was inevitable that someone in Medway politics would screw up in this brave new GDPR world.
Politicians sharing reports and images from the campaign trail is standard practice at this point. Barely a weekend can go by without local activists telling us about the ‘fantastic response on the doorstep’ that they achieved. So it would have been easy to glance at the below image shared by Medway Conservative candidate for Luton and Wayfield Robbie Lammas and not think much of it.
Unless you care about data protection, anyway.
Zooming in on the original image, we were easily able to identify names, addresses, electoral roll numbers, and postal vote statuses for at least five voters in Lammas’ photo.
To be clear, we have used a smaller version here where it is impossible to extract much data, but the original image made this data incredibly easy to read.
The way that political parties are granted access to full electoral register data already raises issues about data protection, particularly in this post-GDPR environment. The right to have personal data protected is ever stronger, with substantial potential penalties now in place for companies and organisations that breach the rules.
Recent events have demonstrated that political parties may not be living up to the rules of GDPR, such as the recent security flaw in the Conservative Party conference app.
Happy to see that @RobbieLammas has deleted his spectacular data protection breach. We trust @TMBCToryGroup will take this just as seriously and follow the correct legal process for when these breaches occur. pic.twitter.com/xC0F8dzxwy
— The Political Medway (@MedwayPolitics) November 10, 2018
Upon this clear breach of data protection rules being highlighted to Lammas, he did immediately delete the tweet and replace it with another, which was obviously the right thing to do. However, no apology was offered for the error, Lammas seemed to believe deleting the tweet alone resolves the issue, and we were labelled ‘nasty and viscous’ (sic) for having the temerity to highlight his reckless mistake.
As per the Information Commissioner’s rules, all personal data breaches need to be reported to the ICO within 72 hours.
As of writing, that deadline is a little over 12 hours away, and we have not received any confirmation from either Lammas or the relevant Conservative association that this action has been or will be taken.
This does not give a perception that either Lammas, as a candidate, or local Conservatives take this matter particularly seriously.
Will Lammas or the Conservatives report this data breach as per their legal requirement? Should parties have access to this level of personal data, if candidates and activists are so blasé about how they protect it? What sanctions should Lammas face for his actions? As usual, let us know in the comments or on social media.