Breaches, Subject Rights Requests and Opt Outs

UK GDPR and the UK Data Protection Act apply higher standards over how we respond to breaches and complaints, while greatly reinforcing the Rights that individuals have over their data. 

Breaches

If you suspect there has been any breach of personal data, including, then you MUST report to data.protection@libdems.org.uk immediately.

The Members' Data Protection Rules, included in the Party Constitution, require suspected breaches to be reported to the Party's Data Protection Officer, within 24 hours. The Party has only an additional 48 hours to report any breaches, which on review, meet the Information Commissioner's Office (ICO) reporting threshold.

Breaches include, but not restricted to:

  • Data being accessed by someone who is not a member of the Party and has not signed a Data Protection Agreement (DPA) or Non Discolsure Agreement (NDA) with us
  • Data being exposed on websites
  • Hacking of any databases or systems you use
  • Emails being sent reveling recipients personal email addresses in the To: or Cc: field (n/a if the individuals are in agreement)
  • Sending email attachments that are not encrypted
  • Uisng Party data for an un-authorised purpose 
  • Any loss of data, for example:
    • Loss of CDs, disks or drives with data
    • Loss of laptops with data
    • Loss of devices with data and / or MiniVAN
    • Loss of paper records
    • Loss of canvass sheets

Members are required in the Members' Data Protection Rules to report any breaches or face disciplinary procedures. Whilst the Federal Party is legally liable for any breaches under the legislation, our constitution allows for any fines to be shared with local parties if they are found to be responsible. 

Subject Rights Requests

Individuals have a range of data protection rights:

  1. The right to be informed
  2. The right of access (Subject Access Request)
  3. The right to rectification
  4. The right to erasure (Right to be Forgotten / Erasure)
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object (Opt Out / Unsubscribe)
  8. Rights in relation to automated decision making and profiling

Details can be found at ICO - Individual Rights

If an individual makes a request that can be interpreted as falling under these rights, then they should only be handled legally by the Federal Party. There are specific requirements about how these requests are handled, for example, requiring proof of ID, and the formatting of the request and the reply. There are also situations in which we can refuse the request, or limit its scope. Therefore you should always pass these request on to the Federal Party.

Rights requests may take the form of any questions similar, but not restricted to:

  • What data do you hold on me?
  • Delete me / my data from your database
  • Stop processing my data
  • I want a download of data you have on me
  • The data you hold is wrong
  • Stop profiling me

If you receive any request of this nature, then you MUST report to data.protection@libdems.org.uk immediately.

Opt Outs (Unsunscribe)

Opt outs must be processed within 1 month of being received.

You can find out more about where Consent is required and recording Consent at Data Gathering and Consent.

Granularity of Consent

The new legislation requires that Consent be granular. To that end, we are treating all of our emailing lists as separate. Consent for emailing should be managed within the bulk mailing tool you are using eg: Targeted Email. Opting into a local party mailing list does not imply that they want to opt into the Federal Party mailing list. Opting out of a local mailing list need only be reflected in that mailing list.

If you receive an opt-in for a Local Party, then you can add that email to a Ward or Branch specific email list. However you cannot do the opposite. An email addresses added to a Branch or Ward list should not be added to a Local Party list. In general opt-ins can flow down through the party structure, but not up.

Opt outs on the Federal Website at Federal Opt Out page will be reflected down to local party databases.

Handling Opt Outs

Online opt-ins should be processed directly into your Bulk Mail tool. If you have collected consent via a paper form, then this should be recorded in Connect, following the guidelines in Data Gathering and Consent.

If you receive an online opt-out, that should be driven from links generated by your email tool, so that the opt-out is reflected directly in the relevant mailing list. If you receive an opt-out to a Local Party list and you have also added the email to a Branch or Ward list, then you should reflect that opt-out into those lists as well.

If you receive an opt out via a letter or physical paper form, then you must record the removal of the opt in consent in Connect by answering No to the relevant consent question with the date the opt out request was received. The details can be found in Connect Quick Sheet 2.at Connect Quick Sheets. 

This website uses cookies

Like most websites, this site uses cookies. Some are required to make it work, while others are used for statistical or marketing purposes. If you choose not to allow cookies some features may not be available, such as content from other websites. Please read our Cookie Policy for more information.

Essential cookies enable basic functions and are necessary for the website to function properly.
Statistics cookies collect information anonymously. This information helps us to understand how our visitors use our website.
Marketing cookies are used by third parties or publishers to display personalized advertisements. They do this by tracking visitors across websites.