Data Breaches, Subject Rights Requests & Managing Opt Outs
UK GDPR and the UK Data Protection Act 2018 (DPA) set high standards for how organisations respond to breaches and handle requests from individuals exercising their legal data rights.
Data Breaches
If you suspect there has been any breach of personal data, you MUST report this to data.protection@libdems.org.uk immediately.
In your email to us, please provide a summary of:
What happened, when it happened (date and time), what types of personal data were involved, how many individuals are affected, and whether any immediate mitigation has already been taken.
The Members' Data Protection Rules, included in the Party Constitution, require suspected breaches to be reported to the Party's Data Protection Officer within 24 hours. The Party then has only a further 48 hours to report any breach which, on review, meets the Information Commissioner's Office (ICO) reporting threshold, since the legal deadline for notifying the ICO is 72 hours from becoming aware of the breach.
Breaches include, but are not restricted to:
- Data being accessed by someone who is not a member of the Party and has not signed a Data Protection Agreement or Non-Disclosure Agreement (NDA) with us
- Data being exposed on websites or social media platforms
- Hacking of any databases or systems you use
- Emails being sent that reveal recipients' personal email addresses in the To: or Cc: field (not a breach if the individuals concerned have agreed to this)
- Sending email attachments that are not encrypted, where the content is personal or confidential/sensitive data
- Using Party data for an unauthorised purpose, or Party data being accessed by an unauthorised person
- Any loss of data, for example:
  - Loss of access to drives holding data
  - Loss of laptops holding data
  - Loss of devices holding data and/or MiniVAN
  - Loss of paper records
  - Loss of canvass sheets
The Members' Data Protection Rules require members to report any breaches or face disciplinary procedures. Whilst the Federal Party is legally liable for any breaches under the legislation, our constitution allows any fines to be shared with local parties if they are found to be responsible.
Subject Rights Requests
Individuals have 8 fundamental data protection rights:
- The right to be informed
- The right of access (Subject Access Request)
- The right to rectification
- The right to erasure (Right to be Forgotten)
- The right to restrict processing
- The right to data portability
- The right to object (Opt Out / Unsubscribe)
- Rights in relation to automated decision making and profiling
Details can be found at ICO - Individual Rights.
If an individual makes a request that can be interpreted as falling under any of these rights, it must only be handled by the Federal Party. There are specific legal requirements about how these requests are handled, for example verifying the requester's identity, and the format of the request and the reply. There are also situations in which we can refuse a request or limit its scope. Therefore you should always pass these requests on to the Federal Party rather than answering them yourself.
Rights requests may be phrased in many ways, including but not restricted to:
- What data do you hold on me?
- Delete me / my data from your database
- Stop processing my data
- I want a download of data you have on me
- The data you hold is wrong
- Stop profiling me
If you receive any request of this nature, you MUST report it to data.protection@libdems.org.uk immediately. We have one calendar month from receipt in which to respond to a request.
Opt Outs (Unsubscribe)
Opt outs must be processed within one calendar month of being received.
You can find out more about where Consent is required and recording Consent at Data Gathering and Consent.
Granularity of Consent
UK GDPR requires that Consent be granular. To that end, we treat all of our emailing lists as separate. Consent for emailing should be managed within the bulk mailing tool you are using, e.g. Targeted Email. Opting into a local party mailing list does not imply that the individual wants to opt into the Federal Party mailing list. Opting out of a local mailing list need only be reflected in that mailing list.
If you receive an opt-in for a Local Party, then you can add that email address to a Ward or Branch specific email list. However, you cannot do the opposite: an email address added to a Branch or Ward list must not be added to a Local Party list. In general, opt-ins can flow down through the party structure, but not up. Therefore, if the request is an opt-in to all levels of the Party, the request will need to be passed to data.protection@libdems.org.uk for action.
Opt outs on the Federal Website at Federal Opt Out page will be reflected down to local party databases.
Handling Opt Ins & Opt Outs
Online opt-ins should be processed directly into your Bulk Mail tool. If you have collected consent via a paper form, then this should be recorded in Connect, following the guidelines in Data Gathering and Consent.
Online opt-outs should come through the unsubscribe links generated by your email tool, so that the opt-out is reflected directly in the relevant mailing list. If you receive an opt-out from a Local Party list and you have also added the email address to a Branch or Ward list, then you must reflect that opt-out in those lists as well.
If you receive an opt-out via a letter or physical paper form, then you must record the withdrawal of consent in Connect by answering No to the relevant consent question, with the date the opt-out request was received. The details can be found in Connect Quick Sheet 2 at Connect Quick Sheets.