ICO orders Brexit Party to respond to subject-access requests dating back to May

Brexit Party claims it has been the target of a concerted campaign by activists

The Brexit Party has been ordered by the Information Commissioner's Office (ICO) to respond to subject-access requests dating back to May by the end of the week.

A subject-access request (SAR) enables individuals to demand from organisations details of the data they are keeping on them. Under GDPR, organisations have just 30 days to respond to such requests.

A spokesperson for the party said it had received a "flood" of requests around the time of the European Elections in May, and suggested that the organisation had been targeted by anti-Brexit campaigners.

"During the European elections, there was a coordinated attempt by campaigners to flood the Brexit Party with Subject Access Requests," a Brexit Party spokesperson said.

"All political parties are allowed access to the electoral register so they can send literature to voters. However, inaccurate claims circulated on social media, claiming we had acquired people's addresses improperly, leading to the written requests asking for access to information."

https://twitter.com/DanRealityBites/status/1126169067835023360?ref\\_src=twsrc%5Etfw

The ICO has given the Brexit Party until 22 November to answer the data requests, according to Sky News.

"We have responded to the vast majority of letters," the Brexit Party spokesperson said. "Around 0.2 per cent are currently being dealt with and we will meet the deadline agreed with the ICO."

In a statement, an ICO spokesperson said: "As a public body the ICO has to consider its responsibilities during the pre-election period. Our regulatory work continues as usual but we will not be commenting publicly on every issue raised during the General Election.

"We will however, be closely monitoring how personal data is being used during political campaigning and making sure that all parties and campaigns are aware of their responsibilities under data protection and direct marketing laws."

When GDPR was passed, some lawyers and experts warned that it could be used by activists to harass targeted organisations, especially major organisations that might struggle to collate all the information in time - one calendar month from the date of receipt of the request.

A cursory trawl of Twitter indicates a number of pro-EU accounts urging followers to bombard the Brexit Party with subject-access requests during the election in May.