In August, after yet another data loss scandal engulfed the Government, the leader of the Liberal Democrats, Nick Clegg said,
"I'm just gobsmacked, like everyone else is, that the government can be so systematically incompetent in failing to keep our data safe. Frankly the Keystone Cops would do a better job running the Home Office and keeping our data safe than this government, and if this government cannot keep the data of thousands of guilty people safe, why on earth should we give them the data of millions of innocent people in an ID card database?""Absolutely Cleggy!" you might think, but the important thing to remember here is that whilst the Government have been shown to be incompetent at protecting data on numerous occassions, the Liberal Democrats have instead actively breached privacy rules and data protection responsibilities.
Some may remember that back in September they were told they would face prosecution by the Information Commissioner after their decision to use so called "robocalling" to contact 250,000 people with unsolicted direct marketing and play a recorded message from Nick Clegg. I can also reveal that the Liberal Democrats are playing loose and fast with their own members data too.
The independent Lib Dem Voice blog has been given a form of access to the Liberal Democrats membership list in order to allow them to authenticate genuine Lib Dems for their "members only forum". To register for the forum the site requires full name, postcode and party membership number, and it then has query access to the Lib Dem membership list in order to confirm if the person registering is a member or not. The site says,
this information is passed into a piece of software provided by the Liberal Democrats that responds simply to say whether or not you are currently a member of the party, and this will be used to permit or deny you access to the forum. Lib Dem Voice is not given access to the party’s membership records and is not provided with any information from them other than “is a member” or “is not a member”.Now you see, it doesn't matter whether Lib Dem Voice have or have not got "access to the party’s membership records" the key here is that they, as an independent third party, are given a response by the Liberal Democrats which discloses someone's personal information in the form of their membership. I ran this by the Information Commissioners office and there was little doubt from them that this would constitute a breach of data protection.
It's a bit like if I rang a bank and gave them someone's full name, postcode and their account number and asked them to confirm that the details were valid. They would not disclose that information and be quite clear that it ould breach the data protection laws for them to do so, and they would be quite right too. This not so with the Liberal Democrats it seems.
The only people the Liberal Democrats should be disclosing this information to are legitimate requesters, and legitimate requesters most certainly do not include an independent website with a discussion forum. A legitimate requester would be, according to the ICO, someone like the police carrying out an investigation.
It doesn't just end there though, once someone is a member of the LDV forum they are sent personalised surveys each month which ask questions such as "Who did you vote for in the leadership?", "do you regret your decision?" and "who do you intend to vote for as the next President of the Party?".
These are questions about what someone has done or intends to do in an "officially" secret ballot. Responses which can then be cross-referenced against membership IDs meaning that LDV is profiling its forum members in quite extensive detail. It's probably worth noting at this point as well that one of Lib Dem Voice's primary contributers is Mark Pack, Head of Innovations for the Liberal Democrats at Cowley Street.
So not only do we have the Liberal Democrats breaching data protection by disclosing whether someone is a member to an illegitimate third party. We also have a website that is profiling members of the Lib Dems on matters such as their secret ballot decisions and that information could quite easily be fed back into the Party HQ.
Such information could thus potentially be used for malign purposes like identifying the "bad eggs" for example, and/or helping to rig ballots etc etc. The Liberal Democrats and Lib Dem Voice have quite a lot of explaining because of these two information security issues I'd say.
Firstly, why is Cowley Street confirming to a third party whether someone is or is not a member (the other two main parties do not and would not do this (I checked))? Secondly, why is the independent Lib Dem Voice blog gathering secret ballot data that can be cross-referenced for profiling purposes and can so easily find its way on to a desk in Cowley Street?
Now I'm guessing that some may respond to this suggesting that this is not really that bad, they're not disclosing names and addresses after all. However, what one needs to remember is that by confirming a name, postcode and membership status (essentially reverse searching) they are in fact disclosing those three things and they should not be.
Data protection is not just about whether you give details out directly, it's also about whether you unwittingly confirm details when requested to do so. As I said above, a bank would not confirm if someone was a customer of theirs if you just happened to walk in and gave them a name, postcode and account number.