EXCL Lib Dems forced to report themselves to data watchdog after major privacy blunder
The Liberal Democrats have been forced to report themselves to the UK's data watchdog after exposing sensitive voter information in a major privacy blunder.
The party admitted it had self-reported to the Information Commissioner’s Office after it left the personal details of voters in Lewisham East exposed online in an astonishing data breach.
The embarrassing development comes just days ahead of a by-election in the ultra pro-Remain seat, at which the party hopes to eat into the solid Labour vote.
Dates of birth, mobile and home telephone numbers were provided to party activists alongside a phone script to help them get out their vote on Thursday.
But the data was inadvertently left accessible to the general public due to a security foul-up exposed by PoliticsHome.
A spokesperson for the party confirmed to this website that the Lib Dems had alterted the Information Commissioner to the blunder.
The ICO said it had received the report but is yet to decide whether to launch a formal investigation.
“We have been made aware of this incident through a self-reported personal data breach notification”, an ICO spokesperson said.
“We are assessing the information provided and considering next steps."
Information gathered through the party's canvassing operations was also made available through the site open to anyone who had the correct link.
Voters were identified by tags indicating their political leanings, such as “Yellow Labour” and “Weak Lib Dem”. In some cases, the information was available for entire families.
In a statement last week, a Lib Dem spokesperson said: “As soon as we were made aware of the issue we immediately took action and closed access.
"We are urgently investigating how this happened and have taken steps to ensure it will not again.”
The data should have been secured behind a password-protected login page and accessible only by registered Liberal Democrat activists.
But a blunder saw the direct link shared on a Facebook page used to co-ordinate the party's campaigning activities.
It meant anyone with the link could access the data without verifying their identity.
The loophole was closed once the party was made aware of the breach, but it is possible that the data was openly accessible for several days.
The blunder comes soon after the introduction of General Data Protection Regulation laws aimed at tightening up the rules on the use of personal data by organisations.
Under the new regulations, organisations must notify the ICO within 72 hours of becoming aware of certain types of personal data breach.
If they believe the breach does not warrant reporting the reasoning must be formally documented.