Scottish National Party data breach highlights risks of mass mailing


Posted on 15 May 2019

The Scottish National Party has referred itself to the Information Commissioner’s Office and could face a hefty fine following a mass data breach. 

As part of its campaign for the upcoming European Parliament elections, the Scottish National Party (SNP) posted around 400,000 campaign leaflets to constituents. The letters were signed by the SNP leader, Nicola Sturgeon. Constituents’ names and addresses are held on the Electoral Register, which political parties are entitled to use to contact voters. However, the SNP sent a number of these letters to the wrong addresses, and it is reported that tens of thousands of people may be affected. Scottish voters got in touch with the SNP after receiving letters addressed to strangers or neighbours. 

The SNP therefore referred itself to the Information Commissioner’s Office (ICO) for the data breach. 

When does the GDPR require notification of breaches?

The GDPR defines data breaches widely. A data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Controllers must notify the supervisory authority (in the UK this is the ICO) of a data breach unless the breach is unlikely to result in a “risk to individuals' rights and freedoms”. The notification must be made without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach. 

They must also notify individuals affected by the breach if there is a “high risk to individuals' rights and freedoms”. This is a higher bar than for notifying the ICO.

In deciding whether to notify, the controller needs to consider the specific circumstances of the breach, including the likelihood, severity and potential impact of the risk. It must keep a record of the breach, including the facts relating to the breach, the effects of the breach and any remedial action taken in response. If the controller decides not to notify the breach, it must keep a record of that decision. 

Comment  

This incident shows how easy it is for simple errors to have serious data privacy ramifications. While the specifics around the breach are unknown, the SNP has put the breach down to a “clerical error”. The Electoral Registration Office has confirmed that it is confident the error was due to the SNP and not errors within the Electoral Register. 

While emails sent to the wrong recipients are the more commonly reported kind of breach, this incident shows that the same risks exist for letters and other hard copy communications. A mass mailing is, in practice, a bulk export of personal data, and a single error in the data used to generate it is replicated across every letter. Simple clerical errors can have huge consequences both for organisations and for the individuals affected. Controllers need to ensure they have appropriate checks in place before personal data is used on this scale, so as to minimise the risk of breaches, and, where breaches do occur, a contingency plan to minimise their impact. 

We await the ICO’s findings with interest.

The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.