In recent weeks, Dr Jolyon ‘I used to be a KC’ Maugham FRCPCH has been following up his one-man boycott of Gail’s bakeries with a barrage of data subject access requests to the Conservative Party and what he calls “their client journalists in the gutter press”. And now his (Not Very) Good Law Project have launched a campaign to “defend democracy from data dark arts”, by enabling supporters to send a data subject access request, via the GLP, to one (or more) of five political parties.

Yes, all the political parties are profiling and targeting you! But you have the power to stop them! And, if they ignore you, there will be consequences: “together we can take them to court”! Rock ‘n’ roll!

However, somewhat hilariously, once you’ve clicked to select one of the five political parties, you find that the GLP is campaigning to stop the five parties collecting and using your personal data by … collecting and using your personal data!

If you take action on this page, we’ll forward your data request to the [selected political party] via email. We’ll also collect your information and may use this to further develop the campaign. For more information about how we process your data, please see our privacy notice.

And the GLP’s privacy notice states:

We may collect the following information about you:

Name, address, phone number, post code, voting intentions, general information like which companies you use, comprehensive demographic data, annual household income, age, IP address.

The information collected may include special category of data, which include health information, sexual orientation, race, ethnic origin, political opinion, religion, trade union membership, genetic and biometric data.

Which got me wondering: why can’t we play the same game? Jolyon, stop targeting me!

So, today I’ve made a data subject access request to the GLP, via the ‘contact‘ page in their privacy notice. And – if you’re not put off by the prospect of Jolyon turning up on your doorstep at 4am with his famous baseball bat – you can do so too, using the template beneath Captain Mainwaring and the U-Boat captain, below. (Note that the GLP may respond by asking you to confirm your identity by sending e.g. a copy of your driving licence, as they are entitled to do, and as the Conservative Party has been doing in response to SARs submitted via the GLP.)

[Update: On 28 June, the GLP finally acknowledged the data SAR that I sent them on 5 June, by … asking me to verify my identity. I replied with a photo of my driving licence.]

[Further update: On 1 July, the GLP emailed me, acknowledging receipt of my proof of ID, but stating that my data SAR is “complex” because “much of your personal data which we are processing is likely to be covered by exemptions to Article 15 GDPR. Consequently we regret that we require a further two months to respond to your request, in accordance with Article 12(3) GDPR. We will therefore respond to your request by 5 September 2024.” And, after I requested clarification, on 2 July the GLP replied, stating: “Our response to your SAR is complex because it involves us filtering for matters which are confidential and/or benefit from legal privilege.”]

[Further update: On 28 August, the GLP responded to my SAR, stating: “In preparing this response, we have relied on Article 15(4) GDPR which prevents us from providing copies of personal data where to do so would adversely affect the rights of others”.

The response consists of two documents, the first of which simply contains the bank details that I submitted to the GLP when making small donations to two of their online crowdfunders in December 2023 and early January 2024, to test whether the crowdfunders were live (one was incomplete, appears to have been posted online in error, and was later deleted by the GLP, but not before it had accepted my £6.66 donation).

The second, four-page document contains 26 short and undated extracts – many of them heavily redacted but each containing my name – from clearly more extensive conversations between unidentified GLP staff via email, Slack, WhatsApp or SMS text. One of these extracts defames me as a “transphobe”:

However, under the GDPR, ‘personal data’ means anything which relates to me, or from which I can be identified. In other words, the GLP should provide me with more than just a single extract, containing my name, from each internal conversation that is about me. But the GLP appears to have applied the Article 15(4) exemption, in blanket fashion, to everything they hold that is about me, but does not contain my actual name. And it is far from clear why providing me with copies of such ‘personal data’ would “adversely affect the rights of others”. Accordingly, on 10 September I wrote to the GLP, setting out my dissatisfaction with their response and requesting reconsideration of my SAR.]

[Further update: On 16 September, the GLP responded, rejecting my request for reconsideration of my SAR and stating:

“We consider that our initial response to your SAR was fully compliant with the UK GDPR. There is no requirement to explain in detail how exemptions have been applied or how a balance has been struck between the data subject’s rights and those of others.

However in response to your request for reconsideration and in the spirit of cooperation, we can inform you that we withheld three documents from our response. Two of those documents are legally privileged and one contains sensitive personal information about a third party. They are therefore exempt from disclosure as part of our response under Article 15(4) UK GDPR and s15 and para 19 to Schedule 2 of the Data Protection Act 2018.

We note your stated intention to make a complaint to the ICO. We consider such a complaint to be unnecessary but will of course cooperate fully with any investigation by the ICO which results from that complaint.”]

Subject: Subject access request and objection to processing

Dear Good Law Project,

I am writing to you to exercise my rights of access, objection and restriction in relation to my personal data under Articles 15, 18 and 21 of the UK GDPR. I refer to recital 63 of the same, which stresses the importance of a data subject being able to be aware of, and verify the lawfulness of, the processing of their personal data.

My details for the purposes of identifying me and handling my data subject access request are:

Full name: [insert name]

Address: [insert full address]

Email address: [insert email address]

I believe that you are, or may be, processing my personal data.

You will be aware that, under Article 21 of the UK GDPR, following an objection request, you must no longer process my personal data unless you demonstrate compelling legitimate grounds for the processing, which overrides my own interests, rights and freedoms, and, until you can demonstrate compelling grounds, you must, under Article 18, restrict the processing of my personal data.

Please respond to the above requests as soon as possible and in any event within one month of receipt.

All of my other rights are reserved.

Yours sincerely,

[insert name]