Reform Wales faces data breach questions after Tory members receive party emails

Emily Price

Serious concerns have been raised over a potential data breach involving Reform Wales after individuals subscribed to a Welsh Conservative Party mailing list began receiving press releases from the party’s Senedd group.

Several Conservative Party members, along with journalists previously excluded from Reform UK’s media distribution lists, say they have recently started receiving emails carrying the party’s logo and distinctive turquoise branding.

It comes after several former Welsh Conservative staff members joined Reform’s Senedd operation following the May 7 election.

One email received by Conservative Party members last week was signed off by a Reform staffer who previously worked for the Tories in Cardiff Bay.

The message stated: “Please find attached a letter addressed to Darren Millar from Llyr Powell MS, responding to yesterday’s debate.”

The attached letter, written by Mr Powell, stated: “Dear Darren, I hope you are well, given your absence from the chamber yesterday.

“I write to you in relation to your party’s decision to vote with Plaid Cymru to delete our opposition debate motion on childcare, where we hoped to encourage the Welsh Government to publish the full costings and implementation timetable for Plaid’s flagship childcare policy.

“I recall members of your group expressing concerns over the lack of detail and potential cost in delivering the policy.

“Natasha Asghar outlined her concerns on ITV’s Sharp End.

“I note your spokesperson, Sam Rowlands, said in the debate: ‘If a policy is genuinely affordable, then publishing those full costings should strengthen confidence in it, not weaken it’.

“Given your willingness to ‘recognise the Welsh Government’s commitment to provide an update on the initial costings and phasing for the expansion of the universal childcare on their terms’ is it now Welsh Conservative policy to give the Plaid government a blank check on the implementation of all of their policies?

“Can the Welsh Conservatives produce the costings that have assured them that there is no risk to the taxpayer, the NHS, education or farming budgets as a result of the policy?”

Barred

Nation.Cymru approached the Welsh Conservatives to ask whether the party was aware of any potential data breach involving Reform’s apparent use of a Conservative Party mailing list.

The party declined to comment.

Several journalists and media organisations previously barred from receiving Reform UK press releases have also reported receiving recent correspondence from the party.

One recipient was a former volunteer at a small local media outlet who had requested that their personal email address be added to the Welsh Conservative Party’s media mailing list some time ago.

Although the individual no longer works in the media and have never provided their contact details to Reform UK, they say they have recently begun receiving the party’s press releases.

Data protection

While many email addresses on political mailing lists are publicly available, concerns over a potential data breach centre on private email addresses supplied directly by individual journalists and media workers and Conservative Party members.

The sharing of such personal contact details between separate legal entities without the explicit consent of those concerned could constitute a breach of data protection legislation.

Nation.Cymru raised the matter with Reform UK’s data protection department.

However, a response from the party stated that it was not appropriate for the issue to be raised with that department.

Nation.Cymru also contacted Reform UK’s media teams in Wales and Westminster, asking whether the party had instructed any former Welsh Conservative staff member or politician to obtain or use Tory data without permission.

We did not receive a response.

To complain about a GDPR breach, an individual must first formally complain to the offending organisation.

If they do not resolve the issue within one month, the matter can be escalated to the Information Commissioner’s Office, which acts as the UK’s independent data privacy regulator.