Tuesday, 11 September 2018

Cyngor #Gwynedd Council's Report Into Their #Data Breach 2018

I emailed Morwena Edwards, Corporate Director of Social Services, on the 19th March, 2018.

"We are also concerned that you have been aware of a Data Breach by your Department for nearly a year and no-one from the Council has been in contact with us. The Investigator has been provided with evidence of the Data Breach and she says so in her Report".

On the 29th March, we attended a meeting with an Information Manager at Gwynedd Council regarding us being given the names of children receiving services from the Council and Youth Justice team and to find out who censored our personal information (SAR) and whether the redactions were legal.
Copies of the names and local school that had been released by the department were presented to the Manager.

On the 22nd May, we had to return for another meeting as the Manager did not answer the questions in her initial Report and also misrepresented the physical and oral evidence we provided. There was also an issue with the Manager failing to respond to our emails but an apology was given for this.

The second meeting was attended by a Janet Roberts, who introduced herself as Corporate Support for the council. Mrs Roberts said very little during the meeting but did take note of the questions we wished to be answered by the person in the Children and Families Department who carried out the redactions to our personal information.

Now these questions were asked as part of our Stage 2 complaint first raised with the council in May, 2017 and was to have been answered by the Independent Investigator. 
Gwynedd council reported that the officer responsible for processing our SAR and for the redactions had left the Council and so was unable to be interviewed.

At this second meeting, Mrs Roberts informed us that the person who processed our SAR had indeed left the council but was then re-employed by the council and was NOW our named person within the Customer Care department dealing with another complaint.

Oh forgot to mention that the Investigation of the Data Breach was upheld. The release of the names of children receiving services should not have happened and the Report, June 2018, is as follows -
                                                                  *****************


I write with reference to your complaint to the Council and in particular part 6 which relates to data and information.

The outcomes from the independent investigators report was that:

The complainants seek an explanation for the censoring of their own information and whether or not it is legal to do so. They seek an explanation from Melvin Panther as to how he thought it in any way appropriate or professional to speak about them in such a derogatory manner to another professional working with the family. In relation to the information containing other children’s details, they wish for this to be dealt with via the Council’s information/data protection security policy and procedure.

I will treat these matters in turn:

1.      Censoring of information and redacted and unredacted emails.

Email dated 5th of April 2016 10:48

You note that this had been provided to you in redacted and unredacted form and wish to know why it had been redacted.

The department have informed me that it was redacted because it was not thought appropriate to disclose at the time.

In my opinion this part of the email is your personal data since it relates to you and you can be identified by the information. There was no particular reason for it to be withheld and it should have been provided without redaction.

Email dated 27th of June 2016 at 16:45

I have examined the part of this email which has been redacted.

I am satisfied that this part of the email has been redacted appropriately. Under the right of subject access, an individual is entitled only to their own personal data, and not to information relating to other people.
This part of the email relates to information relating to a third party, namely a social worker. Under section 7(4) of the Act an authority does not have to comply with a request if to do so would mean disclosing information about another individual who can be identified from that information except where the individual has consented or it is reasonable in all the circumstances to comply with the request without that consent.
There was no consent in this case nor was it reasonable to comply without consent.

Email dated 5th of July 2016 at 13:30

I have examined the part of the email which has been redacted.

As above, this information does not relate to you but to a social worker. It therefore does not constitute your personal data. As such, it was appropriate for the information to be withheld in accordance with the reasoning outlined above.

Email dated 13th of July 2016 at 10:14

I have examined the part of the email which has been redacted.

I believe that this email should have been provided to you as it relates to you and is therefore your personal data.

2.   An explanation from Mel Panther

As noted in previous correspondence, it is not within my remit to comment on the actions of another member of staff.

3.      Emails containing other children’s details

I have examined the emails you provided me in this respect.

In a series of emails between two members of staff in January 2016 the names of children appear in the subject headings.

For a data breach to occur, the information in question must be personal data i.e. it must relate to an individual and allow them to be identified from the information.

In this case, it is not clear that a surname together with the name of a school would enable identification of an individual. However, the information confirms that the child is a child a need, which is sensitive information in itself.

It should also be noted that the name of this child had been redacted from the main text of an email in one instance and therefore there was a recognition that this was indeed third party personal data.

The name of another child also appears in the subject line of the same series of emails. This time there is a name and surname, which makes identification more likely. Again the information confirms that the child is a child in need, which is sensitive information in itself.

Having further considered the Information Commissioner’s Office guidance on determining what is personal data, which notes that someone can be identified from information we hold or ‘the means that could be used by a sufficiently determined and interested person’, I have concluded that on the balance of probabilities, this was personal data and therefore did constitute a data breach.

Therefore, the names should have been removed from the subject line of the emails before being disclosed to you as part of the subject access request.

At our meeting on the 23rd of May 2018, you asked some further questions which have been addressed below:

4.         Who made the decision to redact both emails?
In her role as the Information Officer, Angharad Hywel would in cases such as this routinely meet with her line manager at the time, Margaret Kenealy Jones to check the information which was to be shared. If she felt that some details noted within the information should be redacted, these  would be identified and advice would be sought from her line manager. In this specific case, she met with her line manager to read through the information which was to be disclosed. During this meeting they discussed some documents which were deemed to contain information which could be misinterpreted or could impact the working relationship between the family and the Service. The officer received guidance in relation to redacting these documents.

5.         Who asked for them to be redacted?
A decision was made between the Officer and the line manager at the time to redact the sentences in the email dated 5th April 2016 and the email dated 13th of July 2016.

6.         Did they consult with anybody?
No other officers were consulted.

7.         What were the reasons for the redaction?
Having read the redacted sentences in the emails dated 5 April 2016 and 13th July 2016, the Officer was of the opinion that these statements were the personal opinion about the family and that disclosing them could undermine the attempts to maintain a working relationship between the Service and the family. At the time of this Subject Access Request, and particularly during the timeframe in which this decision was taken, the Service had responded to a number of complaints and many of these were related to difficulties in the working relationship between the family and Mel Panther. It was imperative at this time, and in fact continues to be the case, that efforts were made to maintain a good working relationship between the Service and the family as the Service was focused on trying to ensure that *child* was provided with an assessment of his needs to ensure the best outcome for him.

Moving on to other points made in your email dated the 8th of June 2018, I would note that no procedures have been broken in terms of the redactions made. The usual procedure for dealing with a subject access request had been followed, ie, information was collated, advice was sought regarding redaction, redaction was carried out and information that was disclosable was disclosed.
It is noted that a breach did occur, but this was due to an oversight, and was low risk in terms of the amount of personal information disclosed.   

  As I stated during our meeting, the question regarding the legality of the redactions is not one I can answer. The redactions were carried out in good faith for the reasons given above. Redacting information is necessarily a subjective task and does, and indeed, can vary from person to person.

In terms of a data breach, the matter will be dealt with via the usual procedure, which is that a report is prepared for the Council’s SIRO (Senior Information Risk Owner) Group.

I will remind the departments regarding the need to take particular care at all times with future subject access requests.

I am sorry that I am unable to add anything further regarding this matter – if you wish to take the matter further you may contact the ICO, whose details are noted below:

https://ico.org.uk/concerns/ or ring them on 0303 123 1113.

                                                          ********************

Anyone else spot the contradictions ?
 
More worryingly, the report states it was the two information officers alone who made the decision to redact but goes on to state the "question regarding the legality of the redactions is not one I can answer."

An Official Report, written by an Information Manager, aided by Corporate Support with access to the entire Legal department at Gwynedd council can not answer to the legality of their Officers actions.
Hmm.

The SAR also reveals that one manager within the council would like to blame us for not reporting the Data Breach earlier.

The Data Breach was part of my complaint first raised with the council on the 25th May, 2017.
How did the council respond ?

See post - https://gwyneddsfailingcouncil.blogspot.com/2017/05/gwynedd-council-respond-to-my-complaint.html

They were all on holiday.





























































No comments: