I emailed Morwena Edwards, Corporate Director of Social Services, on the 19th March, 2018.
"We are also concerned that you have been aware of a Data Breach by your Department for nearly a year and no-one from the Council has been in contact with us. The Investigator has been provided with evidence of the Data Breach and she says so in her Report".
On the 29th March, we attended a meeting with an Information Manager at Gwynedd Council regarding us being given the names of children receiving services from the Council and Youth Justice team and to find out who censored our personal information (SAR) and whether the redactions were legal.
Copies of the names and local school that had been released by the department were presented to the Manager.
On the 22nd May, we had to return for another meeting as the Manager did not answer the questions in her initial Report and also misrepresented the physical and oral evidence we provided. There was also an issue with the Manager failing to respond to our emails but an apology was given for this.
The second meeting was attended by a Janet Roberts, who introduced herself as Corporate Support for the council. Mrs Roberts said very little during the meeting but did take note of the questions we wished to be answered by the person in the Children and Families Department who carried out the redactions to our personal information.
Now these questions were asked as part of our Stage 2 complaint first raised with the council in May, 2017 and was to have been answered by the Independent Investigator.
Gwynedd council reported that the officer responsible for processing our SAR and for the redactions had left the Council and so was unable to be interviewed.
At this second meeting, Mrs Roberts informed us that the person who processed our SAR had indeed left the council but was then re-employed by the council and was NOW our named person within the Customer Care department dealing with another complaint.
Oh forgot to mention that the Investigation of the Data Breach was upheld. The release of the names of children receiving services should not have happened and the Report, June 2018, is as follows -
*****************
********************
Anyone else spot the contradictions ?
More worryingly, the report states it was the two information officers alone who made the decision to redact but goes on to state the "question regarding the legality of the redactions is not one I can answer."
An Official Report, written by an Information Manager, aided by Corporate Support with access to the entire Legal department at Gwynedd council can not answer to the legality of their Officers actions.
Hmm.
The SAR also reveals that one manager within the council would like to blame us for not reporting the Data Breach earlier.
The Data Breach was part of my complaint first raised with the council on the 25th May, 2017.
How did the council respond ?
See post - https://gwyneddsfailingcouncil.blogspot.com/2017/05/gwynedd-council-respond-to-my-complaint.html
They were all on holiday.
"We are also concerned that you have been aware of a Data Breach by your Department for nearly a year and no-one from the Council has been in contact with us. The Investigator has been provided with evidence of the Data Breach and she says so in her Report".
On the 29th March, we attended a meeting with an Information Manager at Gwynedd Council regarding us being given the names of children receiving services from the Council and Youth Justice team and to find out who censored our personal information (SAR) and whether the redactions were legal.
Copies of the names and local school that had been released by the department were presented to the Manager.
On the 22nd May, we had to return for another meeting as the Manager did not answer the questions in her initial Report and also misrepresented the physical and oral evidence we provided. There was also an issue with the Manager failing to respond to our emails but an apology was given for this.
The second meeting was attended by a Janet Roberts, who introduced herself as Corporate Support for the council. Mrs Roberts said very little during the meeting but did take note of the questions we wished to be answered by the person in the Children and Families Department who carried out the redactions to our personal information.
Now these questions were asked as part of our Stage 2 complaint first raised with the council in May, 2017 and was to have been answered by the Independent Investigator.
Gwynedd council reported that the officer responsible for processing our SAR and for the redactions had left the Council and so was unable to be interviewed.
At this second meeting, Mrs Roberts informed us that the person who processed our SAR had indeed left the council but was then re-employed by the council and was NOW our named person within the Customer Care department dealing with another complaint.
Oh forgot to mention that the Investigation of the Data Breach was upheld. The release of the names of children receiving services should not have happened and the Report, June 2018, is as follows -
*****************
I
write with reference to your complaint to the Council and in particular part 6
which relates to data and information.
The
outcomes from the independent investigators report was that:
The complainants seek
an explanation for the censoring of their own information and whether or not it
is legal to do so. They seek an explanation from Melvin Panther as to how he
thought it in any way appropriate or professional to speak about them in such a
derogatory manner to another professional working with the family. In relation
to the information containing other children’s details, they wish for this to
be dealt with via the Council’s information/data protection security policy and
procedure.
I
will treat these matters in turn:
1. Censoring of information and redacted and unredacted
emails.
Email dated 5th
of April 2016 10:48
You
note that this had been provided to you in redacted and unredacted form and
wish to know why it had been redacted.
The
department have informed me that it was redacted because it was not thought
appropriate to disclose at the time.
In
my opinion this part of the email is your personal data since it relates to you
and you can be identified by the information. There was no particular reason
for it to be withheld and it should have been provided without redaction.
Email dated 27th
of June 2016 at 16:45
I
have examined the part of this email which has been redacted.
I
am satisfied that this part of the email has been redacted appropriately. Under the right of
subject access, an individual is entitled only to their own personal data, and
not to information relating to other people.
This
part of the email relates to information relating to a third party, namely a
social worker. Under section 7(4) of the Act an authority does not have to
comply with a request if to do so would mean disclosing information about
another individual who can be identified from that information except where the
individual has consented or it is reasonable in all the circumstances to comply
with the request without that consent.
There
was no consent in this case nor was it reasonable to comply without consent.
Email dated 5th
of July 2016 at 13:30
I
have examined the part of the email which has been redacted.
As
above, this information does not relate to you but to a social worker. It
therefore does not constitute your personal data. As such, it was appropriate
for the information to be withheld in accordance with the reasoning outlined
above.
Email dated 13th
of July 2016 at 10:14
I
have examined the part of the email which has been redacted.
I
believe that this email should have been provided to you as it relates to you
and is therefore your personal data.
2. An explanation from Mel Panther
As
noted in previous correspondence, it is not within my remit to comment on the
actions of another member of staff.
3. Emails containing other children’s details
I
have examined the emails you provided me in this respect.
In
a series of emails between two members of staff in January 2016 the names of
children appear in the subject headings.
For
a data breach to occur, the information in question must be personal data i.e.
it must relate to an individual and allow them to be identified from the
information.
In
this case, it is not clear that a surname together with the name of a school
would enable identification of an individual. However, the information confirms
that the child is a child a need, which is sensitive information in itself.
It
should also be noted that the name of this child had been redacted from the
main text of an email in one instance and therefore there was a recognition
that this was indeed third party personal data.
The
name of another child also appears in the subject line of the same series of
emails. This time there is a name and surname, which makes identification more
likely. Again the information confirms that the child is a child in need, which
is sensitive information in itself.
Having
further considered the Information Commissioner’s Office guidance on
determining what is personal data, which notes that someone can be identified
from information we hold or ‘the means that could be used by a sufficiently
determined and interested person’, I have concluded that on the balance of
probabilities, this was personal data and therefore did constitute a data breach.
Therefore,
the names should have been removed from the subject line of the emails before
being disclosed to you as part of the subject access request.
At
our meeting on the 23rd of May 2018, you asked some further
questions which have been addressed below:
4.
Who made the decision
to redact both emails?
In her role as the
Information Officer, Angharad Hywel would in cases such as this routinely meet
with her line manager at the time, Margaret Kenealy Jones to check the
information which was to be shared. If she felt that some details noted within
the information should be redacted, these would be identified and advice would be sought
from her line manager. In this specific case, she met with her line manager to
read through the information which was to be disclosed. During this meeting
they discussed some documents which were deemed to contain information which
could be misinterpreted or could impact the working relationship between the
family and the Service. The officer received guidance in relation to redacting
these documents.
5.
Who asked for them to
be redacted?
A decision was made between
the Officer and the line manager at the time to redact the sentences in the email
dated 5th April 2016 and the email dated 13th of July 2016.
6.
Did they consult with
anybody?
No other
officers were consulted.
7.
What were the reasons
for the redaction?
Having read the redacted sentences in the emails
dated 5 April 2016 and 13th July 2016, the Officer was of the
opinion that these statements were the personal opinion about the family and
that disclosing them could undermine the attempts to maintain a working
relationship between the Service and the family. At the time of this Subject
Access Request, and particularly during the timeframe in which this decision
was taken, the Service had responded to a number of complaints and many of
these were related to difficulties in the working relationship between the
family and Mel Panther. It was imperative at this time, and in fact continues
to be the case, that efforts were made to maintain a good working relationship
between the Service and the family as the Service was focused on trying to
ensure that *child* was provided with an assessment of his needs to
ensure the best outcome for him.
Moving on to other points made in your email
dated the 8th of June 2018, I would note that no procedures have
been broken in terms of the redactions made. The usual procedure for dealing
with a subject access request had been followed, ie, information was collated,
advice was sought regarding redaction, redaction was carried out and
information that was disclosable was disclosed.
It is noted that a breach did occur, but this
was due to an oversight, and was low risk in terms of the amount of personal
information disclosed.
As I
stated during our meeting, the question regarding the legality of the
redactions is not one I can answer. The redactions were carried out in good
faith for the reasons given above. Redacting information is necessarily a
subjective task and does, and indeed, can vary from person to person.
In terms of a data breach, the matter will be
dealt with via the usual procedure, which is that a report is prepared for the
Council’s SIRO (Senior Information Risk Owner) Group.
I will remind the departments regarding the
need to take particular care at all times with future subject access requests.
I am sorry that I am unable to add anything
further regarding this matter – if you wish to take the matter further you may contact
the ICO, whose details are noted below:
********************
Anyone else spot the contradictions ?
More worryingly, the report states it was the two information officers alone who made the decision to redact but goes on to state the "question regarding the legality of the redactions is not one I can answer."
An Official Report, written by an Information Manager, aided by Corporate Support with access to the entire Legal department at Gwynedd council can not answer to the legality of their Officers actions.
Hmm.
The SAR also reveals that one manager within the council would like to blame us for not reporting the Data Breach earlier.
The Data Breach was part of my complaint first raised with the council on the 25th May, 2017.
How did the council respond ?
See post - https://gwyneddsfailingcouncil.blogspot.com/2017/05/gwynedd-council-respond-to-my-complaint.html
They were all on holiday.
