Thursday, 10 April 2014

Carmarthenshire council and Data Protection

The BBC reports today that breaches of data protection by Welsh councils has more than doubled this year from last, from 60 to 135. Of interest to us of course is Carmarthenshire. The figures from 2012 are unknown but 2013 records five breaches, including, according to the BBC, going over the 40 day limit and two cases where information should have been released but wasn't.

A closer look at council minutes from November last year reveals further details; a CRB disclosure was sent to the wrong address; a client's personal details, including sensitive medical history was lost and a report concerning a child, prior to 'imminent' court proceedings, was emailed to the home address of a NHS employee to complete, the employee then sent the completed report to the wrong email address.

With regards to the latter, consideration was given whether such highly sensitive material should be sent to home email addresses at all. Probably not.

Another issue which arose after an internal audit in 2012/13 was that over 160 employees emailed information from the office to their own computers when working from home leading to the risk of personal data being potentially accessible to anyone who happened to use the home PC.

Of course, ensuring compliance in such a large organisation, with such an array of devices around these days is not easy and I'm sure the vast majority of staff take great care with personal data, but with a staffing compliment of two dealing with DPA and FOI, compared with a 'team of twenty' in the press office, priorities given to monitoring these issues might be a little skewed.

When the shoe is on the other foot though, and there is anything remotely 'sensitive' in a council meeting, such as public toilets or evangelical churches, the press and public are booted out forthwith. A request to view the register of councillor's gifts and interests involves a very closely supervised appointment in County Hall and for eighteen months all visitors to the public gallery were forced to give their names and addresses and signatures, even children.

'Out!' they said.
Of course, everyone should double check the email address before clicking 'send'. I had an interesting email from Mr James a couple of years ago which was intended for the FOI officer and related to a request for information I had submitted. What was interesting was that the Chief Executive had been involved at all given the subject matter of the request...common practice I expect.

A response from the council to another request made via the What Do They Know site in 2011 included my name and address, it took over two months for the head of administration and law to alert the website and have it removed.

In what I had better describe as 'threatening noises' made to me last year, it was suggested that as a blogger I was in breach of data protection as I was not registered as a data controller with the Information Commissioner and was publishing personal data. This was a little odd as a precedent had already been set in 2011 when an attempt by Barnet Council to attack a local blogger in this way was thrown out by the Information Commissioner.

I'm not sure where covert 'tracking' of councillors' emails fits into all this...but constituents should be aware of this if they should wish to contact their elected representative about any matter, data protection gets a bit blurry and anyone in County Hall could be reading it....

No comments: