Saturday, 4 October 2008

COUNCIL GUILTY OF DATA PROTECTION BREACH

Some people may be interested to hear about a letter of APOLOGY I've received from the council this morning.

Following the publication of the Longton High School closure notice in June, I and many other people in the city (including staff at the school) wrote letters of objection to the council during the given 6 week period. On 13th August, the EMB meeting to discuss these letters of objection and to ratify the legal closure was held. The agenda and papers for this report were posted on the Council website. When I checked out the papers, I was shocked to find that my letter had been scanned and was sitting on the website as a pdf, with all my personal details (and those of every other letter writer) available for the whole world to see.

Now, whilst I am no shrinking violet, and am happy to air my objections, I wasn't really prepared for my personal details to be made available by the council to the whole world. Therefore, I immediately posted a formal complaint to the council, citing a breach of data protection legislation, on behalf of both myself and every other letter writer involved.

Since then, I've received a couple of letters saying my complaint was under investigation by the legal department, but today, I've received a letter of apology, as follows (spelling mistakes are the Council's - not mine):

"Dear Mrs C,
Complaint re: Alledged breach of the Data Protection Act, 1998

Further to my previous correspondence of 18th Sept 2008 regarding the above, I write to inform you that I have now investigated this matter and can inform you of the following:

The Legal Section of the City Council, having been requested to provide advise on this issue have responded by indicating:

1. The information Commissioners Office (ICO) guidance in relation to council meetings is clear in that, whilst "transparency is central to improving public trust in councils and publishing details of public meetings is an important part of this. However Councils must ensure that they safeguard individuals privacy by keeping personal information confidential where appropriate."

2. where data is provided to the Council in connection with a public consultation exercise (such as a planning application) and members of the public are aware that their letters of objection/support will be made available to the public then consequently the expectation of confidentiality is much lower.

3. as appropriate personal data should be properly redacted, ie edited. One approach may be to "sanitise" the data by deleting names and addresses. Sometimes that approach is used in the press where names and addresses are withheld but the letters are accompanied by the comment "detail supplied."

Thus where members of the public were not notified that their names and addresses would be published constitutes a breach of the Data Protection Act.

It is based on this information that I write to apologise for this breach of confidentiality and confirm that I will be writing to the ICO to inform it of the complaint and indicating what steps the council has taken to prevent a re-occurence.

In addition, the Council will be arranging for all report authors to be re-issued with guidelines regarding the publication of personal information. Procedures have also been put in place for the Members Support Division to check all reports which it publishes to ensure that no personal details are included save where expressly provided for.

Once again, I apologise for this breach of Data Protection Act and hope that the actions taken will reassure you that the Council has taken the appropriate steps to prevent a similar situation in the future. I am also sorry that this response has taken longer than anticipated. It was necessary for me to consult with the Director of Children and Young People's Services before writing to you and consequently I had to confirm that, as that Directorate were the report authors and providers of the information that was published, the facts contained in this correspondence were accurate.

Yours faithfully....."

So, my advice to anyone writing letters to the Council is - make sure your details aren't spread all over their website! Hopefully, they will have learned lessons from this, but as there are other consultations and further future school closures to come, it might be something for you all to consider.

I am glad I made the complaint, if only to ensure that this doesn't happen again. Any thoughts anyone?

4 comments:

nita said...

Yes, I was one of those people who wrote a letter of objection. When I went onto the Council web, to view the minutes for the EMB Meeting, I was alarmed to see, that all names and addresses were available for all to see. Not too bad for me, as my name and address is not in the local directory. However, many people's are. Can you imagine the teacher's reaction to see their names and addresses readily available. Its good to see that the Council has investigated this matter, and hopefully this will not happen again.

Hugh said...

Do I detect a smidgen of hypocrisy from the Council? "... transparency is central to improving public trust in councils ...". Funny it seems to work one way but not the other. Try to get any information out of them ... see
http://www.havocinstoke.org.uk/academiescommons1.html#BSF for one example of just how secretive they are.

nita said...

Hugh, thanks for the link. Its all very interesting reading. There seems to be some controversy, of how many Academies the City has to have to gain the funding. Keep us upto date on any replies you get, and we will have to do an article.

Alison said...

UPDATE - As of this afternoon, Sunday 5th October, I have checked on the Council website and the letters are STILL on there, complete with personal details! This is amazing!

I will be making contact with the Information Commissioner's Office in the morning. As stated in the letter I received from the Council, they have to notify the ICO of a data protection breach, and tell them what they are going to do about it. What I want to know is WHEN they are going to do something about it - ie, remove the personal information from their website!

I have been accused on another post (the one about Hanley bus station) of besmirching the council by claiming their incompetence. Whilst I don't think I did it on that particular post, I am going to now. How can they send me a letter of apology and acceptance of the breach, but not put it right? Incompetence is the only description I am afraid.