Data Breach - Censoring Information. Gwynedd Council 2018.
I emailed Morwena Edwards, Corporate Director of Social Services, on the 19th March, 2018. "We are also concerned that you have been aware of a Data Breach by your Department for nearly a year and no-one from the Council has been in contact with us. The Investigator has been provided with evidence of the Data Breach and she says so in her Report". On the 29th March, we attended a meeting with an Information Manager at Gwynedd Council regarding us being given the names of children receiving services from the Council and Youth Justice team and to find out who censored our personal information (SAR) and whether the redactions were legal. Copies of the names and local school that had been released by the department were presented to the Manager. On the 22nd May, we had to return for another meeting as the Manager did not answer the questions in her initial Report and also misrepresented the physical and oral evidence we provided. There was also an issue with the Manager failing to respond to our emails but an apology was given for this. The second meeting was attended by a Janet Roberts, who introduced herself as Corporate Support for the council. Mrs Roberts said very little during the meeting but did take note of the questions we wished to be answered by the person in the Children and Families Department who carried out the redactions to our personal information. Now these questions were asked as part of our Stage 2 complaint first raised with the council in May, 2017 and was to have been answered by the Independent Investigator. Gwynedd council reported that the officer responsible for processing our SAR and for the redactions had left the Council and so was unable to be interviewed. At this second meeting, Mrs Roberts informed us that the person who processed our SAR had indeed left the council but was then re-employed by the council and was NOW our named person within the Customer Care department dealing with another complaint. Oh forgot to mention that the Investigation of the Data Breach was upheld. The release of the names of children receiving services should not have happened and the Report, June 2018, is as follows - *****************
I write with reference to your complaint to the Council and in particular part 6 which relates to data and information.
The outcomes from the independent investigators report was that:
The complainants seek an explanation for the censoring of their own information and whether or not it is legal to do so. They seek an explanation from Melvin Panther as to how he thought it in any way appropriate or professional to speak about them in such a derogatory manner to another professional working with the family. In relation to the information containing other children’s details, they wish for this to be dealt with via the Council’s information/data protection security policy and procedure.
I will treat these matters in turn:
In her role as the Information Officer, Angharad Hywel would in cases such as this routinely meet with her line manager at the time, Margaret Kenealy Jones to check the information which was to be shared. If she felt that some details noted within the information should be redacted, these would be identified and advice would be sought from her line manager. In this specific case, she met with her line manager to read through the information which was to be disclosed. During this meeting they discussed some documents which were deemed to contain information which could be misinterpreted or could impact the working relationship between the family and the Service. The officer received guidance in relation to redacting these documents.
A decision was made between the Officer and the line manager at the time to redact the sentences in the email dated 5th April 2016 and the email dated 13th of July 2016.
No other officers were consulted.
Having read the redacted sentences in the emails dated 5 April 2016 and 13th July 2016, the Officer was of the opinion that these statements were the personal opinion about the family and that disclosing them could undermine the attempts to maintain a working relationship between the Service and the family. At the time of this Subject Access Request, and particularly during the timeframe in which this decision was taken, the Service had responded to a number of complaints and many of these were related to difficulties in the working relationship between the family and Mel Panther. It was imperative at this time, and in fact continues to be the case, that efforts were made to maintain a good working relationship between the Service and the family as the Service was focused on trying to ensure that *child* was provided with an assessment of his needs to ensure the best outcome for him.
Moving on to other points made in your email dated the 8th of June 2018, I would note that no procedures have been broken in terms of the redactions made. The usual procedure for dealing with a subject access request had been followed, ie, information was collated, advice was sought regarding redaction, redaction was carried out and information that was disclosable was disclosed.
It is noted that a breach did occur, but this was due to an oversight, and was low risk in terms of the amount of personal information disclosed.
As I stated during our meeting, the question regarding the legality of the redactions is not one I can answer. The redactions were carried out in good faith for the reasons given above. Redacting information is necessarily a subjective task and does, and indeed, can vary from person to person.
In terms of a data breach, the matter will be dealt with via the usual procedure, which is that a report is prepared for the Council’s SIRO (Senior Information Risk Owner) Group.
I will remind the departments regarding the need to take particular care at all times with future subject access requests.
I am sorry that I am unable to add anything further regarding this matter – if you wish to take the matter further you may contact the ICO, whose details are noted below:
https://ico.org.uk/concerns/ or ring them on 0303 123 1113.
******************** Anyone else spot the contradictions ? More worryingly, the report states it was the two information officers alone who made the decision to redact but goes on to state the "question regarding the legality of the redactions is not one I can answer." An Official Report, written by an Information Manager, aided by Corporate Support with access to the entire Legal department at Gwynedd council can not answer to the legality of their Officers actions. Hmm. The SAR also reveals that one manager within the council would like to blame us for not reporting the Data Breach earlier. The Data Breach was part of my complaint first raised with the council on the 25th May, 2017. How did the council respond ? See post - https://gwyneddsfailingcouncil.blogspot.com/2017/05/gwynedd-council-respond-to-my-complaint.html They were all on holiday.
More - https://gwyneddsfailingcouncil.blogspot.com/