NYCC/CYPS: Serious Data Breach Leaves Kids Vulnerable
- an “In My View” article by NIGEL WARD, reporting on a serious breach of personal data on the part of Pete DWYER’s Children & Young Peoples’ Services department at NYCC.
On 15th April 2016, I emailed NYCC’s Asst. CEO: Legal & Democratic Services and Monitoring Officer Barry KHAN to inform him of a very serious breach of the Data Protection Act 1998 on the part of Children & Young People’s’ Services at the Council, for whom ultimate responsibility resides with the Corporate Director, Pete DWYER.
In a PDF document publish on the NYCC website, the necessary redaction of the names and personal data of members of the public, including children and young people under the age of 18, had proved to be fatally flawed, leaving data easily accessible to internet-users.
This was particularly disturbing because many school children have a presence on social-media – Facebook, Google+, Pinterest, Tumblr, WhatsApp, etc – showing not only their images (as profile pics) but also those of other members of their friendship circles, and often a general narrative of their recent activities, likes/dislikes, favourite meeting-places, etc.
Clearly, this stood to render them and their friends open to targeting by predatory ‘groomers’ who trawl the social-media sites in search of potential victims for sexual abuse.
In the wider context of the reports of inappropriate conduct taking place between teachers and students, this data breach must be viewed very seriously indeed.
To his credit, Barry KHAN arranged for the immediate withdrawal from publication of the inadequately redacted document, thanking me for my assistance in drawing to his attention the exact nature of the technical error.
Only today, 31st May 2016, has NYCC’s Paul ATKINSON confirmed, on behalf of the Council’s Information Governance Manager (identity unknown), that NYCC has since complied with the regulations by reporting itself and the above-mentioned data breach to the Information Commissioner’s Office. I have asked Paul ATKINSON for a copy of the report and any follow-up correspondence between NYCC and the ICO; nothing is thus far forthcoming.
It is not known what has happened to copies of the PDF document sent out by CYPS in email correspondence. One suspects that such copies are now beyond recall, leaving children and young people permanently vulnerable.
Hard-copy documentation bearing the printed URL-link to the document now, of course, directs users to a properly redacted version at the same web-location.
I am awaiting the Council’s response to my Freedom of Information request of 12th May 2016, requesting the following information in an attempt to elicit how many such flawed redactions have emanated from the Council this year alone:
- A) For the calendar months January, February, March & April 2016, how many PDF documents did the Council publish into the public domain – either by way of download-URL links on the Council’s website, or by attachment to outgoing emails?
- B) Of those, how many contained redactions
- C) Of those, how many were redacted using the procedure that I have demonstrated to be useless?
It would be a very serious matter indeed if the Council were to be shown to have ‘leaked’ personal data on a routine basis as a result of similar acts of technical or administrative incompetence, either within Pete DWYER’s own department or elsewhere in the Council.
So now that the Council has complied with its statutory duty to report the data breaches, will the ICO recommend that the Council issues a public announcement (or apology, even), in the interests of the ‘victims’ of their incompetence as well as those of the wider public?
We shall see.
Meanwhile, I hope that Pete DWYER and his colleagues can be relied upon to produce an exhaustive and truthful disclosure of the information that I have requested.
I have collated other documents that have been inadequately redacted by the same method.
So the ‘powers that be’ risk being exposed as deeply dishonest if their FOIA response does not include the examples which I already hold . . .