SBC CEO Job Applicants ‘Potential’ Data Leak
- an Open Letter from NIGEL WARD to Councillor Steve SIDDONS [Lab.], Leader of Scarborough Borough Council, seeking some of his much-vaunted “openness and transparency”.
Cllr. Steve SIDDONS – Leader – Scarborough Borough Council
IN THE PUBLIC INTEREST
You will appreciate, I hope, as you read and digest this Open Letter, that I have exercised considerable patience and forbearance in permitting the concerns herein expressed to remain unaddressed for some considerable time now, in order to allow your fledgling administration to ‘find its feet’.
In the period immediately following the local elections of 2nd May 2019, I became aware of an investigation conducted by SBC seeking to identify the person or persons responsible for ‘leaking’ an astonishingly lax (i.e. unencrypted) distribution to certain Councillors of highly personal data (Curricula Vitae – CVs) belonging to applicants for the position of Chief Executive Officer, Head of Paid Service and Electoral/Returning Officer vacated by the retirement of Mr James McGarvie DILLON.
The most extraordinary element of this case is that I know from my own experience that the Council can and does operate an encryption process in regard to the transmission of sensitive personal data. This begs the question: why was such highly sensitive data transmitted without encryption? Was there, conceivably, an active intention that the data should be susceptible to being ‘leaked’ in an apparently untraceable way – the internal investigation, according to Mr DILLON, has not been able to identify the culprit(s)?
My information included the fact that one Councillor intended to raise the issue in Full Council and had been ‘warned off’ by the outgoing Chief Exec under a veiled threat of legal action. The Mayor was apparently ‘instructed’ by the outgoing CEO to disallow questions on the topic. This is profoundly unacceptable.
So concerned was I by this turn of events that, on 30th May 2019, I wrote to Mr DILLON (using secure ‘channels’ unlikely to have been unlawfully intercepted by rogue Officers) pointing out that even potential data breaches (especially of such a sensitive nature) MUST be reported to the Information Commissioner’s Office.
It is not, perhaps, without a certain significance that not one of these ‘channels’ received any form of acknowledgement or response from Mr DILLON. It may not surprise you to learn that I, too, received neither acknowledgement nor response from Mr DILLON, who would appear to have been ‘running scared’. I can only hope that I receive a response from you.
For your convenience of reference, here follows my letter of 30th May 2019 to the former Chief Exec:
[My thanks to readers who have pointed out the typo at the end of my letter to Mr DILLON, for which I most humbly apologise. Sorry, Jim]
In the event, the meeting of Full Council on 5th June 2019 passed without questions being raised regarding the unencrypted CVs. Clearly, the matter had been ‘deemed’ closed. Buried.
I hope you will agree that this does not sit well with your public utterances promising a new era of “openness and transparency”.
As I have stated elsewhere, it is not my practice or policy to pursue errant public servants once they have retreated into private life; I concern myself solely with their level of performance whilst in my service. This should not be interpreted to mean that I regard the matter as closed, however, since I am aware that it is to be raised with the incoming Chief Exec, Mr Mike GREENE, when he assumes his position at the end of August 2019. I would be grateful to you if you would send Mike GREENE a link to this Open Letter. Thank you.
I am now calling upon you to assure me, and the wider public, that this ‘potential’ leak of highly personal data either has been or will now be reported to the Information Commissioner’s Office, in compliance with requirements of the GDPR. You will be aware that failure to do so could attract a fine payable by the Council in the order of anything up to and including hundreds of thousands of pounds of taxpayers’ money. The law also requires that victims of data breaches must be informed within 72 hours, or as soon as the appropriate internal investigation has been completed.
The Information Commissioner’s website offers the following example:
Yet Mr DILLON has asserted (on 10th May 2019 – well outside the 72 hour limit) that he had been assured that the internal investigation had been completed without success. Assured by whom? One may wonder why such an investigation was conducted if no ‘potential’ data breach had ever occurred. The stench of cover-up is becoming overpowering.
Please confirm to me, and the wider public, that the ICO has been formally notified. Likewise the victims, including Mr GREENE.
It must be considered highly inappropriate should even one of the CVs appear in the public domain following a failure to notify. It could also render the Council susceptible to legal action on the part of any applicant whose data was permitted to ‘escape’ from the Council due to inadequate security measures (including the failure to encrypt highly sensitive data transmitted by email) that may well be adjudged to have been negligent.
Whilst it would occasion no particular distress on my part should applicants’ CVs appear on social media or elsewhere in the public domain, I can well imagine the reactions of the internal applicants. The successful applicant is also unlikely to be best pleased.
Hopefully, it will never come to that as this, too, could cost the Council (and, therefore, the taxpayer) very dearly. Indeed, some specialist data privacy solicitors offer representation on a Contingency Fee Arrangement (CFA) basis (colloquially, “No-Win-No-Fee”) to those whose data has been compromised.
Surely, we must not allow that to arise? The answer is to do things by the book, Steve, in an “open and transparent” manner.
PS – May I take this opportunity politely to remind you that you assured me of a response to my very sensitive email to you of 23rd May 2019 – five weeks ago?