SBC ‘Data Protection’ Officer
- an “In My View” article by NIGEL WARD, looking ahead to a diligent data breach investigation . . . in the light of past failures.
My thanks go out to the inimitable RANDO – Scarborough Borough and North Yorkshire County Councillor Tony RANDERSON [Lab.] – for his extraordinary non sequitur, delivered during his impassioned defence of Leader Councillor Steve SIDDONS [Lab.] during the recent Vote of No Confidence.
RANDO’s non sequitur – apropos of absolutely nothing – was to the effect that there is an “unwritten law” prohibiting the criticism of Officers.
I commented, in an earlier article:
“One could argue very persuasively – as I believe I do – that the prime function of a body of elected representatives is to instruct, monitor and, where necessary, censure Officers of Paid Service when their performance falls below the standard that the electorate – the rate-paying public – has a right to expect. This article exposes a case in point.”
So does this one.
It is serendipitous that RANDO uttered his preposterous remarks ahead of the forthcoming climax to the matter of the failed investigation into the ARGOS ‘leak’ (which was recently described in detail by Alderman Norman MURPHY in his article “The ARGOS ‘Leak’ Investigation”).
At the heart of the previous SBC ‘investigation’ (utterly unworthy of that title) stood the Council’s Audit & Fraud Manager and Data Protection Officer, Mrs Alison JOHNSON.
RANDO upholds the belief that Officers are above criticism and denies his clear duty (under Article 7 of the Nolan Principles) to challenge wrongdoing wherever he may encounter it.
I take a different view. I do challenge wrongdoing, but the Officers disregard my challenges and the Councillors look the other way.
Let me offer an example:
At 17:15 on 26th July 2019, Alison Johnson wrote to me, using her SBC email account, as follows:
Dear Mr Ward,
I write to you in my capacity as an individual, and not in this instance, as Audit and Fraud Manager/Data Protection Officer for the Council. I am merely using my council email address in the first instance to confirm my identity to you to avoid any lengthy delays. Should you wish to liaise with me in relation to this, please use my personal email of [REDACTED] going forward.
The photograph you have included in your most recent “article” was taken from a Facebook account, and not linked in any way to my capacity as an employee of the Council. I have an ID picture for that.
After lengthy conversations with the ICO this afternoon about this photo being published, they have advised that I need to advise you in the first instance that I intend to complete a formal report to them claiming excessive processing of my personal data for a blog for which the picture is a) not in the public interests nor relevant, b) uplifted and used without my explicit consent c) necessary for a specific purpose (my name and job title would have sufficed), d) used for a purpose for which the individual in the picture has no involvement or employment with SBC, nor has she ever, and e) not processed in accordance with the rights of the individual. They will then investigate further.
You have published a photo of someone who not only isn’t me, with no consent, it is also neither processed fairly or lawfully and I will pursue this personally.
Mobile: 07724 932543
DISCLAIMER This email (and any files transmitted with it) may contain confidential or privileged information and is intended for the addressee only. If you are not the intended recipient, please be aware that any disclosure, copying, distribution or any action taken is prohibited and may be unlawful – you should therefore return the email to the sender and delete it from your system. For information about how we process data please see our Privacy Notice at http://www.scarborough.gov.uk/gdpr Any opinions expressed are those of the author of the email, and do not necessarily reflect those of Scarborough Borough Council. Please note: Incoming and outgoing email messages are routinely monitored for compliance with our policy on the use of electronic communications. This email has been checked for the presence of computer viruses, but please rely on your own virus-checking procedures.
That Disclaimer (in bold type) will demonstrate itself to be hilariously hypocritical, as I set out in my response to Mrs JOHNSON, reproduced below.
Note too, the date – 26th July 2019 – slap bang in the middle of the uproar about the ‘leak’ of ‘HIGHLY CONFIDENTIAL’ paperwork relating to the proposals for the regeneration of the ARGOS building (first published by Enquirer editor Tim THORNE on 15th July 2019, under the title “Not for Publication”), when one might have expected special care to have been exercised in regard to the Data Protection policies and procedures at the Council – but the horse was gone and the stable-door remained unbolted. If only Mrs JOHNSON had considered encrypting the emails carrying the ARGOS paperwork and secured the PDF by password-protecting it.
My response (below) outlines my reasons for believing Mrs JOHNSON entirely and justly worthy of the harshest criticism, to a degree that risks bringing the Council into further disrepute:
——– Original Message ——–
Subject: Re: Data Breach
Date: Mon, 29 Jul 2019 10:10:54 +0100
CC: [my SOLICITOR]
Mrs Alison JOHNSON – Audit & Fraud Manager and Data Protection Officer – Scarborough Borough Council
IN THE PUBLIC INTEREST
I address your email of 17:15 on Friday 26th July 2019, received from your Scarborough Borough Council email address and bearing the SBC Disclaimer. It is now my material, to do with as I please. Thank you.
I shall number my comments for ease of future reference, should any arise.
1) Thank you for confirming that you write using the Council’s corporate email server in your capacity as an private individual and not as Audit & Fraud Manager/Data Protection Officer for Scarborough Borough Council.
Notwithstanding your explanation, to which I will return in due course, your email would appear to be in breach of the Council’s Email Policy (attached) in a number of Articles, not least:
a) you appear to have obtained and used my personal email address from Council data storage for your own private purposes by abusing your high position of trust within the Council. As Data Protection Officer, you – of all people – have a compelling duty to respect the Council’s Email Policy, the Data Protection Act 1998, national and international human rights legislation and the General Data Protection Regulations (GDPR).
b) having unlawfully abused my personal data rights, you have abandoned your corporate Duty of Care to me, an old-age pensioner with several long-term disabilities – a vulnerable person – by seeking to intimidate me with overt threats of “investigation” by the Information Commissioner’s Office.
c) unless and until you are able to show otherwise, you appear to have confirmed that you spent considerable time procuring advice (in your own words: “After lengthy conversations [I note the plural] with the ICO this afternoon . . .” [Friday 26th July 2019]) – in pursuit of what you have confirmed to be a strictly personal grievance against me, using either your own mobile or by accessing the Council’s telephone system for your own use, but, in either case, during work time.
d) you have referred to an article of mine by using inverted commas (quotation marks), thus; “article”. Clearly, you seek to imply that my article is, in some sense, not a real article; rather, merely an ersatz or faux You have sought deliberately to demean me and my voluntary work in the public interest. This is disrespectful to me and does not conform to Lord Nolan’s Seven Principles of Public Life or the standards to which you are bound under the terms of your employment contract.
On these grounds (and perhaps others, which I reserve the right to iterate at a later date, at my own prerogative), you must now report yourself for disciplinary investigation in respect of the foregoing infractions. Please confirm, by email to my solicitors ([REDACTED]), that my Formal Corporate Complaints against you, as set out above, have been acknowledged and logged. Thank you. I trust that you are aware that, taken together, these infractions may amount to the Common Law offence of Misconduct in Public Office. Mrs DIXON, the Council’s top internal solicitor has expressed an opinion on sentencing, etc.
2) You appear to have made a number of false assumptions which, before moving on, it will be useful to correct.
The North Yorks Enquirer, to which I frequently submit articles for publication, is not a ‘blog’; it is an online local news outlet. Its Mission Statement reads:
“The North Yorks Enquirer is an internet news magazine covering local, regional and some national news. It provides a forum for citizen journalists working in the public interest to expose wasteful spending, malpractice and corruption in authorities around North Yorkshire and beyond.”
I am not the Owner/Editor/Webmaster of the North Yorks Enquirer. I am not a Data Controller. I have no professional relationship with the Information Commissioner’s Office (ICO). The articles which I submit are clearly headed as “In My View” articles, signalling unequivocally that everything thereafter contained is an expression of my opinion – my right to which is enshrined in the UDHR, the ECHR and the HRA 98. You may disagree with my opinion if you so wish. Be my guest. Neither you nor the Council may suppress it.
In my article, I reproduced your email to all Councillors, and Mrs DIXON’s, both of Wednesday 26th July 2019, so that readers may evaluate the accuracy of my more critical opinions, amongst which I include my view that both emails are intimidatory, misleading and hypocritical.
I note that you have not attempted to deny, refute or rebut any of these criticisms, thereby acknowledging and accepting their validity. I thank you for that.
3) Turning now to the matter of the image to which you refer:
I am a human being; as such, I am far from infallible. Nevertheless, I always take more than reasonable care to establish my facts. This is why, in ten years of publication, I have never been sued for defamation. In the present case, I sought and received confirmation of your identity from several sources all familiar with you in your rôle as Audit & Fraud Manager/Data Protection Officer for Scarborough Borough Council. Being mindful of the importance of protecting personal data, I reproduce, in redacted form only, one such confirmation from a former colleague of yours at the Council, obtained over Facebook Messenger:
You seem to be asserting that the image is not you. You assert that you have an official Council ID photo of yourself, but you have not provided it, either for comparison with the image which you assert to be ‘wrong’, or to enable the Enquirer to replace the image which you assert to be ‘wrong’. This is remiss; and unhelpful. It suggests that any putative contention over the image is not a principle purpose of your email.
You appear to contend that an image which is not an image of you has been reproduced without your consent. This contention is not coherent. It is frivolous. You appear to be unfamiliar with Facebook’s Terms & Conditions in regard to the sharing of images. You appear to imagine that providing an alternative route to accessing an image of an alleged third party, allegedly not yourself, already widely available on the internet, without your explicit consent, is in some sense improper. This is patently absurd.
You assert that there is something incorrect about the way in which the image has been processed, but you have omitted to acknowledge that the image has been processed in precisely such a way as to redact the image of a third party, not yourself, unconnected with the content of my article, thereby to respect and protect the personal data of that third party. That third party is not you; you assert that the remaining figure in the image is not you. You therefore assert that you have no standing in the matter. Case closed.
4) You assertions (summarised in cursive blue script) are that:
a) it is not in the public interest to have reproduced an image of one of two main protagonists in my article.
This is nonsense; it has been the practice and policy of news media since time immemorial to ‘put a face to the name’ when reporting on politicians and paid public servants. In the case of a paid public servant entrusted with the position of Data Protection Officer at the very apex of responsibility for the Council’s procedures regarding the necessary encryption (or not) of highly sensitive documents known to have been compromised, there is no justification for depriving readers/ratepayers of exactly who it is who has failed them.
b) the image has been “uplifted” without your explicit consent.
I do not intend to insult your intelligence by repeating myself on this point. The image is either of you, or it is not of you. If the former, its inclusion in my article is quite proper; if the latter, you have not made the case for it being any of your concern. Nor has any third party raised any objection;
c) your name and position-title would have sufficed to identify you.
Not in my view, which is the view that prevails when I write my articles. I am not bound to consider your opinion as to what may or may not suffice to illustrate my articles. See a) and b), above.
d) the image has been used for a purpose for which the individual in the picture has no involvement or employment with SBC, etc.
This assertion is incomprehensible to me; I can only refer you once more to a), b) and c), above.
e) the image is not processed according to the rights of the individual.
What processing? What rights? Whose rights? Which individual? Again, if there is a contention here, it is incomprehensible to me.
Taken together, your alphabetically itemised assertions appear confused, poorly set out and motivated by personal resentment at having your professional performance closely scrutinised and found wanting in desperate degree. Your email is nothing other than an aggressive rant intended to intimidate and occasion fear and distress. Your email bears all the hallmarks of having been written rashly, in haste, ‘in a red mist’ and without proper regard to the consequences or to my data rights, or to your (and the Council’s) Duty of Care. Nothing about your email does you credit. You have performed inadequately, as the collander-like properties of the Council’s Data Protection service in recent times clearly demonstrate and, having been exposed, you have sought vindictively to bully me, abusing your powerful position at the Council in an attempt to make ‘trouble’ for me.
I expect a full and unconditional apology, to my approval and satisfaction, for publication at your own expense (not the Council’s) in the Scarborough News and (free of charge) in the North Yorks Enquirer before close-of-play (5:00pm) on Friday 2nd August 2019.
Please note that this email has been submitted for inclusion, and as supporting documentation, in an article bringing this disgraceful (and typical) example of Council bullying to the attention of the wider public.
I conclude by placing you on notice that I regard your email as unsolicited, intimidatory, malicious and offensive, intended to cause alarm and distress. I expressly forbid you to contact me by my personal email address ever again. Any repetition of this conduct will constitute a ‘course of action’ as defined under the terms of the Protection from Harassment Act 1997 and is likely to result in civil action against you, as an individual and/or in your position as Audit & Fraud Manager/Data Protection Officer for Scarborough Borough Council.
You will note that this email has been copied Cc: to my solicitor of record, and Bcc: to selected elected members.
As one Councillor commented at the time, I tore her a new one.
But RANDO, in his infinite wisdom, believes that Mrs Alison JOHNSON should be free to disregard the Council’s protocols and procedures with complete impunity and remain above criticism – and no doubt above the law.
Of course, it goes without saying that I never heard another peep out of the Audit & Fraud Manager and Data Protection Officer, Mrs Alison JOHNSON – much less, an apology. Of course, I heard nothing from the ICO.
And bear in mind that this is the same incompetent Officer ‘outed’ recently by campaigner Andy STRANGEWAY, who quoted one of her emails (from 24th July 2019 – just five days before her email to me) stating that Mrs JOHNSON would like to:
“… remind everyone of their responsibilities when dealing with personal data that is either collected, collated or processed by SBC, either as an organisation or yourselves as individuals on behalf of the Council.”
Incompetence, in spades! ♠ ♠ ♠ ♠
What an utter pranny.
Of course, my Formal Complaint was never acknowledge (or processed) and Mrs JOHNSON got away Scot free with all her failures.
And this is the Officer at the heart of the Council’s previous ‘investigation’ into the ARGOS leak
The investigation may as well have been in the hands of the culprit!