Wednesday 24th April 2024,
North Yorks Enquirer
Spotlight

SBC Info Wars (a “fishing trip”)

November 17, 2021 Scarborough Borough Council

SBC Info Wars (a “fishing trip”)

  • – an “In My View” article by NIGEL WARD, offering an educated opinion on the remarkable incompetence of Scarborough Borough Council’s Data Protection Officers – and an unfortunate member resorting to an apparent abuse of the system to prosecute an on-going grudge.

~~~~~

An internecine Info War has broken out at Scarborough Borough Council.

It may be that not all readers of the North Yorks Enquirer are familiar with the term ‘Subject Access Request’. I quote the website of the Information Commissioner’s Office (ICO):

What is the right of access?

You have the right to ask an organisation whether or not they are using or storing your personal information. You can also ask them for copies of your personal information, verbally or in writing.

This is called the right of access and is commonly known as making a subject access request or SAR.

Why make a subject access request?

You can make a subject access request to find out:

  • what personal information an organisation holds about you;
  • how they are using it;
  • who they are sharing it with; and
  • where they got your data from.

This information can also help you exercise your other information rights effectively.

Briefly, citizens have the right to obtain, from any individual Data Controller, copies of all ‘personal data’ held in which the Data Subject (the person submitting the SAR) is identified or identifiable. This could be by name, address, email address, likeness, etc., etc., etc.

Article 4 of the General Data Protection Regulations 2018 (GDPR) offers the following definitions:

Art. 4 GDPR Definitions

For the purposes of this Regulation:

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

In a statement to the ICO, a Scarborough Borough Council Officer once asserted that I was on the record stating that my engagement with the Council was for the stated purpose of “disrupting” it. When I submitted a Subject Access Request (for the primary purpose of establishing whether or not the Council could substantiate the Officer’s false assertion), the response (which took a year and a half – not the one calendar month required by law) demonstrated that the Council held no evidence at all to substantiate the Officer’s assertion. Ergo, the Officer had lied. Surprise, surprise!

In fact, I already knew this, because I have never stated that it was/is my purpose to “disrupt” the Council. Quite the reverse; as regular readers will know, my purpose is to improve the Council (futile though my efforts have generally been).

Regular readers will also know that I have often offered to assist the Council, especially in areas where Officers demonstrate a woeful level of incompetence.

In my view, it would be an abuse of the spirit of the Data Protection legislation to engage the SAR process purely on a “fishing trip” – looking for ‘dirt’, wherever it may (or may not) be found.

Now consider the following redacted (by me) email, sent out on Monday 15th November 2021 to 45 Councillors by one of the Council’s Data Protection Officers (DPOs):

Why 45 recipient, when there are 46 Councillors?

As can be seen in the redacted email, above, the Data Subject – the person who submitted this SAR – is a Councillor. In my view, this is a typical example of a “fishing trip”, looking for ‘dirt’, wherever it may (or may not) be found, for personal or party political purposes.

Moreover, there are significant procedural errors in the above email.

1) Scarborough Borough Council is a Data Controller. All 46 Councillors are also Data Controllers. Data Controllers may not share citizens’ ‘personal data’ with other Data Controllers unless there exists between the parties a special form of contractual agreement known as a Service Level Agreement (SLA). This is used when, for example, a Town Council nominally operates a CCTV-system that is physically managed by the Police.

However, in an FOIA response earlier in the year, SBC stated:

Request/Response

·  Could I please make a Freedom of Information request for copies of all current (appropriately redacted) Service Level Agreements between SBC and each of the 46 SBC Councillors? No information is held

In other words, the 45 Councillors who have received the above email, having no Service Level Agreement with the Council, would be breaching the terms of the GDPR if they provided the requested ‘personal data’‘ because they are not authorised to share such ‘personal data’. Clearly, the Data Subject (the requestor) did not know this – and neither does SBC.

2) The Data Protection Officer should have pointed out to members that the SAR could apply only to ‘personal data’ held by the Council. In other words, data received by the Council on behalf of members in their elected capacity as Councillors, via their Council email addresses (or addressed to them individually by post c/o the Town Hall).

Personal data held by members obtained and subsequently held (retained), having been received privately – i.e. via private email address, or through the post addressed in a private capacity (addressed to Mr or Mrs XXX, not addressed to “Councillor XXX”) to the member’s home address – is not subject to SAR any more than are my private emails to and from the private email addresses of members.

This means that only ‘personal data’ belonging to the the Data Subject that is held by the Council itself (not the individual members) could and should be provided to the Data Subject – ‘personal data’ already held on the Council’s system – and there is no circumstance in which members can be required to provide additional material held in their private and personal capacity as ordinary citizens who are not subject to the GDPR. (One does not stop being a private citizen when one is elected).

In short, the above email should not have been sent to members at all.

3) In addition to the above, before any Data Controller may retain or process incoming personal data, it is first necessary to obtain the Data Subject’s “informed consent”. Without obtaining “informed consent” the Data Controller may not retain or share a Data Subject’s ‘personal data’ with another Data Controller – though a private citizen, of course, may do as she/he pleases.

The ICO states:

  • “Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.”

The drive towards enhancement of reputation has not been a detectable characteristic of Scarborough Borough Council, particularly under the present administration.

In conclusion, this entire scatter-gun SAR fusillade, as set out above, is nothing more or less than a total waste of Council resources – its sole function, in my opinion, being to grind away at a groundless and imaginary grudge, at considerable cost to ratepayers in terms of Officer-time and resources and what remains of the Council’s repute.

This is not the proper business of a local authority.

One foreseeable outcome of this petty and pointless SAR fishing trip is that one or more of the 45 recipients of the above email may well reciprocate – as if the Council were not toxic enough. Imagine that; 46 SARs flying in all directions. Now that really would “disrupt” the Council – despite my best efforts.

It really is time that the Council Leader, or even the Data Subject’s Group Leader, took the necessary steps to eliminate, or at least marginalise, this ridiculous vendetta. Any further escalation would mosty definitely not be in the public interest.

UPDATE

Within three hours of publication of this article, SBC Deputy Monitoring Officer Carol REHILL emailed members with the following clarification. At last they are trying to get their heads around GDPR. Some way to go, alas . . .

More from the North Yorks Enquirer

Comments are closed.

Recent Posts

CYC/NYC Mayoral Hustings – Whitby

April 23, 2024

An Error of Omission (WTC)

April 19, 2024

Police 7: Community Policing April ’24

April 17, 2024

Accountability: NYC & WTC

April 12, 2024

Missing: Chiefs’ £120K – NYE Proscribed Again

April 10, 2024

Police 7: Community Policing – late March ’24

March 27, 2024

NYP Appeal: Missing Whitby Man

March 23, 2024

WTC: Annual Assembly 25/03/24

March 22, 2024

Emma Caldwell Scandal: A Follow-Up

March 18, 2024

The Emma Caldwell Scandal and NYP

March 10, 2024

NY Enquirer in the National Press

NY Enquirer in the Regional Press

NY Enquirer in Private Eye

NY Enquirer on YouTube

North Yorks Enquirer Archives

About The Enquirer

The North Yorks Enquirer is an internet news magazine covering local, regional and some national news. It provides a forum for citizen journalists working in the public interest to expose wasteful spending, malpractice and corruption in authorities around North Yorkshire and beyond.

Contact The Enquirer

Do you have a story you want to share?

Send it to news@nyenquirer.uk

Complaints

Letters To The Editor

Please include your name and town.

Not all submissions will be published.

Send it to letters@nyenquirer.uk

Disclaimer

North Yorks Enquirer