Thursday 09th December 2021,
North Yorks Enquirer

SBC Info Wars (a “fishing trip”)

SBC Info Wars (a “fishing trip”)

  • – an “In My View” article by NIGEL WARD, offering an educated opinion on the remarkable incompetence of Scarborough Borough Council’s Data Protection Officers – and an unfortunate member resorting to an apparent abuse of the system to prosecute an on-going grudge.

~~~~~

An internecine Info War has broken out at Scarborough Borough Council.

It may be that not all readers of the North Yorks Enquirer are familiar with the term ‘Subject Access Request’. I quote the website of the Information Commissioner’s Office (ICO):

What is the right of access?

You have the right to ask an organisation whether or not they are using or storing your personal information. You can also ask them for copies of your personal information, verbally or in writing.

This is called the right of access and is commonly known as making a subject access request or SAR.

Why make a subject access request?

You can make a subject access request to find out:

  • what personal information an organisation holds about you;
  • how they are using it;
  • who they are sharing it with; and
  • where they got your data from.

This information can also help you exercise your other information rights effectively.

Briefly, citizens have the right to obtain, from any individual Data Controller, copies of all ‘personal data’ held in which the Data Subject (the person submitting the SAR) is identified or identifiable. This could be by name, address, email address, likeness, etc., etc., etc.

Article 4 of the General Data Protection Regulations 2018 (GDPR) offers the following definitions:

Art. 4 GDPR Definitions

For the purposes of this Regulation:

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

In a statement to the ICO, a Scarborough Borough Council Officer once asserted that I was on the record stating that my engagement with the Council was for the stated purpose of “disrupting” it. When I submitted a Subject Access Request (for the primary purpose of establishing whether or not the Council could substantiate the Officer’s false assertion), the response (which took a year and a half – not the one calendar month required by law) demonstrated that the Council held no evidence at all to substantiate the Officer’s assertion. Ergo, the Officer had lied. Surprise, surprise!

In fact, I already knew this, because I have never stated that it was/is my purpose to “disrupt” the Council. Quite the reverse; as regular readers will know, my purpose is to improve the Council (futile though my efforts have generally been).

Regular readers will also know that I have often offered to assist the Council, especially in areas where Officers demonstrate a woeful level of incompetence.

In my view, it would be an abuse of the spirit of the Data Protection legislation to engage the SAR process purely on a “fishing trip” – looking for ‘dirt’, wherever it may (or may not) be found.

Now consider the following redacted (by me) email, sent out on Monday 15th November 2021 to 45 Councillors by one of the Council’s Data Protection Officers (DPOs):

Why 45 recipient, when there are 46 Councillors?

As can be seen in the redacted email, above, the Data Subject – the person who submitted this SAR – is a Councillor. In my view, this is a typical example of a “fishing trip”, looking for ‘dirt’, wherever it may (or may not) be found, for personal or party political purposes.

Moreover, there are significant procedural errors in the above email.

1) Scarborough Borough Council is a Data Controller. All 46 Councillors are also Data Controllers. Data Controllers may not share citizens’ ‘personal data’ with other Data Controllers unless there exists between the parties a special form of contractual agreement known as a Service Level Agreement (SLA). This is used when, for example, a Town Council nominally operates a CCTV-system that is physically managed by the Police.

However, in an FOIA response earlier in the year, SBC stated:

Request/Response

·  Could I please make a Freedom of Information request for copies of all current (appropriately redacted) Service Level Agreements between SBC and each of the 46 SBC Councillors? No information is held

In other words, the 45 Councillors who have received the above email, having no Service Level Agreement with the Council, would be breaching the terms of the GDPR if they provided the requested ‘personal data’‘ because they are not authorised to share such ‘personal data’. Clearly, the Data Subject (the requestor) did not know this – and neither does SBC.

2) The Data Protection Officer should have pointed out to members that the SAR could apply only to ‘personal data’ held by the Council. In other words, data received by the Council on behalf of members in their elected capacity as Councillors, via their Council email addresses (or addressed to them individually by post c/o the Town Hall).

Personal data held by members obtained and subsequently held (retained), having been received privately – i.e. via private email address, or through the post addressed in a private capacity (addressed to Mr or Mrs XXX, not addressed to “Councillor XXX”) to the member’s home address – is not subject to SAR any more than are my private emails to and from the private email addresses of members.

This means that only ‘personal data’ belonging to the the Data Subject that is held by the Council itself (not the individual members) could and should be provided to the Data Subject – ‘personal data’ already held on the Council’s system – and there is no circumstance in which members can be required to provide additional material held in their private and personal capacity as ordinary citizens who are not subject to the GDPR. (One does not stop being a private citizen when one is elected).

In short, the above email should not have been sent to members at all.

3) In addition to the above, before any Data Controller may retain or process incoming personal data, it is first necessary to obtain the Data Subject’s “informed consent”. Without obtaining “informed consent” the Data Controller may not retain or share a Data Subject’s ‘personal data’ with another Data Controller – though a private citizen, of course, may do as she/he pleases.

The ICO states:

  • “Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.”

The drive towards enhancement of reputation has not been a detectable characteristic of Scarborough Borough Council, particularly under the present administration.

In conclusion, this entire scatter-gun SAR fusillade, as set out above, is nothing more or less than a total waste of Council resources – its sole function, in my opinion, being to grind away at a groundless and imaginary grudge, at considerable cost to ratepayers in terms of Officer-time and resources and what remains of the Council’s repute.

This is not the proper business of a local authority.

One foreseeable outcome of this petty and pointless SAR fishing trip is that one or more of the 45 recipients of the above email may well reciprocate – as if the Council were not toxic enough. Imagine that; 46 SARs flying in all directions. Now that really would “disrupt” the Council – despite my best efforts.

It really is time that the Council Leader, or even the Data Subject’s Group Leader, took the necessary steps to eliminate, or at least marginalise, this ridiculous vendetta. Any further escalation would mosty definitely not be in the public interest.


UPDATE

Within three hours of publication of this article, SBC Deputy Monitoring Officer Carol REHILL emailed members with the following clarification. At last they are trying to get their heads around GDPR. Some way to go, alas . . .

Comments are closed.