The Great Expanding CV ‘Leak’ Fiasco

The Great Expanding CV ‘Leak’ Fiasco

• an “In My View” article by NIGEL WARD, updating readers on the intrigue and subterfuge behind a massive breach of highly sensitive personal data.

~~~~~

Since the North Yorks Enquirer published my Open Letter to SBC Leader Councillor Steve SIDDONS [Lab.], “SBC CEO Job Applicants ‘Potential’ Data Leak”, on Sunday 30th June 2019, there have been some significant developments.

Briefly, the Open Letter discloses the panic that reigns in the Town Hall because highly sensitive personal data was distributed without vital security precautions (data encryption – to ensure the privacy of the individuals who applied for the post vacated by outgoing CEO, Jim DILLON). The leaked data comprises the CVs of the applicants, including those of unsuccessful candidates Mr Nick EDWARDS (Finance Director) and Mrs Lisa DIXON (Legal & Governance Director). These two, together with Commercial Director Richard BRADLEY are presently jointly acting as Temporary CEO of the Council. The same old tail wagging a brand new dog.

SBC Leader Councillor Steve SIDDONS [Lab.] has neither acknowledged nor responded to my Open Letter. This is disappointing. Councillor SIDDONS was himself a member of the Appointments Panel and took part in the selection of the successful applicant.

Councillor SIDDONS, it will be remembered, has made much of his new era of “openness and transparency”. Granted, nobody expects public access to the identities and CVs of the applicants; this is not at issue.

What is at issue, however, is that the law requires the Council to report breaches, or even potential breaches, of personal data to the Information Commissioner’s Office (ICO) within 72 hours of any breach or perceived breach taking place. I am assured that this has still not taken place. In the event that these assurances are unfounded and the breach or potential breach has now been reported to the ICO, I would ask Councillor SIDDONS why he has not responded to my request for him to do so, confirming that he has. Or is that a secret in this new era of “openness and transparency”? That the Council has finally complied with the law and reported itself to the ICO? That’s a secret? I despair.

Emails in my possession indicate that the outgoing CEO, following an ‘internal investigation’, unilaterally determined that there was nothing to report to the ICO – even when pressed by Councillors to follow the proper procedure. Of course there was something to report to the ICO – the merest suspicion must be reported. Yet Councillors’ attempts to raise the question in open Council as to why it had not been reported  were prohibited by Mr DILLON – this, too, I have in writing. At Monday’s meeting of Full Council, Mrs DIXON reiterated Mr DILLON’s decision, disallowing a question by Councillor Bill CHATT [CIM]. Under what authority, Mrs DIXON? I suppose you will have to seek external legal advice on that? Joking apart, Pinocchio, former Cabinet Portfolio Holder Councillor Bill CHATT [CIM] told the Enquirer:

“I was aware of a breach of the GDPR following a report in the North Yorks Enquirer. No-one should have known that information outside of the five elected members of the Appointments Committee, who each received the CVs of the applicants for the CEO’s position. Clearly there is the potential for the CVs themselves to have been leaked, too”.

Former Councillor Sandra TURNER [Con.], one of the members of the Appointments Panel, is now in the unfortunate position (having lost her seat [Whitby Streonshalh] in the May elections and, therefore, having returned her Council i-Pad) of being the only Appointments Panel member who no longer has access to the very data that would establish her innocence of having leaked anything. That makes her a prime candidate for the scapegoat role.

Former Councillor TURNER told the Enquirer:

As a member of the appointments panel I had access, in both email and paper format, to the CV’s of applicants for the post of CEO of Scarborough Borough Council. When concerns were first raised by a fellow Councillor that this information may have been “leaked” an internal investigation was held by SBC, I was assured there was no evidence that any malpractice had taken place.

 However, two months on and there is still speculation this very sensitive confidential information may have been passed on. I regard this as a serious situation so I have again spoken to SBC, and again I have been told there is still no evidence so the matter is now closed. 

I would urge that if there is any doubt whatsoever, however small, that this issue is reported to the ICO and a second thorough investigation be carried out without delay.

The law leaves no choice in the matter.

And the angst is ramping up. Several Councillors, independently of one another, have confirmed to me that the successful candidate for the vacant CEO position, Mr Mike GREENE (who is scheduled to take up his position on Wednesday 28th August 2019), was seen entering the Town Hall shortly after the meeting was closed by Deputy Mayor Councillor Roberta SWIERS [Con.].

It is reasonable to assume that, like Mr EDWARDS and Mrs DIXON, Mr GREENE will be horrified to discover that his personal data has been treated with such casual disregard. The CVs went out by email, unencrypted. They could be anywhere in the world by now, in any format.

MIKE GREENE

SBC Chief Exec (in waiting), whose personal data has been compromised

Incidentally, Mayor Councillor Hazel LYNSKEY [Con.] missed the meeting (on holiday) as did Conservative Leader Councillor Derek BASTIMAN [Con.] (on holiday), Independent Leader Councillor Sam CROSS [Ind.] (also on holiday), along with lesser lights, Councillors David CHANCE [Con.], David JEFFELS [Con.] and Peter POPPLE [CIM].

My latest information, which has yet to be formally confirmed, is that the investigation is now back up and running (contrary to the information provided to Sandra TURNER) and, doubly contrariwise, at the specific insistence of Councillor SIDDONS, has been intensified – with the preliminary result that a forensic examination of the electronic ‘paper-trail’ has identified a possible source of the leak – i.e. a ‘culprit’ – or potential scapegoat?) – who seems to have forwarded the data from a Council i-Pad to a private email account.

It goes without saying that we will hear nothing more of this – unless a dismissed member of staff cares to contact the Enquirer.

“Openness and transparency” my bottle and glass!

I can also confirm that at least one member of the Appointments Panel has written to the out-going CEO, expressing an indignant denial of having leaked the applicants’ CVs and insisting upon a full external investigation (emphatically not Mazars, one would hope) in order to clear the names of the ‘innocent’.

What readers will most want to know is:

• WHO leaked the applicants’ CVs?
• HOW could the CVs have been sent out attached to unsecure (i.e. unencrypted) emails?
• WHY were the CVs leaked (to whose benefit – or detriment)?
• TO WHOM were the CVs leaked?
• WHEN will the CVs surface?

At this stage, I could not possibly comment – other than to repeat rumour and speculation along the following lines:

• the ‘leakster’ has a profound interest in literature (fiction), classical music (opera), fine wines, ecology and haute cuisine;
• the ‘leakster’ was motivated by a grudge (personal rather than political);
• the ‘leakster’ has also leaked the fact that the leaked data (leaked before the election) was always intended to find its way to the press. (I am not entirely convinced; I cannot imagine Yorkshire Coast Radio or the Scarborough News touching it with the proverbial bargepole).

Now subject the foregoing hypotheses to a process of permutation and elimination, and take from that who and what you will.

Finally, in a bizarre twist, I have received a tentative enquiry asking how much the leaked CVs would be worth to the North Yorks Enquirer.

The answer to that was: “Nothing”.