GDPR & West Berkshire Council: West Berkshire Council makes GDPR error
Villager (Member), post Aug 12 2019, 01:17 PM, Post #1

According to Newbury Weekly News, West Berkshire Council has fallen foul of the new GDPR (General Data Protection Rules) legislation on data protection.

https://www.newburytoday.co.uk/news/news/27...ata-breach.html

From the news item, I suspect that a council officer pasted the email addresses straight into the ‘To’ box instead of putting them in the Blind Copy box.

One unfortunate person wrote a reply and hit send which meant that her reply went to everyone on the list. This is a dreadful thing to happen.

Releasing email addresses is a release of personal data, not to mention facilitating a reply being distributed to other people who had no right to see it.

This is a very serious offence under GDPR and the penalties can be enormous. British Airways has been fined £183M and Marriott Hotels has been fined £99M by the Information Commissioner.

It is interesting to speculate how big a fine cash-strapped West Berkshire Council will be hit for. Expect your council tax to rocket, or services to be cut further, because of this incompetence.

This is not the first time that West Berkshire Council has been in trouble with data protection issues.

Some years ago, there was a problem over memory sticks held by officers. The memory sticks were not encrypted, so the council issued all the officers concerned with new encrypted memory sticks. Unfortunately, they did not realise that it would be a good idea to recall all the unencrypted memory sticks, so officers kept them and continued to use them, not understanding the implications.

One of the unencrypted sticks had a whole load of personal data on it, and the council officer left it somewhere. It was recovered by a third party and the information was read.

Because of this breach, the Chief Executive, Nick Carter, was made by the Information Commissioner to sign a document which I seem to remember stated that he would improve data security. It seems that this is not happening.

Most business organisations have given their staff mandatory training on data protection because now under GDPR the penalties can be catastrophic, and enough to destroy a business.

I have worked for major banks for several decades, and mandatory online training for subjects like data protection has had to be done regularly by all staff and consultants (no exceptions). There was also an online test where the pass mark was 80%, which ensured that you had taken the training on board. Banks are extremely worried about reputational damage but West Berkshire Council is not apparently concerned. They do not have to worry about loss of customers.

It looks like GDPR training has not happened at West Berkshire Council, and it is us, the council taxpayers, who will have to foot the bill for this incompetence.

Andy Capp (Advanced Member), post Aug 12 2019, 10:28 PM, Post #2

It would seem this particular incident didn’t reach the threshold to deserve reporting to the ICO, so I don’t anticipate a huge increase in council tax to pay for this.
Villager (Member), post Aug 13 2019, 08:57 AM, Post #3

Andy

I suggest that you visit the Information Commissioner's website, where you will find that there is no threshold for reporting a breach.

A data breach under GDPR is defined as:

'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed'

This definition applies to this incident.
James_Trinder (Advanced Member), post Aug 13 2019, 10:13 AM, Post #4

QUOTE (Villager @ Aug 13 2019, 09:57 AM)
Andy

I suggest that you visit the Information Commissioner's website, where you will find that there is no threshold for reporting a breach.

A data breach under GDPR is defined as:

'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed'

This definition applies to this incident.


However, the ICO also say this on their website:

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report. You do not need to report every breach to the ICO.

Note the last sentence in particular.
Villager (Member), post Aug 13 2019, 12:52 PM, Post #5

If you read the article in NWN, the email concerned an assisted housing bid and was sent to 30 people. A person replied to the email, probably giving details of the bid that they were making, which was then distributed to the other recipients of the email. They all then knew details of what should have been a confidential bid.

There is also the issue that all the recipients' email addresses have been distributed to each other, and are no longer private.

People have a right to maintain privacy over their data held by third parties, and this has not happened here.

The likelihood and severity of the risk to people’s rights and freedoms, following this breach, is actually very strong. How would you feel if you were one of these people whose email address had been released and you suddenly started receiving abusive emails? Even worse, email addresses are often used as login IDs on certain websites. Would a recipient try to log in somewhere as you, and be lucky enough to guess your password, or alternatively lock you out?

How would you feel if the bid that you made was no longer confidential, and that any comments that you had made (probably about your personal circumstances) to assist with this bid were now open to other people?
James_Trinder (Advanced Member), post Aug 14 2019, 11:34 AM, Post #6

QUOTE (Villager @ Aug 13 2019, 01:52 PM)
If you read the article in NWN, the email concerned an assisted housing bid and was sent to 30 people. A person replied to the email, probably giving details of the bid that they were making, which was then distributed to the other recipients of the email. They all then knew details of what should have been a confidential bid.

There is also the issue that all the recipients' email addresses have been distributed to each other, and are no longer private.

People have a right to maintain privacy over their data held by third parties, and this has not happened here.

The likelihood and severity of the risk to people’s rights and freedoms, following this breach, is actually very strong. How would you feel if you were one of these people whose email address had been released and you suddenly started receiving abusive emails? Even worse, email addresses are often used as login IDs on certain websites. Would a recipient try to log in somewhere as you, and be lucky enough to guess your password, or alternatively lock you out?

How would you feel if the bid that you made was no longer confidential, and that any comments that you had made (probably about your personal circumstances) to assist with this bid were now open to other people?



I agree that in this case nobody would argue that this is a breach that should not be reported. The more general point that I was trying to make is that although there is no threshold for reporting a breach, there is also no requirement for reporting a breach if in your subjective assessment no serious harm has been done. To be clear, I'm not saying that is the case here, but it is a handy get-out clause, since it relies on the judgment of the individual who is potentially at fault, or possibly others within the same organisation who also may not be that keen to expose their own potential failings.
TallDarkAndHands... (Advanced Member, from Newbury), post Aug 14 2019, 03:28 PM, Post #7

QUOTE (James_Trinder @ Aug 14 2019, 12:34 PM)
I agree that in this case nobody would argue that this is a breach that should not be reported. The more general point that I was trying to make is that although there is no threshold for reporting a breach, there is also no requirement for reporting a breach if in your subjective assessment no serious harm has been done. To be clear, I'm not saying that is the case here, but it is a handy get-out clause, since it relies on the judgment of the individual who is potentially at fault, or possibly others within the same organisation who also may not be that keen to expose their own potential failings.


Hopefully they at least employ some penetration test experts, or at least consultants or a business. They hold the details of hundreds of thousands of bank accounts on the Civica platform they use....
Andy Capp (Advanced Member), post Aug 15 2019, 03:00 AM, Post #8

QUOTE (Villager @ Aug 13 2019, 01:52 PM)
If you read the article in NWN, the email concerned an assisted housing bid and was sent to 30 people. A person replied to the email, probably giving details of the bid that they were making, which was then distributed to the other recipients of the email. They all then knew details of what should have been a confidential bid.

There is also the issue that all the recipients' email addresses have been distributed to each other, and are no longer private.

People have a right to maintain privacy over their data held by third parties, and this has not happened here.

The likelihood and severity of the risk to people’s rights and freedoms, following this breach, is actually very strong. How would you feel if you were one of these people whose email address had been released and you suddenly started receiving abusive emails? Even worse, email addresses are often used as login IDs on certain websites. Would a recipient try to log in somewhere as you, and be lucky enough to guess your password, or alternatively lock you out?

How would you feel if the bid that you made was no longer confidential, and that any comments that you had made (probably about your personal circumstances) to assist with this bid were now open to other people?


If someone “replied to all” as you state, then that’s tantamount to volunteering the information.
MontyPython (Advanced Member), post Aug 15 2019, 12:14 PM, Post #9

QUOTE (Villager @ Aug 12 2019, 02:17 PM)
[snip]

Because of this breach, the Chief Executive, Nick Carter, was made by the Information Commissioner to sign a document which I seem to remember stated that he would improve data security. It seems that this is not happening.

[snip]


Does that mean we can sack Nick Carter?

Probably not unfortunately. But I see they are skirting around reporting their failings. WBC always seem reluctant to admit to the mistakes they make!
Strafin (Advanced Member, from Newbury), post Aug 16 2019, 08:36 AM, Post #10

QUOTE (Andy Capp @ Aug 15 2019, 04:00 AM)
If someone “replied to all” as you state, then that’s tantamount to volunteering the information.

That part is; however, everyone should not have been included in the first place, as they could all see the email addresses of the other people.
Andy Capp (Advanced Member), post Aug 17 2019, 11:54 AM, Post #11

It is stunning the mistakes people make where I work; simple things like not putting bulk addresses in BCC, and this is from many people who should know better.
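As an added illustration (not code from this thread, the council or the newspaper), the check below targets the To-instead-of-Bcc mistake that Post #1 suspects and Post #11 describes: it counts the addresses every recipient would see in To/Cc, flags a bulk send, and rewrites the message into the Bcc form that keeps recipients hidden from each other. The threshold, the helper `_addresses`, the addresses and the sample message are all constructed for the example.

```python
from email import policy
from email.parser import Parser

# Constructed threshold: more than this many addresses visible in To/Cc on
# one message is treated as a bulk send that belongs in Bcc.
MAX_VISIBLE_RECIPIENTS = 5


def _addresses(msg, *header_names):
    """Hypothetical helper: collect addr-specs from the named address headers."""
    return [a.addr_spec
            for name in header_names
            for hdr in msg.get_all(name, [])
            for a in hdr.addresses]


def visible_recipients(raw: str) -> list[str]:
    """Addresses every recipient can read, and reply-all to: To and Cc."""
    msg = Parser(policy=policy.default).parsestr(raw)
    return _addresses(msg, "To", "Cc")


def hidden_recipients(raw: str) -> list[str]:
    """Addresses carried in Bcc, which the submitting server strips on delivery."""
    msg = Parser(policy=policy.default).parsestr(raw)
    return _addresses(msg, "Bcc")


def exposes_recipient_list(raw: str, limit: int = MAX_VISIBLE_RECIPIENTS) -> bool:
    """True when sending this message would disclose a bulk recipient list."""
    return len(visible_recipients(raw)) > limit


def rewrite_to_bcc(raw: str, list_owner: str) -> str:
    """Corrected form: list owner in To, every real recipient moved to Bcc."""
    msg = Parser(policy=policy.default).parsestr(raw)
    recipients = _addresses(msg, "To", "Cc")
    del msg["To"]
    del msg["Cc"]
    msg["To"] = list_owner
    msg["Bcc"] = ", ".join(recipients)
    return msg.as_string()


# Constructed sample: 30 applicants pasted into To, as the first post suspects.
APPLICANTS = [f"applicant{i}@example.invalid" for i in range(1, 31)]
BULK_MESSAGE = (
    "From: housing@council.example.invalid\n"
    "To: " + ", ".join(APPLICANTS) + "\n"
    "Subject: Assisted housing bid\n\n"
    "Please confirm your bid details by Friday.\n"
)
```

A mail gateway or send-hook can run `exposes_recipient_list` on outbound mail and hold anything that trips the threshold; a reply-all to the rewritten message reaches only the list owner.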