It's difficult to know what to do when confronted with incompetence of this nature. It's not just the initial breach that's the problem. It's also the attitude that the council decided they could deal with it as an internal matter. Either they didn't know about the GDPR provisions about reporting or simply decided they were too important for that. I'd like to think there was a mechanism for placing them under some sort of adult supervision but where would one find suitable adults? Certainly not in central government.
Blundering London council emails unredacted version of notorious Gangs Matrix to 44 people. Data ends up on Snapchat
Newham Council has been fined £145,000 after an employee sent out a mass email containing an unredacted version of the police database that ranks people's likelihood of gang-related violence. According to the UK's data protection watchdog, some 203 individuals' personal data was shared with 44 people, and screenshots of the …
COMMENTS
-
Friday 5th April 2019 11:18 GMT Doctor Syntax
One possible solution occurs to me. A couple of decades ago I had a gig working with material which had similar sensitivity. I and everyone else had to have clearance to S/C. Shouldn't council staff with this exposure also need clearance?
If anything the need should be greater than in my gig as the whole of the database is going to be local to the area from which council staff are likely to be recruited. Without clearance there's an unacceptable probability that a data subject might be known or even related to one of the staff.
A failure like this should then result in the entire command chain losing their clearance and having to be redeployed within the council if they were even able to retain their jobs. This would result in greater awareness of all those involved about their responsibilities and what actions would be permissible.
-
Friday 5th April 2019 11:10 GMT andy gibson
How did the gangs get the information?
From what I can see in the article, data went out, but to relevant responsible people tackling gang problems.
So how did it end up in the hands of rival gangs on Snapchat?
Yes, the council employee is wrong for sending the data in the first place. But isn't one of the recipients guilty of re-sharing here?
-
Friday 5th April 2019 18:57 GMT Chris G
Re: How did the gangs get the information?
Once a document gets into a council office, the world, his missus, snot-nosed kids and his dog have access; council clerks are locals and are as likely to know some of the 'naughty' boys as anyone else. I have also seen desktops left on all night to save firing up in the morning so the cleaners or anyone else in there at night could have access.
The best security in a local council is when there is a meeting in the chambers, nobody gets to know what is discussed there.
-
Tuesday 9th April 2019 07:40 GMT Alan Brown
Re: Hopefully a few of the gangs will now dispose of their enemies
"key people are removed and then the two gangs become one larger, more powerful unit"
There _are_ ways to take the wind out of gangs. The prime reason they exist with the power and danger they do isn't "cred", it's _money_ - specifically the insane profitability associated with drugs(*) and trading in stolen goods to pay for them.
(*) A medically pure knockout dose of heroin or cocaine is less than a pound. It's a hell of a lot more on the street and cut with "godknowswhat". Every pence of the difference is why you have gang wars.
-
Friday 5th April 2019 13:15 GMT Anonymous Coward
Re: Hopefully a few of the gangs will now dispose of their enemies
Might be worth remembering that the "enemies" of these gangs - as seen by the gangs - just might not actually be members of other gangs. And even if they are, their murder, as you are apparently "hopeful" of, might be disproportionate. And even then, more murder - even of supposedly worthless gang members - is unlikely to make a positive contribution to the wider public interest. Especially if the "winners" of such a gang war are the most ruthless, violent, and best armed of the lot.
-
Saturday 6th April 2019 18:09 GMT Ommerson
Councils face a real problem when it comes to employing competent - and particularly experienced - IT staff and developers. There's a skills shortage industry-wide, and when you're one of the lower payers, and perceived to be neither competent, nor an exciting place to work, the result is never likely to be great.
The government's clampdown on IR35 in the public sector has made this much, much worse as this is how the skills gap used to be filled in many a council.
Councillors rarely have any insight or experience here either. It's hard to imagine them coming to the conclusion that they need to employ more competent people and pay them more in these roles when they're simultaneously contending with year-on-year budget cuts.
Under GDPR there is now individual responsibility and culpability for the data protection officer. Who on earth would do this job?
-
Friday 5th April 2019 12:30 GMT Anonymous Coward
Weasel Words, Nothing Will Change
Others on here are making the same point, but it bears being made until it's heard and acted on:
"Newham Council has been fined £145,000" gives the distinct impression that guilty parties working for or elected to the council are in some way being penalised.
They are not, though they should be.
Until those responsible are punished in person, nothing will ever change.
By responsible, I mean all of those formulating and enforcing inadequate security policy and those who make the individual screw-ups.
Feel free to suggest cruel and unusual punishments here, we might as well enjoy the fantasy. I don't expect to see effective measures in my lifetime.
-
Friday 5th April 2019 13:06 GMT adam payne
However, in this case, a staffer within Newham shared both versions, having simply forwarded the email they received from the Met police with the January version of Newham Matrix.
This person has since been retrained.
Moreover, the council didn't report the breach to the ICO, it waited until December 2017 to launch its own internal investigation, and then failed to produce a final report of the probe.
Internal review found nothing, doesn't surprise me.
Cue the usual statement, we take privacy seriously blah blah blah, lessons have been learnt blah blah blah.
-
Tuesday 9th April 2019 07:47 GMT Alan Brown
"Moreover, the council didn't report the breach to the ICO, it waited until December 2017 to launch its own internal investigation, and then failed to produce a final report of the probe."
In some countries, covering up like that results in a multiplier of the fine being applied - and the decision to coverup _IS_ criminal misfeasance.
Of course getting the Met to accept a criminal complaint is impossible because then they'd have to admit culpability too.
-
Friday 5th April 2019 13:51 GMT Reality_Cheque
ICO gets 145k. Victims get nothing.
We have seen breach after breach of privacy by phone companies, councils, and other organisations. The ICO gets richer, and the victims get nothing.
In this particular case, I can live with it. A gang member doesn't deserve anything even if his privacy has been breached, but in almost every other case the victims deserve compensation yet receive none at all.
If data is negligently shared then each victim should receive £20 as a MINIMUM as an apology. It's not much, but it will encourage companies to not keep too much data in the same place, don't you think?
-
Saturday 6th April 2019 14:45 GMT Anonymous Coward
Re: ICO gets 145k. Victims get nothing.
"A gang member doesn't deserve anything even if his privacy has been breached"
What? Some person, without any judicial process being followed other than a copper's 'through my judgement and experience' that a certain person is a 'gang member' spaffs their personal details to rival gang members, there's a murder of one of them, and they don't deserve any recompense if it turns out the council was responsible?
Are you a complete idiot or something? Do you read the Daily Express? Is your brain broken in some way that excludes a sense of compassion?
-
Saturday 6th April 2019 18:13 GMT Ommerson
Re: Gov Workers /No Expertise required
A reliable assumption in local government: Anybody without a professional qualification (e.g. borough solicitor, surveyor, planning officer) is incompetent. Those with a professional qualification may be too - particularly if that skill could be used elsewhere more profitably.
-
Saturday 6th April 2019 05:45 GMT MachDiamond
Re: Now, if only someone could propose send the council CEO to prison for these offences
I think that the best you might get is dismissal and a ban from government employment for several years. For the really naughty, loss of pension standing.
The Thieves Code won't allow passing laws with harsh penalties on politicians by another mob of politicians. It smacks too much of cannibalism and why would they pass laws that might put them in prison themselves at some point?
-
Saturday 6th April 2019 02:50 GMT Anonymous Coward
Redaction lite
More than once, I've been tasked to publish a "redacted" PDF document on the web.
The authors had employed the "lite" version of redaction: black boxes over existing text.
However, when printed or highlighted with the cursor, the entire text was exposed.
Many people understand privacy, just not how to achieve it.
-
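The "black box over existing text" failure described in the comment above can be checked for before publication. This is an added example, not part of the original thread: it scans a constructed, uncompressed PDF page content stream and reports text that is still present underneath a filled rectangle. The function names and the sample stream are assumptions made for illustration; real PDFs usually need their streams decompressed first, and this sketch only handles one `Td` position per text object.

```python
import re

# Constructed sample: page content stream of a "redacted" page.
# The text is still drawn; a filled rectangle is merely painted over one line.
SAMPLE_STREAM = b"""
BT /F1 12 Tf 72 700 Td (Case reference 0001) Tj ET
BT /F1 12 Tf 72 680 Td (Name: EXAMPLE PERSON) Tj ET
0 g
70 676 200 16 re f
"""

# A token is either a parenthesised string literal or a run of non-space characters.
TOKEN = re.compile(r"\((?:\\.|[^\\()])*\)|[^\s()]+")

def parse_stream(stream):
    """Return (texts, boxes): text runs with their origin, and filled rectangles."""
    texts, boxes, stack = [], [], []
    origin, pending = (0.0, 0.0), None
    for tok in TOKEN.findall(stream.decode("latin-1")):
        if tok == "Td":                       # set text position: x y Td
            origin = (float(stack[-2]), float(stack[-1]))
        elif tok == "Tj":                     # show string: (text) Tj
            texts.append((origin, stack[-1][1:-1]))
        elif tok == "re":                     # rectangle path: x y w h re
            pending = tuple(float(v) for v in stack[-4:])
        elif tok in ("f", "F", "f*", "B") and pending:
            boxes.append(pending)             # the rectangle was filled
            pending = None
        else:
            stack.append(tok)                 # operand or an operator we ignore
            continue
        stack.clear()
    return texts, boxes

def covered_text(stream):
    """Text whose origin lies inside a filled box: hidden on screen, still extractable."""
    texts, boxes = parse_stream(stream)
    return [t for (x, y), t in texts
            if any(bx <= x <= bx + w and by <= y <= by + h
                   for bx, by, w, h in boxes)]

if __name__ == "__main__":
    for leaked in covered_text(SAMPLE_STREAM):
        print("text still present under a box:", leaked)
```

Any non-empty result means the document was masked rather than redacted; the covered text has to be deleted from the file (or the page flattened to an image) before it is published.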
Saturday 6th April 2019 14:43 GMT gcarter
Fine culture
I understand that organisations / companies etc need to be held accountable for when there are breaches like this one.
Unfortunately nowadays, it's becoming almost a cultural thing... fine the hell out of anything, everything and everyone!
Look at all of the companies popping up to cash in on this "fine culture", PPI fines being the most notable.