The latest edition of the Shiptonthorpe Village newsletter was delivered to local residents last week.
There were several comments about social media reports relating to correspondence with the Information Commissioners office so I decided to provide some more facts.
Because the council discussed the report in private without members of the public being present and has not published the document on its website I have decided to publish the correspondence in the interests of good governance and transparency in local democracy
Given that the ICO exists to promote openness and transparency by public bodies. It seems perverse to discuss its findings in confidence without the public being in attendance.
You will note that Chairman Lambert writes:
“the council may not have been compliant with the law”.
In response the ICO stated:
“while you are not able to explicitly confirm that data has been deleted due to the nature of the incident, you believe that the majority of the lost data relates to internal councillor interaction.”
Readers will form their own opinion as to whether Chaiman Lambert provided any facts to support his claim that the former council may not have been compliant.
You may also draw your own conclusions about the real reason chairman Lambert decided to refer the council to the ICO in the first place.
For information the former clerk supported SPC for 12 years without complaint. Her conduct was only questioned after she challenged statements made by Cllr Gough in July 2023. He has never provided any evidence to support his claims about former councillors or the clerk.
Here’s the referral letter:
================================
Information Commissioner’s Office
Wycliffe House, Water Lane Wilmslow, Cheshire SK9 5AF
22′ September 2023
Dear Sir /Madam,
We write to formally inform yourselves of breaches within the Parish Council.
To inform you of the background the electorate in May 2023 elected eight new councillors and one was re-elected bringing the total to nine. I was duly elected to the role of Chairman and with the existing clerk we started to represent the community as a newly elected Parish Council.
Over the next few months some concern started to develop regarding the actions of the then Parish Clerk/Proper officer. We also found that most systems had not been updated for some considerable time and we started to bring policies such as GORP up to date and line with requirements. The clerk/proper officer robustly stated that all was fully compliant.
It also became clear that we as a council needed to commence investigations into the performance of the Clerk and duly informed them that an investigation would be held. However before this could be commenced the Clerk tendered their resignation serving notice to leave the councils employment. The investigation did not proceed during the notice period.
At the end of the notice period the councils records, Lap top and back up hard disk was returned. After looking at these records it became clear that some files and e mails had been deleted and some records found that showed that Freedom of Information requests had not been complied with.
Another instance was an at least one letter had been sent neither authorised by council and without knowledge of Chairman or Vice Chairman. Also numerous e mails had been sent without knowledge or approval of council.
The Proper Officer had assured the Parish Council was compliant but we wish to advise that the Parish Council may not have been compliant to the law. We want to apologise for the error and it was not the intention of the Parish Council to breach statute and or not meet ICO standards.
Following on from the investigations the Parish Council is developing a data map to ensure that any data noncompliance should not happen again and this has been a lesson learning process to meet obligations in future.
Yours Faithfully
Victor Lambert
Chairman
==================================
Ane here’s the response from the ICO:
From: [email protected]
To: [email protected];
Date Sent: 20/11/2023 15:55
20 November 2023
ICO Reference Number: IC-262502-V2H7
Dear Victor Lambert,
I am writing further to your personal data breach report of 22 September 2023 regarding some concerns about GDPR compliance.
Thank you for the information you have provided in response to my enquiries.
Data security requirements
You are required to have appropriate technical and organisational measures in place to ensure the security of personal data.
Our decision
We have considered the information you have provided and we have determined that no further action by the ICO is necessary on this occasion.
This decision is based on the information we have recorded about the breach. This decisionis based on any potential data breaches which may have occurred within the Parish council.
Your correspondence states that, while you are not able to explicitly confirm that data has been deleted due to the nature of the incident, you believe that the majority of the lost data relates to internal councillor interaction. This suggests a lower likelihood of risk of harm or detriment than if documents or data relating to parishioners or members of the public had been deleted.
You have also detailed the changes you are making to your internal policies and procedures. This includes implementing new data protection policies, a new Freedom of Information policy, a new information security policy and a retention policy. These policies will allow your organisation to collect, store, manage and communicate personal data in a much more efficient and effective manner. In addition to this, you are updating your email and document storage systems to make them more efficient and user friendly. The changes you are making indicate that you are taking reasonable steps to ensure your organisation has appropriate technical and organisational measures in place to process personal data, in line with your GDPR obligations.
However, we recommend that you review the causes of this incident to ensure that you understand how and why it occurred, and what steps you need to take to prevent it from happening again. In particular:
– Ensuring that your training relating to your new policies and procedures gives sufficient practical guidance to staff in how to comply with the legislation.
This training could be role specific, interactive and contain practical examples which are relevant to your organisation.
– Evaluating your internal information retention periods to ensure that personal data is only held if you need it and for as long as you need it. You should periodically review this data and erase or anonymise it when it is no longer legitimately necessary.
– Regularly highlighting the importance of data security to all staff. This should be emphasised within training and could also be reiterated in frequent reminders. For example, posting procedural guidelines in commonly accessed spaces within the office or sending out emails or bulletins at regular intervals.
– Taking steps, where possible, to identify instances where the Council has not complied with it’s information access obligations and attempting to remedy this where possible.
We recognise that your organisation appears to be taking significant steps to remedy the data protection issues that you have identified. If you require any assistance with specific elements of these changes, please feel free to get back in touch with us.
Thank you for reporting the incident.
We now consider this matter to be closed.
Yours sincerely,
Lead Case Officer
Information Commissioner’s Office
You can now share this information via social media, e mail or print.
Quick Links
The Pocklington Bugle