Could the Chairman please tell me what the process is for auditing data protection breaches, particularly those reported by a third party? There is nothing documented on the GDPR page of your website, which only covers reporting of your own data breach.
Thank you for your question.
Wokingham takes very seriously all potential data protection breaches whether reported by the public, internally by staff or third party organisations.
The process for internal and third party reported breaches is exactly the same.
Every potential breach is investigated, and where appropriate, improvement actions are implemented. These could include, for example, additional staff training, and/or changes to processes and procedures.
Where the breach meets the threshold set out by the Information Commissioner, a report is made to the Information Commissioner who will consider what further action, if any, is required.
I have confirmed with Officers that there are no breaches by third parties that require reporting to, or have been reported to, the ICO. However, we are aware of an incident just before Christmas where two letters were placed in the same envelope and were opened by a resident, I believe in Winnersh. This is being investigated, and we are seeing what changes to processes need to be implemented to make sure this does not happen again.
I will also ask the team to look at the Council’s website to make it clearer how to report any breaches so that there is a much clearer line of reporting and for ease for members of the public.
It seems to go into a black hole if you report something. You do not get any feedback that it has been received by the Data Protection people. As for the latest breach: I have had personal details of at least five in the last year, and I do not know whether anything has happened to them. The latest one also involved a member of the public ringing Customer Services and being told, 'oh, it is a mistake, they happen, bin them.' What they were told to bin was 12 pages of someone else's benefits covering three years. Those are the originals, if a member of staff would like them back.
What I will say here is that I have been informed of this. I understand that it is due to the manual nature of the envelope stuffing, and because it is a manual process, it is more open to mistakes occurring. As I have said, when we identify these risks we look at the processes and at whether changes can be made. I am expecting a report to come through to tell me what will change, what will happen, and whether we can automate the envelope stuffing process to ensure that this does not happen again. As you say, you have been aware of five breaches; if you could provide me with the details of the other four, we will go and try to work out what the root causes were. We will try to work out the root cause and try to change the process to make sure it does not happen again, because that sort of data should not be going public. It is personal, confidential information, and therefore we do want to get to the bottom of this and stop this happening.
Chris Wallace also asked how many other instances there had been where mistakes had been made and people had been told to bin the documents, and if the incidents were being reported.
The Assistant Director Governance responded with the following:
We do have what I would consider to be a reasonable process in terms of receiving, logging and following up on complaints. I must say that it is important for me to look at the specific ones that you have brought here tonight, but, through the Chair, we will make sure that you get feedback. I would be happy to meet you on a one-to-one basis.
The Chairman also responded:
All of these seem to be manual emails or a manual intervention. My own firm, when I send an attachment to anything other than an internal email, flashes up a box saying 'are you sure you want to send this attachment to this person?' I do not know if that happens in Wokingham emails, but those are the sort of interventions that can be implemented relatively easily. We will look at these and, from what I can tell, the first four were before GDPR became mandatory and the last one is after, but we take them all very, very seriously and need to understand why these are happening.