“I’m busy. I’m in a meeting” were the words of the monitoring officer and Solicitor to Folkestone & Hythe District Council, (FHDC), Amandeep Khroud (pictured) to our public face. It didn’t matter he was trying to inform her about another significant data breach, and that the information had been in the public domain for ten weeks. Her response, we believe, is a reflection of FHDC’s attitude towards peoples personal data.
This time FHDC have released details about people who work at the Council, landlords and tenants too. It’s not just names or amounts either. The information had been in the public domain for approximately ten weeks. The data could be found on the Council’s payment to suppliers webpage
Taken at 07:30 Wednesday 10th April 2019
At 10am on Wednesday 10 April 2019, after the Council had been informed by our public face at 8.40am, the data was finally taken down after being in the public domain for approximately 10 weeks. We understand the Information Commissioner’s Office (ICO) have been informed of the breach.
We reported just at the beginning of April that between 15/12/2016 – 10/01/19 our Council have been involved in 11 personal data breaches as the chart below shows. One can now add a 12th data breach to this list. This means FHDC have a data breach incident once every eight weeks.
One of these data breaches (14/08/2017) included 82 individuals, 55 of the 82 names related to temporary staff, who were supplied by eight agencies. They all had their names and hourly or day rates of pay revealed unnecessarily.
For these breaches below, FHDC will almost certainly be fined £325,000 pounds. We ask though, legitimately we believe: How else could that money have been spent? And how much will this latest breach cost us all?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A data breach must be reported to the Information Commissioner’s Office (ICO) within 72 hours. So FHDC have until Friday 5pm to self report.
Moving on, according to an analysis of the Boundary lines for parish, town and wards of Folkestone & Hythe District, 2,631 properties would appear to be in the wrong location, when one compares the Council’s interactive map and the LGBCE map. We blogged about this on Monday. This would mean that candidates have been handed electoral lists which are incorrect (More probable than not). However, it doesn’t stop there. Candidates have received names and addresses of electors who should not even be in their parish, town, ward and vice versa. This in itself is a massive cock up and another significant data breach too. Another one to report to the Information Commissioner’s Office. The Council have set aside £325,000 for a data breach back in 2017, now they can add the data of the electors, the individuals who worked for them landlords and tenants data to the list when they inform the ICO.
Finally, all the candidates in the election who submitted their candidates form data on had to receive a privacy notice from FHDC.
Now Article 13 of the GDPR is very clear on this matter, it states at 13(1) and 13(2) of the GDPR the following:
Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information. [emphasis ours]
The wording is unequivocal “at the time when personal data are obtained” not one week later, not ten days later but “at the time“. We do not know of one candidate who received a privacy notice “at the time” they gave their candidate form data to the elections team. We do however know that every candidate received a candidates pack a week or so after their data was “collected“, which of course does NOT comply with Article 13 of GDPR.
It is clear to the Shepwayvox Team, the Herd of Asses who lead the Council, David Drury Monk, Head of Paid Services Dr Susan Julia Priest and Amandeep Khroud Monitoring Officer & Solicitor to the Council, have no regard to their legal obligations and duties to ensure all our data is safely protected. They do however, have a regard to railroading through Princes Parade and Otterpool Park, whatever the cost. It is clear and evident to us, what comes first on their list of priorities, isn’t our data.
The Shepwayvox Team
Not owned by Barons or Hedgefunds