Dear Worcestershire County Council,

Under the Freedom Of Information Act 2000 i wish to request any information recorded/published on how i can best stop employees of this Council sending out wrong sensitive data belonging to other children as well as myself to wrong addresses other than myself informing the ICO?

I wish to inform i believe this breaks the DPA 1998 S:55,is Maladministration when i have previously raised this several times receiving Apologies both verbal and in writing and i did ask for confirmation this mistake would not happen again but it is still happening and with sensitive data involved.

I believe the letter i received through my door today with my address on there and a child's "full name" half ripped open on receipt is meant for a child in the care system and is not intended for me and i will ensure the letter is given straight to their carer as fortunately i know who this is but may not have done had it been another child like what happened before.

Lastly i would like to inform that the letter has the same address on it as one where i recently received Apologies in writing, informing me that it would now be written on future letters "to be opened by the addressee only" and i was informed my data would now be updated again but it appears to me this cannot be the case.This is extremely concerning how often this is happening and i trust all involved will receive a Written Apology at least?

I await your response.

Yours faithfully,

M M Simmons

Freedom of Information (ChS), Worcestershire County Council

1 Attachment

Dear Ms Simmons

 

Thank you for your Freedom of Information request.  Please find attached
an acknowledgement.

 

Sarah Clarke

Senior Data & Information Officer

Performance Development Team

Children's Services

(  01905 728932

* [1]chs[Worcestershire County Council request email]

 

 

 

show quoted sections

Dear Sarah Clarke,

Thank you for responding so promptly.I am happy for you to release my name to WCC, since this has happened so many times now anyway.

I can confirm the same mistakes have been made concerning a birth child, for which i received written apologies and that this is now the second time this mistake has been made concerning the child in care i speak of in my request recently from speaking with the carer.

Yours sincerely,

M M Simmons

Freedom of Information (ChS), Worcestershire County Council

1 Attachment

Dear Ms Simmons

 

Further to your recent Freedom of Information request, please find
attached our response.

 

Sarah Clarke

Senior Data & Information Officer

Performance Development Team

Children's Services

(  01905 728932

* [1]chs[Worcestershire County Council request email]

 

From: Freedom of Information (ChS)
Sent: 21 August 2013 09:54
To: '[FOI #173831 email]'
Subject: Freedom of Information request 5758010 - Constant Breaches Of
Sensitive Data

 

Dear Ms Simmons

 

Thank you for your Freedom of Information request.  Please find attached
an acknowledgement.

 

Sarah Clarke

Senior Data & Information Officer

Performance Development Team

Children's Services

(  01905 728932

* [2]chs[Worcestershire County Council request email]

 

 

 

show quoted sections

Dear Sarah Clarke,

Thank you for your response. I believe the ones concerned will have copies of where the other breaches have occurred with apologies. I am happy to send you a few photographs of the envelope as described to you in this request. Is there an email address where i can forward them on to you? You have my permission to check with third parties where the rest is concerned i mentioned.

Yours sincerely,

M M Simmons

Freedom of Information (ChS), Worcestershire County Council

1 Attachment

Dear Ms Simmons

 

Thank you for your Freedom of Information request. Please find attached an
acknowledgement.

 

Sarah Clarke

Team Manager – Subject Access Requests

Performance Development Team

Children's Services

(  01905 728932

* [1]chs[Worcestershire County Council request email]

 

show quoted sections

Dear Sarah Clarke,

Following on from speaking with you on the telephone 08.04.14 and you confirming the correct email address for me to forward you the relevant documents, i can now confirm i have forwarded those onto you as promised.

I have titled the email "FAO Ms Sarah Clarke Confidential" and i have sent you a 12 page letter/report and 38 referenced documents to help save you time throughout your investigations.Can you please confirm you have received my email with the 50 said pages attached when you have received it?

Can i ask you to clarify if the HR Procedures you refer to are Human Resource Procedures?

Yours Sincerely,

M M Simmons

M M Simmons left an annotation ()

Just to help keep the public up to date. Here is the link to a similar case~

http://ico.org.uk/news/latest_news/2014/...

M M Simmons

Dear Ms Sarah Clarke,

Thank you for updating me by email 22.04.14 and for claryfying to me that you did not receive all the said documents, to which i re-sent them promptly by email 23.04.14.

I can confirm i am conscience of the status of this request which i have replied to, which has stated it is delayed and i should have received a response promptly and by 14th April 14 and that you confirmed to me by email 25.04.14, you have now received all the documents i have sent you.

Also, in the same email i received from yourself dated 25.04.14, i understand you have wrote "With regards to the date to respond to the Freedom Of Information Request, with the request being 'put on hold' while we waiting for the information to be sent, the new 20 working day deadline would be the 8th May." I realise you are trying your best to respond by this date but note that you said you may not be able to hit this target date.

I hope that as i have sent you the relevant documents to help you save time you are with respect able to meet the target date 08.05.14 and i look forward to a response soon.

Yours Sincerely,
M M Simmons

Freedom of Information (ChS), Worcestershire County Council

1 Attachment

Dear Ms Simmons

 

Further to your Freedom of Information request and our email exchanges,
please find attached our response.

 

Sarah Clarke

Team Manager – Subject Access Requests

Performance Development Team

Children's Services

(  01905 728932

* [1]chs[Worcestershire County Council request email]

 

show quoted sections

Dear Sarah Clarke,

Thank you for your response.

I can confirm that i have just been in contact with the ICO and sought further advice before responding and following me updating the ICO where i was also asked to read what you had sent me.

What i am being advised to bring to your attention is that whilst the information might not be sensitive personal data as defined in the act, the information is still sensitive and that it is personal data and it was incorrect, therefore because of the fact you did not keep the information up to date it is a breach of both Principles 4 and Principle 7 dpa 1998 where good care of it has not been taken or it kept safe.

I was informed by the ICO the female i spoke to, you have still got incorrect personal information and an incorrect address and it's still gone out to the wrong place (several times i told her) then i was advised to write back to you where she further said-

Whilst the information might not be sensitive personal data as defined in the act, the information is still sensitive and it was personal data that went out to an incorrect address, therefore it's still a breach of the act if you've not got correct information if you're not keeping the information correct,and with the address correct. I was informed the fact of the matter is it's up to them to keep their information correct and up to date.

I have been advised that because it has been ongoing so long to give you 14 days to respond being informed this is time plenty enough, as i would like to request you now reconsider my request.

Yours sincerely,

M M Simmons

M M Simmons left an annotation ()

Update- Today i have received a response through my email account, to which i will share here with any followers and since no personal data is shared within it i believe.

Ms MM Simmons

16 May 2014

Ask for:Sarah Clarke

Dear Ms Simmons

FREEDOM OF INFORMATION ACT 2000-BREACHES OF SENSITIVE DATA

I write with reference to your email reply to our response to your Freedom of Information request.

It is noted that your response is not a request for recorded information, and as such cannot be answered under the Freedom of Information Act. However, we can advise the following which is provided to you outside of the Freedom of Information Act.

With regards to the issue of breaches of sensitive data, we have now rectified the problem, as confirmed in our response, sent to you on 7th May. Although we accept that the envelope was incorrectly addressed, the data contained within was not of a sensitive nature.The fact that the letter arrived at your address damaged, i.e. half-opened, this is the Responsibility of Royal Mail, as at the time of posting it, the envelope was fully sealed. We have confirmed to you that "In terms of the specific item (partially opened envelope)we are satisfied that the contents of this envelope did not contain any personal sensitive data.We can confirm that WCC IT systems containing the information you hilighted have been updated and their should be no repeat of the incident whereby correspondence for another individual, although named correctly,was incorrectly addressed/sent to your home address."

As the matter has now been dealt with, we now regard this request as closed.

If you have any queries or concerns then please contact me.

If you have a complaint about the handling of this enquiry you can contact the Information Commissioner at : Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

(I am then provided with the ICO's phone and email address contact details.)

Yours Sincerely

Sarah Clarke
Team Manager-Subject Access Requests

On 7th May 2014 and after first seeking further advice from the ICO and with advice how to best reply to the said FOI, (as can be seen above) i had asked for my request where i had stated "I would like to request you now reconsider my complaint" and within that same reply i had wrote the following-

"What i am being advised to bring to your attention is that whilst
the information might not be sensitive personal data as defined in
the act, the information is still sensitive and that it is personal
data and it was incorrect, therefore because of the fact you did
not keep the information up to date it is a breach of both
Principles 4 and Principle 7 dpa 1998 where good care of it has not
been taken or it kept safe.

I was informed by the ICO the female i spoke to, you have still got
incorrect personal information and an incorrect address and it's
still gone out to the wrong place (several times i told her) then i
was advised to write back to you where she further said-

Whilst the information might not be sensitive personal data as
defined in the act, the information is still sensitive and it was
personal data that went out to an incorrect address, therefore it's
still a breach of the act if you've not got correct information if
you're not keeping the information correct,and with the address
correct. I was informed the fact of the matter is it's up to them
to keep their information correct and up to date."

I replied to my FOI 7th May 2014 after seeking guidance and advice from the ICO who advised me what to write and with the intention now being for my request to be re-considered taking what the ICO advised me to write back in response into account as described here-

"whilst
the information might not be sensitive personal data as defined in
the act, the information is still sensitive and that it is personal
data and it was incorrect"

My first correspondence dated 19th August 2013 states that i am asking for recorded/published information although sadly, this fact has not been acknowledged in my latest response today whereby i requested that my request now be reconsidered taking the advice i wrote given to me by the ICO as written in my response 7th May 2014 into account.

"Dear Worcestershire County Council,

Under the Freedom Of Information Act 2000 i wish to request any
information recorded/published on how i can best stop employees of
this Council sending out wrong sensitive data belonging to other
children as well as myself to wrong addresses other than myself
informing the ICO?"

Further i feel disappointed that on 10th September 2013 i was informed within my FOI request the following-

"Our response:
We can advise that we take reports of data breaches very seriously. We would
ask that if you are aware of a data breach, you forward the precise details to us
as soon as possible. Once we have received this information we will then
implement an investigation and follow the correct HR procedures if appropriate."

Unfortunately because of me not reiterating what i originally already wrote in my latest reply 7th May 2014 in not repeating myself with what is already written on 19th August 2013-

"Under the Freedom Of Information Act 2000 i wish to request any
information recorded/published on how i can best stop employees of
this Council sending out wrong sensitive data belonging to other
children as well as myself to wrong addresses other than myself
informing the ICO?" i feel that what i was informed on 10th September 2013 whereby i was told "Our response:
We can advise that we take reports of data breaches very seriously" is incorrect information.

Today in my response from Ms Sarah Clarke, where it states "With regards to the issue of breaches of sensitive data" (and after the ICO informing me i had misplaced the word sensitive in my FOI request, whereby i updated my FOI request to Ms Sarah Clarke on 7th May, yet my response today is headed "With regards to the issue of breaches of sensitive data") i am of the belief that because i previously misplaced the word "sensitive" as advised by the ICO on 7th May 2014 as described about here-

"What i am being advised to bring to your attention is that whilst
the information might not be sensitive personal data as defined in
the act, the information is still sensitive and that it is personal
data and it was incorrect," This latest newer information told to me by the ICO has not been taken into account and addressed properly in the response i have received today,(and regarding the breaches the ICO informed me of, defining the Principles believed to be breached both Principles 4 and 7) although the fact i did not repeat what was already written 19th August 2013(has been picked up on) acknowledged in my response today,in the sense that- as in i had not repeated what was already written by me already hence where my latest response received today states- "It is noted that your response is not a request for recorded information, and as such cannot be answered under the Freedom of Information Act."

Where it states in my response today i received "With regards to the issue of breaches of sensitive data, we have now dealt with the issue and rectified the problem, as confirmed in our response, sent to you on the 7th May" It seems liability is being accepted here but not with any serious weight to the effects caused to me or with no written apologies as i requested them on 19th August, received to myself (at least)like i requested on 19th August 2013 where i stated-

"This
is extremely concerning how often this is happening and i trust all
involved will receive a Written Apology at least?"

I have not been informed with confirmation there has been breaches of Priniciples 4 and 7 today in my response yet it seems breaches have been admitted.There is no clear definition as to which breaches with which legislation, these fall under from Ms Sarah Clarke.

On 11th April 2014 where i asked the following- (i do not recall the following question being answered either then or today, where i asked)

"Can i ask you to clarify if the HR Procedures you refer to are
Human Resource Procedures?"

I therefore feel i have not been fully updated effectively throughout my FOI.

I have not as far as i believe been sent any evidence that the half ripped envelope is the responsibility of Royal Mail as i am informed today,whereby the evidence i provided for my FOI request consisted of 39 documents which i feel sadly for the most part has not been addressed satisfactorily where mistakes have happened on several occasions regards various other people/children's data (third parties) and where i had further queried the whereabouts of missing and denied documents or data "concerning myself at the very least."

Sadly i feel where it has been stated to me today "As this matter has now been dealt with, we now regard this request as closed." Then where i have read "With regards to the issue of breaches of sensitive data, we have now dealt with the issue and rectified the problem, as confirmed in our response, sent to you on the 7th May."

I believe i am reading that liability has been accepted, although not fully and effectively addressed (as i feel the whole request has not been)and not with a written apology as a whole for the unnecessary stress caused to myself at least and whereby i have not received the recorded/published information i requested on 19th August 2013 neither then or now.

The ICO was interested to deal with all this for me before i made my FOI to WCC (whereby it has been several ones third party data disclosed/misused) and with respect i feel i am now best taking matters back through the ICO, in the hope my concerns will now be addressed fully and with serious weight(as in the concerns with ones data being more important than where my words are placed) and whereby i have not as i recall received the recorded/published information i asked for from the beginning neither then or now.

I feel that whilst i am updated there should be no repeat of the incident, the fact still remains that i have suffered as a consequence as hilighted within my correspondence within my 39 documents i included within the said FOI request whereby these mistakes have already happened not once, but on several occasions whereby i believe i have been able to demonstrate within those that potentially a larger number of peoples (third party data) could have been breached for all we know (Regards missing documentation not reaching it's intended destination) and with third party data pertaining to myself released without confirmation of my prior written consent as requested either.

Yours Sincerely

M M Simmons

M M Simmons left an annotation ()

Update-

Now in the hands of the ICO. I will update the status of my request accordingly once i have sought the guidance from the ICO in how best to update it.

Many thanks to all who are following me for your patience.

M M Simmons

M M Simmons left an annotation ()

Update for the benefit of ones following my request,

After i made a complaint to the ICO 18th May 14, i received a final response on 30th July 14 and this case is now considered closed. The Investigating Case Officer did not uphold my complaint and she herself had my incorrect address on the closing case document which i have raised.

I have since on 2nd August 14 complained back through the ICO about the findings particularly as there are discrepancies in what i was originally told through the ICO and i have sent a recording alongside my complaint verifying i was in fact informed of the two breached Principles both Principle 4 and Principle 7 dpa, occurred as described above.

On 6th August 14 i was surprised to receive a response from the very same Case Officer who had closed the case i was informed of on 30th July 14 as i was advised via their website that i write my email subject: 'complain to the ICO' and it was not a response to the Case Officer's findings so much as a general email anybody could have received within the ICO.

"Thank you for your Complaint Review and Service complaint form.

The matters you raise will be passed to a manager who should send you a detailed response within 28 days. If for some reason the manager is unable to send a full response within that timeframe, he or she will let you know what is happening and when you will receive a full response."

I will update you all as to the outcome when i hear further and hopefully with more details as i have not included everything here, since this is only an annotation to update you all.

I have decided not to update the status of my request yet as i am waiting first for the further outcome.

In the meantime, i thought some of you might be interested to see this following link:-http://www.communitycare.co.uk/2014/02/0...
M M Simmons

M M Simmons left an annotation ()

I have now received a response from the Investigator of the ICO's Line Manager who investigated my concerns re:data breaches.

I had hoped to respond in full to you today however there are a number of points that I would like to look into further before doing so. I will endeavour to provide you with a full response by Thursday 11 September 2014 at the latest.

Thank you for your patience in this matter.

I will update you all once i hear further.

M M Simmons

M M Simmons left an annotation ()

Received 11th September 2014-

(In a nutshell it has been "agreed" these breaches occurred, although the transparency i feel was not made very clear to me i.e: These breaches were not referred to as breaching Principles 4 and 7 dpa throughout the investigation, other than the said information i provided previously as set out above where an ICO Advisor informed me this was the case. What is transparent to me, is legislation is put in place to be followed and can be referred to as "mistakes" and "lessons will be learnt" with a catalogue of apologies made to me [both verbally/written] to me and further breaches made by the ICO Investigator (refer to details re:wrong email address below) and for me i am concerned when it concerns wrongly releasing wrong data to third parties "several times." I would like to see copies of what letters have been sent to Worcestershire CC to feel satisfied these breaches have been fully addressed with preventative measures in place to stop the same "mistakes" been made again. I may well consider asking to see these and add an annotation once i have done so and received a response to update the public in the children concerned, mine and the public's interests to satisfy enough is/has been done) Concerning "the wrong child's name" i was not contacted by the ICO Manager requesting me to provide further evidence. I would be interested to know if there is any legislation in place which can prevent a Council from been fined by the ICO in these circumstances where breaches have occurred [and several times] where these "mistakes" have been admitted) It has not been made clear to me if all (including the children concerned) have received written apologies either like i requested and lastly, i was concerned to see potential breaches concerning a birth child with evidence provided by me, was not addressed by the ICO Manager throughout their investigations when you bear in mind this next piece of legislation: http://www.legislation.gov.uk/ukpga/2000...
16 Duty to provide advice and assistance.

(1)It shall be the duty of a public authority to provide advice and assistance, so far as it would be reasonable to expect the authority to do so, to persons who propose to make, or have made, requests for information to it.

(2)Any public authority which, in relation to the provision of advice or assistance in any case, conforms with the code of practice under section 45 is to be taken to comply with the duty imposed by subsection (1) in relation to that case.[Where i believe this could have been addressed with the new evidence provided by myself even if it meant eradicating relevant information to keep in line with legislation.]) and my full response from the ICO Manager came later than was proposed.

How we consider data protection concerns
We want to know how organisations are doing when they are handling information rights issues. We also want to improve the way they deal with the personal information they are responsible for.
When someone has been unable to resolve a data protection concern with an organisation they can report it to us, the Information Commissioner’s Office (the ICO). We will then decide if we think there is an opportunity to improve information rights practice in that case or to address a more systemic concern.
We will make this decision in light of the nature of the concern, our understanding of what has happened, the guidance we have produced and our experience of the relevant organisation or industry, among other things.
There are different forms of action we might take. We may simply offer advice to one or both parties. We may make a formal decision under the legislation we deal with, or ask an organisation to commit to an action plan, undertaking or advisory visit. Or we may consider more formal regulatory action.
In any event, we will be open about our work and publish information on our website about the concerns we have received, the actions organisations commit to and the regulatory action we take.
We can’t look into every concern we receive and the law doesn’t say we must. We will put most of our effort into dealing with matters we think give us the best chance of making the biggest difference to information rights practice.
The ICO does not act for either party in a complaint, and we are under no duty to pursue matters further on behalf of the individual who raised concerns with us.
Our case review and service complaints policy
We will not necessarily respond to each of the points you have raised in the course of your complaint. However, we will:
* review the information relating to your data protection concern and consider the points you have raised;
* consider whether the concern was dealt with reasonably; and
* consider whether the matter was handled in line with our casework processes.
The enclosed letter sets our case review response in your case. This is the final stage of the ICO’s casework process and we will not revisit the matter again. Therefore, the enclosed letter is our final response on the matters you have raised in this case.
Your options
It may be the case that you disagree with the views we have expressed to you. Individuals are entitled to take their own cases to court under the DPA, irrespective of our decision. The ICO has no role in individual applications to the court. If you wish to pursue this option, you may wish to seek private legal advice.
If you continue to believe that the ICO has provided you with a poor service, or if you believe we have not treated you properly or fairly then you may be able to complain to: The Parliamentary and Health Service Ombudsman (PHSO), Millbank Tower, Millbank, London, SW1P 4QP.
All complaints to the PHSO must be made through your MP. If you require further information about the PHSO, you can call its helpline on 0345 015 4033.

Dear Ms Simmons
I am writing further to my email of 3 September 2014. I have now had the opportunity to consider your complaint in detail and am in a position to provide you with the outcome of the case review. Thank you for patience with this.
The focus of this review is M* *** handling of the data protection concern that you reported to the Information Commissioner’s Office (the ICO) about Worcestershire County Council (the council).
Please find attached a leaflet which explains how we handle requests for a case review.
Your complaint
I have considered the points you have raised and have also reviewed the relevant information that we hold about your data protection concern. I am satisfied that M* *** dealt with this matter appropriately and in line with our case handling procedures.
In this case M* *** explained the reasons for her decision in her letter of 21 July 2014. Having reviewed the matter, I agree with the explanations provided.
You have explained in your case review and service complaints form that you consider that you may have received conflicting advice from M* *** and another ICO employee. You say that you were advised by a member of our Helpline that the council had breached the data protection act (DPA) two times, which differs to what M* *** told you.
However looking at M* *** letter to you she has advised you that the council held inaccurate data which led to the disclosure of third party data. She therefore agrees with you that the council did not do things correctly under the DPA.
As you are aware once you let the council know what had happened it investigated your complaint and took steps to put things right. M* *** also wrote to the council and provided advice about how to prevent such an incident from occurring again in the future.
After taking a detailed look at this matter I am satisfied that M* *** approach was correct. I also agree with her that this is not a matter that we will pursue further.
When an individual brings a data protection concern to our attention we will consider whether the issues raised provide us with an opportunity to improve the information rights practice of the organisations that we regulate. However our role is not to investigate or adjudicate on every individual complaint. We are not an ombudsman.
It is up to us to decide whether or not we should take further action. Even where we decide that further action is not required at the moment, perhaps because the organisation has made a mistake but is working to put things right, we will keep concerns on file. This will help us over time to build a picture of an organisation’s information rights practices.
* The council referring to your ***** as *****
In terms of your concerns about the council incorrectly referring to your ***** as ***** this is not something that we intend to pursue. There is no evidence to support that your personal information has been merged with another family, or that it has been incorrectly disclosed. The council have apologised to you for this error and I do not consider that there are further matters for us to take forward.
* Your Freedom of Information (FOI) request
You have explained that you made an FOI request but were advised that you had not asked for recorded information. You therefore consider that the council has provided you with misleading information.
The FOIA gives people the right to request any recorded information held by a public authority, such as a local authority. The key part is that a public authority is only required to consider providing recorded information. A request can be made in the form of a question, rather than a request for specific documents.
However, a public authority does not have to answer a question if it would mean creating new information or giving an opinion or judgement if it not already recorded.
In this instance you requested ‘any information recorded/published on how i can best stop employees of this Council sending out wrong sensitive data belonging to other children as well as myself to wrong addresses other than myself informing the ICO?’
If the council holds the answer to your question, in other words it has something recorded which explains how to stop its employees sending out wrong information; it should consider providing it to you. However if the council does not already hold an answer to your question, we cannot compel the council to respond to you under FOIA.
Looking at the documents that you sent to us I note that the council has replied to your request and explained that because your question seems to be a complaint about the way it deals with personal information it is not appropriate to deal with it under FOIA. This is because the data protection act relates specifically to the way in which organisations handle personal information. It has however responded to your specific complaint and also explained more about data security.
Based on the information that I have seen it does not seem to me that there is a specific FOIA case for us to take forward.
* The wrong address
I would firstly like to sincerely apologise that the incorrect postal address was included in M* *** letter of 21 July 2014.
I have looked into what happened and can confirm that M* *** sent this letter to you by email only.
We have an electronic case management system and each time anything is done with a case the system records what has happened. For example when a letter is generated the system will note who created it and when. It is not possible to delete or amend this information.
Having looked at this information I can confirm that M* *** sent an email to you on 21 July 2014 stating ‘please see the attached relating to Worcestershire County Council.’ The attachment was her more detailed letter about your data protection concerns. This email and attachment was sent to you at 12.27.
As requested I have included a copy of the relevant information from our system. This shows the case reference number and what information was sent by email. You can find this at the end of my letter.
I also understand that you did not receive this email and have therefore looked into this further. Unfortunately it would seem that M* *** email of 21 July 2014 was sent to **********@hotmail.co.uk rather than *************@hotmail.co.uk
Our case work system is such that when an email is generated the email address that we hold for an individual available from a drop down list. This address is then selected and automatically added to the email.
After looking into this further I have ascertained that we do hold the correct email address for you on our systems and this is supported by the fact that M* *** sent emails to the correct address on 4 July, 30 July and 6 August 2014.
Having spoken to M* *** about this I’m afraid it is not clear why her email of 27 July 2014 went to the incorrect email address and can only assume that it was manually entered, rather than being selected from the pre-populated drop down list.
There have clearly been some mistakes made here for which I am extremely sorry. There are important lessons for us to learn from this incident and as such the details of this incident have been circulated to the departmental management team to be shared with all case officers. I have also taken steps to ensure that we hold the correct contact details for you.
We strive to provide an excellent service to those that contact us and I can only reiterate my apologies that we have fallen short in this instance.
Taking your complaint further
A case review is the final stage of the ICO’s case handling process. However, I appreciate that you may disagree with our decision and our case review. If you remain dissatisfied the attached leaflet outlines the options available to you.
Yours sincerely *** **** Team Manager
Tel: 01625 545 896 Monday to Wednesday in the office; 07.00 to 14.00
Thursdays standard hours
Attached: case review information leaflet
Copy of information taken from our casework system showing when the email was sent to you:
Who? ---
Reference ********
Description
How?
---
Details To: **************@hotmail.co.uk, Cc: Bcc: Subject: ICO
Attachments Document Version ICO 21/07/2014 12:27 *********
Closing CU DS Letter 21/07/2014 11:56 **********
When?
Start Date 21/07/2014 12:27 Duration 00:00:00

Dear Sarah Clarke,

I am now in a position to respond further since been in touch with the ICO where several email exchanges have taken place due to there been a problem with transparency on the ICO's part and sadly, i'm still in a position where i'm having difficulty therefore in updating the status of my FOI request which is late.

I received a final response today from the ICO's Manageress. It appears that the ICO Manageress opinion is that there has only been a breach of the 4th data protection principle (dated 24th November 2014) I had sent an audio recording to the ICO Manageress 02/08/14 showing where an ICO Advisor had said to me there had been breaches of both Principles 4 and 7 relating to this particular FOI request.

I had been of the conclusion re: the Investigator that the Investigator had not agreed these breaches had occurred alongside other matters or with any real clarity/transparency; so as described previously, i contacted the ICO where a Manageress took a look at my concerns. On 11/09/14, i received a letter from the ICO Manageress which said in part- 'You have explained in your case review and service complaints form that you consider that you may have received conflicting advice from Ms Hoof and another ICO employee. You say that you were advised by a member of our Helpline that the council had breached the data protection act (DPA) two times, which differs to what Ms Hoof told you.

However looking at Ms Hoof’s letter to you she has advised you that the council held inaccurate data which led to the disclosure of third party data. She therefore agrees with you that the council did not do things correctly under the DPA.'

I wrote an email back dated 27/11/14 to the ICO Manageress as i'd felt as the author of the ICO Manageress response on 11/09/14 to me, she was confirming to me indirectly/potentially that there had been a breach of both principles 4 and 7 but with no real transparency. Here is in part what i wrote-
'27/11/14
Dear Faye Bower,

I received your latest email today which has given me some concern to respond further.

Ms Hoof’s letter

In terms of Ms Hoof’s letter to you it was her view that the council held inaccurate data which led to the disclosure of third party data. This would be a breach of the fourth data protection principle as this requires organisations to ensure it holds accurate and up to date information.

Previously, dated 11/09/14 you responded to me when i further wrote-Where you have stated- "However looking at Ms Hoof's letter to you she advised you that the council held inaccurate data which led to the disclosure of third party data. She therefore agrees with you that the council did not do things correctly under the DPA." I am able to see that this does give me some clarification from both Ms Hoof and yourself, although not with much transparency regards the breaches. Can i presume now that both Ms Hoof and yourself agree with the previous ICO Adviser's advice in that it 'was a breach of Principles 4 and 7 DPA 1998?'

I can confirm i have now received Ms Hoof's latest response dated 21/07/14 to Ms Sarah Clarke, whereby in part; Ms Hoof wrote to Ms Sarah Lewis-In this case, the concern raised relates to the accuracy and security of personal data. Would it be correct for me to say that the 'security' side relates to Principle 7 dpa

https://ico.org.uk/for_organisations/dat... then that indeed the previous ICO Adviser's advice regards there being a breach with both Principles 4 and 7 dpa 1998 were correct? I am unclear if there was a maladministration error made in your latest response today where you only addressed it as being a breach of Principle 4. https://ico.org.uk/for_organisations/dat...

Then today i received an email from the ICO Manageress reiterating there had only been a breach regards the fourth principle although, it had not been denied throughout there was a breach of the seventh principle or the fourth principle which appears to the author prior to asking for further clarification that these breaches had occurred only in not so many words (Until the fourth principle breach got admitted)

In Ms Hoof's letter dated 21/07/14 addressed to yourself where it states- the concern raised relates to the accuracy and security of personal data. Would it be correct for me to say that the 'security' side relates to Principle 7 dpa, i am concerned to see the conflict with decisions in coming to the conclusion of my FOI request as now it would appear that both the public and myself are unfortunately being misled (Due to lack of transparency re: my FOI request)

I in no way intend to appear rude and i would now like to request an internal review and ask if/how many more breaches have occurred through employees at Worcestershire CC relating to children's services, since i made this FOI request 19th August 13 and to have my concerns i mention today addressed before being in a position to update the status of my FOI request.

Yours sincerely,

M M Simmons

Dear Sarah Clarke,

Just an update to show you the response i have sent to Faye Bower Manageress at the ICO.I would like these contents to be considered when carrying out the internal review.

Dear Faye Bower,

Thank you for your response which i read with great interest. Thank you also for confirming to me my Case is closed and you can be of no further assistance to me and you will not enter into any further correspondence about this matter. I am fortunate i do have my local MP's support.

I have now being able to since update the status of my Freedom Of Information request which can be viewed her-https://www.whatdotheyknow.com/request/c...

Whilst i understand the ICO plan to take no further action against Worcestershire CC UK, i feel Policies have not been followed correctly by the ICO at all as with respect, there has been no clarity or transparency shown to me throughout with me being told things differently regards the breaches.

I furthermore had no access to Ms Hoof's letter prior to decisions of the outcome being made which in part stated-

21/07/14 to Ms Sarah Clarke, whereby in part; Ms Hoof wrote to Ms Sarah Lewis-In this case, the concern raised relates to the accuracy and security of personal data. Would it be correct for me to say that the 'security' side relates to Principle 7 dpa and i therefore have found the responses i've received from the ICO most misleading to both the public and myself.

Had i not written back to you asking for clarification which i have not received correctly all throughout, one would have been led to believe that the outcome was different where you stated Ms Hoof agreed with me my Council had breached.

I have therefore requested an internal review where matters have been complicated by inconsistency all throughout when matters should have been concluded sooner due to the said FOI Request still not being finalised. I had rather thought you had made an administrative error regards the other breach.

Yours Sincerely

Ms M M Simmons

Freedom of Information (ChS), Worcestershire County Council

3 Attachments

Dear Ms Simmons

 

Thank you for your Freedom of Information request.  Please find attached
an acknowledgement and request for clarification.

 

Sarah Clarke

Sarah Clarke | Team Manager – Subject Access Requests | Children's
Services

01905 728932

[1]chs[Worcestershire County Council request email]

 

[2]cid:image002.jpg@01D00AE8.C9F37350

show quoted sections

Dear Sarah Clarke,

Thank you for contacting me so promptly. I am still querying the decisions made regards the breach of the seventh principle as putting the ripped envelope aside, the security of one's data has not properly been taken care of and with several ones data.

I accept it has been acknowledged regards the fourth principle being breached but not the seventh principle breach being denied, due to being misled throughout and when i was previously informed it had been breached by an ICO Advisor and i have received a further email as described before from Ms Hoof to yourself . I was clearly told the seventh principle had been broke on a call by an ICO Advisor.Faye Bower manageress, wrote to me stating-However looking at Ms Hoof's letter to you she has advised you that the council held inaccurate data which led to the disclosure of third party data. She therefore agrees with you that the council did not do things correctly under the DPA. Faye Bower did not deny the seventh principle had been breached in her correspondence to me which is misleading and Faye Bower's opinion differs to the ICO Advisor informing me the seventh principle had been breached-

I then received a further email from Ms Hoof showing me the letter you had received from Ms Hoof stating-the concern raised relates to the accuracy and 'security' of personal data which is conflicting with what Faye Bower manageress informed me where she stated-

"In terms of Ms Hoof's letter to you it was her view that the council held inaccurate data which led to the disclosure of third party data" Faye Bower manageress also stated to me-

" This would be a breach of the fourth data protection principle as this requires organisations to ensure it holds accurate and up to date information"

I am therefore seeing that Ms Hoof has addressed the security side and the accuracy side all in one sentence but without admitting these breaches occurred, whereas the ICO Advisor said principles 4 and 7 had been breached to me.

I have furthermore had Ms Hoof send me an email to the incorrect email address which i asked Faye Bower Manageress to consider and i've received written apologies for that too.

I am requesting the internal review with respect, due to there being incompetence by those investigating so far and concerning the breach of Principle 7 occurring since/now being denied to me.

I have sent an email today to the ICO requesting-

May i now request to be sent all correspondence between Ms Hoof, Faye Bower and Sarah Clarke and with myself, so as i can forward the details on to Sarah Clarke data controller from Worcestershire CC UK.

If possible, please could the correspondence be sent to me in date order in one email as i'm having difficulty finding all my emails with the newer Outlook Service.

Please can you confirm if i need to send you all of the correspondence described as in my email i've sent today to the ICO.

Yours Sincerely

Ms M M Simmons

Dear Sarah Clarke,

At paragraph two, sixth line down it should read breached and not broke. I wish to amend this.

Yours sincerely,

M M Simmons

Freedom of Information (ChS), Worcestershire County Council

3 Attachments

Dear Ms Simmons

 

Further to your recent correspondence, please find attached our response.

 

 

Sarah Clarke

Sarah Clarke | Team Manager – Subject Access Requests | Children's
Services

01905 728932

[1]chs[Worcestershire County Council request email]

 

[2]cid:image002.jpg@01D00AE8.C9F37350

show quoted sections

Dear Sarah Clarke,

Thank you for your response 14.01.15.

Can i request recorded information to be sent which relates to the legislation or procedures which state i/we have to ask for recorded information when i have already done so at the beginning of my FOI request? I'm not aware i have seen anyone previously ask for recorded information for an internal review on the 'What do they know' website which would therefore be helpful for me to see that. I believe this information i am requesting is relevant to this FOI request.

21.07.14, Ms Sarah Lewis was sent a letter from Ms Joanna Hoof (Case Officer ICO) which states in paragraph 3 'In this case, the concern raised relates to the accuracy and security of personal data'. I'm requesting an interval review be considered to help address where a letter can state this then addressing in the 4th paragraph where it states 'It does appear that the Council have breached the DPA' it appears the two said breaches have been admitted they both occurred, only not been referred to as Principles in the correct form they should have been like i read on the Information Commissioner's Office website.. I'm trying to ascertain by means of an internal review why this is and i believe i have requested this information a few times and when i did not originally have a copy of the letter sent to Ms Lewis until i requested it after my Case got closed. I have not had fair chance therefore to get this addressed by means of an internal review.

I am trying to ascertain how a public body like the Information Commissioners Office experienced with dealing with data breach concerns can be so vague and admit there were two breaches in their wording as in paragraph 3 and 4 of Ms Lewis letter dated 21.07.14 where it states 'It does appear that the Council have breached the DPA' 'In this case, the concern raised relates to the accuracy and security of personal data but then be so misleading as not to send me a copy of this letter until my Case got closed and not wording the breached Principles correctly and only sending it me after i requested to see it.

https://ico.org.uk/for-organisations/gui...
The ICO have failed in their statutory duties to address this breach properly where i read it on their official website but vaguely admitted it in their letter dated 21.07 14 to Ms Lewis, but since confirmed Principle 4 'was' breached.

https://ico.org.uk/for-organisations/gui...
The ICO have failed in their statutory duty to address this breach properly where i read it on their official website but vaguely admitted it in the letter dated 21.07 14 to Ms Lewis , but since said/referred to it as it 'had not' been breached.

I have in written evidence the wording how these breaches have been addressed but then how it's been denied at a later date that Principle 7 has been breached once the breaches had already been admitted with the wording taken from the Seventh Principle what the concerns were, but as i recall with myself not been sent a copy of Ms Lewis letter 21.07.14 until after my Case got closed.

Lastly, can i request recorded information where it shows me with legislation or procedures, where a public body can address breaches have occurred but failed to address fully the Principles breached as described for the public's information and ask if the Information Commissioners Office website is an official Government website. The internal review i am requesting is to address why with clarity and transparency only Principle 4 was admitted afterwards and not Principle 7 when they'd already previously been as good as admitted and when i was at unfair advantage to get this addressed as described above and would not have had a copy of the letter dated 21.07.14 sent to Ms Lewis had i not requested it. Had i not requested transparency and clarity on the matter to the ICO, i believe both Worcestershire County Council and myself would have been left with the conclusion both the said Principles had occurred (like Ms Lewis reads) because the letter to Ms Lewis 21.07.14, does not state anywhere throughout the letter a breach of Principle 7 did not occur.It did state in paragraph 3 'In this case, the concern raised relates to the accuracy and security of personal data.' I feel as though left as it is both breaches of Principles have been admitted, then denied, then finally only one and half Principle breaches have been admitted.

If it is possible for half of a Principle breach to happen where it can be admitted and lawfully, may i request recorded/published information to see the relevant legislation for this too.

Yours Sincerely,

M M Simmons

M M Simmons left an annotation ()

Freedom of Information (ChS), Worcestershire County Council

3 Attachments

Dear Ms Simmons

 

Further to your recent correspondence, please find attached our response.

 

Sarah Clarke

Sarah Clarke | Team Manager – Subject Access Requests | Children's
Services

01905 728932

[1]chs[Worcestershire County Council request email]

 

[2]cid:image002.jpg@01D00AE8.C9F37350

 

References

Visible links
1. mailto:[email address]

M M Simmons left an annotation ()

http://m.bromsgroveadvertiser.co.uk/news... Breaking news. Read this. Exposed-the council lapses in care of YOUR details.
M M Simmons

M M Simmons left an annotation ()

http://www.bbc.co.uk/news/uk-england-her... Worcester County Council breached boy's human rights
11 March 2016
From the section Hereford & Worcester
A 10-year-old boy has been awarded £5,000 after a judge ruled his human rights had been breached while in local authority care.

M M Simmons

Looking for an EU Authority?

You can request documents directly from EU Institutions at our sister site AskTheEU.org . Find out more .

AskTheEU.org