Fraud/Data Protection breaches/training records
Dear Orkney Islands Council
1. Please disclose how many employees have been suspended over allegations of fraud or misconduct in each year going back to 2015?
How many of those were suspended on full pay?
Please provide details on the type of fraud and misconduct.
2. Please provide details of how many data protection violation/cases have occurred from January 2016 to 2024. Are there any current breaches of data protection regulations yet to be processed.
3. Please provide numbers of employees trained in handling clients and customers personal information.
4. Please confirm whether Hayley Green and Roddy Mackay have been fully trained to handle personal information in accordance with the GDPR/DPA 2018.
5. Please provide dates at which both the above named completed their training and whether their training is extent.
6. Please provide the council’s policy on the handling and processing of personal information.
7. Please provide a copy of OIC’ policy detailing the reporting of breaches of the GDPR/DPA in force from 2017 to 2024 and any subsequent amendments.
8. Please confirm the process by which complaints investigation officers are chosen.
9. Please provide information on the qualifications/experience required by staff appointed as investigation officers in the formal complaints process.
10. Please confirm how many formal complaints were raised between 1st April 2021 and 31st October 21.
11. Please break down by year, how many staff have been trained in GDPA/DPA since 2017 to the present time.
Yours faithfully,
Marie-Claire Rackham-Mann
Classification: NOT PROTECTIVELY MARKED
Dear Madam
Freedom of Information (Scotland) Act 2002 – Request for Information
Thank you for your information request dated 04 December 2024 and received on 04 December 2024. Our reference is FOI 2024-1159. This is being dealt with under the Freedom of Information (Scotland) Act 2002.
We are considering your request. We may be in touch soon to ask for further clarification or to offer advice and assistance if we are not able to fulfil your request in its present form.
The legislation allows us up to 20 working days from the date that we receive a valid request, including any clarification we need to make a final response. We will be in touch within 20 working days of receipt of your initial request to provide our response or to seek clarification where necessary. We hope to give you the information you are looking for at an earlier date if possible.
Please be advised that Orkney Islands Council will be closed for business over the festive period. If we are unable to provide a response to your request before close of business on Tuesday 24 December 2024, we will endeavour to provide a response as soon as we can when we re-open in the new year on Monday 06 January 2025.
Regards
Leona Scott
Information Administrator | Strategy, Performance & Business Solutions
Orkney Islands Council | Council Offices | Kirkwall | Orkney | KW15 1NY
Telephone: (01856) 873535 | Extension: 3377
Dear foi,
By law Orkney Islands Council should have responded to our FOI request by 3rd January 2025.
We requested information which is easily accessible. We therefore request that an internal review is conducted.
Yours sincerely,
Marie-Claire Rackham-Mann
Thank you for contacting [Orkney Islands Council request email]. Due to
Orkney Islands Council closing for business over the festive period, our
inbox will not be monitored from 0900 on Tuesday 24 December 2024 until we
re-open for business at 0900 on Monday 06 January 2025.
We will provide a response to your email as soon as possible in the new
year. Kindest regards from the Information Governance Team
We apologise for any inconvenience this may cause if you are waiting for a
response or have submitted a new response.
This will be dealt with as soon as resources allow.
Classification: NOT PROTECTIVELY MARKED
Dear Madam
Freedom of Information (Scotland) Act 2002 – Request for Information
I refer to your email dated 04 December 2024 and received on 04 December 2024; our reference is FOI 2024-1159.
I am pleased to give the information you requested and hope that it meets your requirements. Our response is detailed below. Please note that due to public holidays held on 25 and 26 December 2024 and on 01 and 02 January 2025, the 20 working day deadline to respond to your request was scheduled to be no later than 07 January 2025. Please accept our apologies for submitting your response one day later than the statutory timescale.
1. Please disclose how many employees have been suspended over allegations of fraud or misconduct in each year going back to 2015?
How many of those were suspended on full pay?
Please refer to the attached document. Please note that as some figures are low, disclosure of this information would be unfair for the purpose of the first data protection principle and is exempt in terms of Section 38(1)(b) read in conjunction with Section 38(2A)(a) of the Freedom of Information (Scotland) Act 2002. As such we have removed some of the answers to the question asked. We hope you understand our position.
Please provide details on the type of fraud and misconduct.
Please refer to the attached document. Please note that as some figures are low, disclosure of this information would be unfair for the purpose of the first data protection principle and is exempt in terms of Section 38(1)(b) read in conjunction with Section 38(2A)(a) of the Freedom of Information (Scotland) Act 2002. As such we have removed some of the answers to the question asked. We hope you understand our position.
2. Please provide details of how many data protection violation/cases have occurred from January 2016 to 2024. Are there any current breaches of data protection regulations yet to be processed.
Orkney Islands Council only retains information relating to the last 6 years of data breaches. The figures from 1st January 2018- present are: 173 reported data breaches
There is 1 data breach referred to the Information Commissioner currently awaiting an outcome.
3. Please provide numbers of employees trained in handling clients and customers personal information.
With regard to GDPR iLearn course – all IT users complete this course as part of their mandatory training programme.
4. Please confirm whether Hayley Green and Roddy Mackay have been fully trained to handle personal information in accordance with the GDPR/DPA 2018.
Yes to both completing the mandatory GDPR course annually
5. Please provide dates at which both the above named completed their training and whether their training is extent.
Hayley Green – 11/04/24
Roddy MacKay – 10/06/24
6. Please provide the council’s policy on the handling and processing of personal information.
Policy attached https://www.orkney.gov.uk/media/icngvp5g...
7. Please provide a copy of OIC’ policy detailing the reporting of breaches of the GDPR/DPA in force from 2017 to 2024 and any subsequent amendments.
Policy attached https://www.orkney.gov.uk/media/icngvp5g...
8. Please confirm the process by which complaints investigation officers are chosen.
In line with the OIC Complaints Handling Procedure (https://www.orkney.gov.uk/media/uv3bxhg1...) complaints would be investigated by a suitably senior officer not directly involved in the complaint, for example a line manager, or service manager from a different area. Designated Complaints Officers within each Council Directorate would be involved in identifying an appropriate investigating officer for each complaint.
9. Please provide information on the qualifications/experience required by staff appointed as investigation officers in the formal complaints process.
Investigating officers would be required to be of a sufficient level of seniority, e.g. line or service managers and to have received training on Complaints Handling or other accredited SPSO training.
10. Please confirm how many formal complaints were raised between 1st April 2021 and 31st October 21.
There were 44 formal complaints raised between 1st April 2021 – 31st October 2021
11. Please break down by year, how many staff have been trained in GDPA/DPA since 2017 to the present time.
2024 – 355
2023 – 694
2022 – 1631
We changed learning management systems in 2021/22. We don’t have access to the previous system to give details from 2017 – 2021.
Under FOISA, if you are dissatisfied with our response, you may ask the Council to review its handling of your request. If you wish to do this, you should make your request for review within 40 working days of receiving this email. Please make your request for review to Service Manager (Governance), Council Offices, School Place, Kirkwall, Orkney, KW15 1NY or email to [Orkney Islands Council request email]. Your request must be in permanent form (letter, email, audio tape etc) and should state:
That you are asking for a review of this decision, and
Why you are unhappy with the response you have received.
We will issue a full response to your request for review within 20 working days of our receiving it.
Where the outcome of the review fails to resolve the matter to your complete satisfaction, you then have the right to apply to the Scottish Information Commissioner for a decision. You have six months in which to do so following receipt of our review outcome – see www.foi.scot/appeal.
Regards
Paul Kesterton
Information Governance Officer
Strategy, Performance & Business Solutions
Orkney Islands Council, Council Offices, Kirkwall, Orkney, KW15 1NY
Telephone: 01856 873535 Extension: 2241
www.orkney.gov.uk
Dear Orkney Islands Council,
Please pass this on to the person who conducts Freedom of Information reviews.
I am writing to request an internal review of Orkney Islands Council's handling of my FOI request 'Fraud/Data Protection breaches/training records'.
We requested the disclosure of many employees have been suspended over allegations of fraud or misconduct in each year going back to 2015. The response is that " Please refer to attached document. Please note that as some figures are low, disclosure of this information would be unfair for the purpose of the first data protection principle and is exempt in terms of 38(1)(B) which is in fact the fourth principle and not the first as stated "
It is unclear whether the First or the Fourth principle is being cited however the cited reference refers to:
"every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the law enforcement purpose for which it is processed, is erased or rectified without delay".
"The First principle refers to: Personal Data must be processed lawfully, fairly and transparently". Neither of them apply to our request to supply anonymised statistics, unless there is a suggestion that they are inaccurate, in which case that should be clearly stated in lines with FOI Guidelines.
In addition, Section 38(2A)(a) of the Freedom of Information Act is also being cited as reason for non disclosure which refers to a process of :
" weighing up the risks to the health and safety of an individual or group against the public interest in disclosure, in all circumstances of the case".
This citation is also not relevant as the statistics are anonymised. We already have the statistics relating to years 2021-2022, previously provided last year.
We have also not been furnished with a complete submission regarding the following specific questions:
1) "Please provide numbers of employees trained in handling clients and customers personal information'?
2) "Please confirm whether Hayley Green and Roddy Mackay have been fully trained to handle personal information with the GDPR/DPA 2018 BETWEEN January 2016 to present (2024)"? We wanted a breakdown of each year they were in receipt of a valid training certificate.
3) We also request that confirmation is given that Hayley Green had completed training and was qualified on Complaints Handling or other accredited SPSO Training (please specify which course).
Please confirm how Hayley Green was chosen by the Designated Complaints Officers and whether she was deemed to have been "a suitably senior officer" tasked with undertaking Formal Complain's Investigations iaw either training?
4)We request that confirmation is given that Roddy MacKay had completed training and was qualified on Complaints Handling or other accredited SPSO Training (please specify which course).
Please confirm how Roddy MacKay was chosen by the Designated Complaints Officers and whether she was deemed to have been "a suitably senior officer" tasked with undertaking Formal Complain's Investigations iaw either training?
A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/f...
Yours faithfully,
Marie-Claire Rackham-Mann
Classification: NOT PROTECTIVELY MARKED
Dear Madam
I acknowledge receipt of your request for review. You will receive a response in due course.
Kind regards
Leona Scott
Information Administrator | Strategy, Performance & Business Solutions
Orkney Islands Council | Council Offices | Kirkwall | Orkney | KW15 1NY
Telephone: (01856) 873535 | Extension: 3377
We work to defend the right to FOI for everyone
Help us protect your right to hold public authorities to account. Donate and support our work.
Donate Now