"Unfettered access" to EDDC council system- Data Protection Issues

tim todd made this Freedom of Information request to East Devon District Council

This request has been closed to new correspondence from the public body. Contact us if you think it ought be re-opened.

Waiting for an internal review by East Devon District Council of their handling of this request.

Dear East Devon District Council,

We read in the Express and Echo dated today 4th September, in a report about the ICO hearing at Exeter on 28th August concerning EDDC's right to restrict confidential information, that Richard Cohen, Deputy C.E.O. is reported as giving evidence that a private consultant, Steve Pratten, had quote, "unfettered access" to the council system.

Question 1. Is the quote an accurate quote from evidence that was given under oath? Does Mr Pratten have "unfettered access" ?

Question 2. Does 'the council system' contain information about all the council's roles and duties and include highly personal and confidential information about staff, residents and other parties, obtained in confidence in the course of their duties?

Question 3.What is the council's explanation for allowing a private individual, employed as a consultant for a major building project,to have unfettered access to a system that would likely contain highly confidential and personal information including, for example, residents financial and health details?

Question 4.Would such allowing "unfettered access" not amount to a clear breach of the Data Protection Act and indeed, the council's wider duty of confidentiality?

Yours faithfully,

Tim Todd
Research Assistant
on behalf of East Devon Alliance

Kate Symington, East Devon District Council

Mr Todd

Thank you for your request for information. I will deal with each of your questions in turn:

1. No information is held in response to this question and we do not wish to comment on an article written by a third party.

2. There are a number of different IT systems operating within the Council and staff have access to those systems necessary for them to perform their respective roles.

3. As above, employees have access to systems necessary for them to perform their roles.

4. As above. A copy of the Council's Data Protection Policy can be made available on request.

I hope this is helpful.

If you feel dissatisfied with the way we have responded to your request, please contact our Interim Monitoring Officer, Mr Ian Clarke at [email address]

You may also approach the Information Commissioner for advice at www.ico.gov.uk

Mrs Kate Symington
Information and Complaints Officer
East Devon District Council

01395 517417

show quoted sections

Dear East Devon District Council,

Please pass this on to the person who conducts Freedom of Information reviews.
I am writing to request an internal review of East Devon District Council's handling of my FOI request '"Unfettered access" to EDDC council system- Data Protection Issues'.
The questions, as is all too often the case, have not been answered.
It is inconceivable that you hold no information about whether Mr Pratten, as said by Mr Cohen under oath in the court, had unfettered access to the council system.
Kindly confirm that Mr Cohen has seen these FOI questions, and has authorised your response to them, and arrange for a review.
Thank you.
Yours faithfully,
T Todd

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/u...

P Freeman left an annotation ()

I love the way that Mrs Symington says "I hope this is helpful." to what is essential a completely unhelpful (and non-responsive) reply.

1. The IT department must be able to list the systems that Mr. Pratten has access to, the level of access he has, and whether this includes access to personal data of citizens or employees.

2. The answer provided does not relate to the question asked (which relates to council systems and not Mr Pratten directly).

3. As stated in the question, Mr Pratten is not "an employee" of EDDC, so the answer given is (deliberately?) misleading.

4. The Data Protection question is more complex than just IT - The DPA also relates to physical files (which Mr Pratten might also have access to if he has "unfettered access" to the EDDC offices. The Data Protection Policy is referred to in many documents which can be found on the EDDC web site, however (ironically) you cannot find the Data Protection Policy itself on their web site. On http://www.eastdevon.gov.uk/freedom_of_i... it refers to http://www.eastdevon.gov.uk/data_protect... as the Data Protection Policy, however this is titled "Data Protection - Public Commitment Statement" and doesn't cover who will have access to the data (so the answer from Mrs Symington is unresponsive here too). The closest I can find to a copy of the Data Protection Policy is at http://www.eastdevon.gov.uk/eb_300108_it... - see Page 6 which refers to a "Data Sharing Protocol" (for sharing data with 3rd parties like Mr Pratten's employers and Mr Pratten as one of their employees) but I can't find this on their web site either.

P.S. Personally, I have found FoI requests to be more successful when requesting factual data (from which you can then infer whether the organisation has acted properly and maybe then ask questions of councillors based on these facts), and have not found FoI requests to be a good way to ask the organisation whether they have done wrong in any way as you always get weasel answers like these.

Dear Kate Symington,

A reply for my request for an internal review is still awaited.

Yours sincerely,

Tim Todd