A result in 17 hours for the Information Commissioner's Office, who forced Swansea Council to disclose that they had made 202 Personal Data Breaches, which had affected more than 3,435 individuals in the period from May 2018 to December 2021 [1].
The full FOI request for the number of "Personal data breaches since GDPR day" is publicly available on WhatDoTheyKnow.com.
In a strikingly unusual move, a case officer responded to an FOI complaint in nine days, compelling Swansea Council to respond:
Some have questioned whether the new Information Commissioner, John Edwards, who took up his role on 4 January 2022, would uphold the 2000 Freedom of Information Act. There's a massive backlog of cases, in many instances not addressed for over a year.
Has John Edwards as new Commissioner brought with him a new broom for the New Year?
Was Swansea Council's failure to respond according to the law - promptly and in any event no later than twenty working days - too blatant and egregious for even the ICO to overlook?
Does the intersection of GDPR and FOI risk shaming the ICO if it had let it slide, grossly undermining any authority it needs to discharge the Commissioner's duties? Knowing how many mistakes have been made and how long it took for the Council to comply with its legal obligations to decide whether to notify (under 2018 DPA/GDPR) is a bread-and-butter metric that should be at the tips of a section head's fingers.
Does adding Annotations to WhatDoTheyKnow, publicly shaming public authorities, trigger the PR department/ministry-of-spin to jump on the Freedom of Information team?
Has John Edwards simply done some comparative maths? Public authorities like billion-pound Swansea have budgets splurged on bulging PR departments and second-rate consultants' reports, whilst their FOI and data protection clean-up crews are woefully understaffed and in many situations not empowered to gather timely, nor (in some cases) truthful responses from their own colleagues. If the humble citizen is resilient enough to file and pursue a complaint at the ICO then Mr Edwards' teams will simply pick up the costs of enforcement - I've a pretty easy fix for that.
Command Post Bunker on Mumbles Hill cc-by-sa/2.0 - © Nigel Davies - geograph.org.uk/p/3064574
Swansea itself has monuments scattered around the city to mark the bravery of the air-defence units that sought to protect her citizens, throughout the Second World War and especially during the Three Nights' Blitz. As a young child I remember clambering through the Command Post Bunker up on Mumbles Hill. A friend's father would jam 2-5 of us into the back of his Mini to take us there, in the days before seatbelts! We'd run around, playing innocent hide and seek, then inevitably pretend to strafe and kill each other as we'd defend or attack a bunker, playing out being imaginary soldiers with sticks for Sten guns.
Mr Thomas would describe the huge anti-ship and anti-aircraft guns, the devastating noise and damage to homes they'd make during firing drills, and the intense searchlights that would scour the sky during a raid (Coastal Defence 299 Battery A on the rocks way below). We were perhaps too young and innocent to understand the trauma of living through it, the true horror of war. We dismissed the notion that the city centre was "new". We only saw the first part of Dylan Thomas's "ugly, lovely town", years before the tag of "Pretty Shitty City" was imprinted on celluloid. Come and see for yourself when COVID restrictions safely allow; it's a lovely place to walk to earn yourself a Joe's Ice Cream, and remember those who made sacrifices to protect their communities.
The impact of a personal data breach can be devastating to an individual, and their family. Thousands of families in the Swansea Blitz had their homes and private lives literally blown open, relationships and even "permanent" structures within their communities razed and rocked. Each of the 3,435 individuals affected by these 202 personal data breaches is a person. Many of those individuals won't even know it happened - if the clean-up crew has covered over a mistake *and* decides the breach wasn't notifiable. In some cases those breaches will have exposed people to physical, mental and financial harm or destroyed trusting relationships. It may have started from a simple mistake, but can have very serious consequences.
Swansea Council may not know, or even care, just how deeply these personal data breaches can cut. Many times some would love to train a 6 inch naval gun on an organisation. Standing on the hill and pretending with binoculars can be quite cathartic, or so I'm told, and won't get your personal data added to a watchlist 😉
Shining an intense searchlight by asserting information rights is a formidable weapon in and of itself. The cascade of mistakes and misdirection that fell out from one simple mistake in this instance is breathtaking. The failures documented, laws broken and contradicting lies revealed are truly shocking.
"Upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals" is the tag-line, for now, of the ICO. Let's hope that this rapid intervention, keeping short accounts to prevent the FOI backlog from ever starting to grow, is maintained. The ICO needs to be more than flashy jackets, buzzwords and sandboxes. Citizen audit, driven by a desire to put right personal injustices, is a massively powerful tool that strengthens our society. The Freedom of Information Act is right at the heart of that.
[1] Note: strictly, the FOI responded to was only for Personal Data Breaches since GDPR day, and therefore covers 199 breaches affecting 3,432 individuals, rather than 202 affecting more than 3,435.