‘Lessons learned’ exercise launched after council’s data breach
SHETLAND Islands Council has asked Audit Glasgow to carry out a “lessons learned” process after a data breach earlier this year.
The council had provided an unnamed local resident with redacted information which had then been passed on to sovereign campaigner Stuart Hill.
From the documents provided, Hill had been able to reveal the redacted information, including the contact details of people who owed council tax.
In February, the maverick campaigner contacted over 100 people who had owed council tax in July 2024 to say the SIC had “absolutely no authority” to charge them council tax.
He also said it was a “measure of the data security at the Shetland Islands Council” that he was able to obtain their information.
The council subsequently apologised to all those affected, and reported itself to the Information Commissioner’s Office – which took no formal action against the SIC.
Speaking to Shetland News, SIC chief executive Maggie Sandison confirmed the council had provided another person with the list after they made a freedom of information (FOI) request.
While sensitive information provided within the documentation was redacted, she added it was not redacted “in a way that was as secure” as other methods.
As well as FOI requests, individuals can make a subject access request (SAR) to the SIC.
This is a request for all the information an organisation has about that person, how it is being used, who it is shared with and where it came from.
Sandison said the FOI request should have been treated instead as a SAR.
“If a social worker was processing some info as a SAR, there is a particular tool that gets used that provides a level of redaction that can’t be removed,” she said.
“This was redacted, but not in a way that was as secure as that.
“It should have been treated as a SAR, because it was somebody seeking information about their own personal data which also contained some other people’s personal data.
“Sometimes when somebody asks for a copy of some information, and it’s not treated as a SAR, it can result in information that the person has already had being made available in a way that is not as secure as we should treat it.”
The SIC chief said she felt that the lesson to be learned from the incident was to recognise the distinction between information that could be given out in a FOI response, and when it needed to be a SAR response.
She added the council had “done a lot of training and work with individual teams” who handle these requests in response to the incident.
