WAVERLEY Borough Council has been found guilty of a string of data protection breaches, including spying on a former senior employee’s private emails.
According to the Information Commissioner’s Office (ICO), Waverley began automatically diverting the ex-employee’s personal emails to the council’s head of strategic HR, Wendy Gane, in August last year without the former employee’s knowledge or consent - nor that of the emails’ recipients.
These emails, sent from the ex-employee’s home email address to former colleagues at Waverley, included many of a private nature not related to council business as well as correspondence with union representatives sensitive to the ex-employee’s ongoing dispute with the council.
In its defence, Waverley claimed all employees are informed that their personal emails may be forwarded to strategic HR “in order to respond to time sensitive employment matters”.
However, the Information Commissioner’s Office ruled that staff were not suitably informed this applied to every email sent to the council - adding the automatic diversion of emails should only be adopted in “exceptional circumstances”.
Helen Jackson, ICO case officer, said in her judgement: “On balance based on the information provided it appears that Waverley Borough Council has breached the Data Protection Act 1998. In particular this appears to be a breach of the first data principle (information must be processed fairly).
“We do not feel that the processing warning made it sufficiently clear that all emails that you send to the council would be ‘automatically diverted to HR’.
“From the wording and context of the email an individual may have assumed that only emails relating to employment concerns and sent to key officers would be diverted to HR.
“We would only expect emails to be automatically diverted or intercepted in exceptional circumstances.”
Waverley was also found to have breached the Data Protection Act 1998 by failing to respond to the former employee’s request for all of their personal information held by the council within the prescribed 40 days.
ICO accepted Waverley’s explanation that due to the large amount of information generated by the search for information, including 23,000 emails, it was not possible to provide a full response within 40 days.
However, the council committed another data protection breach when belatedly releasing this information in September 2015, mistakenly disclosing a confidential letter from a third party as part of its response to the ex-employee’s request.
Waverley discussed this matter with the individual whose data had been disclosed and it was decided that the matter would not be pursued any further.
And since concerns around its automatic diverting of emails were raised, Waverley has also taken steps to ensure employees who are union representatives have a dedicated non-council email address from which they can correspond with union members privately.
ICO has also opted against taking any further action against Waverley, instead recommending that the council avoid the automatic diversion of emails in future as well as ensuring all information is “thoroughly checked in future” before disclosures are made.
However, the ex-employee, who has asked to remain anonymous, expressed disappointment that Waverley has escaped any sanctions. “I appreciate that [ICO] are the experts and have responded as they feel appropriately but I think given Waverley breached a fundamental piece of legislation three times against me, a single ex-employee, I would be really concerned about how they are treating other’s data.
“I have requested a manager’s review of my case with the ICO as I feel that Waverley should be subject to some kind of sanction.”
A council spokesman said: “Waverley Borough Council takes the management of personal data extremely seriously. We have been in correspondence with the Information Commissioner’s Office following a complaint from a former employee and acknowledge the recommendations it has made to the council, which are being followed.
“Staff emails are never redirected to the HR department in any circumstances. Waverley adopts best practice when it comes to IT management and has a robust Acceptable Use ICT Policy. The policy, which all staff agree to and sign when commencing employment at Waverley, clearly sets out the council’s approach on IT usage.
“In exceptional circumstances, for example when dealing with persistent complainants, the council may take the decision to channel all external emails to a single point of contact. This is to ensure those customers receive a consistent and speedy response from the council.”

.png?width=209&height=140&crop=209:145,smart&quality=75)



Comments
This article has no comments yet. Be the first to leave a comment.