EXCLUSIVE: Wirral Council admit disclosure of NI numbers, dates of birth & names of nearly 200 staff was a mistake
The background to this story is that last year Wirral Council accidentally divulged to me around two hundred people’s names, dates of birth, national insurance numbers, job titles and whether they were in the Merseyside Pension Fund (that Wirral Council administers) or not.
This is my response to Wirral Council (and ICO on this matter).
Dear Surjit Tour, Caroline Flint (ICO) and others,
Thank you Mr. Tour for your letter of 28th April 2015 (your reference ST/CG) and the email from ICO’s Caroline Flint dated 30th April 2015 (ICO case reference number RFA0568370). As both communications cover the same topic I am writing this joint response in reply.
I will deal first with an error in the response in the email from ICO. The first sentence in that email states “Thank you for raising your concern with us about Wirral Metropolitan Borough Council’s (Wirral MBC’s) handling of your personal data.”
None of the personal data that this matter relates to is about myself.
Moving to Mr. Tour’s letter of the 28th April 2015, paragraph 2 correctly states that I requested “eight lengthy contracts/leases” (one of which is the PFI contract with Wirral Schools Services Limited that this matter relates to).
Although not implicitly stated, it is implied that I was provided with eight lengthy contracts/leases and that this request “did impose a considerable strain on the officers”.
However four were not provided (the BAM Nuttall contract came into effect during the 2014/15 financial year, the development agreement (dated 9/1/2008) and bond (dated 6/10/2008) with Pochin Land and Development Limited (relating to the Birkenhead ASDA Compulsory Purchase Order) was refused and so was Wirral Council’s agreement with Neptune Developments with regards to the Birkenhead Masterplan proposals).
Two leases were provided (I would estimate each at being around 200 pages long). Two contracts were also provided (including the PFI contract) which are each around 500-1000 pages long. In the case of one of the leases (the New Brighton Marine Point lease) two entire copies of the lease were provided (when I only asked for one). As one of the two copies provided of that lease has a Land Registry official copy stamp on it (so presumably the copying was done by Land Registry) I would respectfully point out that the “considerable strain on the officers” referred to in your letter in making a second copy of that lease (then providing a second copy of that lease to myself with the Land Registry copy) was unnecessary.
In the last sentence of your letter you refer to Regulation 9 of the Accounts and Audit (England) Regulations 2011 which requires the documents to be made available for public inspection twenty working days before the date appointed by the auditor for local government electors to exercise their rights to either ask questions or make an objection.
For the 2013/14 audit, this date was the 18th August 2014. Therefore in order to comply with the regulations the documents should have been made available in the twenty working days leading up to the 18th August 2014 (which was the 21st July 2014 to the 15th August 2014).
As specified in your letter the PFI contract was available for inspection by myself on the 12th September 2014 (a month later than the timescale in the legislation you refer to). The copy of the PFI contract I was given on the 12th September 2014 was incomplete and it was the following month before I received the missing pages of the contract (which was after the accounts for that year had been closed by the auditor).
There were similar problems with the member expense forms as those given to me in September 2014 were also incomplete (or related to the wrong financial year) with the rest given to me in October 2014.
Therefore as the information was provided a month (or in some cases two months) later than the legislation specified I dispute your assertion that “The difficulties were compounded by the short timescales permitted by Regulation 9 of the Accounts and Audit (England) 2011 to produce the documents you had requested that related to the accounts of the Council”.
Had the documents been open for inspection and I had received copies prior to the 18th August 2014 (in compliance with the regulation you refer to) I would agree with you, however they were not.
Moving to the points made in page three of your letter, I was unaware (until I read your letter) of the existing right of inspection to admission agreements under schedule 2 Part 3 paragraph 11 of the Local Government Pension Scheme Regulations 2013.
I refer you to one of the admission agreements in the PFI contract specifically Schedule 19, Part 3, page 4/5 of the PFI Contract:
“3 (i) The Administering Authority shall from the date referred to in paragraph (ii) of this clause admit to participate in the benefits of the Scheme every employee of the Transferee Admission Body –
(a) whose name appears in the List annexed to this Agreement where he is identified as being a member of the Scheme by virtue of being an employee of the Administering Authority (hereinafter referred to as “the List”) or
(b) whom, by notice in writing given to the Administering Authority, the Transferee Admission Body may from time to time nominate provided that any person so nominated must be eligible to become a member of the Scheme.”
The Administering Authority referred to is Wirral Council. Therefore the list of names, dates of birth, job descriptions, NI numbers is of former Wirral Council staff whose employer was changed from Wirral Council to that of the PFI contractor.
You state in the second paragraph on page 3 “The amount of any such deficit would be determined by such factors as salary and age of the employee”. However the list does not include salary details of employees. Therefore as this information does not form part of the admission agreement or annexed list I dispute your statement that “That information would therefore be relevant to any assessment of the financial risk to the Council brought about by the PFI Contract.”
I might also point out that the admission agreement refers to a bond or indemnity with an insurer (Schedule 18 Parts 3 pages 14-17) to cover this sort of situation which reduces the risk of such liabilities falling on Wirral Council. Unfortunately the name of the insurer is not provided on the copy of the contract I have but the admission agreement states this insurance is to a limit of £67,000 (for that admission agreement which is one of three in the contract).
As I am publishing this response to ICO and Mr. Tour, I am also publishing the email from ICO that it refers to and the letter from Mr. Tour.
I have made a determination as data controller (see s.32 of the Data Protection Act 1998) that having regard to the special importance of the public interest in freedom of expression, the fact that I’m publishing my response (which could lead to confusion unless the email from ICO and letter from Wirral Council is also published at the same time), ICO’s view that Wirral Council breached the Data Protection Act 1998 as well as other reasons, that it is in the public interest for these documents to be published.
Finally, although I appreciate your point about whether s.34 of the Data Protection Act 1998 applies to the list is a matter for Wirral Council and ICO to come to a view on, at the very least there appears (from my perspective) to have been maladministration on the part of Wirral Council.
Providing documents requested during the audit outside the timescales you referred to in your letter and indeed in some cases after the accounts were closed prevented me from exercising my right to object to the auditor or to ask questions of the auditor before the accounts were closed at the end of September 2014.
As you are Monitoring Officer for Wirral Council, I draw your attention to section 5A of the Local Government and Housing Act 1989 and the duty of a Monitoring Officer to write a report (circulated to all councillors, the Chief Executive and the Chief Financial Officer) and for this report to be considered at a future Cabinet meeting within a set time period if there has either been a contravention of any enactment or rule of law by the authority or maladministration. I therefore await your response as to whether you will be writing such a report.
date: 30 April 2015 at 15:42
subject: Data Protection Concern: RFA0568370[Ref. RFA0568370]
30 April 2015
Case Reference Number RFA0568370
Dear Mr Brace
Thank you for raising your concern with us about Wirral Metropolitan Borough Council’s (Wirral MBC’s) handling of your personal data.
We want to know how organisations are doing when they are handling information rights issues. We also want to improve the way they deal with the personal information they are responsible for. Reporting your concerns to us will help us do that.
Our role is not to investigate or adjudicate on individual concerns but we will consider whether there is an opportunity to improve the practice of the organisations we regulate. We do this by taking an overview of all concerns that are raised about an organisation with a view to improving their compliance with the Data Protection Act 1998 (DPA).
From the information provided to us it does appear that Wirral Council has breached the DPA as it has acknowledged disclosing third party data in error. Wirral MBC has stated they have recovered the information disclosed inappropriately. They have also specified that requests made under the Audit Act in the future should not include any personal information which would enable particular individuals to be identified unless the requester can demonstrate that the disclosure is in the public interest to the extent that it should override the individual’s right to privacy.
It is now Wirral Metropolitan Borough Council’s responsibility to explain to us how it intends to improve its information rights practices in relation to reducing the possibility of such inappropriate disclosures in the future. Although we do not intend to write to you again, we will keep the concerns raised on file. This will help us over time to build up a picture of Wirral MBC’s information rights practices.
Thank you for bringing this matter to our attention.
If you are dissatisfied with the service you have received, or would like to provide us with feedback of any kind, please let me know. Further information can also be found on our website by following the following link https://ico.org.uk/concerns/complaints-and-compliments-about-us/complain-about-us/
01625 545 258
The ICO’s mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
If you are not the intended recipient of this email (and any attachment), please inform the sender by return email and destroy all copies. Unauthorised access, use, disclosure, storage or copying is not permitted.
Communication by internet email is not secure as messages can be intercepted and read by someone else. Therefore we strongly advise you not to email any information, which if disclosed to unrelated third parties would be likely to cause you distress. If you have an enquiry of this nature please provide a postal address to allow us to communicate with you in a more secure way. If you want us to respond by email you must realise that there can be no guarantee of privacy.
Any email including its content may be monitored and used by the Information Commissioner’s Office for reasons of security and for monitoring internal compliance with the office policy on staff use. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you write or forward is within the bounds of the law.
The Information Commissioner’s Office cannot guarantee that this message or any attachment is virus free or has not been intercepted and amended. You should perform your own virus checks.
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.org.uk
Department of Transformation
Strategic Director for Transformation
Town Hall, Brighton Street
Merseyside, CH44 8ED
DX 708630 Seacombe
date 28 April 2015
to John Brace
134 Boundary Road
my ref ST/CG
service Legal and Member Services
tel 0151 691 8569
fax 0151 691 8482
Dear Mr Brace
DISCLOSURE OF PERSONAL INFORMATION IN ADMISSION AGREEMENT FORMING PART OF THE COUNCIL’S PFI CONTRACT
I refer to your letter of 19 January and to our subsequent meeting which culminated in your return of the personal information which was inadvertently disclosed to you when a copy of the PFI Contract was provided to you on 12 September 2014.
You will recall that in a written request dated 25 July 2014 you had exercised your right under Section 15 of the Audit Commission Act 1998 (“ACA”) to inspect and receive copies of over 300 invoices, eight lengthy contracts/leases and all member expense forms for 2013 and 2014. These documents related to the Council’s accounts for 2013/14.
The request for those documents did impose a considerable strain on the officers who were required to locate and copy those contracts after redacting commercially sensitive and personal information from those documents in accordance with the requirements of the Data Protection Act 1998 and Article 8 of the European Convention on Human Rights. Article 8, as you may know, requires a public authority to show respect for a persons private life and not to interfere with that right except as is in accordance with the law and is necessary (amongst other things) in the interests of the economic wellbeing of the country or for the protection of the rights and freedoms of others.
I should emphasise that the non-redaction of the personal pension information was not intentional. The information was overlooked amongst the thousands of pages of the documentation which you had requested under Section 15 of the ACA. The difficulties were compounded by the short timescales permitted by Regulation 9 of
www.wirral.gov.uk (LGC logo) Awards 2015 Winner Most Improved Council
the Accounts and Audit (England) 2011 to produce the documents you had requested that related to the accounts of the Council also by the sickness absence of one of the Council’s officers who was dealing with your request.
I have looked carefully into the legal consequences of the inadvertent disclosure of the personal information in the PFI Contract and have indeed taken Counsel’s advice on the matter. My conclusions are set out below.
Section 34 of the Data Protection Act 1998 contains an exemption from the requirement to comply with the non-disclosure provisions of the Act if any personal data consists of information which the Data Controller is obliged to make available to the public under any enactment.
The non-disclosure provisions are defined in Section 27 of the same Act and include the first data protection principle which requires Data Controllers to process personal data both fairly and lawfully.
If however the processing is necessary for compliance with any legal obligation to which the Data Controller is subject, then the requirement to process personal data fairly and lawfully does not apply.
The applicable legal obligation is Section 15 of the ACA which gives a right to any local government elector to inspect all contracts relating to the accounts which are to be audited. There is an exception for information which can identify a particular employee of the Council and also for personal information outside that description ie non-employees of the Council if the information enables a particular individual or individuals “to be identified and the Council’s Auditor considers that it should not be inspected or disclosed”.
In the particular circumstances of the PFI Contract the Auditor had not been requested to authorise non-disclosure. The volume of the documents running into several thousands of pages which you had requested rendered it simply impracticable within the short timescales to seek the Auditor’s opinion on whether the personal information should be disclosed. You must remember the context in which the personal information in the PFI Contract was inadvertently disclosed. It was one of many documents that had to be sifted for personal information and commercially sensitive information.
That however does not end the matter since there is a Judgment of the Court of Appeal in the case of Veolia ES Nottinghamshire Limited v Nottinghamshire County Council and Others 2010 EWCA CIV 1214 which decided that Section 15 of the ACA must be interpreted in a manner which is to ensure compliance by the Council with the rights conferred on individuals by the Human Rights Act 1998 and in particular the right to a private life contained in Article 8 of the European Convention on Human Rights to which I refer above.
The advice I have received is that Section 15 of the ACA should be interpreted in such a way that the Auditor’s prior consent to non-disclosure is not required where it would be impracticable to obtain that consent eg because of the volume of documents required to be submitted to him in the short period of time allowed by the Legislation for production of contracts which relate to the Council’s accounts.
It does not of course follow that the Council’s duty not to interfere with Article 8 Rights of the individuals named in the Admission Agreement of the PFI Contract automatically overrides your right as a local government elector to see that information if it formed part of the contract which you were entitled to inspect.
There is a public interest that is to be considered which is that the local government elector or indeed a member of the public should normally enjoy full disclosure of information which is relevant to the Council’s true financial position and which would enable them possibly to detect any wrong doing by the Council or its employees.
In this regard I would draw your attention to Schedule 2 Part 3 paragraph 11 of the Local Government Pension Scheme Regulations 2013 which imposes an obligation on the Council to make a copy of an Admission Agreement available for public inspection at its offices. Details of the employees of the PFI Contractor who had been transferred to the contractors employment from the Council under the Transfer of Undertakings (Protection of Employment) Regulations are relevant to an assessment of the Council’s financial position. Under the Local Government Pension Scheme Regulations 2013 if a contractor were to default in his obligations to make pension contributions in respect of those employees or were to become insolvent, the Council would have to meet any deficit in the Pension Fund that arose as a result. The amount of any such deficit would be determined by such factors as salary and age of the employee. That information would therefore be relevant to any assessment of the financial risk to the Council brought about by the PFI Contract.
Furthermore such employees of the PFI contractor are only entitled to remain in the Local Government Pension Scheme if they continue to be employed in connection with the provision of the services comprised in the PFI Contract. Members of the public would need to know the identities of the contractors employees who were admitted to the Pension Scheme under the Admission Agreement in order to check whether they were continuing to work on the PFI Contract and therefore still entitled to remain in the Local Government Pension Scheme with the attendant financial risk to the Council and thereby council tax payers if the PFI contractor were to default in payment of pension contributions or become insolvent.
If therefore that personal information had been drawn to my attention l would have had to weigh in the balance the public interest in disclosing information relating to the Council’s financial position and the identity of employees who were only entitled to remain in the Pension Scheme whilst they remain employed on the PFI Contract, against the invasion of those members privacy if their identities, dates of birth, and national insurance numbers were made known to you.
I have to say that if I had been called upon to make that decision I would have redacted the personal information and not disclosed it to you unless you had been able to satisfy me that you required that information in circumstances which related to those aspects of the public interest to which l have referred above.
It is evident from the contents of your letter of 19 January and our subsequent meeting that you yourself do not believe that the public interest in disclosure of the identities of the members of the Pension Scheme in the PFI Contract was more potent than the respect which the Council is required to show for their privacy under Article 8. Your reasons for seeking disclosure of the PFI Contract had nothing to do with your concern over the Council’s financial exposure to potential deficits of PFI contractors in the Local Government Pension Scheme or to any concerns that the PFI employees who had been allowed to retain membership of the Local Government Pension Scheme were abusing that Scheme by retaining their membership when they were no longer working on the PFI Contract. You have acted responsibly by returning that personal information to me because you recognise that it did not serve the purpose you had in inspecting the PFI Contract in relation to the Council’s accounts for 2013/2014.
In future I propose to ensure that future requests to inspect documents under the ACA should not include any personal information which would enable the identity of particular individuals to be ascertained unless you (or any person wishing to inspect the accounts) can demonstrate that the disclosure of that information is in the public interest to the extent that it should override the individuals right to privacy.
Finally I should add that as from 1 April 2015 Section 15 of the Audit Commission Act 1998 has been replaced by Section 26 of the Local Audit and Accountability Act 2014. Under that Act there is no longer a requirement for the Council to seek the prior consent of the Auditor before withholding any personal information in the documents relating to the Council’s accounts which a local government elector is entitled to inspect. It is a recognition by Parliament that the prior involvement of the Auditor is not workable having regard to the short timescale for inspection of the documents and the often voluminous nature of those documents. There are however transitional provisions which mean that the 1998 Act will continue to apply to the inspection of accounts for the year 2014/15.
I am sending a copy of this letter to the Information Commissioner so that he is made fully aware of the Council’s investigation into your complaint and the complicated legal framework within which the Council has to work particularly when it is confronted by a request from the public to inspect a large volume of documents.
Yours sincerely and signed on behalf of
Head of Legal and Member Services
(signature of Jane Corrin)
Information and Central Service Manager
Transformation and Resources
If you click on any of the buttons below, you’ll be doing me a favour by sharing this article with other people.