STEVEN DOWNES reports on how the council’s chief executive has responded to serious concerns about the management of personal data with threats of legal action against this website
The council’s chief executive maintains that there is no risk to the personal data of tens of thousands of residents and businesses whose details are held by Croydon Council – despite the council providing access to that information to contractors based outside the European data “safe zone”, and in spite of warnings of the dangers from whistle-blowers working on the borough’s information technology systems.
Jo Negrini, the council CEO, responded with threats after Inside Croydon’s reports of the Town Hall cover-up of how one of her most senior staff, Graham Cadle, or “The Godfather”, had hired a family friend on £787 per day.
Cadle is the godfather to the child of Harry Singh and Karen Sullivan, another senior council employee. Singh was hired by Cadle as an IT contractor at a daily rate equivalent to nearly £200,000 per year soon after his own company, Sensemble, went bust 12 months ago. Neither Cadle nor Sullivan declared their personal relationship with Singh, as is required under their terms of employment, until after an internal investigation, which was prompted by whistle-blower complaints.
Despite the clear breach of the council’s code of conduct, no disciplinary action was taken and the matter was all hushed up – until Inside Croydon’s reports last month. A second internal investigation is underway, though the monitoring officer has yet to report any findings to the senior councillor who raised concerns.
Cadle, the council’s assistant chief executive for “customer and transformation”, had Singh working on the council’s “digital enabling” project, which managed to burn through an £8.2million annual budget in just five months.
Last month, Singh was despatched to India to find cheaper contractors to carry out elements of that work, with several Croydon-based technicians likely to lose their jobs as a consequence. Neither Cadle nor Singh is understood to be among those who might be looking for new employment just before Christmas as a consequence of this off-shoring move to India.
Whistle-blowers within the council’s IT departments expressed serious concerns that by providing access to the council’s digital data to the contractors in India, the council may have broken the law, as well as put that data at risk of hacking.
But in her letter to Inside Croydon, Negrini wrote, “Any allegations that residents [sic] data is ‘at risk’ is blatantly untrue.
“The council takes its data control responsibilities seriously and we would like to reassure residents that contrary to allegations made in your blog their information has not been transferred outside of our network and remains safe.
“All necessary binding contracts are in place for this arrangement and these accord with the Information Commissioner’s Office and EU guidelines.”
The only trouble with Negrini’s statement is that Inside Croydon never reported that the data had been transferred.
What was made very clear in our report, but appears to have gone right over Negrini’s head, is that Croydon Council has effectively handed the keys to the door to the council’s data to contractors based outside the European “safe area”.
Our report on October 24 quoted one of the council’s own senior IT experts, who said, “We cannot overlook the fact that Croydon residents’ data is, right now, being worked on in India.
“Normally, in other organisations I have worked with, this kind of sensitive data would be ‘scrambled’, but in this case we have opened up and given carte blanche access on the promise that the data will be kept secure.”
Clearly, Negrini is more on the ball with the fine detail of the council’s IT systems, and the requirements of the Data Protection Act, than the experienced experts who are working on IT in the council offices. Or maybe not.
Today, the whistle-blower responded to the comments made by Negrini.
“Negrini’s just playing with semantics. I never mentioned anything about the transfer of data, and you never reported anything about data transfer. But that does not alter the risk which Croydon’s data has been placed in.
“No button was pressed to send the data. The door was opened to access the unscrambled data to be worked on. Jo Negrini has been misinformed.”
The whistle-blower further suggests that there is now a team in India, arranged by Harry Singh, working on migrating Croydon’s MyAccount CRM (customer relationship management) 2011 applications to a new CRM 2016 back-end.
This is likely to affect the security of the personal data of every resident in the borough, including the banking details of everyone who, for the past six years, has received benefits via the council or made payments to the council for rent, Council Tax or for parking permits.
Any transfer of data outside the European Economic Area (EEA) requires the data-holder, in this case Croydon Council, to notify everyone whose data is affected. In this case, Croydon Council seems to consider that because there has not been any physical transfer of the data, they have not had to provide any notification to the borough’s Council Tax-payers, benefits claimants or residents’ parking permit-holders.
Guidance on the Information Commissioner’s Office website says:
“Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.” India does not fulfil such criteria.
The ICO’s guidance further states that the first principle of data protection “(relating to fair and lawful processing) will in most cases require you to inform individuals about disclosures of their personal data to third parties overseas”. IT professionals who have been in contact with Inside Croydon since we broke this story suggest that by providing unfettered access to residents’ live personal data, Croydon Council would be required to inform individuals about such a disclosure, regardless of whether the data has been physically transferred or not.
The ICO guidance also states: “The seventh principle (concerning information security) will also be relevant to how the information is sent and the necessity to have contracts in place when using sub-contractors abroad.”
The ICO guidance requires data-holders, such as Croydon Council, to “make an assessment that the level of protection for data subjects’ rights is ‘adequate in all the circumstances of the case’? If not, can you put in place adequate safeguards to protect the rights of the data subjects whose data is to be transferred?”
An ICO spokesperson declined to comment specifically on the circumstances in Croydon, but told Inside Croydon: “Organisations are required by law to keep people’s personal information safe and secure.
“They also need to be aware of specific controls that should be put in place when transferring information to other countries.
“Anyone with concerns about the way an organisation is handling their personal data can report them to the ICO.”