It’s always hard when those you admire let you down (Van Morrison duetting with Cliff Richard*, Godfather 3, Larkin’s letters) and I preface what follows with an assertion that I think Citizens Advice Bureaux (CABs) are a force for good, and one that takes on even more importance as the government butchers the legal aid system. However, when those you admire do let you down, it is important not to shrink from criticism.
Last week reports emerged of what appeared to be a very serious incident of inadvertent exposure of large amounts of potentially highly sensitive data of clients of Newcastle Citizens Advice Bureau. I think the Northern Echo were the first traditional news source to break the story (after @FOIMonkey had announced the unfortunate discovery on Twitter). Other outlets soon picked this up, including the BBC. What had apparently happened, said the BBC, was:
About 1,300 files containing names, addresses, debt history and criminal records were accidentally made available on the internet.
This is no small matter for an organisation which requires, and indeed prides itself on, total confidentiality between it and its clients.
The Chief Executive of Newcastle CAB had reassuring words:
Shona Alexander, chief executive of the branch, said:
This isolated incident at Newcastle CAB is being thoroughly investigated…I’d like to reassure people that, because we take data protection extremely seriously, they can speak to us in total confidence. All Newcastle CAB staff and volunteers are fully trained in information assurance.
(Although, as Tim Turner pointed out, this bore some resemblance to a platitudinous quote given by Greater Manchester Police when they had contravened the Data Protection Act 1998, and as @FOIMonkey suggested, “isolated incident” is an odd way to describe the apparent long-term inadvertent disclosure of 1300 files in 16GB of client data cached by Google.)
However, it was reassuring to know that this compromised data had been identified, and would be removed, with the assistance of Google. Google are, I understand, generally happy to assist with removal, although each one (and there were hundreds here) normally requires a separate request and takedown is effected normally within twenty-four hours (there is also a process whereby site owners can ask that cached copies of entire directories/sites are removed). @FOIMonkey even had the decency and public-spiritedness to get Google to take many down herself, in what was I am sure a time-consuming task of no direct benefit to her.
But this morning (24 September), when I checked Twitter, I noticed that @FOIMonkey had tweeted yesterday:
Concerned that 5 days after the Newcastle CAB data breach came to light, the information is still online. Please sort them out @ICOnews
She went on to show that more than 11,000 files had still not been removed, pointing out that “it could all have been removed by now”.
Now, in terms of data protection law, I think it is the case that each local CAB functions as a separate data controller, with attendant legal obligations and liabilities, but it seems clear that regional CABs operate under the umbrella of the national organisation, and it seemed to me that this was an issue of general seriousness and importance for the CAB nationally. So I took the time to search out the CAB’s senior press officers, all of whom are on Twitter, and asked them for comment, but got no reply.
I then emailed their Press Office, asking for comment, but was merely referred to a statement from last week which (obviously) made no reference to this current issue about apparent failure to remove the data. I pointed this out in reply, and, when I pushed them to say whether they had any further comment, was referred back to the irrelevant statement they had given me earlier.
Meanwhile, I saw that the Assistant Chief Executive of the national CAB was active on Twitter, and I asked him for comment. He replied:
we take client data protection extremely seriously and working hard with both ICO and Google to resolve this local issue
Which is more like a parroting of the original press release, rather than an answer to the question posed.
It may be that, behind the scenes, frantic efforts are being made and have been made since last Wednesday to remove this data. Maybe Google are being awkward for some reason. I don’t know, but if so, I struggle to understand why we can’t be told this, and why, while we are given bland and unreassuring statements, the only person who publicly seems to be making successful efforts to have the data removed is someone with no obligation to do so, and who alerted the CAB to the problem in the first place.
*Van’s not too bad actually.