A SCOTTISH council has scrambled to cover its tracks after accidentally publishing the personal data of its employees online.
South Lanarkshire Council, which is run by a minority Labour administration propped up by the Tories and LibDems, said it has reported the incident to the Information Commissioner.
But SNP councillors contacted by The National said they had not heard “a single word” about the leak, and called for greater transparency in order to maintain trust.
The data breach came after the council responded to a Freedom of Information (FOI) request, put in through the website whatdotheyknow.com, asking to learn details “of all pay scales including scale points, grades, and values in use for each year for 1996 – 2021”.
READ MORE: Outrage as Labour council decision more than doubles youth sports club entry fees
In responding to the request on April 11, the South Lanarkshire authority included details of its employees as a result of “human error”.
The National has been told that the data leak involved thousands of entries including personal details about staff including their name, pay grade, place of work, and national insurance numbers.
A spokesperson for the council did not comment on the nature of the leaked information, saying only that the breach had involved “personal data that had not been anonymised”.
They did say the council believed the data had not been accessed and could not be used “in a way that would be harmful to those involved”.
Paul Manning, the council’s head of finance and corporate resources, wrote to the person who initially put in the FOI request asking them to delete all records on May 12 – one month after the information was first published online.
Manning wrote: “In its response dated 11th April 2023, [the council] provided you with personal data in error …
“We inadvertently attached a version of a spreadsheet entitled ‘Grades and Positions as at 31 March 2021’ with our response which contained personal data and have now attached the correct version which should have been included.
“I must therefore ask that if you have downloaded and retained a copy of this spreadsheet that you delete it without delay, and also that you delete it from your deleted items folder and confirm to me that you have done so.”
The person who put in the request did not respond to The National’s request for comment. Whatdotheyknow.com has deleted the data from its site.
Councillor Maureen Chalmers, the SNP’s depute group leader in South Lanarkshire, said she had not been aware of the breach until this paper contacted her.
READ MORE: Community groups receive more than £300,000 from wind farm funds since Covid
Chalmers said: “If this is accurate then I would be shocked that there had been no openness and transparency around about it.
“We have had ways of doing things in the past in the council whereby at least group leadership would be informed or there would be something issued to say this is what’s happened and these are the steps that we’ve taken. But I have heard not a single word about this.”
She went on: “We’d want the council to be open and transparent and ensure employees of the council what steps had been taken to investigate the matter and to make sure that no further breach would take place. I think that’s a very basic thing really.
“South Lanarkshire is a good local authority and I’ve never felt there was any secrecy in the system before, but it only takes one to have that trust questioned.”
Asked if she would support an inquiry into the data breach, Chalmers said: “The council has got its processes and there should be a fact-finding investigation and then the council’s processes, they’re well rehearsed, there shouldn’t be any difficulty with that, but the first thing is a fact-finding exercise.”
A South Lanarkshire Council spokesperson said: “A spreadsheet containing anonymised employee data was uploaded to a website in response to a Freedom of Information request.
“Unfortunately as a result of human error, the spreadsheet contained a second page of personal data that had not been anonymised. The error was noticed by the council and we arranged for that data to be removed.
“To the best of our knowledge the information was not accessed, and we believe the data could not be used in a way that would be harmful to those involved.
“However, I can confirm that we are contacting those affected by the error and we have reported the breach to the Information Commissioner.”
Why are you making commenting on The National only available to subscribers?
We know there are thousands of National readers who want to debate, argue and go back and forth in the comments section of our stories. We’ve got the most informed readers in Scotland, asking each other the big questions about the future of our country.
Unfortunately, though, these important debates are being spoiled by a vocal minority of trolls who aren’t really interested in the issues, try to derail the conversations, register under fake names, and post vile abuse.
So that’s why we’ve decided to make the ability to comment only available to our paying subscribers. That way, all the trolls who post abuse on our website will have to pay if they want to join the debate – and risk a permanent ban from the account that they subscribe with.
The conversation will go back to what it should be about – people who care passionately about the issues, but disagree constructively on what we should do about them. Let’s get that debate started!
Callum Baird, Editor of The National
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules hereLast Updated:
Report this comment Cancel