Saturday, 1 June 2013

Worrying news from Cllr Sian Caiach...


The entry below is cross-posted from County Councillor Sian Caiach's People First website;

Saturday 1st June 2013 
Covert Surveillance of People First Councillor 
Like all Carmarthenshire County Councillors I was routinely issued with a council laptop and email address on being elected. The purpose appeared to be so I could use it for communications related my council work. However, it is now clear to me that anything I wrote , received or sent from this account could be and some were, accessed by council officers without informing me or the other recipients whose privacy was deliberately violated. 
A couple of weeks ago I was shown a document which Carmarthenshire County Council had released under a document search to someone else. The “Attendance Note Form” showed that the Council's IT security officer, had read and logged my emails in September 2011. The “name of client” was blank. 
In many councils the elected members “run the show” and as an opposition councillor, I should, if this was the case, suspect one of my senior elected colleagues in the ruling group of instructing an officer to snoop on me. However, Carmarthenshire appears to be an officer run council. Senior elected councillors with titles and extra salaries, which in other authorities indicate decision making power, show little sign of actually being in charge. 
And what is the email so serious that it has to be monitored by the administration? Some of you will remember that our Chief Executive Officer, Mark James CBE, posted a statement on a blog criticising another blogger's attempts to get our major council meetings filmed. After this he emailed the same statement to all councillors. I replied to him, disagreeing with his statement. 
Someone in 2011 had to find out who had received copies of my negative reply. 
The answer was I copied my reply to Mr James to quite a lot of people, all of my fellow councillors, an assembly member, a local town councillor and the blogger herself. Who was so desperate to know that, that they invaded my privacy without giving me notice or reason? 
Although I have submitted a Data Protection Act request to find out how often and by whom my council emails are read and monitored by my supposed employees, the Carmarthenshire local government civil servants there is as yet no reply. The report form applies only to one email but I would be surprised if it were the only email monitored and also if I was the only Carmarthenshire councillor snooped on.
          Councillor Sian Caiach, People First

(An earlier post from December 2011 on this blog concerns the 'Access to email' policy, however, as well as being ambiguous to say the least, it doesn't specify councillors emails, which may contain highly sensitive information from their constituents).

Also of interest, from August 2012; Ombudsman dismisses Chief Executive's complaints against Cllr Caiach; http://www.walesonline.co.uk/news/wales-news/ombudsman-tells-council-boss-comments-2025772
My post here; http://carmarthenplanning.blogspot.co.uk/2012/08/chief-executives-complaints-to.html

UPDATED; The Western Mail has picked up the story here, Councillor complains to Information Commissioner after local authority accesses her email

9 comments:

Anonymous said...

It would be interesting to know whether the council was accessing her e-mails leading up the trial!

nospin said...

That is unacceptable, it would be bad enough it were ones own party hierarchy or worse if the opposing party but the UNELECTED executive that must be cause for an enquiry and disciplinary action.

Anonymous said...

Any employee who is given a laptop computer which is set up by their IT dept. to work through an intranet is subject to scrutiny. Usually simply to ensure appropriate Internet use (i.e porn) and also for monitoring offensive emails, or perhaps non-business use and abuse. The said computer can also be remotely accessed, most usually with the user allowing the IT dept. access, for example to fix a problem and apply the regular and required computer updates. Again this is normal practice for a private company where politics matter little.

Inappropriate computer use will therefore be silently monitored 24/7, effectively by a keyword filter programme which will then flag up areas of concern and someone is then charged to investigate those flags for possible abuse.

You should also note that while the email originates on 'your' laptop and thus appears to be on your laptop, it is unlikely to be only copy. All your emails will be regularly backed up to your IT dept. Indeed, dependent upon set up, it is possible to centrally store a backup for EVERYTHING you create on your laptop, even non published documents and even those deleted.

On the plus side, whomever accesses your account WILL DEFINITELY leave a digital footprint. On the negative side, you must assume whatever you do on a corporate computer is monitored 100%, even web history. In practice though, the actual degree will depend upon someone having sufficient motive, your computer system set up and who can legally examine your user account. At least one person in IT will definitely have access to everything, with or without said flags.

I will leave you to draw your own conclusions as to whether you need to use a private computer more.

Anonymous said...

@ Anon 10:00 You make some valid points but lets be clear on this; councillors are not employees of the Council! They are not paid a salary for their duties. They receive an allowance designed to recompense them for the work they undertake. Councillors like Sian Caiach are an essential link between the Council and the constituents they represent.

Anonymous said...

Another thing that needs to be made clear is that employees and customers of CCC have rights under the Data Protection Act to see all personal information that CCC hold on them. To access this information one would need to send a subject access request (SAR)to the Information & Data Protection Officer.

Anonymous said...

@ Anon 11:24 Thank you for your comments, my advices makes no distinction between users, renumeration or job title and merely points to the reality of using an intranet. Whomever accesses the information left by using an intranet (or any other type network) and whether this is legal, illegal or immoral was neither my point, nor purpose. The point is that the information is 'out there' and it can easily be accessed by anyone with a valid intranet key.

At minimum, those with a valid key reside in the IT dept. and regardless of whether people like it or not, large corporations who value their corporate integrity will almost certainly have an internet policy. This policy will require policing and clearly nobody without good reason and or authority should be accessing 'peoples accounts', let alone divulging information. That is what the corporate rule book, law or otherwise will say, remembering also that these accounts are not personal accounts and belong to the corporation. Whether the user can class themself as an employee or not is also irrelevant, it is not the users computer or intranet, both are given upon beneficial loan term use only. What does matter is who is given access, to what and why, and is this access lawful and within corporate policy.

Clearly there is a vast difference between monitoring and snooping. Either way a digital footprint will be left and if a particular account is being regularly accessed without being 'flagged' as containing say spam, porn or racist content etc. then at very minumum you can identify the accessing computer and of course the likely person by their log in pass codes.... be they from the IT dept or management etc.

Once that person or persons have been identified then hopefully they can then justify their actions in line with corporate policy.... or not, as the case in question may be.

Bottom line. If you do not want to chance corporate snooping then do not use your corporate intranet, or corporate computer. Right or wrong, someone is almost certainly watching you.... in one form or another.

Anonymous said...

http://www.thisissouthwales.co.uk/Silk-Commission-hold-public-meetings-greater/story-18855681-detail/story.html#axzz2V8UPGzGk

As these public meetings are all about Ministers powers, perhaps it would be a good idea to attend if only to ask why the Minister Carl Sargeant doesn't use the powers he has.

Alexander Dutton said...

The ICO have guidance about this:

"""
Correspondence between councillors or information held by a councillor for their own private, political or representative purposes will not usually be covered.

Information received, created or held by a councillor on behalf of the local authority will be covered, for example, where a councillor is acting in an executive role as part of a council cabinet.

Information created or received by a councillor but held on a local authority’s computer system or at its premises will only be covered if it is held for the authority’s own business.
"""

In particular:

"""
Information created or received by a councillor but held on a local authority’s premises or computer system will be covered if it is held by the authority on its own behalf. It will not be covered by the FOIA if it was produced by the councillor for private or political purposes and the authority is just providing storage, office space or computing facilities.
"""

My feeling is that in this case such a disclosure would be unwarranted, but IANAL and don't know all the facts.

nospin said...

Yes you are correct Anon any corporate Pc can be monitored as are.

However business between a councillor and constituent should be confidential and not accessed without agreement.