CaRT director published my personal information

Published: Monday, 25 November 2019

I WANT to warn anybody requesting information from Canal & River Trust via whatdotheyknow.com, writes Fredrik 'Freddy' Brown.

Your personal details are not safe!  My advice is create a new email address to log into whatdotheyknow.com and for any correspondence with the Information Commissioner.  I did not do this and have suffered the consequences.

Middlewich request

I will not bore readers with the reasons that I asked CaRT for information relating to the Middlewich breach. Suffice to say, I was one of several that felt that the Trust needed to 'come clean' on the matter and publish reports it was withholding.  CaRT's reluctance to provide information led to the Information Commissioner issuing a decision notice.  For reasons that escape me, a CaRT director decided to publish this decision notice on the whatdotheyknow.com website without removing my personal data.

However, I get ahead of myself...

Hate mail

Some months ago, I started to receive much higher than normal levels of spam. Worse still, I started receiving what I can only describe as 'hate mail' from several email addresses.  These emails mentioned me by name with some (but not all) referring to my information requests made on whatdotheyknow.com.

The reason for these emails escaped me until a fellow user of whatdotheyknow.com pointed out to me that a CaRT director, Tom Deards, had published a decision notice on that site without removing my name and email address.

Some 'googling' found that Tom Deards is CaRT's Head of Legal and Governance Services and Company Secretary.  The Trust's website yields the following information for him:

'Tom has responsibility for the legal and governance functions of the Trust. He is a qualified solicitor who joined the Trust’s legal team in 2007, having trained and qualified at City law firm Clifford Chance, before going on to complete a Legal Masters at UCL in Environmental Law, whilst working as an environment and planning lawyer in local government. Tom is the Trust’s Company Secretary and Data Protection Officer and also sits on the Waterway Ombudsman Committee'.

Yes, you read that right. Mr Deards is also CaRT's Data Protection Officer!  Presumably, one of his functions is to ensure that CaRT process personal data according to the General Data Protection Regulation (GDPR).

Data concerns

Unable to find any guidance on CaRT's website on how to report this data breach, I contacted the Information Commissioner on 3rd October by following the Information Commissioner's Office published guidance.  On 15th October, I again contacted the Information Commissioner, asking about progress but also to inform them that the spamming and 'hate mail' had reached such a level that I had taken the drastic step of deleting my email account and creating a new one.

After almost three weeks, on 23rd October, the Commissioner's case officer told me:

'I have been trying to speak to Mr Deards about this matter for the last week but unfortunately I have not been able to speak to him.  However, I have spoken to someone in the Freedom of Information team today and they have asked me to email through the details to look into the matter.

I have therefore emailed the Canal & River Trust this afternoon with the details and provided it with the link to the WhatDoTheyKnow website.

I have asked them to take steps to remove your name and email address from the decision notice that it has published. I have asked that it contact both of us as soon as possible about this matter and advise us when the matter has been resolved.

If you require the Commissioner to look into this matter as a formal complaint then before we can do this we would need you to raise the concern with the Canal and River Trust directly...'.

...which is what I would have done more than a month earlier if CaRT's website had told me how to do it!

Raising the concern

Two weeks later, on 7th November, I was contacted by CaRT's Frazer Halcrow, Commercial & Information Lawyer, and informed that he was taking action to remove my personal data from the whatdotheyknow.com website.  However, his dismissive "I apologise for the error in this instance," did not sit well with me.  I emailed their Mr Deards copying the Information Commissioner and Frazer Halcrow as follows:

'7th November 2019

Dear Canal & River Trust

Whilst the actions you are taking to have my personal information removed appear appropriate, I am unhappy with your response in general.  Perhaps you are unaware of the distress this matter has caused me?  I attach emails dated 3rd and 15th October 2019 which give the background.

I would like you to take the following actions (in addition to removing my personal data):

• Provide me with a full apology from the person responsible (Tom Deards?) or his superior.

• Provide an explanation as to how this data breach occurred.

• Explain what actions you intend to take to prevent repetition.

• Provide clear guidance on your website for reporting of 'personal information concerns'.

• Explain what you intend to do to compensate me.

I look forward to a satisfactory response within one calendar month.

Yours sincerely

Freddy Brown.'

No response

To date, I have received no response, not even an acknowledgement.  Also, my personal data still has not been removed from the whatdotheyknow.com website.  A 'chase-up' email was made on 18th November.  To my surprise, I found Frazer Halcrow's email address was now permanently rejecting my emails whilst Tom Deards was not.  On 23rd November, a further attempt to copy Mr Halcrow with the rejected email also failed with the same error 'SMTP error from remote server for RCPT TO command, host: canalrivertrust-org-uk.mail.protection.outlook.com (104.47.20.36) reason: 550 5.4.1 Recipient address rejected:  Access denied'

Not the first time

This is not the first time that CaRT has published someone's personal data.  In August 2018, a data breach occurred in relation to CaRT licensing renewals affecting over 1,200 customers.  In a letter to these customers, Tom Deards, in his capacity as Data Protection Officer, blamed the breach on technical issues at its sub-contractors,  Concurrent, rather than a breach of its own security system.

He finished the letter by saying:  "Finally, I would like to apologise on behalf of the Trust for any distress and inconvenience this breach might have caused."

It would seem that Mr Deards is happy to apologise when he can shift the blame onto a third party.  Unfortunately, he appears to be unwilling to do the same when it is him that has caused the breach.