Community news and investigative journalism for Wapping E1W and Tower Hamlets London

Tower Hamlets Homes data theft report – full text

This is the full unedited text of the report published by Tower Hamlets Homes at the conclusion of their investigation into the alleged data theft of Tower Hamlets Homes residents personal information for use in electioneering by Tower Hamlets First.

(Formatting has been changed slightly for web publication.)

The LW news story and analysis of this report can be found here.

The original report can be downloaded from the Tower Hamlets Homes website. 

thh-logo
Investigation Report into Data Protection

Security Incident

November 2015

Background

Tower Hamlets Homes (THH) is an Arm’s Length Management Organisation appointed by Tower Hamlets Council (the Council) to manage its housing stock.

The appointment is formally recorded in the terms of a Management Agreement, under which THH is obliged to comply with the Council’s instructions.

In its capacity as the manager of the Council’s housing stock, THH clearly holds data relating to the Council’s tenants.

On the 9 August 2015 a blog news story was published on the Love Wapping website (www.lovewapping.org) alleging unauthorised use of the Council’s tenants’ data by Councillors as part of the 2014 and 2015 Tower Hamlets Mayoral campaigns. (See Appendix 1).

In particular, Love Wapping claimed that this data was used to contact residents by text message seeking their support as part of Cllr Rabina Khan’s 2015 Mayoral campaign.

Although resident data was redacted on the website, it was clear that the properties referred to are THH managed properties.

Reporting

THH became aware of the Love Wapping blog item shortly after its release on 9 August 2015. Although Love Wapping did not allege that the data had been disclosed by THH, it was suggested that the data had been derived from THH data sheets, and THH was concerned that as the data related to properties managed by THH, there may have been a security breach.

THH therefore reported a potential breach to the ICO on 12 August 2015.

An internal investigator was appointed to investigate the incident. Trowers & Hamlins, THH’s lawyers, provided support throughout the process to ensure that the approach to the investigation was robust.

We understand that the incident was also reported to the police by Tower Hamlets Council.

Methodology

An investigation plan was developed to guide evidence gathering and the production of this report.

One of the early decisions required as part of the investigation process was whether THH should notify residents of the potential breach.

Our conclusion was that this would not be a proportionate response taking into account the nature of the data which was not sensitive, that much of the data was freely obtainable from the electoral register, that all the data was historic – about 15 months old – and our desire not to unnecessarily alarm residents.

We concluded that we could see no purpose in writing to or contacting all residents individually with respect to the incident.

Evidence gathering

The starting point with the investigation was to contact the editor of the blog to establish if he was willing to share the information he received and if possible to tell us how he obtained it.

Love Wapping is run on a voluntary basis and describes itself as a hyper-local website covering news in Tower Hamlets. Despite several attempts Love Wapping did not respond to our request for further information to assist us with our investigation. In October 2015, the website announced that it was closing down.

In the absence of any information from Love Wapping, we then considered the nature of the data to which they had referred, in order to determine whether this would assist us in identifying the source of the data.

At the head of the list of the residents’ names, addresses and telephone numbers was a reference to ‘Year 3’. This suggested to us that the report was a property list for use in conjunction with a major property refurbishment programme (the ‘Decent Homes programme’) which the Council had appointed Tower Hamlets Homes to manage.

The Decent Homes programme is the Council’s £181m programme over a five year period from 2011–16. We therefore believed that it was reasonable to assume that the data in question had been obtained from documentation created in connection with the programme, thereby providing a firm line of enquiry for the investigation.

On that basis, we identified the following THH post holders and organisations who had some involvement in the programme and who we decided should be interviewed:

  • The Decent Homes Programme Manager
  • The Decent Homes Project Manager
  • Property Services Office Manager
  • THH Resident Liaison Team Leader
  • THH Data Specialist
  • THH Resident Liaison Co-ordinators x 3
  • Axis Contractors x2
  • Keepmoat contractors x1
  • Former Lead Member for Housing and 2015 Mayoral candidate, Cllr Rabina Khan
  • Senior Executive Support Office to the THH CEO at the time the incident took place

Findings

On the basis of the information that we have been able to gather through our discussions with those individuals referred to in section 4.3 above, we have reached the following conclusions:

None of the individuals to whom we spoke acknowledged that they were the source of the data in question;

Through our investigations, we established that on 20 March 2013, the Communications Officer for the Executive Mayor’s Office (a secondee from THH) sent an email to THH’s Senior Executive Support Officer and to her superior, the Head of Communications and Governance, requesting a detailed list of individual resident names and addresses of those residents who have and will receive decent homes works.

As the owner of the stock in question, it was not believed that this request on behalf of the Council was unusual, or indeed a request that could be declined, as under the terms of the Management Agreement under which THH is appointed by the Council, THH is obliged to comply with requests made of it by the Council.

In response to the request, the information was provided by the THH Data Management and Performance Analyst and forwarded to the Communications Officer for the Executive Mayor’s Office on the 27 March 2013.

From the data file provided to the Communications Officer we know that this contained 5,837 records, of which 3,225 related to Year 3 of the Decent Homes works.

The data spreadsheet provided to the Communications Officer is in the exact format as the data report on the ‘Love Wapping’ blog site, including the reference to ‘Year 3’. The only difference is the way in which the information was sorted. We have not been able to speak to the Communications Officer for the Executive Mayor’s Office, who left after the former Mayor’s departure in 2015, to establish whether it was this data set which was allegedly provided to the Tower Hamlets First party or to the Independent Mayoral candidate, Cllr Rabina Khan’s campaign.

We are however comfortable that the data referred to in the Love Wapping blog site was in all probability derived from the data supplied to the Communications Officer.

We ascertained that the Communications Officer in the Executive Mayor’s Office did have limited access to the THH Housing Management system (“Northgate Sx3”) for legitimate purposes – the Mayor’s Office dealt with case work queries from tenants – but that, this access only enabled information to be viewed, rather than enabling any reports to be run on any underlying data.

In other words, the data in the hands of the Love Wapping blog site did not appear to have emanated from Northgate Sx3.

Following the publication of the Love Wapping blog, we understand that Councillor Rabina Khan, the former Lead Member for Housing and 2015 Mayoral Candidate, made contact with the Council to assist with investigations relating to the incident.

When we spoke to her as part of our investigation, she stated that the contact database used as part of her campaign was inherited from the previous Tower Hamlets First Mayoral Campaign and that data collected on it was collected through publicly available electoral lists and election campaign door knocking exercises.

We have asked to see those databases but at the date of writing this has not been produced.

Conclusion

It is reasonable to conclude, for the reasons set out above, that the source of the data which was subsequently handed to Love Wapping was that data provided in response to the request from the Executive Mayor’s Office in March 2013.

As THH is a wholly-owned subsidiary company of the Council set up to manage the Council’s housing stock, and to deliver the Decent Homes programme, which was a major strategic priority for the Council, we believe that there was nothing unusual about the request which was made and that the data was supplied in good faith to the former Mayor’s Office.

Since then many of the staff members involved have either left THH or the Council, so this limited our investigation as we do not know what happened to the data after THH provided it to the former Mayor’s Office.

According to the Love Wapping blog, the information had been used by the Tower Hamlets First Party/Independentsfor electoral campaigns of both 2014 and 2015, and Councillor Khan had confirmed that she simply made use of a database already in existence.

If the data which THH provided in good faith to the Mayor’s Office in 2013 was then used for the purpose of political campaigning, this was something of which THH was unaware.

THH appreciates its responsibility for ensuring that appropriate technical and organisational measures are taken to guard against the unlawful processing of data.

In this regard, there are specific provisions in the Management Agreement between THH and the Council requiring both parties to comply with their obligations under the Data Protection Act, and requiring neither party to do anything which may place the other in breach of their obligations under the Act.

This incident has highlighted that even though such provisions are in place, and even though we are owned by the Council, and obliged to respond to requests for information by the Council, it would be beneficial to develop a specific data sharing protocol with the Executive Mayor’s Office, so that all parties are clear what the information will be used for and how long it will be retained prior to destruction or return to THH.

Recommendations

The following recommendations arise from the investigation:

  • Develop a more detailed Data Sharing Protocol in conjunction with the Council
  • Refresh our mandatory and fully documented Data Protection, IT Security and Information Security training for all THH staff.
  • Establish a THH Information Governance Working Group, in conjunction with the Council, to ensure that all aspects of Information Governance are complied with.
  • Ensure new starters to THH undergo mandatory Data Protection, IT Security and Information Security training as part of their induction.
  • A briefing note to be sent out to all staff reminding them of the importance of sending data securely through the secure email transmission software (“Egress”) when sending data to external agencies.

The original report can be downloaded from the Tower Hamlets Homes website. 

Tags: ,

Subscribe

If you enjoyed this article, subscribe now to receive more just like it.

Comments are closed.

Top