Data theft report published by Tower Hamlets Homes

The internal report into the alleged theft of Tower Hamlets Homes (THH) tenants' personal information has been published by THH, but it provides no clear conclusions.

One unnamed individual seems to be of interest to the THH investigators but this person left Council employment after Lutfur Rahman was thrown out of office.

This does not mean or imply that this person (see below for details) is guilty of anything. But it would be nice to find out their view of events at that time.

The full report can be found in the news section of the THH website (“Investigation Report into Data Protection Security Incident”) and is also reproduced in a separate LW post here.

THH are to be congratulated for publishing this report for everyone to read. Their demonstration of openness and transparency has yet to filter through to the rest of Tower Hamlets Council.

Evidence gathering

Although the report seems detailed and methodical there is one glaring error. Under the ‘evidence gathering’ section there is the below statement which is just plain wrong:

“The starting point with the investigation was to contact the editor of the blog [Love Wapping] to establish if he was willing to share the information he received and if possible to tell us how he obtained it.

Love Wapping is run on a voluntary basis and describes itself as a hyper-local website covering news in Tower Hamlets. Despite several attempts Love Wapping did not respond to our request for further information to assist us with our investigation. In October 2015, the website announced that it was closing down.

In the absence of any information from Love Wapping, we then considered the nature of the data to which they had referred, in order to determine whether this would assist us in identifying the source of the data.”

All we can say about this is that the THH investigators didn’t try very hard to contact LW. On several occasions we have mentioned in this blog that at no time has anyone from any organisation come to collect the documentary evidence of the data theft (as photographed below).

Apart from anything else it makes our office look untidy.

The data sheets given to Love Wapping. We still have them.

It is of course true that LW did shut down for a while (we were worn out and broke) but the editorial staff were still (a) alive and (b) only too keen to provide evidence to this or any other enquiry.

Hopefully the report will demonstrate more zeal in tracking down the guilty than it does witnesses.

The report lists those THH post holders who may have had access to the data in question and who were to be interviewed:

  • The Decent Homes Programme Manager
  • The Decent Homes Project Manager
  • Property Services Office Manager
  • THH Resident Liaison Team Leader
  • THH Data Specialist
  • THH Resident Liaison Co-ordinators x 3
  • Axis Contractors x 2
  • Keepmoat contractors x 1
  • Former Lead Member for Housing and 2015 Mayoral candidate, Cllr Rabina Khan
  • Senior Executive Support Office to the THH CEO at the time the incident took place

To the surprise of nobody at all, none of the individuals to whom THH spoke ‘acknowledged that they were the source of the data in question’.

However the report then gets interesting.

Lutfur’s Executive Office

Ex-Mayor Lutfur Rahman

To quote from the report again:

“Through our investigations we established that on 20 March 2013, the Communications Officer for the Executive Mayor’s Office (a secondee from THH) sent an email to THH’s Senior Executive Support Officer and to her superior, the Head of Communications and Governance, requesting a detailed list of individual resident names and addresses of those residents who have and will receive decent homes works.

As the owner of the stock in question, it was not believed that this request on behalf of the Council was unusual, or indeed a request that could be declined, as under the terms of the Management Agreement under which THH is appointed by the Council, THH is obliged to comply with requests made of it by the Council.

In response to the request, the information was provided by the THH Data Management and Performance Analyst and forwarded to the Communications Officer for the Executive Mayor’s Office on the 27 March 2013.

From the data file provided to the Communications Officer we know that this contained 5,837 records, of which 3,225 related to Year 3 of the Decent Homes works.

The data spreadsheet provided to the Communications Officer is in the exact format as the data report on the ‘Love Wapping’ blog site, including the reference to ‘Year 3’. The only difference is the way in which the information was sorted. We have not been able to speak to the Communications Officer for the Executive Mayor’s Office, who left after the former Mayor’s departure in 2015, to establish whether it was this data set which was allegedly provided to the Tower Hamlets First party or to the Independent Mayoral candidate, Cllr Rabina Khan’s campaign.”

(Our emphasis)

Lutfur Rahman’s ‘Executive Mayor’s Office’ comes up on numerous occasions in the different investigations that LW is running. Come to think of it, the Executive Mayor’s Office comes up in the investigations of anyone who cares to investigate.

This reflects the simple but fundamental way Rahman and Tower Hamlets First blindsided everyone by concentrating executive power in a small closed group that did what it wanted, how it wanted, away from any public scrutiny of any type.

There is of course nothing whatsoever to imply or prove that the Communications Officer in question who left after Lutfur was shown the door is the source of the data breach. It would however be interesting to find out what they recall of the incident.

The report continues:

“We are however comfortable that the data referred to in the Love Wapping blog site was in all probability derived from the data supplied to the Communications Officer.

We ascertained that the Communications Officer in the Executive Mayor’s Office did have limited access to the THH Housing Management system (“Northgate Sx3”) for legitimate purposes – the Mayor’s Office dealt with case work queries from tenants – but that, this access only enabled information to be viewed, rather than enabling any reports to be run on any underlying data.

In other words, the data in the hands of the Love Wapping blog site did not appear to have emanated from Northgate Sx3.

Following the publication of the Love Wapping blog, we understand that Councillor Rabina Khan, the former Lead Member for Housing and 2015 Mayoral Candidate, made contact with the Council to assist with investigations relating to the incident.

When we spoke to her as part of our investigation, she stated that the contact database used as part of her campaign was inherited from the previous Tower Hamlets First Mayoral Campaign and that data collected on it was collected through publicly available electoral lists and election campaign door knocking exercises.

We have asked to see those databases but at the date of writing this has not been produced.”

LW has emailed Cllr. Rabina Khan to see if she intends to supply those databases to THH for examination.

No response to this request had been received from Cllr. Khan at the time of publication.

Cllr. Rabina Khan

Cllr. Khan stated that “the contact database used as part of her campaign was inherited from the previous Tower Hamlets First Mayoral Campaign and that data collected on it was collected through publicly available electoral lists and election campaign door knocking exercises.”

There are several issues with this statement by Cllr. Khan that are not addressed in the THH report.

  1. Residents complained to LW that they were contacted by Tower Hamlets First by text message without their authorisation during both the 2014 mayoral, local and European elections in the borough and the 2015 mayoral election.
  2. So if the data was inherited from the previous Tower Hamlets First Mayoral Campaign, how did residents’ mobile phone numbers get into that database? Using data improperly obtained by someone else is not a defence.
  3. Also, did the Tower Hamlets First contact database contain these residents’ mobile phone numbers during the initial 2010 mayoral election campaign? Has anyone checked? Might be a good idea.

The Information Commissioner’s Office (ICO) has clear and detailed guidelines for the use of text messages for electoral campaigning purposes which can be found in this document ICO Guidance on Political Campaigning (PDF). Some of the relevant extracts are quoted below:

F. What do organisations need to do when contacting individuals by email, text message (SMS), video message (MMS), social media, or voicemail left on answering machines?

32. An organisation must carefully consider its compliance with the DPA and PECR when communicating with individuals by means of email, text message, social media, video message and voicemail.

33. The organisation must have the individual’s consent to communicate with them in this way. In addition, in all such communications the organisation must identify itself and provide an address that individuals can use to object and request that it does not send them any further communications.

34. An organisation might have collected email addresses or mobile phone numbers in connection with particular issues highlighted in previous campaigns: for example, school closures or road building. As prior consent is required, the organisation must assess the basis on which those contact details were collected originally if it wants to use them to promote subsequent campaigns by electronic communication including text messages and emails.

38. The use of third parties requires particular care. If the organisation purchases email addresses or mobile phone numbers from a third party such as a list broker with the intention of sending an electronic communication to those listed, it needs to be sure that the individuals have consented to receiving these forms of contact from it. Better Together, a campaign group in the 2014 Scottish independence referendum, signed an undertaking in November 2013 that they would ensure any future electronic marketing was only sent to people who had consented to receiving this type of message.

It would be nice to think that compliance with these requirements by Tower Hamlets First has been investigated by both the ICO and the Electoral Commission.

Would be amazed if that had happened. If it has then let us know – we like nice surprises.

The Bottom Line

The main finding of the THH report is as follows:

“It is reasonable to conclude, for the reasons set out above, that the source of the data which was subsequently handed to Love Wapping was that data provided in response to the request from the Executive Mayor’s Office in March 2013.”

One. Two. Three.

Another inconclusive investigation.

First the Metropolitan Police finds no evidence of electoral fraud in the borough.

Then the Information Commissioner’s Office (ICO) decides that it ‘will not be taking any further action’ after it spent some months further investigating the data breach that the THH report investigated.

And now we have sight of the original THH report which gets closer to the truth but not close enough.

Three investigations by the authorities into odd goings on in the London Borough of Tower Hamlets.

Three investigations failing to provide residents with any answers.

A pattern emerges

There is a saying that ‘One’s an incident, two’s a coincidence, and three’s a pattern.’ Basic common sense stuff.

Let us assume that three inconclusive investigations is a pattern. Why are they inconclusive? Why is no one ever held to account? Or as many borough residents ask us: “Why is no one in jail?”

We must exclude the conclusive findings of the electoral petition judgement of corrupt practice by Lutfur Rahman and his agents, the members of Tower Hamlets First.

What links the three Metropolitan Police, THH and ICO investigations?

Same person, same place

The investigative work of LW into the specific case of the THH data theft continues. Thanks to the THH report we have some new people to look at.

As if we did not have enough names already.

The more the Wapping Mole burrows away, the more he finds that every issue of serious wrongdoing revealed leads back to the same person(s) in the same place.

Odd that. Maybe it’s a pattern.

These investigations are slowly uncovering systematic acts of criminality that are so strange that they stretch credibility even by the weird and wonderful standards of Tower Hamlets.

The Wapping Mole

But they all seem to be true.

As a result our entire team would like to apologise in advance to the Tower Hamlets Council staff who have to deal with the increasing number of Freedom of Information requests we submit and the level of detail required.

We cannot promise that the number or variety of FOI requests will reduce any time soon.

If you find the above information interesting please consider supporting the investigative work of Love Wapping by giving the Wapping Mole some pennies to buy a new extra big shovel.

Moley does like a nice shovel.
