Get all your news in one place.
100’s of premium titles.
One app.
Start reading
The National (Scotland)
The National (Scotland)
National
Xander Elliards

Scottish council gaffe sees employees' personal data published online

A SCOTTISH council has scrambled to cover its tracks after accidentally publishing the personal data of its employees online.

South Lanarkshire Council, which is run by a minority Labour administration propped up by the Tories and LibDems, said it has reported the incident to the Information Commissioner.

But SNP councillors contacted by The National said they had not heard “a single word” about the leak, and called for greater transparency in order to maintain trust.

The data breach came after the council responded to a Freedom of Information (FOI) request, put in through the website whatdotheyknow.com, asking to learn details “of all pay scales including scale points, grades, and values in use for each year for 1996 – 2021”.



In responding to the request on April 11, the South Lanarkshire authority included details of its employees as a result of “human error”.

The National has been told that the data leak involved thousands of entries including personal details about staff including their name, pay grade, place of work, and national insurance numbers.

A spokesperson for the council did not comment on the nature of the leaked information, saying only that the breach had involved “personal data that had not been anonymised”.

They did say the council believed the data had not been accessed and could not be used “in a way that would be harmful to those involved”.

Paul Manning, the council’s head of finance and corporate resources, wrote to the person who initially put in the FOI request asking them to delete all records on May 12 – one month after the information was first published online.

Manning wrote: “In its response dated 11th April 2023, [the council] provided you with personal data in error …

“We inadvertently attached a version of a spreadsheet entitled ‘Grades and Positions as at 31 March 2021’ with our response which contained personal data and have now attached the correct version which should have been included.

“I must therefore ask that if you have downloaded and retained a copy of this spreadsheet that you delete it without delay, and also that you delete it from your deleted items folder and confirm to me that you have done so.”

The person who put in the request did not respond to The National’s request for comment. Whatdotheyknow.com has deleted the data from its site.

Councillor Maureen Chalmers, the SNP’s depute group leader in South Lanarkshire, said she had not been aware of the breach until this paper contacted her.



Chalmers said: “If this is accurate then I would be shocked that there had been no openness and transparency around about it.

“We have had ways of doing things in the past in the council whereby at least group leadership would be informed or there would be something issued to say this is what’s happened and these are the steps that we’ve taken. But I have heard not a single word about this.”

She went on: “We’d want the council to be open and transparent and ensure employees of the council what steps had been taken to investigate the matter and to make sure that no further breach would take place. I think that’s a very basic thing really.

“South Lanarkshire is a good local authority and I’ve never felt there was any secrecy in the system before, but it only takes one to have that trust questioned.”

Asked if she would support an inquiry into the data breach, Chalmers said: “The council has got its processes and there should be a fact-finding investigation and then the council’s processes, they’re well rehearsed, there shouldn’t be any difficulty with that, but the first thing is a fact-finding exercise.”

A South Lanarkshire Council spokesperson said: “A spreadsheet containing anonymised employee data was uploaded to a website in response to a Freedom of Information request.

“Unfortunately as a result of human error, the spreadsheet contained a second page of personal data that had not been anonymised. The error was noticed by the council and we arranged for that data to be removed.

“To the best of our knowledge the information was not accessed, and we believe the data could not be used in a way that would be harmful to those involved.

“However, I can confirm that we are contacting those affected by the error and we have reported the breach to the Information Commissioner.”

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.