In a letter to Ms Jayne Smailes, CEO of Lydney Town Council, Zac said:
I am writing to you with regards to a selection of documents released to the press and public on Thursday 21 February 2019 by Lydney Town Council. These documents including a series of confidential emails, screenshots from social media platforms and related documents concerning
myself and other individuals.
In this series of documents, you have acted in a way that, in my view, amounts to gross negligence with regards to the protection of personal data, namely email addresses, of many individuals including elected members of Lydney Town Council, members of the public and officers of third-party organisations of which you have communicated with.
As a public servant and somebody in a professional position that involves the strict protection of the data of individuals and organisations under the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) I would hope that you would understand the serious nature of the breaches present in this document as outlined in this correspondence.
Firstly, the failure to remove personal email addresses from documents before their release into the public domain. On page 3, despite attempts made to ‘block out’ personal email addresses. You have failed to do so and thus made the personal email addresses of Cllr Harry Ives, Cllr Bob Berryman and Cllr Carol Harris freely available in the public domain.
On page 6, you have made the email address of Dr Judith Mortimore available in the public domain without prior written consent from the individual. This individual is an officer of the local Labour Party and therefore this is no longer just a breach of your internal data but the data of other organisations and members of the public.
On page 9, you have made the personal email address of Cllr Bernie O’Neill available in the public domain without prior written consent from the individual. This individual is an officer of the local Labour Party also.
On page 11, despite attempts to ‘block out’ you have made the personal email address of Cllr Brian Pearman available in the public domain. Presumably if you attempted to block out this email address you also did not obtain prior written consent for this release.
As a body that holds personal data you are categorised as a ‘data controller’ under the Data Protection Act and General Data Protection Regulation. I advise that the release of personal email address without prior written consent is in breach of the law and therefore, if the
Information Commissioner’s Office deem it necessary, Lydney Town Council could be subject to a fine of up to £500,000 or the officer of the council responsible could face criminal prosecution. I have copied the Information Commissioner’s Office into this letter.
Secondly, you have released a series of confidential emails between officers of Lydney Town Council and members of staff at Labour Party Headquarters regarding myself. Whilst you are entirely within your rights to release emails written by Lydney Town Council into the public domain, providing you comply with the law, you are not in a position to release emails from a
third party without their prior written consent. This is especially the case considering the emails in question are subject to confidentiality statements.
The confidentiality statement on the emails from Labour Party Headquarters employees states as follows: “The Labour Party’s complaints process operates confidentially. That is vital to ensure fairness to you as a complainant and to the member against whom a complaint is made, and to
protect the rights of all concerned under the Data Protection Act 2018. I must therefore ask you to ensure that you keep all information and correspondence relating to your complaint private, and that you do not share it with third parties or the media (including social media). That includes the name of the member you have complained about, the allegations you have made, the identity of any witnesses, and the names of Party staff dealing with the matter. If you fail to do so, the Party reserves the right to take action to protect confidentiality…”
In the documents released by Lydney Town Council you have breached both this confidentiality statement and the Data Protection Act 2018. Please see pages 4 through 11. The council have released: the name of myself, the allegations that you have made, the identity of multiple witnesses and the name of the member of staff that was dealing with the complaint in question breaking all aspects of the confidentiality statement and potentially putting Labour Party staff, witnesses and council officers at risk of harm.
On page 6 of the pack, the confidentiality statement is visibly highlighted by yourselves and on page 11 in an email signed by Cllr Pearman he explicitly states in one of his points that the correspondence with Labour Party Headquarters is “marked as confidential” and therefore it is fair
to assume that the council and its officers were fully aware that this was confidential correspondence and decided to release it anyway.
The Labour Party Legal and Governance Unit at Party Headquarters have been informed of this data breach and have been copied into this letter.
Finally, you have failed to redact the names of various individuals that are not publicly involved in this issue potentially putting these people at risk. The release of names is not usually a breach of the Data Protection Act or General Data Protection Regulation as it is unlikely that it could be
deemed that they identify a specific person (multiple people could have that name.)
However, these names have been used in a context, sometimes with job titles and registered business addresses that allow for the individual to easily be identified. Some of which also have public profiles in the local area and thus many will be aware of them.
In the initial statement on page 1 of the pack you state that the release of this data was “supported by legal opinion” if that is truly the case, I suggest you may wish to find somebody else from which to obtain an opinion.
You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.
Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.
If there is anything you would like to discuss, please contact me via email to