Hadleigh council clerk accused of failing to deal with residents' personal data breach
By Derek Davis
21st Jan 2024 | Local News
A Hadleigh resident has called on the town council to apologise to people affected by a personal data breach, which was allegedly not dealt with weeks after being reported.
Although not named directly in the public statement, Hadleigh's town clerk, Wendy Brame, is accused of being 'curt', denying there was a breach of personal data, and 'misinforming, or even lying' to councillors to cover up the extent of the breach.
The statement was made by experienced computer expert Neil Bevis ahead of Hadleigh town council's monthly meeting last Thursday (18 January), which also included an agenda item on the complaint made against the clerk in a confidential session towards the end of the meeting.
Mr Bevis, who has knowledge of the council's archive system but is no longer used by them, reported the breach when a member of the public pointed out that they could see other people's personal data.
This is a clear breach of the General Data Protection Regulation (GDPR) under Principle (f): Integrity and confidentiality (security), as outlined by the Information Commissioner's Office (ICO).
The law states organisations are required to report breaches within 72 hours of discovery under Article 33 of the GDPR.
Hadleigh town council could face a fine of two per cent of the council's annual turnover, which would be met by Hadleigh taxpayers.
Mr Bevis was left frustrated by Mrs Brame's failure to deal with the issue and the way she treated him and his complaint.
He was also upset that the very person he complained about to the council was the same person dealing with the complaint. He was not allowed to be represented, or see any of the documents seen by councillors at the confidential session, where the public and members of the Press were required to leave the room.
Complaint against Hadleigh Town Council statement in full:
Good evening.
First off let me start by saying how disappointed I am at having to attend a public meeting because of a clear breach of the General Data Protection Regulations which should have been resolved with an immediate response, in order to protect the identity and private financial data of members of Hadleigh Council, however, unfortunately it was denied, not investigated and still has not been dealt with, which has compromised the data of Council personnel. This has therefore led me to make an official complaint against a member of the town council.
I was employed by a member of the public in my professional capacity to look at an issue with a computer, a computer that is linked to the Hadleigh Archives group and controlled by the Hadleigh Town Council.
My customer was concerned as she could see other people's personal documents within the archive group folder which is shared with other members of the group.
I could see instantly that this clearly should not be happening and asked if we could call the lady from the archive group of which it's her data I could see.
I called and explained what we could see, she acknowledged that she was aware of this issue, so I asked to speak to the person in charge of this section within the HTC. I first spoke with a person who was very 'curt' with me to say the least, I mentioned a data breach and was told 'It's not a huge one'. So at this point they already knew about the breach. I would have thought they would be more grateful for the intervention from myself to assist in rectifying the situation, but unfortunately this was not the case.
I was then passed onto the person in charge, and again, I was met with what felt like hostility straight away. I tried to explain the situation and I was asked 'What do you want me to do Neil', not once but twice. This was not what I was expecting to hear from someone in charge who should have already acted long before my phone call and in line with the timelines from the GDPR regulations, which is 72 hours after the issue has been raised.
I then discover that the Data breach had already been reported to the council well over 4 weeks beforehand, not just in person, but also via email, of which nothing had been done to protect the people's personal data at this point.
After many discussions and me being copied in on emails I decided to make a formal complaint, and I have a duty of care to do this. However, knowing that the problem was allegedly being dealt with I chose to wait to give the benefit of the doubt to the HTC to resolve the matter.
Unfortunately my trust in this process proved fruitless.
An email from HTC claiming the problem had been stopped and that it was their IT company that stopped it is false, it was actually paused via an outside source.
HTC claims to have set up a new system and migrated over the data. I was called back to confirm if this had been achieved. However, after the laptop had been played around with via the HTC she now has a laptop that cannot be used as a government 365 gateway account has been added of which the password she was given is incorrect. So, she has no laptop for personal use and no laptop for the Archive.
It was a few days after this that the lady then gets advised that it was her fault, not told via the HTC but by one of her friends, it would only be later in an email that she was told it was her fault by the HTC. Others were told this before the lady in question.
I met a Councillor approx. two weeks ago so he could have a better understanding of what had happened. He had already been misinformed or worse lied to regarding the data breach as he was told it was only the archive data, and not the personal data that could be seen. I have 3 pages of evidence here to prove otherwise.
HTC believe the old system has been migrated and moved into the new system. So let me confirm to you all this evening, the old system has not been shut down and is still active and still accessible. Thousands of documents, some with protection are now out of the hands of the HTC as the system was not closed and cleared. I can prove this if required.
They have a Data Breach policy that shows it should have been updated in August 2023, it wasn't, and it has not been since 2020.
A single person was blamed by the HTC for the data breach, however there were three people's data from three different machines available to be viewed, moved, deleted, changed, copied, or even sent on. I have evidence of this.
As for the confidential meeting that follows, I am not allowed to attend, even though I made the complaint. I do not have any ulterior motive, I have no relationship whatsoever with the person I am complaining about, I am just concerned that there is a clear data breach, which could cost the Council thousands of pounds in fines for not being properly reported or dealt with and my customer still has an issue that has not been properly resolved. The details of this complaint given to councillors, composed by someone in the HTC that I am not allowed to know, the contents I am not allowed to read.
My last 72 hours being in communication with the HTC via email, asking questions and given answers by the person that I have officially complained about. This is clearly not acceptable.
Finally, the most important item, an apology needs to be given to those whose data was ignored with a total lack of respect shown to them. It has caused them sleepless nights, worry and the feeling that the work they do within the archive group is not worthy of inclusion of some of those within the HTC.
I feel any meeting taking place, without being allowed to be present, could be biased and given the track record to date regarding honesty, I do not trust this process to be carried out properly.
Thank you
Hadleigh town council has been approached for comment.