I do however want to remind my readers of some general issues regarding Barnet Council and data security. I received this document from the London Borough of Barnet on 7th July in a freedom of information response. This clearly demonstrates that Barnet Council has been aware of issues surrounding information security since at least April 2011.
(Is Action Plan Final Redacted)
On page 4 of this document it outlines the following risks regarding Information and Data management.
* Information is leaked through weakness and ICO impose a fine on the council for not taking all possible steps to prevent loss
* Information can be downloaded to personal home computers via Citrix leaving the council fully exposed to data falling into the wrong hands
* Unable to track source of information leak
So it is clear that there is an acknowledged issue with information security at Barnet Council. Whilst it may be easy or convenient for Barnet Council to kid themselves that this document is the only document to have been leaked regarding the One Barnet process and that I am the only person it may have been leaked to, they clearly haven't got a clue who has seen what or who has sent what to who.
Let us just for one moment consider exactly what is happening at Barnet Council at the moment. There are two contracts being tendered as part of the One Barnet process. One is worth £250 million and one is worth £750 million. Whoever wins those contracts will make a huge amount of money. This is public domain information. The companies who are bidding for these contracts are probably spending tens, if not hundreds of thousands of pounds putting together their tenders.
That makes the information used to decide the outcome of the tenders a valuable commodity. It is clear that the security surrounding these tenders has been compromised. If a document was leaked where there was clearly no financial benefit to the recipient and presumably no financial benefit to the person who leaked it, what else could have been leaked and to who? If a person is prepared to take the risk of leaking a document for no financial gain, what on earth could have been leaked if people were offered financial inducements? Many people working on the One Barnet program are consultants with no long term allegiance to Barnet Council. Other staff know their jobs are under threat and may be vulnerable to temptation. Now I am not alleging anything of the sort has happened. All I am saying is that in light of what has happened it clearly COULD have occurred and the Council would clearly be none the wiser.
As with the fact that Metpro were operating without licenses, CRB checks or accreditation, this weakness in process has happened because Barnet have no robust systems in place to detect problems. No one from the CEO of Barnet down can be sure that any information, at any stage of the One Barnet program, hasn't been shared inappropriately with any third party. The truth is that the only leaks Barnet become aware of are the ones to bloggers. Whilst these are embarrassing, the ones which have the potential to really damage the council finances are ones to commercial companies that no one ever finds out about. These give companies an unfair competitive advantage to the detriment of the taxpayer.
What never ceases to amaze me in my dealings with Barnet Council is the way that whenever a crisis emerges, they always seek to shoot the messenger. If I was the CEO of Barnet, Mr Nick Walkley, I would have been far more concerned with working out what is wrong with my organisation, why such problems occur and how I could restore faith in my administration. If Mr Walkley really believed that the document was damaging, he could have picked up the phone, explained why and asked me to remove it. If I had been unreasonable, he would then have been quite justified in taking whatever actions he deemed necessary. I could have explained exactly why I published it, what my concerns were and why I felt that such a leak showed that the program had been compromised (not by myself or this leaked document).
All of the Barnet bloggers have received leaked documents. I am not alone in this respect. Most are not published because they would put the person who leaked them at risk. Barnet Council have resorted to ever more stringent procedures to prevent leaks, but still the leaks happen. Most important meetings are now held in the offices of expensive city lawyers. Distribution of documents is supposedly strictly controlled, yet I am sure Mr Walkley and his team would be flabbergasted to see what bloggers have received and not published. All of this is unsolicited. I have never once asked a Barnet Council employee to tell me anything or give me any document. This has been going on for three years now, more or less since the blog first appeared. Barnet Council are fully aware of this situation, but seemingly have never asked the question "If staff can leak this to bloggers out of a sense of public duty, what could have been leaked by staff with other motivation?". That is by far the most serious question. Barnet Council are obsessed with leaks to bloggers, but have completely missed the elephant in the room - leaks to commercial companies. Let me give one example. I was given information which proved beyond doubt such information loss had caused Barnet Council financial loss. I could not act on the information (and destroyed the brown envelope) because it would without doubt have exposed my source and they would have lost their job. Who knows what else has occurred, which will never see the light of day? I believe that more than 99% of staff at Barnet are honest decent people who care passionately about the Borough. In every organisation, there is a small element who have a different motivation. The concern is that there is no effective process in place to ensure that such breaches ever come to light. It seems it only ever comes to light by chance or when the person does something extremely stupid.
One final piece of advice for Barnet Council and their legal team (I am sure they will be avidly reading my blog today). Any document which contains information which you do not want the world to see should contain a legal warning on every page. Here is an example of such a warning:
This document may contain information that is privileged, confidential, legally privileged, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED.
A document carrying text such as this leaves no one in any doubt as to the legal status of the document. It is a sensible precaution that costs nothing. I would suggest that Barnet legal put their time to good use today and design a document template which ensures that every Barnet Council document which they believe to be sensitive carries this wording.
Oh and finally I'd like to thank everybody who has contacted me with pledges of support and advice.