
Data Breach

Part 2 from Body Of Teachers sender

 

Whilst Dr. Zimmer might have resigned, and not too soon, sad his legacy will be the loss of what was a tight-knit staff community, a significant financial debt for WCC and a bland building. Where is the accountability for his actions and failings in leadership, other than to pass the buck? Robocop has been allowed to run amok in Secondary.

High turnover of respected staff has been a sign of some rot for a few years now, and it doesn’t appear to be slowing. A clear example of this ‘rot’ follows. The following was an email that essentially shows culpability and implicates senior staff:

“Dear colleagues,
Some of you have noticed a potential risk to our data protection when they found a non-WCC e-mail address listed on the permission to access and edit CAG Google sheets with the assessment data summaries. This e-mail address, which is the administrator’s, has now been removed, and the account administratorCAG@wcc.com has been created and added instead. It will be used for administration purposes, and it will be live for a limited number of days only.
In order to economise on time and utilise expertise running a complex script (code), I have asked Robocop’s partner (he is the administratorCAG) to write the script which I have attached. This code enables us to automatically extract student data from a variety of different spreadsheets and feed them into individual letters to the students and their parents. You will see from the code, which is attached, that this is not a simple mail-merging exercise. While the code is now written, it will still need administrating while the data sharing process is going on and letters are being sent. Since we have been spot-checking the details of the process, I can assure you that no data has been compromised at any stage.
Kind regards.
Dr Zimmer”


First, this was not a potential risk to data protection, but an actual breach, not limited to a data breach alone, as shown below.

A non-WCC e-mail address permitted to access and edit KAAGH sheets that contained named pupils and their assessments is a serious issue, not to be blown off as is the case here.

Under most circumstances, there is no need for a non-WCC person to access these files. If such access was necessary, all staff should have been informed in advance, with clear descriptions of the scope and restrictions placed on that access. This was lacking and implies misdemeanour.

To compound further, the non-WCC e-mail address was that belonging to a spouse of a senior member of WCC. Further, this spousal unit had an offspring at that time in the year to which the KAAGH file pertained, such that a serious conflict of interest existed without strong controls in place to manage it. Did Robocop allow her partner access to files he had no right to access? How is she being held to account for this blatant disregard for data protection, and laxity in controlling for conflicts of interest? It seems Robocop is allowed to run amok in her role, not held to account. That matter rests with Dr. Zimmer for failing to equally be accountable for senior staff behaviour.

Creating a new e-mail address and granting administration access to this person fails to address the breaches and conflicts of interest. It condones a data breach and conflict of interest as normal business.

Next, allowing a non-employee to code a script begs the question as to accountability. Further, what due diligence was conducted to ensure the person was competent and accredited professionally to code such a script and it be allowed to run on a WCC file for such a significant matter?

Given the data breach and conflicts of interest here, the leadership should have identified the need themselves for such a script and tendered through an appropriate organisation for this. To “economise on time” shows a significant lapse in governance, as does assigning “expertise” in such scripts cause concern as to the due diligence in making such decisions.
Where is the transparency and document trail to confirm adequate precautions were taken? What would the parent body think to know this happened?

Another example of poor judgement is sending the actual code to staff. Of what expectation? If a member of staff was capable of interpreting the code, then why was a staff member not asked to create the code in the first instance? Was that a feeble attempt to show pseudo-transparency? Yet more examples of disingenuous attitude towards staff, pupils and parents? How much of what is relayed to the stakeholders is reliable and the truth? Then back to some of the issues raised in recent years, where leadership were allowed to make false accusations, terminate contracts based on unfounded allegations whilst not being held to account themselves.
“Data sharing process” going on does not instil confidence that adequate protections were in place, leaving a non-WCC staff member responsible as administrator. Are you reassured?
Do we have a fully transparent, credible assurance that could maintain the school’s reputation and unquestionably demonstrate to parents, examination boards, and universities that no manipulation could have occurred?
Unfortunately, evidence and witnesses tend to suggest otherwise. Leadership continue to sweep issues under the carpet and deny the reality.

There is no reassurance in “we have been spot-checking the details of the process”, since the administration by a non-WCC person, a spouse of a senior member of staff, and father to a pupil within the cohort concerned, shows poor judgement in this. Further, how can there be an assurance from the principal that “no data has been compromised”? How was this verified? From his extensive expertise in this area?

In summary, Dr. Zimmer implicates himself with Robocop and her partner, in a data breach and the risks of allowing code by allowing access to data by non-WCC personnel, one with a conflict of interest. Serious matters that might harm the WCC reputation, and as such must be robustly addressed and those involved held to full account.

Now Quiz this one….
