Police are investigating an alleged abuse of Dundee City Council’s database for recording sensitive family, criminal and health information.
Details of the breach emerged during an online meeting of the council’s scrutiny committee.
Councillors were considering a review into the Mosaic database, “a single case management system operating across the children and families service, criminal justice and adult health and social care services.”
An internal audit process judged there were “weaknesses in the system which should be addressed.”
Responding to a question on the severity of the weaknesses, Michael Holligan, of the children and families team, said: “I am aware of one example of unauthorised access that has been investigated and reported to the information commissioner.
“I’m not sure about whether it’s related to the design of the system. It was unauthorised access, by use of a password, when an employee was on sick leave and subsequently left the service.
“While I am aware of one example, I’m not clear if it falls underneath the umbrella of a system fault.
“There were other underlying issues related to that, which have been investigated. It is an open case with the police.”
Councillor Derek Scott, Conservative, had asked about breaches to strict laws governing the way public bodies store and use personal data.
He said: “There are lots of personal details held on that system. Are we aware if there has been any unauthorised access? Are we in danger of not complying with GDPR as a result of not having appropriate measures in place?”
Scrutiny committee convener Kevin Keenan, Labour, moved to prevent identification of the former member of council staff.
He said: “Given there’s a personnel issue I would caution against any sort of questions that would lead to delivering the person.
“It would be best if some of the questions were to be asked outwith this meeting with regards to that. If that needs to be followed up in some way.
“We can’t get in a position of having a personnel meeting here.”
Pamela Redpath, internal audit senior manager, delivered a report on the Mosaic system. More widely, her team discovered weaknesses in 41% of the council systems it had looked at.
Her report identified a number of problems with the database, including the ease with which council staff could access the system or delegate use to colleagues.
She said: “I’m not aware there’s been any unauthorised access.
“We were looking at the controls in place to mitigate the risk of unauthorised access and so, obviously, the recommendation around reviewing those controls and taking steps to approve them was the output from that work.
“There has been commitment that has been looked at as a matter of priority,” she added.
A Police Scotland spokesman did not comment on the investigation.
A Dundee City Council spokesman said: “The audit findings and recommendations were formally reported to the Executive Director of Corporate Services, the Executive Director of Children and Families and the Chief Officer, Dundee Health and Social Care Partnership and appropriate action agreed to address the matters raised.
“It would not be appropriate for the council to comment on any individual police investigation.”