By Tony Collins
In one of the most bizarre regressions since the FOI Act came into force in 2005, officials at Somerset County Council have redacted an audit report on SAP security weaknesses after the report was published in full.
The result is that anyone can see links to both reports. This is the report with parts of it redacted – blacked out. These are links to the full versions, which were published before the redactions – here and here.
The report was written by auditors Grant Thornton for Somerset County Council and highlights weaknesses in a database that is shared by the council, Taunton Deane Borough Council and Avon and Somerset Police. The database is part of a SAP system run by Southwest One on behalf of the three authorities.
Southwest One is an IBM-led enterprise that provides IT and other services to the three authorities under a controversial outsourcing contract. Dave Orr has written comprehensively about the deal.
Somerset published the Grant Thornton report in full. The media, including Campaign4Change, published some details of the IT security weaknesses mentioned in the Grant Thornton report. It appears that Avon and Somerset Police asked officials at Somerset to black out details of some of the weaknesses.
Somerset-based FOI campaigner Dave Orr says the blacking out is to save the blushes of the police.
Says Orr: “Much of the redaction in the Somerset County Council IT Controls report by Grant Thornton, especially generic and available password advice in Section 3, is not based in a genuine security threat, but looks to be rooted in a Police culture that seeks to avoid criticism and/or embarrassment.”
Somerset MP Ian Liddell-Grainger says:
“SAP was built on the cheap by IBM to serve three different customers – the County Council, Taunton Deane district council and the Police. It would have made sense to bung in a few partitions to stop council eyes taking a peek at police matters, or vice versa. But that would have cost money – perish the thought.”