Historical Institutional Abuse: Data breach was 'procedural error', report finds

A data breach involving the identities of hundreds of historical institutional abuse survivors in NI was a "procedural error", an investigation has concluded.

In May, it emerged a newsletter had been sent without details of 251 recipients being anonymised.

The Executive Office said it was a "deeply regrettable incident" that significantly impacted victims.

Nine recommendations have been suggested to prevent further incidents occurring.

Some of the individuals whose details were published had been part of the Historical Institutional Abuse (HIA) inquiry and had chosen to remain anonymous.

First Minister Arlene Foster later confirmed that an internal fact-finding investigation was being carried out.

The report, now published, said that on 22 May, the office of the Interim Victims' Advocate, Brendan McAllister, was preparing to send a regular newsletter to individuals on its mailing list.

It added that the office manager would normally have copied and pasted all email addresses from the mailing list into the 'To' field of the email, and then moved them into the 'Bcc' (blind carbon copy) field, meaning email addresses in that field are not visible to anyone else receiving the email.

The report found that "putting email addresses into the 'To' field and then moving them to the 'Bcc' field creates a risk that materialised in this case as the email was unintentionally sent while the email addresses were sitting in the 'To' field".

'Full review of information arrangements'

It said the data breach "would not have occurred" had the email addresses been pasted immediately into the 'Bcc' field.

The report recommended that the email addresses are put directly into the 'Bcc' field.

It also recommended "a full review" of the information management arrangements in place within the office of the Interim Victims' Advocate be carried out.

At the time of the data breach, first revealed by BBC News NI, some victims and survivors called on Mr McAllister to resign as Interim Victims' Advocate.

He apologised for the breach but said he would remain in the job until a full-time commissioner for victims and survivors of abuse is appointed in late August.

Report should 'reassure people'

In a statement, Mr McAllister said he welcomed "the speedy conclusion" of the investigation.

"It has addressed concerns that have been raised since the data breach occurred, and enables my colleagues to implement a small number of specific recommendations which should serve to reassure the people we are here to serve," he said.

Mr McAllister added that he would be in touch with all of those affected by the data breach to inform them of the steps that have been taken.

In a joint statement, four of the five groups representing victims and survivors of historical institutional abuse in NI said the error should never have happened, but insisted that they still had "full confidence" in Mr McAllister and his staff.

Owen Beattie of KRW LAW said he trusted the necessary procedures will be put in place "to ensure this grievous breach of privacy does not occur again".

But Claire McKeegan of Phoenix Law, who represents the majority of abuse survivors, questioned why a timeframe for the implementation of the report's recommendations had not been given.

"How can the survivors therefore have confidence or be assured that their data is safe?" she said.

"We have been instructed to request that the interim advocate's office no longer retain our clients' private data given the lack of compliance.

"We await confirmation that our clients' details have been removed from their systems."

The matter has also been notified to the Information Commissioner's Office, which will conduct its own investigation separately.