Serious data breaches across NI government departments

Sensitive information being left behind in a restaurant and the possible disclosure of a person's former identity are among serious government data breaches in Northern Ireland.

New figures show there have been almost 50 breaches by Stormont departments during the past decade.

Almost a third were by the Department of Justice.

Several breaches by the Department for Communities were deemed to be "major incidents".

They included the loss of papers containing medical data and a member of staff inappropriately accessing their ex-partner's benefits information.

The nine Stormont departments said that where breaches occurred the cases were referred to the Information Commissioner's Office (ICO) and action was taken to ensure information was deleted.

But a former government watchdog has said the data breaches highlight a worrying trend.

Felicity Huston was previously the commissioner for public appointments in Northern Ireland.

She said: "The government is insisting more and more that we go online and they collect vast amounts of our data that way - the least they can do is keep it safe."

The Department for Communities (DfC) was responsible for the breaches relating to information being left in a restaurant and the possible disclosure of a former identity.

Other breaches by the DfC included the loss of a laptop and hard-copy files containing "special category information".

In that case the police were informed of the incident and the laptop was disabled. A hard-copy file and laptop were subsequently handed in to the Police Service of Northern Ireland (PSNI).

The Department for Communities said it referred all data breaches to the ICO and was advised that no further action was required in relation to each case.

Major data breach

Information on the breaches comes as details of 10,000 police employees were accidentally included in a response to a freedom of information request.

That breach, and two others that were subsequently made public, caused considerable concern among PSNI officers and staff, who face a continuing threat from paramilitaries and must be vigilant about their personal security.

An independent review is being carried out to establish how those breaches happened.

PSNI Chief Constable Simon Byrne has since resigned after a number of controversies, including the data breaches.

The latest figures obtained by BBC News NI show that of the 48 data breaches recorded by Stormont departments since 2013, 13 were by the Department of Justice.

They included a letter posted by the Northern Ireland Policing Board which did not arrive at the intended recipient's address.

The DoJ's policing policy and strategy department was also found to have shared information with "unauthorised parties".

In another case a letter was sent from Laganside Courts to the wrong person and there was "the erroneous release of personal data" by the Coroners' Service.

The DoJ said all of the cases were reported to the ICO and staff awareness training was carried out.

Data breaches recorded by the Department for Infrastructure (DfI) included a staff member who accessed personal folders of colleagues and medical information being sent to the wrong home address.

The breaches were reported to the ICO while the individuals whose personal data was breached were informed and they received an apology.

'Technical malfunction'

The Executive Office (TEO) breaches involved an incident in which 77 email addresses of members of the Truth Recovery Victim and Survivor Consultation Forum were identifiable in a calendar invitation.

TEO also recorded a breach from the Historical Institutional Abuse Inquiry in which the email addresses and names of approximately 251 people were issued.

In both cases the incidents were reported to the ICO and letters were issued to those affected.

TEO said it apologised to all those people, adding that the breaches were "deeply regrettable" and that it had learned from the incidents.

The Department of Health (DoH) published a report provided by the Muckamore Abbey Hospital (MAH) Independent Review Panel, which included some personal details of a small number of patients and staff.

The DoH also received reports from six members of the public who experienced issues with their Northern Ireland Covid Certification Service (CCS).

Their accounts were showing personal details and vaccine certificate information relating to other users.

During an investigation it was discovered that the issue was a technical malfunction.

The incidents were reported to the ICO and correspondence was issued to all of the people who were affected.

'Deeply troubling'

Felicity Huston previously criticised the leaking of the names of candidates for the role of victims' commissioner in 2008.

She said the latest data breaches were deeply worrying.

She added: "I was struck by the variety of breaches, from small things like envelopes not arriving to lost healthcare information, and that's deeply disturbing.

"After what's happened with the police and now this, people will quite rightly start to think: 'What next will turn up in the public domain?'"

The information on data breaches was released to BBC News NI under Freedom of Information legislation.

The data relates to breaches by government departments and did not always include information on activity by their arms-length bodies.

An ICO spokesperson said: "People have the right to expect that their personal information is kept safe and handled responsibly.

"Organisations must have robust measures in place to protect personal information, especially when that data is sensitive."