GDPR: Welsh government breached data laws 300 times since 2019

[Image: keyboard (Getty Images). Caption: A Welsh government spokesperson said it "takes data protection obligations seriously"]

The Welsh government has broken data protection laws more than 300 times in less than three years.

Breaches since the start of 2019 involved documents which included criminal allegations and "personal sensitive data".

Some breaches were made from a "secure" government site, a Freedom of Information (FOI) request found.

The Information Commissioner's Office (ICO) said people should expect personal data to be handled securely.

The Welsh government said it "takes data protection obligations seriously and carries out an internal reporting process".

It added: "Once each breach is reported, processes are reviewed and where necessary, remedial action is agreed with management."

Of the 300 breaches, 11 were referred to the ICO, including:

  • A care home inspection report containing personal sensitive data was published on the Care Inspectorate Wales website in error (April 2021)

  • A sub-contractor issued a form containing sensitive personal information of one individual to 26 individuals via email (March 2021)

  • A safeguarding enquiries court report containing personal sensitive data was emailed in error to the wrong service users (March 2021)

  • "Personal sensitive data that also included criminal allegations" was published on the Planning Inspectorate's appeals casework portal (August and September 2019)

  • A prisoner was sent a court report relating to a different family as well as the information that he should have received (August 2019)

In three cases, the subject of the data was offered protection under the fraud prevention service Cifas.

Cifas then flags the subject's details in the National Fraud Database, allowing companies to see that the person is at risk of impersonation and take extra steps to ensure they are protected.

[Image caption: The Welsh government has about 5,500 full-time equivalent staff]

Thirty-three Welsh government staff members were referred to the human resources department, with disciplinary action or the "underperformance procedure" used with some and "informal action" taken against others.

In addition, about 60 staff have had to repeat mandatory data protection training.

Desk instructions, relevant policy documents and guidelines have been reviewed and updated in response to the cases.

Some staff were asked to turn off the email auto-fill facility in Outlook, which automatically fills in names and email addresses based on the characters you start to enter.

The Welsh government - which has about 5,500 full-time equivalent staff - added that all breaches were "reported, recorded and acted upon, no matter how small, with very few meeting the criteria for reporting to the ICO despite the level of personal data processing undertaken by the Welsh government."

The ICO said: "Not all data breaches need to be reported to the ICO. The organisation must assess the seriousness of the incident and whether it poses any risk to the rights and freedoms of people. If they decide not to report it, they must be able to say why.

"People have the right to expect that organisations will handle their personal information securely. When that doesn't happen, they should contact the organisation first; if they are still not satisfied, they can come to us."
