Nearly 50 data breaches at nine Stormont departments: DfI civil … – Belfast Telegraph

Almost a third were by the Department of Justice, and multiple breaches by the Department for Communities were deemed to be “major incidents”.

The nine Stormont departments involved said that where breaches occurred the cases were referred to the Information Commissioner’s Office (ICO) and action was taken to ensure information was deleted.

Stormont’s Department for Infrastructure (DfI) and its arm’s-length bodies have had seven data breaches in recent years, it has emerged.

In one case a civil servant accessed personal folders of their colleagues and was suspended, while in another someone’s medical information was sent to the wrong home address.

The news comes following a series of high-profile PSNI data breaches, including one which saw the details of more than 10,000 officers and staff were mistakenly released on a public website.

Details of data breaches within DfI and its arm’s-length bodies, such as the Driver and Vehicle Agency (DVA), were obtained via an FOI.

The first of the breaches was in 2014, while there was one in 2015 and two in 2016. Another breach was detected in 2019, again in 2021 and the latest was last year.

All of the incidents were reported to the Information Commissioner’s Office.

In February of last year personal data of a third party was given out in a phone call by a member of the DVA, while in September, 2021, personal details attached to MOT bookings were unprotected for several hours due to unencrypted internet cookies.

Internet cookies are pieces of data from a website that are stored in web browsers that a website can retrieved at a later time.

In the later case the cookies were encrypted five hours after the breach were discovered and a “full system security check was carried out”, according to the FOI response.

Back in March of 2019 a member of DfI’s digital services branch accessed personal folders of colleagues. The members of staff affected were informed and the individual responsible was suspended.

An individual’s medical information was sent to the wrong home address in October, 2016. The person whose personal data was breached was informed and received an apology.

Mark H Durkan is the SDLP’s infrastructure person, and also a member of the Policing Board which grilled former Chief Constable Simon Byrne over the PSNI data breaches.

“Any data breach within a Stormont department must be treated with the utmost seriousness given the sensitive information that departments and their staff hold,” he said.

“It’s important that departments have robust policies in place to guard against and deal with data breaches and I would hope that when such breaches occur policies are reviewed and the fallout is dealt with in an appropriate manner.

“Recent events have shown us just how serious the fallout from data breaches can be, with wide-ranging effects for those involved. We need to have confidence in our departments and staff and any breach can seriously undermine their work.”

Alliance Party MLA Andrew Muir added said news of the breaches are a “serious cause for concern”, with range of “highly sensitive information wrongly made available that was no doubt worrying for many”.

He added that it is vital DfI and other department have robust plans in place to ensure data is kept safe and not wrongly made available as a result of system or human actions.

“Citizens and employees have a right to expect that often highly sensitive personal data government is entrusted to hold is kept secure,” he said.

DfI said: “All seven data breaches were reported to the Information Commissioners Office and appropriate action taken.

“Staff are reminded of the importance of regular data protection and Freedom of Information training following any breach of personal information and all staff are required to pass regular training courses on both.”

The Department of Health (DoH) published a report provided by the Muckamore Abbey Hospital (MAH) Independent Review Panel, which included some personal details of a small number of patients and staff.

The department also received reports from six members of the public who experienced issues with their Northern Ireland Covid Certification Service (CCS), with accounts showing personal details and vaccine certificate information relating to other users.

During an investigation it was discovered that the issue was a technical malfunction.

The incidents were reported to ICO and correspondence was issued to all of the people who were affected.