Aerial view of Cardiff Bay

Welsh government guilty of over 300 data breaches since 2019

A Freedom of Information (FOI) request has revealed that the Welsh government has broken data protection laws over 300 times in under three years.

The data breaches in question, all of which have occurred since 2019, include several involving “personal sensitive data” and criminal allegations. In addition, several of the data breaches were found to have originated from a “secure” Welsh government website.

Among the over 300 breaches were 11 that were referred to the Information Commissioner’s Office (ICO).

These included:

  • In August 2019, a prisoner was sent a court report relating to a different family.
  • In August and September 2019, personal data and criminal allegations were published on the Welsh Planning Inspectorate’s appeals portal.
  • In March 2021, a safeguarding enquiries court report containing personal and sensitive data was emailed out in error.
  • A Welsh government sub-contractor emailed a form containing sensitive information about an individual to 26 people in the same month.
  • In August 2021, a care home inspection report containing personal and sensitive data was published on the Care Inspectorate Wales website.

Such was the sensitivity of the data included in these breaches that in three cases, Cifas offered the individuals concerned protection, flagging their details in the National Fraud Database to highlight they’re at risk of identity fraud. While such a step is positive in preventing fraud and financial loss, it also means the individuals concerned would likely have faced further checks and a more protracted process if they applied for credit.

Government staff disciplined and retrained

The Welsh government employs around 5,500 full-time equivalent people. Thirty-three were referred to the Welsh government’s human resources department following a data breach, with varying levels of action taken. The Welsh government also told around 60 staff to repeat data protection training.

The Welsh government has disclosed that it has reviewed and updated desk instructions and some policy documents and guidelines following these data breaches. In addition, some team members were reportedly told not to use email auto-fill functions, which may lead to emails and data being sent to people in error.

The BBC reported a Welsh government statement as saying that all breaches were “reported, recorded and acted upon, no matter how small, with very few meeting the criteria for reporting to the ICO despite the level of personal data processing undertaken by the Welsh government.”

Meanwhile, the ICO said: “Not all data breaches need to be reported to the ICO. The organisation must assess the seriousness of the incident and whether it poses any risk to the rights and freedoms of people. If they decide not to report it, they must be able to say why.

“People have the right to expect that organisations will handle their personal information securely, when that doesn’t happen, they should contact the organisation first, if they are still not satisfied, they can come to us.”

Contact LawPlus today if you have been affected by Welsh government data breaches

If your data has been exposed due to a data breach by the Welsh government, or any other governmental organisation or local authority, you may be entitled to compensation.

Contact us today for a FREE, no-obligation assessment of your data breach claim.