Date: 2023-08-02

The Information Commissioner’s Office (ICO) has reprimanded both organisations.

The Executive Office disclosed email addresses of those subscribed to an e-newsletter related to the Historical Institutional Abuse (HIA) Inquiry

The Executive Office (TEO) is one of two Northern Ireland organisations which have been reprimanded by the Information Commissioner’s Office (ICO) for email data security breaches.

Along with the Patient and Client Council (PCC), TEO have been rapped for disclosing people’s information inappropriately via email.

Both organisations disclosed recipient details by using inappropriate group emails, and should have found an appropriate alternative such as mail merge, the ICO have said.
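The distinction the ICO draws here, a single group email with every address in the To or Cc field versus a mail merge that sends each subscriber their own message, as an added example that is not part of the article. It is hypothetical Python, not code from either organisation or the ICO: the subscriber list is constructed, the policy limit of one visible recipient is an assumption, and the messages are built but never sent.

```python
"""
Added example: two controls for the failure mode in the article.

1. A pre-send guard that refuses any message exposing more than a configured
   number of recipients in To/Cc (the headers every recipient can read).
2. A mail-merge builder that emits one message per subscriber, so no
   recipient ever sees another subscriber's address.

All names, addresses and the threshold are assumptions for illustration.
"""
from __future__ import annotations

from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy: a message may show at most one recipient in To/Cc.
MAX_VISIBLE_RECIPIENTS = 1

# Constructed sample data (invalid TLD so nothing could ever be delivered).
SENDER = "newsletter@example.invalid"
SUBSCRIBERS = [
    {"name": "Subscriber A", "email": "a@example.invalid"},
    {"name": "Subscriber B", "email": "b@example.invalid"},
    {"name": "Subscriber C", "email": "c@example.invalid"},
]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can see: everything in To and Cc (not Bcc)."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(raw) if addr]


def check_before_send(msg: EmailMessage,
                      limit: int = MAX_VISIBLE_RECIPIENTS) -> tuple[bool, str]:
    """Return (allowed, reason). Blocks bulk messages with exposed recipients."""
    visible = visible_recipients(msg)
    if len(visible) > limit:
        return (False,
                f"blocked: {len(visible)} visible recipients in To/Cc "
                f"(limit {limit}); use Bcc or a mail merge instead")
    return True, "ok"


def build_group_email(subject: str, body: str, recipients: list[str],
                      field: str = "To") -> EmailMessage:
    """The pattern both organisations used: one message, all addresses in one header.

    field may be "To", "Cc" or "Bcc". Only "Bcc" keeps recipients hidden from
    each other (mail servers strip the Bcc header before delivery).
    """
    if field not in ("To", "Cc", "Bcc"):
        raise ValueError(f"unsupported recipient field {field!r}")
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = subject
    msg[field] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def mail_merge(subject: str, template: str,
               subscribers: list[dict]) -> list[EmailMessage]:
    """The alternative the ICO names: one personalised message per subscriber."""
    messages = []
    for sub in subscribers:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = sub["email"]          # exactly one visible recipient
        msg["Subject"] = subject
        msg.set_content(template.format(name=sub["name"]))
        messages.append(msg)
    return messages


if __name__ == "__main__":
    addresses = [s["email"] for s in SUBSCRIBERS]
    for field in ("To", "Cc", "Bcc"):
        grouped = build_group_email("Update", "Hello all", addresses, field)
        print(field, check_before_send(grouped))
    for m in mail_merge("Update", "Dear {name},\nhere is your update.", SUBSCRIBERS):
        print("merge ->", m["To"], check_before_send(m))
```

The guard only inspects headers, so it is cheap enough to run on every outbound message at the gateway or in a send hook; the mail-merge path is what the guard should steer bulk senders towards, since it needs no exception to the one-visible-recipient rule.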

The Executive Office’s Interim Advocate’s Office, established following the report of the Historical Institutional Abuse (HIA) Inquiry, sent an e-newsletter to 251 subscribers using the ‘to’ field.

Although only email addresses were disclosed, it can be inferred that the people included in the email were likely to be victims and survivors, as the newsletter content was tailored to survivors who wished to engage, or who were already engaging, with the HIA Inquiry compensation scheme.

The PCC had sent an email to 15 people across Northern Ireland, each of whom had lived experience of gender dysphoria, using the carbon copy (cc) option.

Although the body of the email did not contain personal information, the people who received the email could reasonably infer that the other recipients also had experience of gender dysphoria, given their inclusion in the email.

This could have been information the recipients would not wish to be shared with people unknown to them.

UK Information Commissioner John Edwards said this type of breach was “all too common but is easily avoidable”.

“Organisations must take responsibility for training their staff properly and for putting appropriate systems and policies in place to avoid such incidents,” he said.

“Even if the content of an email is not sensitive or confidential, identifying people who have received it could reveal sensitive or confidential information about them.

“That could be very distressing and potentially harmful to the people affected.”

Under data protection law, organisations must have appropriate technical and organisational systems in place to ensure personal data is kept safe and not inappropriately disclosed to others.

The ICO’s investigation found that the email options chosen in both cases were not appropriate and that both organisations had insufficient guidance for staff about sending communications by bulk email.

The ICO recommended that PCC and the Executive Office should review and update their policies and procedures and provide appropriate guidance to staff in relation to email use.

The organisations will need to provide details of actions taken within three months of the reprimand being issued.

The Executive Office said they had fully accepted the ICO’s findings.

“The Executive Office deeply regrets the data breach and acknowledges the profound impact it has had on those affected,” said a spokesperson.

“We fully accept the reprimand as issued by the Information Commissioner’s Office and we will continue to work to ensure that no repetition of the data breach occurs in the future.

“In light of the ongoing legal proceedings, it is not appropriate for us to comment further at this time.”

The PCC said they are taking the data breach “very seriously”.

“We apologise to those affected by it. We fully accept the recommendations made by the ICO and have been fully engaging with them throughout this process,” said a spokesperson.

“When the data breach was recognised, we immediately referred it to the ICO and have been taking a number of additional steps to ensure that our information governance is in line with best practice and UK GDPR.”