A full review of how information is managed at the office of Northern Ireland's Interim Victims' Advocate has been recommended following a data breach that resulted in the identities of almost 250 abuse survivors being leaked.
On May 22, the Interim Advocate's Office (IAO), where interim victims' advocate Brendan McAllister is based, sent a newsletter to 251 people without the recipients' names being anonymised.
Some 248 of those emails were to external recipients, while three were internal to the IAO.
Many of the individuals were involved in the Historical Institutional Abuse (HIA) Inquiry and wished to remain anonymous.
The email in question was sent by the office manager at the IAO on behalf of Mr McAllister.
When the breach came to light, many victims reacted with outrage, calling for Mr McAllister to resign. Others instructed their solicitor to launch civil claims, which one legal source told the Belfast Telegraph could amount to some £2.5m in damages.
Solicitor Claire McKeegan of Phoenix Law represents the group Survivors and Victims of Institutional Abuse (Savia) and said the group's trust in the interim advocate had been "shattered".
"Many of them have underlying psychiatric conditions which have now been exacerbated by the upset and distress caused by the interim advocate unwittingly releasing their information," she said.
An investigation into the breach was launched by the civil service's Group Internal Audit and Fraud Investigation Service, which published its findings on Tuesday.
Investigators found the breach was the result of a simple "procedural error", when the office manager copied the IAO mailing list into the 'To' field of the email rather than the 'Bcc' field, which would have kept the recipients' names anonymous.
They found that the normal process of sending a newsletter at the IAO was to copy the email addresses into the ‘To’ field of the email before moving them into the ‘Bcc’ field. In this case, however, the email was unintentionally sent before this was done.
The report also uncovered issues with the IAO's Data Protection Officer (DPO) role, whose job it is to monitor and advise on General Data Protection Regulation (GDPR) rules.
While the DPO is required to be an "independent expert in data protection", this role was filled on an interim basis by the office manager, and there were "concerns expressed (by the senior accountable officer and the office manager) that the office manager may not have the skills or training for the DPO role; the intention was that once additional staff were in place, the DPO role would be revisited."
Investigators also concluded there were problems around some victims giving adequate consent to be included on the IAO's mailing list.
"Review of a sample of entries on the mailing list identified that consent was indicated in approximately 65% of cases, however, this consent was not always explicitly stated," they found.
"In a further 26% of cases, where consent was not indicated, the individuals concerned are connected to a group and consent may have been provided by the group.
"However, when consent is provided by a third party, they need to demonstrate that they have authority to act on behalf of the individual and this evidence must be retained."
A total of nine recommendations have been made by the Group Internal Audit and Fraud Investigation Service on how to avoid such breaches in the future.
- A full review of information management arrangements at the IAO be carried out.
- The DPO role within the IAO is reviewed and a decision taken on how to ensure the role is properly fulfilled.
- Comprehensive data protection/information management policies and procedures for the IAO are developed as a matter of urgency.
- Email addresses are entered directly into the ‘Bcc’ field and recipients’ email addresses are only added once the email is ready to send.
In response to the findings of the investigation, Brendan McAllister pledged that the recommendations made will be fully implemented.
“I welcome the speedy conclusion of this investigation because it has addressed concerns that have been raised since the data breach occurred, and enables my colleagues to implement a small number of specific recommendations which should serve to reassure the people we are here to serve," he said.
Mr McAllister added that he would be in touch with all of those affected by the data breach to inform them of the steps that have been taken.
In a joint statement, representatives of four victims' groups – Survivors (North West), the Rosetta Trust, Survivors Together and an Independent Collective of Women Survivors of Institutional Abuse – said the error should never have happened, but insisted that they still had full confidence in Mr McAllister and his staff.
The groups also addressed controversy about Mr McAllister's studies to become a deacon in the Catholic Church, which they said they had been aware of following his appointment in August last year and had no issue with.
“When we met, or were in discussions with Brendan McAllister over the last 11 months, we were meeting him as the Interim Advocate. His faith; his relationship with God and his practice of that faith was never on the table. It was a matter personal to him, and never the subject of discussion or division," they said.
“It has never influenced our view of him. His role as Interim Advocate does not exclude him from practicing his faith or deepening his relationship with God. His faith is independent of his role.
“There is much more work to be done. Even with the current working arrangements making it difficult between now and the appointment of the Commissioner for Survivors of Institutional Childhood Abuse (COSICA), there are discussions to be had on additional support, future care needs, acknowledgement, an apology and memorialisation.
“With his knowledge and experience we believe Brendan McAllister is best placed to advance that process, and at the same time safeguard the interests of the victims and survivors. He and his staff continue to have our full confidence.”
SDLP MLA Colin McGrath advocated for a timeline for the implementation of the recommendations.
“The private email addresses of victims and survivors should not have been circulated and I have been in touch with many of those who were deeply distressed after receiving the communication," he added.
"They need to have confidence that renewed procedures are in place to prevent this from happening again and I would welcome an implementation timeline for the report recommendations.
“This matter has also been referred to the Information Commissioner’s Office and will be subject to a separate investigation which I look forward to seeing as soon as possible."