Personal details of the top executive team at the Belfast Health and Social Care Trust, along with the home addresses of job applicants, were among hundreds of documents discovered abandoned in a charity shop.
The documents were stored in a desk purchased by a member of the public from a second-hand furniture store in Co Down.
Among the hundreds of pages were the personal phone numbers of the trust’s top managers.
The Information Commissioner’s Office is now investigating the data breach.
Among the files — some labelled ‘Strictly Confidential’ — was an information risk assessment looking at how Health and Social Care Northern Ireland can better protect sensitive data.
The document stated: “The guardianship and management of information in all its aspects (integrity, availability and confidentiality) is essential for the trust.
“Information can take many forms — from data sets of confidential personal information through to records of sensitive meetings, personnel records, policy recommendation, correspondence, case files and historical records.”
The report stated that during 2012/13 there were 17 incidents reported to the Information Commissioner for consideration.
They included information sent to the wrong individual, security of records, loss of data, inappropriate access to information, and transportation of records.
The document added that the Information Commissioner had undertaken an audit of how the trust manages personal data, which “provides us with a reasonable assurance level that processes, and procedures are in place for delivering data protection compliance”.
Among the files were policy recommendations on an increase in the minimum wage, private personnel records including expenses claims, and handwritten minutes of meetings.
Most concerning was the dumping of highly personal records linked to a job application process. One senior position was advertised as paying a salary of between £65,922 and £81,618.
The personal details of six candidates, including home addresses, previous employment and education, phone numbers, email addresses and personal references, were all contained in a folder abandoned in the set of office drawers. The majority of the documents were linked to the Belfast Health and Social Care Trust. There were also a small number linked to the South Eastern Health Trust.
They included a claim form for ordering a vehicle under the Business Lease Scheme. It revealed the employee’s £75,712 salary, address, and make and model of the car they leased under the scheme.
A personal address book full of contacts was among the bundle of documents, as was a report commissioned to allow staff to talk about safety concerns.
The majority of documents appear to be dated around 2015/16, though some dated back to 2012.
One showed that issues around patient safety predate the recent pandemic.
A questionnaire filled out by a senior member of nursing staff highlighted a number of significant failings on a Belfast hospital ward.
It stated staff training, patient falls and infection control as the three major areas of concern for nursing staff.
It added that problems with managing infection control included a “bedpan washer frequently out of order due to faults or lack of detergent”.
The report, dated July 2014, stated that a housekeeper post on the ward had been vacant for almost a year, and that staff nurse vacancy posts needed to be filled.
Many of the documents related to job recruitment and staff salaries.
One labelled ‘Confidential’ and dated 2017 outlined the trust’s considerations linked to paying social care staff the national living wage.
It gave confidential budget breakdowns of the cost of providing domiciliary care to older people and those with mental health and learning disabilities.
The loss of such a large quantity of highly personal and sensitive information is believed to be the biggest data breach since the loss of patients’ details at Belvoir Park Hospital.
The Belfast Health Trust was fined £225,000 after records were found abandoned in the disused hospital, which closed in 2006.
The Information Commissioner imposed the fine because the trust failed to secure confidential files.
The watchdog received new powers in 2010 allowing it to impose fines on public bodies which failed to secure personal data.
Responding to the data breach, the Belfast Trust said: “Thank you for bringing this matter to our attention.
“The trust takes the handling of personal sensitive data very seriously.
“In order to further investigate and report the breach to the ICO, we would require copy of the documents to evaluate where the data has come from.
“The trust would wish to undertake a thorough internal investigation and report same in line with the Health and Social Care incident management process.”
The South Eastern Trust said: “Thank you for bringing this matter to our attention.
“The South Eastern HSC Trust takes the handling of personal sensitive data very seriously.
“In order to further investigate and report the breach to the ICO, we would require copy of the documents to evaluate where the data has come from.
“The trust would wish to undertake a thorough internal investigation and report same in line with the Health and Social Care incident management process.”
The Information Commissioner’s Office said: “We’ve been made aware of a potential incident and will assess any further details.”