As public authorities, the Belfast and South Eastern Trusts should be fully aware of strict obligations in respect of data security and management.
Trusts handle some of the most sensitive data when dealing with patients. This breach could really question the confidence the public places in them.
Article 5(f) of the General Data Protection Regulations specifies personal data be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
It appears there may have been major and multiple failings on behalf of the trust.
When it comes to data or information about recruitment, employment or personal details — such as salary and vehicle registrations — it would be fair to contend the person who the data relates to would have a reasonable expectation of privacy in relation to it, and this breach is likely a breach of GDPR, misuse of private information, and a potential breach of Article 8 of the European Convention on Human Rights .
Any Information Commissioner’s Office (ICO) investigation should properly investigate the circumstances of the breach but with the trust having previous breaches and fines levied against them, this may act as an aggravating feature if they did not learn from previous errors, and same could be reflected in any future fines.
Those affected by this data breach are likely entitled to compensation under the Data Protection Act 2018 and GDPR.
That hundreds of pages of documents were allegedly discarded in a set of desk drawers that was later purchased in a charity shop is highly concerning.
It appears these documents relate to trust staff and potential staff with, in some cases, highly personal details, including addresses, previous employers, and sensitive financial information. This is something the ICO is likely to take a dim view of.
More embarrassing is that the documents also contained a report detailing how the trust intended to protect data and ensure there were no future breaches.
It would be blatantly obvious to anyone that appropriate filing, use of digital security, provision of shred bins and emptying of drawers before disposal of desks should be commonplace in a workplace.
The public, and indeed trust staff, need to know that their personal data will be properly handled, stored securely and that all documents containing personal or private information will be disposed of in the appropriate manner.
Ciaran Moynagh is a partner in Phoenix Law specialising in human rights law.