Data breach probe ordered by ICO after ‘covert’ op by Belfast trust
Since the GDPR became law in May of 2018, several hospital trusts have been the subject of data privacy and data protection incidents. Last year, a number of news reports revealed cases of unauthorised access to patient records, attracting unwanted attention to individuals’ and punitive fines for offending hospitals.
Earlier this month, the Information Commissioner’s Office (ICO) ordered an “enforcement investigation” into the Belfast health trust following the loss of “sensitive personal data” linked to a covert operation into allegations of sectarianism.
According to The Irish News, correspondence sent by the commissioner to a former security guard at Belfast City Hospital acknowledges the “extreme upset” caused by the trust’s secret monitoring of him.
The letter also notes that it is “unlikely” the trust complied with data protection laws in terms of protecting personal information.
Earlier this month, The Irish News revealed that the trust had installed listening devices and a hidden camera in the hospital to probe allegations of “toxic” sectarianism among security staff.
It has since emerged that a laptop used to download and view the covert recordings has been lost, while “major concerns” have been raised as to who sanctioned the surveillance.
Bullets sent to the home of a Catholic employee, staff supplying wooden pellets to a nearby loyalist bonfire and a photograph of paedophile priest Brendan Smyth being placed on a St Patrick’s Day rota were among the allegations reported.
A staff member also reportedly escorted Milltown murderer Michael Stone through the hospital and was alleged to have punched the air and shouted: “Michael Stone is my hero”.
The secret monitoring was carried out in 2012 but only came to light after individuals who were filmed received a tip-off from a whistleblower last summer.
No action was ever taken by the trust against any employees on the back of the operation but a confidential report into the trust’s management of the matter – published at the beginning of this year – was highly critical.
The latest correspondence sent by the commissioner, seen by The Irish News, was issued to an individual who had made a complaint about the trust filming him without his knowledge.
Dated March 19, it states:
…it is my assessment that it is unlikely that the trust has complied with the requirements of the DPA in this case, namely, the seventh data protection principle. As you may be aware, the seventh principle requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. It also appears that the data concerned may constitute sensitive personal data.
The Information Commissioner’s Office (ICO) letter adds: “We do realise that the trust’s covert monitoring of your personal data by your ex-employer is extremely upsetting for you. The ICO will now take further action to consider whether any more formal regulatory action is appropriate and may exercise its regulatory powers.”
The Belfast trust confirmed earlier this month that it had reported itself to the commissioner and that it had met with the staff affected. It also admitted the loss of the laptop.
“Efforts are being made to locate a laptop so that its contents can be examined and the Information Commissioner’s Office is aware of this. We are unable to provide the names of those involved as this is data personal to them.”
The commissioner’s letter confirms that its “Enforcement Department” is now conducting a live investigation into the trust after it had “self-reported” the incident.
“As part of the Enforcement Department’s investigation into whether the breach is serious and whether regulatory action is appropriate, they will now take steps to ensure that the trust has addressed all foreseeable weaknesses in its organisational and technical controls, with a view to reducing the potential for a recurrence,” the correspondence adds.
Aidan Hanna, who represented two of the affected security guards on behalf of the Staff and Workers Association (SAW) trade union, described the ICO’s intervention was “extremely significant”.
“The fact this is now at an enforcement investigation shows how seriously this is being taken. I’m also pleased the commissioner has accepted the distress caused by the trust to its employees,” he said.
Sources: The Irish News