The Welsh government has broken data protection laws more than 300 times since 2019, according to a FOI (Freedom of Information) request.
Of those incidents, 11 were referred to the Information Commissioner’s Office, and three resulted in the affected data subject being offered protection by the fraud prevention service Cifas.
The BBC reports that the incidents also involved 33 Welsh government staff members being referred to HR; some faced disciplinary action or the “underperformance procedure”, whereas others were subject to “informal action”.
Additionally, approximately 60 employees were required to repeat mandatory data protection training.
Why were only some incidents reported?
UK data protection law states that data breaches only need to be reported to the Information Commissioner’s Office if they “pose a risk to the rights and freedoms of natural living persons”.
This generally refers to the possibility of affected individuals facing economic or social damage (such as discrimination), reputational damage or financial losses.
When organisations detect a data breach, they must decide whether it meets their notification requirements.
In response to the FOI request, the Welsh government confirmed that it had complied with this requirement.
It also said that it has since reviewed and updated its desk instructions, relevant policy documents and guidelines.
One change that it emphasised was that some staff have been asked to turn off autofill features when selecting email recipients in Outlook.
Commenting on the report, the Information Commissioner’s Office said: “People have the right to expect that organisations will handle their personal information securely. When that doesn’t happen, they should contact the organisation first; if they are still not satisfied, they can come to us.”
Managing your data breach notification requirements
Are you looking for help deciding when breaches must be reported, and if so, how to do so?
GRCI Law’s Retained Data Breach Management Service gives you the peace of mind that when a breach occurs, you will know exactly who to call for help and you will have priority access to our specialist data breach management team.
Our experts will help you respond to an incident or data breach quickly and in line with the GDPR’s 72-hour reporting requirement so that you can resume your normal business operations with minimal disruption and hassle.