UK – Public Health Wales has apologised and notified the Information Commissioner’s Office (ICO) after publishing data online from 18,105 people who have tested positive for Covid-19.
The incident took place on the afternoon of 30th August 2020, when the data was uploaded by mistake to a public server, meaning it was searchable by anyone using the Public Health Wales website.
After being alerted to the issue, Public Health Wales removed the data on the morning of 31st August. The data was online for 20 hours and was viewed 56 times.
The data included initials, date of birth, sex and geographical area for the majority of cases. For 1,926 people living in care homes or supported housing, the name of the place of residence was also included.
Public Health Wales said it has conducted a risk assessment and has sought legal advice. It said the legal opinion was that there was a low risk of the data breach leading to individuals being identified.
As well as the ICO, the Welsh government has also been informed, and an external investigation into the breach will be commissioned by Public Health Wales and led by the head of information governance at the NHS Wales Informatics Service.
Public Health Wales has created an incident management team to lead on changes to its standard operating procedures for data uploads, which are now carried out by senior team members.
Tracey Cooper, chief executive of Public Health Wales, said: “We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed.
“I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”
An ICO spokesperson said: “Trust and confidence in the way NHS Wales Test, Trace and Protect Service uses and safeguards personal data is essential to public participation, so the programme is successful in helping tackle the coronavirus pandemic.
“Public Health Wales has made us aware of an incident and we will be making enquiries.”