Public Health Wales has admitted that the details of just over 18,000 people who had tested positive for COVID-19 were available online for a short time on 30th August.
The information included initials, date of birth, gender and geographical area, and Public Health Wales has suggested that the risk of identification was therefore low. This presupposes that no one could match initials and dates of birth, which is actually not that difficult. For those living in nursing homes or in supported housing, the risk was higher, as the details also included the name of their place of residence.
In the 20 hours that the data was online, it was evidently viewed 56 times and it seems that the data breach policies may not have been accurately followed. Of course, the statement said that they take their data protection responsibilities very seriously, and they have referred themselves to the ICO.
So let’s remind ourselves again of some basic rules to help stop this:
- Make sure that ‘data protection by design and by default’ is at the heart of your IT systems
- Build robust policies and procedures, and make sure people are trained to use them
- Test your data breach procedure regularly