Historical Institutional Abuse: Data breach was ‘procedural error’

In May, it emerged a newsletter had been sent without details of 251 recipients being anonymised.

The Executive Office said it was a “deeply regrettable incident” that significantly impacted victims.

Nine recommendations have been suggested to prevent further incidents occurring.

Some of the individuals whose details were published had been part of the Historical Institutional Abuse (HIA) inquiry and had chosen to remain anonymous.

First Minister Arlene Foster later confirmed that an internal fact-finding investigation was being carried out.

The report, now published, said that, on May 22, the office of the Interim Victims’ Advocate, Brendan McAllister, was preparing to send a regular newsletter to individuals on its mailing list.

It added that the office manager would normally have copied and pasted all email addresses from the mailing list into the ‘To’ field of the email, and then move them into the ‘Bcc’ (blind carbon copy) field, meaning email addresses in that field are not visible to anyone else receiving the email.

The report found that “putting email addresses into the ‘To’ field and then moving them to the ‘Bcc’ field creates a risk that materialised in this case as the email was unintentionally sent while the email addresses were sitting in the ‘To’ field”.

It said the data breach “would not have occurred” had the email addresses been pasted immediately into the ‘Bcc’ field.

The report recommended that the email addresses are put directly into the ‘Bcc’ field.

It also recommended “a full review” of the information management arrangements in place within the office of the Interim Victims’ Advocate be carried out.

At the time of the data breach, some victims and survivors called on Mr McAllister to resign as Interim Victims’ Advocate.

He apologised for the breach but said he would remain in the job until a full-time commissioner for victims and survivors of abuse is appointed in late August.

In a statement, Mr McAllister said he welcomed “the speedy conclusion” of the investigation.

“It has addressed concerns that have been raised since the data breach occurred, and enables my colleagues to implement a small number of specific recommendations which should serve to reassure the people we are here to serve,” he said.

Mr McAllister added that he would be in touch with all of those affected by the data breach to inform them of the steps that have been taken.

In a joint statement, four of the five groups representing victims and survivors of historical institutional abuse in NI, said the error should never have happened, but insisted that they still had “full confidence” in Mr McAllister and his staff.