Coronavirus: FM learned of data breach 11 days after health minister

Image source, Getty Images
Image caption,
The breach involved the details of people who tested positive for Covid-19

First Minister Mark Drakeford found out about a major coronavirus data breach 11 days after his Health Minister Vaughan Gething, according to accounts given in the Senedd by the pair.

Mr Gething said he received a "serious incident alert" on 3 September.

But Mr Drakeford said he found out on Monday - the day when Public Health Wales disclosed what happened publicly.

Details relating to 18,000 people who tested positive for the virus had been published on the health body's site.

The data, including the initials, date of birth, geographical area and sex of individuals involved, remained live from 14:00 on 30 August to 09:55 the next morning.

Public Health Wales (PHW) has apologised for the breach.

In the Senedd Mr Drakeford said he did not know when officials and ministers, other than himself, were informed of the breach.

Tory Senedd member Andrew RT Davies said called for an investigation by the permanent secretary into how the first minister "claims to have been kept in the dark on such a serious issue".

Image source, Getty Images
Image caption,
The information was online for 20 hours before being taken down

At First Minister's Questions Welsh Conservative group leader Paul Davies called for the first minister to apologise to those affected by the incident.

Mr Drakeford replied: "I learned of this data breach yesterday [Monday], and I learned of it as a result of Public Health Wales' statement."

"It is a serious matter when data regulations are not properly observed."

He said PHW had been right to apologise to those concerned.

"Thankfully... the breach lasted for less than a day, and the initial inquiries suggest that no harm has been done as a result, but that is a matter of luck rather than anything else."

Mr Drakeford said it was right that PHW had instituted an inquiry and informed the information commissioner.

Image source, Getty Images
Image caption,
Mark Drakeford was questioned on the matter by Andrew RT Davies in the Senedd on Tuesday

'I know when I was informed'

Pressed by Tory Senedd member Andrew RT Davies on when the Welsh Government was informed and which minister was the first to be told, Mr Drakeford said: "I know when I was informed.

"I don't know the answer to those other questions nor would I expect to know them just standing up here in the chamber."

But Vaughan Gething later told Senedd members he was informed by "a serious incident alert on 3 September", after officials were told on 2 September.

"That is entirely normal," he said.

"We don't believe anyone has come to harm. But it is a serious breach and it needs to be treated seriously.

"That's why there is an independent investigation," he said, promising that a report on the matter will be released publicly.

'Serious questions'

Andrew RT Davies said: "This either points to a seriously dysfunctional working relationship between currently the two most important people in the Welsh Labour Government, or someone is not telling the full story.

"There are also serious questions as to why Public Health Wales and Vaughan Gething sat on this breach for two weeks before making it public."

Public Health Wales, in answering a question as to why it took two weeks before the public was informed, said: "The time between the breach itself and the announcement included notifying the Information Commissioner's Office and Welsh Government of the breach, seeking legal advice from GDPR experts, conducting a risk assessment, liaising with NHS and local authority partners about the incident and mitigation strategy, and establishing an independent investigation.

"After these steps had been taken, we made the announcement on Monday in order to maximise media and public engagement."

Related Internet Links

The BBC is not responsible for the content of external sites.