Published on September 15th, 2020
Coronavirus: FM learned of data breach 11 days after health minister
First Minister Mark Drakeford found out about a major coronavirus data breach 11 days after his Health Minister Vaughan Gething, according to accounts given in the Senedd by the pair.
Mr Gething said he received a “serious incident alert” on 3 September.
But Mr Drakeford told the Senedd that he learned about it when Public Health Wales informed the public on Monday.
Details relating to 18,000 people who tested positive for the virus had been published on the health body’s site.
The data, including initials, date of birth, geographical area and sex, remained live from 14:00 on 30 August to 09:55 the next morning.
Public Health Wales (PHW) has apologised for the breach.
In the Senedd, Mr Drakeford said he did not know when officials and ministers other than himself were informed of the breach.
Tory Senedd member Andrew RT Davies called for an investigation by the permanent secretary into how the first minister “claims to have been kept in the dark on such a serious issue”.
At First Minister’s Questions Welsh Tory group leader Paul Davies called for the first minister to apologise to those affected by the incident.
Mr Drakeford replied: “I learned of this data breach yesterday [Monday], and I learned of it as a result of Public Health Wales’ statement.”
“It is a serious matter when data regulations are not properly observed.”
He said PHW had been right to apologise to those concerned.
“Thankfully… the breach lasted for less than a day, and the initial inquiries suggest that no harm has been done as a result, but that is a matter of luck rather than anything else.”
Mr Drakeford said it was right that PHW had instituted an inquiry and informed the information commissioner.
‘I know when I was informed’
Pressed by Tory Senedd member Andrew RT Davies on when the Welsh Government was informed and which minister was the first to be told, Mr Drakeford said: “I know when I was informed.
“I don’t know the answer to those other questions nor would I expect to know them just standing up here in the chamber.”
But Vaughan Gething later told Senedd members he was informed “with a serious incident alert on 3 September”, after officials were told on 2 September.
“That is entirely normal,” he said.
“We don’t believe anyone has come to harm. But it is a serious breach and it needs to be treated seriously.
“That’s why there is an independent investigation,” he said, promising a publicly published report.
Andrew RT Davies said: “This either points to a seriously dysfunctional working relationship between currently the two most important people in the Welsh Labour Government, or someone is not telling the full story.
“There are also serious questions as to why Public Health Wales and Vaughan Gething sat on this breach for two weeks before making it public.”
Public Health Wales, in answering a question as to why it took two weeks before the public was informed, said: “The time between the breach itself and the announcement included notifying the Information Commissioner’s Office and Welsh Government of the breach, seeking legal advice from GDPR experts, conducting a risk assessment, liaising with NHS and local authority partners about the incident and mitigation strategy, and establishing an independent investigation.
“After these steps had been taken, we made the announcement on Monday in order to maximise media and public engagement.”