NI organisations reprimanded over gender dysphoria and abuse email leaks

The breaches followed the use of bulk email methods to multiple addressees who were not anonymised

A Stormont department and a patients' organisation have been reprimanded by a data watchdog for disclosing people's information inappropriately via email.

The Executive Office and the Patient and Client Council both used bulk email methods to send messages on sensitive topics to multiple recipients.

The recipients saw full lists of people who were emailed about either gender dysphoria or historic child abuse.

The breaches were investigated by the Information Commissioner's Office.

It found that 266 email addresses had been shared as part of the bulk messages and said this "could be very distressing and potentially harmful" to those affected.

They included 15 people across Northern Ireland who the Information Commissioner's Office (ICO) said had "lived experience of gender dysphoria".

'CC' option

These individuals were included in a bulk email from the Patient and Client Council after staff chose the carbon copy (cc) option to send the message.

"Although the body of the email did not contain personal information, the people who received the email could reasonably infer that the other recipients also had experience of gender dysphoria, given their inclusion in the email," the watchdog said.

"This could have been information the recipients would not wish to be shared with people unknown to them."

Similarly, the ICO investigated a bulk email sent by the Executive Office's Interim Advocate's Office in May 2020.

It was set up after the report of the Historical Institutional Abuse (HIA) Inquiry, which investigated child abuse in residential institutions.

The advocate's office sent an e-newsletter to 251 subscribers using the 'to' field, meaning everyone who received the newsletter could see the other recipients.

'All too common'

"Although only email addresses were disclosed, it can be inferred that the people included in the email were likely to be victims and survivors, as the newsletter content was tailored to survivors who were wishing to engage, or who were already engaging, with the HIA Inquiry compensation scheme," the ICO said.

UK Information Commissioner John Edwards said it was an "all too common" data breach.

"Even if the content of an email is not sensitive or confidential, identifying people who have received it could reveal sensitive or confidential information about them. That could be very distressing and potentially harmful to the people affected," he said.

The ICO said its investigations had found that both the Executive Office and the Patient and Client Council had insufficient guidance for staff about bulk email.

They have been asked to update their policies and provide details of their actions within three months.