Following Data Breach Procedures and Staff Awareness

In the news this week, it was reported that Public Health Wales suffered a personal data breach when details of over 18,000 people who had tested positive for COVID-19 were inadvertently made available online.

The data was available on the site for 20 hours. The breach occurred at 14:00 on 30 August and the BBC reports that an individual at Public Health Wales became aware of the breach that evening. However, the data was not removed until 09:55 on 31 August. It is reported that the individual who discovered the breach did not follow the incident reporting procedures.

This serves as an important reminder that organisations should have data protection and data breach policies in place, and importantly those procedures and policies should be brought to the awareness of staff and followed by staff. Prompt incident reporting processes will enable organisations to take immediate steps to try and stop and ongoing breaches and take steps to mitigate the impact of a breach.

Accountability is one of the principles of the GDPR and the ICO has created an Accountability Framework to help organisations assess their compliance with that principle. One of the aspects of the framework is staff awareness.

By ensuring staff are aware of data protection obligations and its importance it can help organisations to mitigate the risks of a data breach occurring, and in the unfortunate event a breach does occur, staff awareness can assist with mitigating any damage.

Some of the steps organisations can take to assist with staff awareness are:

  • Ensure staff are aware of internal policies are procedures and that they are easily accessible.
  • Make staff aware of the key contacts in your organisations if they have data protection queries.
  • Provide data protection training as part of staff inductions and continue to provide refresher training to all staff on a regular basis. This may involve specialist training for relevant roles.
  • Consider running awareness campaigns with staff which could involve posters in offices and computer screensavers explaining the importance of data protection.
  • Make data protection an agenda item. That could be at management meetings, team meetings and whole office forums.

If you have any questions about data protection compliance in your organisation, please contact Charlotte Smith

This article is for general awareness only and does not constitute legal or professional advice. The law may have changed since this page was first published. If you would like further advice and assistance in relation to any of the issues raised in this article, please contact us today by telephone or email

Posted in Data, Privacy and Information Law, GDPR, Latest news and blog.