The Department of Justice in Northern Ireland has been fined almost £150,000 for a serious breach of the Data Protection Act after confidential documents were found inside a filing cabinet sold in an auction.
They included personal details relating to victims of a terrorist attack, the injuries they suffered and the amount of compensation being offered, as well as private ministerial advice.
The cabinet was one of 59 belonging to the Northern Ireland Compensation Agency that was sold, without a key, with other unwanted furniture to a member of the public at an auction in May 2012 after staff moved to other offices months earlier.
When the lock was forced open, papers dating from the 1970s until 2005 that contained highly sensitive information were discovered.
Police and the Information Commissioner’s Office (ICO) were immediately alerted.
The agency is under the control of David Ford’s Justice Department, which confirmed yesterday it had been fined £185,000 by the ICO. The penalty was discounted to £148,000 for early payment.
The ICO said that while there was an expectation within the agency that personal data would be handled securely, its investigation found limited instructions to staff on what that meant in practice, despite the highly sensitive information the office held.
Ken Macdonald, the assistant commissioner for Northern Ireland, said: “This is clearly a very serious case. While failing to check the contents of a filing cabinet before selling may seem careless, the nature of the information typically held by this organisation made the error all the more concerning.
“The distress that could have been caused to victims and their families had this fallen into the wrong hands is self-evident.”
Mr Ford said the breach of the Data Protection Act should not have happened.
He added: “We informed the Information Commissioner as soon as we became aware of the breach. The Justice Committee was also subsequently made aware. The department has co-operated fully with the Information Commissioner and paid the penalty imposed.
“This was an unfortunate breach of data security caused by simple human error and not a systemic problem within the department. We are satisfied that none of the information was compromised and none of the other cabinets sold contained any files.
“Detailed procedures have now been implemented to ensure that, in future, any personal data contained in furniture that is being disposed of will be dealt with securely.”