Computers that were sent to a Rehab Group facility were sold on to a third party and not destroyed as instructed by clients.
The issue came to light through a 2022 audit commissioned by Rehab Group to review concerns raised by a member of staff at Rehab Recycle Tallaght through a protected disclosure.
The staff member claimed that, during an unspecified period in 2020, computers to be wiped and destroyed were sold to a third party who reused them in the second-hand electronics market.
Multiple staff at the south Dublin facility told the audit team that a third party business had unrestricted access to the warehouse. This company, staff said, then chose the assets it wanted to buy “without regard to client instructions for destruction or re-use”.
There was “sufficient evidence” this occurred in one particular case highlighted by the audit team. Rehab itself bought a refurbished laptop back from the third party. It turned out to be a laptop a client had given them to wipe which “was not supposed to be recycled”.
Clients listed in the audit include State bodies that hold sensitive data, among them government departments and publicly-funded organisations. The audit does not state whether any of the computers sold to the third party came from State clients.
It is unclear how many laptops or other items of equipment the audit covers, but two unnamed companies whose equipment was sent to Rehab for destruction were mentioned by the auditors in their report.
The “Tallaght site processed over 735 tonnes of IT kit in 2020”, according to the charity’s annual report from that year.
We asked Rehab Group for more details on the number of devices processed during the period in question, how many devices were impacted and if any State bodies were affected. Rehab did not answer our queries in relation to this.
The audit, conducted in 2022 by external auditors, and seen by Noteworthy, collated a “significant volume of evidence” to support the majority of the concerns raised. The auditors noted this evidence was “largely in the form of oral representations”.
Rehab Group confirmed it received a protected disclosure “concerning a branch of its Rehab Enterprises division” in 2022.
A Rehab statement said that the company acted immediately by hiring an independent external consultant to investigate the “concerns and allegations raised”.
“The findings of this review and its recommendations have been addressed, and monitoring and further checks and balances have been put in place… Rehab Group acts on concerns raised by employees and is committed to robust, transparent, and consistent procedures.”
Two government departments listed in the audit as clients in 2020 said that hard drives were wiped on-site, before the equipment left their premises, prior to disposal.
Another department told us it received a certificate of destruction from Rehab for items that were to be “physically destroyed to such a degree that no data could be retrieved”. Other departments said that they had no contract with Rehab in 2020.
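Wiping a drive before it leaves the building is the one control in this story that does not depend on a processor honouring its instructions, but a wipe is only a control if somebody verifies it. The script below is an added example, not code from the article, from Rehab Recycle or from any of the clients named; it spot-checks a drive or disk image after a zero-fill wipe by reading the first and last blocks plus a random sample of others, and by probing a short, constructed table of on-disk signatures (MBR, GPT, NTFS, ext4) that typically survive a skipped or partial wipe. The sample images it builds are constructed for the example.

```python
"""Sample-based check that a drive or disk image was actually zero-wiped.

Added example; not code from the article, Rehab Recycle or any client.
Assumes a zero-fill wipe (dd if=/dev/zero, nwipe zero pass, or similar).
The signature offsets are standard on-disk layouts, but the table is
deliberately short and not exhaustive.
"""
import os
import random
import tempfile

SECTOR = 512

# Signatures that commonly survive a skipped or partial wipe.
RESIDUAL_SIGNATURES = (
    (510, b"\x55\xaa"),        # MBR boot signature, end of sector 0
    (SECTOR, b"EFI PART"),     # GPT header at LBA 1
    (3, b"NTFS    "),          # NTFS OEM ID in the volume boot record
    (1024 + 56, b"\x53\xef"),  # ext2/3/4 superblock magic (0xEF53, little-endian)
)


def verify_wipe(path, samples=64, block_size=1 << 20, seed=None):
    """Read the first and last block plus up to `samples` random blocks and
    probe for known signatures. Returns a dict; report["clean"] is True only
    when nothing was found. Sampling can miss data, so a failure proves a bad
    wipe but a pass is only evidence of a good one."""
    rng = random.Random(seed)
    findings = []
    with open(path, "rb") as fh:
        size = fh.seek(0, os.SEEK_END)   # works for block devices, unlike st_size
        if size == 0:
            return {"path": path, "size": 0, "blocks_sampled": 0,
                    "clean": False, "findings": ["target is empty"]}
        for offset, sig in RESIDUAL_SIGNATURES:
            if offset + len(sig) <= size:
                fh.seek(offset)
                if fh.read(len(sig)) == sig:
                    findings.append(f"signature {sig!r} at offset {offset}")
        nblocks = (size + block_size - 1) // block_size
        chosen = set(rng.sample(range(nblocks), min(samples, nblocks)))
        chosen.update({0, nblocks - 1})   # partition table and GPT backup live here
        for idx in sorted(chosen):
            fh.seek(idx * block_size)
            block = fh.read(block_size)
            if block.count(0) != len(block):
                findings.append(f"non-zero data in block {idx} (offset {idx * block_size})")
    return {"path": path, "size": size, "blocks_sampled": len(chosen),
            "clean": not findings, "findings": findings}


def make_image(size, residue=()):
    """Write a constructed zero-filled image and plant `residue` (offset, bytes)
    pairs in it. Returns the path; the caller removes the file."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.truncate(size)          # sparse, reads back as zeros
        for offset, data in residue:
            fh.seek(offset)
            fh.write(data)
    return path


def demo():
    """Constructed images: one properly wiped, one with an NTFS boot sector
    and a stray block of old data left behind. Returns both reports."""
    size = 4 << 20
    clean = make_image(size)
    dirty = make_image(size, residue=[(3, b"NTFS    "), (510, b"\x55\xaa"),
                                      (2 << 20, b"payroll-2020.csv" * 8)])
    try:
        return verify_wipe(clean, seed=1), verify_wipe(dirty, seed=1)
    finally:
        os.remove(clean)
        os.remove(dirty)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Run it against a real device with `verify_wipe("/dev/sdX")` (read-only, root required) and keep the returned report alongside the asset tag; a client that holds its own verification record does not need to rely on a third party's certificate of destruction to know the data is gone. Raise `samples` for large drives, and note that a pass from sampling is evidence, not proof.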
‘Checks and balances’ put in place
The audit also examined claims the third party was allowed to purchase decommissioned scanning equipment from Beaumont Hospital that was sent to Tallaght to be destroyed.
A Beaumont spokesperson told Noteworthy it has an equipment disposal contract with a different provider. They said the hospital “has not been informed” about any alleged purchase of decommissioned equipment but “will make necessary enquiries to its contractor”.
The audit also said there was a risk that personal data from a client company was still on the hard drives of equipment sold to the third party to be dismantled. The third party appears to have reused the equipment instead, the audit found.
The audit recommended that Rehab investigates whether a personal data breach occurred in this case. We asked Rehab if it investigated this further, or any other cases.
Rehab did not answer this question, instead telling us: “The findings of this review and its recommendations have been addressed, and monitoring and further checks and balances have been put in place. Arising from the review Rehab is satisfied no personal data breach occurred.”
Noteworthy asked Rehab what steps it had taken to be satisfied that no personal data breach had occurred but a spokesperson did not provide a comment to our further queries.
The audit did state that after the initial concerns were raised in 2020, regional management at Rehab Recycle instructed that in future only equipment received for reuse was to be sold to this third party. The third party has also not been allowed into the warehouse since October 2020, according to the audit.
‘A data breach may have occurred’
Rehab Recycle is a branch of Rehab Enterprises, the largest non-governmental employer of disabled people, and is part of the charity Rehab Group.
Its core business centres on the recycling of computer hardware and confidential data destruction – “pioneering the field since 1984” – its website states.
A client can give permission for equipment to be reused, in which case the charity wipes and refurbishes the devices for sale into the second-life market. But when a client requests destruction, the equipment should be shredded and a certificate of destruction issued.
Rehab Recycle’s website states that its commitment to data privacy “is total” with the “fullest compliance with all relevant waste disposal law and data protection law”.
Because personal records on one specific client’s computers may not have been destroyed, the audit team identified a data protection concern and a potential GDPR breach.
Obligation to inform clients
As a processor, Rehab has various obligations under GDPR, the EU law on data protection and privacy. These include implementing security measures appropriate to the risk (Article 32) and processing personal data only on the client’s documented instructions (Article 28).
Under GDPR, any concern about a potential data breach should also be raised with the company’s Data Protection Officer. This did not happen in a case identified by the audit.
A processor must also notify the controller, here the client, without undue delay after becoming aware of a personal data breach. We asked Rehab Group if it informed its clients or the Data Protection Commissioner (DPC) about a potential data breach.
Rehab Group did not answer these questions. “In order to ensure respect for the rights of all parties concerned, Rehab Group would stress that the report arising as a result of this review is strictly private and confidential,” it said.
“The findings of this review and its recommendations have been addressed, and monitoring and further checks and balances have been put in place,” Rehab Group added.
We asked the DPC if it was informed about the concerns raised in the audit.
The DPC told us “it does not appear” that it received a breach notification from Rehab and that it was “not in a position to confirm” if notification would have been necessary in this case “without seeing the audit report and the details contained therein”.
“The requirement for organisations under the GDPR to report personal data breaches to the DPC is dependent on several factors including the nature of the breach, the cause of the breach, the type of data exposed, mitigating factors in place, and whether the personal data of vulnerable individuals has been exposed,” a spokesperson added.
By Niall Sargent of Noteworthy
Noteworthy is the crowdfunded investigative journalism platform from The Journal.
This article was funded in its entirety by Noteworthy’s investigative fund.