Intimate photos, medical reports and financial statements were just some of the documents found on internet cafe computers in an investigation by The Sunday Times of Malta.

Browsing sessions at four different internet cafes uncovered a wealth of personal data left behind by customers.

The most sensitive was found at the final cafe visited, with some documents seemingly stored for several months without being deleted.

Among the many documents found in the downloads folder of one computer were a July 2013 American Express Blue Card statement, a pathology report of a colon cancer patient and photos of a woman’s breasts.

Information which identifies individuals should not be retained after a session is closed

There was a March 2013 call sheet for the filming of a Maltese production, a scan of a Western Union money transfer receipt and a letter from the Employment Training Centre regarding a Russian citizen’s work permit application.

Also found were a US State Department immigrant visa form with the applicant’s name printed on it, a purchase agreement for holiday property in the Philippines, a detailed breakdown of a student’s results from a London university, an Eritrean baptism certificate and a letter of good conduct for a Somali looking to open bank account.

Furthermore, there was a letter to customs certifying an Albanian national’s work and residence history, a timetable for the final assessments of students on a Directorate for Lifelong Learning Course and various sales invoices.

There was even a letter from the European Commission’s Directorate General for Education and Learning, in response to a letter that was originally addressed to President José Manuel Barroso.

All this confidential inform­ation was found during one 30-minute browsing session.

This newspaper checked recycling bins, document and download folders on as many computers as possible at each internet cafe it visited. The folders are all freely accessible within seconds.

Among the items found during a one-hour browsing session at the first internet cafe visited were an employment contract, hotel and holiday package invoices, a Maltese ID card scan and numerous CVs and boarding passes.

A letter from Swiss tourists to a Paceville hotel detailing a theft that took place in their room was also found, as well as a booking form on which the client has described how she suffers from “severe claustrophobia”.

On one particular computer at this popular cafe, when the internet session started it was still logged into the Gmail account of the previous user.

At the two other internet cafes visited, CVs, boarding passes and a boat charter agreement between a Russian client and a British firm were found during 30-minute sessions.

The processing and retention of personal data by internet cafes falls under the parameters of the Data Protection Act.

“Information which identifies individuals should not be retained after a session is closed,” the Office of the Data Protection Commissioner said.

The law empowers the commissioner to issue fines of up to €23,000 for breaches. Fines are imposed depending on the nature of offence, the number of individuals affected and also its recurrence.

“Internet cafes should have specific mechanisms in place which will automatically remove content and sign out individuals from their personal mail or social network account when a session is discontinued,” a spokesman for the Data Protection Commissioner said.

“This will ensure the timely deletion of personal data including form data, and also prevent the next user from having access to the e-mail or other accounts of the previous user.”

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.