07.08.12
£175,000 fine for trust that put 1,373 staff profiles online
An NHS trust has been hit with a £175,000 fine for an “extremely troubling” data breach following an investigation by the Information Commissioner’s Office (ICO).
Torbay Care Trust accidentally published sensitive details of over 1,000 employees on a spreadsheet on its website in April 2011 and only spotted the mistake when it was reported by a member of the public 19 weeks later.
It included 1,373 people’s names, dates of birth and National Insurance numbers, along with sensitive information about religion and sexuality.
The ICO’s investigation found that the trust had no guidance for staff on what information shouldn’t be published online and had inadequate checks in place to identify potential problems.
Stephen Eckersley, head of enforcement at the ICO, said: “We regularly speak with organisations across the health service to remind them of the need to look after people’s data. The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable. Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud.
“While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information. We are pleased that the trust are now taking action to keep their employees’ details secure.”
The Trust has now introduced a new web management policy to make sure personal data is not mistakenly published on their website in the future.
The trust’s chief executive, Andrew Farnsworth, has said it has accepted the findings, will take advantage of an early payments discount to reduce the impact of the fine, and that, as it had been expected, it will not affect patient care or budgets.