ICO fines NHS trust for ‘troubling’ data breach

The Information Commissioner’s Office (ICO) has fined an NHS trust in Devon £175,000 after it accidentally published an Excel spreadsheet containing sensitive personal data of over 1,000 NHS employees online.
 
Staff at the Torbay Care Trust (TCT) published data covering the equality and diversity responses of 1,373 workers alongside their name, sexual orientation, religious beliefs, national insurance number and date of birth.
 
The data, which was published in April last year, was viewable for over 19 weeks until the error was reported by a member of the public. During this time, the website received approximately 21,000 visits and the spreadsheet was viewed 300 times.

The ICO’s investigation found that the Trust’s staff had been given no guidance on what information should not be published online, and that the Trust had inadequate checks in place to identify potential problems before material went live.
 
Stephen Eckersley, the ICO’s head of enforcement, said the breach was “extremely troubling” and “entirely avoidable”. “We regularly speak with organisations across the health service to remind them of the need to look after people’s data,” he said.
 
“Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud. While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information. We are pleased that the Trust are now taking action to keep their employees’ details secure.”
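The two points above, the missing pre-publication check and the ICO’s remark that equality and diversity data can be published in aggregated form, can be turned into a concrete gate. The script below is an added example, not code from the ICO, the Trust or the original article: it refuses to release row-level data, flags columns that carry direct identifiers either by header name or by the shape of their values (so a column renamed “NI No.” is still caught), and emits only per-category counts with small cells suppressed. The column names, the constructed sample rows, the NI numbers and the suppression threshold are assumptions for illustration.

```python
"""Pre-publication check for a staff equality and diversity spreadsheet.

Added example; not the ICO's or the Trust's own process. Column names,
the constructed sample rows and the suppression threshold are assumptions.
"""
import csv
import io
import re
from collections import Counter

# Columns that identify an individual directly: never publish these.
DIRECT_IDENTIFIERS = {"name", "national insurance number", "date of birth"}
# Special-category data: publish only as aggregate counts.
SPECIAL_CATEGORY = {"sexual orientation", "religious beliefs"}

# UK National Insurance number: two prefix letters, six digits, suffix A-D.
# D, F, I, Q, U, V are never used as prefix letters, O never as the second
# letter, and the prefixes BG, GB, KN, NK, NT, TN, ZZ are not allocated.
NINO_RE = re.compile(
    r"^(?!BG|GB|KN|NK|NT|TN|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]$"
)
# Dates of birth in ISO or UK day/month/year form.
DOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$|^\d{2}/\d{2}/\d{4}$")

# Constructed sample with the column set described in the article; the NI
# column has been renamed so that only the value-pattern check catches it.
SAMPLE_CSV = """\
Name,Sexual orientation,Religious beliefs,NI No.,Date of birth
A. Example,Heterosexual,Christian,AB123456C,1975-03-01
B. Example,Gay,None,CE654321A,1982-11-30
C. Example,Heterosexual,Muslim,JK111222B,1990-07-15
D. Example,Bisexual,Christian,MN333444D,1968-01-20
E. Example,Heterosexual,Christian,PR555666A,1979-09-09
F. Example,Heterosexual,None,SW777888B,1985-02-14
G. Example,Gay,Christian,XY999000C,1991-12-02
H. Example,Heterosexual,None,EH121212D,1973-06-21
"""

SMALL_COUNT = 3  # assumed threshold: suppress cells below this count


def find_identifying_columns(rows):
    """Return column names carrying direct identifiers, detected either by
    header name or because every non-empty value looks like an NI number
    or a date of birth."""
    if not rows:
        return []
    flagged = set()
    for col in rows[0].keys():
        if col.strip().lower() in DIRECT_IDENTIFIERS:
            flagged.add(col)
            continue
        values = [(r[col] or "").strip() for r in rows]
        values = [v for v in values if v]
        if values and all(
            NINO_RE.match(v.replace(" ", "").upper()) or DOB_RE.match(v)
            for v in values
        ):
            flagged.add(col)
    return sorted(flagged)


def aggregate(rows, column, small_count=SMALL_COUNT):
    """Count responses in one special-category column, replacing any
    count below small_count with a suppressed marker."""
    counts = Counter((r[column] or "").strip() for r in rows)
    return {
        k: (v if v >= small_count else "<%d" % small_count)
        for k, v in counts.items()
    }


def prepare_for_publication(csv_text):
    """Never return row-level data: report which columns were blocked and
    hand back only the aggregate tables that are safe to publish."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    blocked = find_identifying_columns(rows)
    aggregates = {
        col: aggregate(rows, col)
        for col in (rows[0].keys() if rows else [])
        if col.strip().lower() in SPECIAL_CATEGORY
    }
    return {"rows": len(rows), "blocked_columns": blocked, "aggregates": aggregates}


if __name__ == "__main__":
    result = prepare_for_publication(SAMPLE_CSV)
    print("blocked:", result["blocked_columns"])
    for col, table in result["aggregates"].items():
        print(col, table)
```

Running it on the sample blocks the name, the renamed NI column and the date of birth, and publishes only counts: five heterosexual respondents and four Christian and three “None” responses survive, while every category with fewer than three respondents is shown as “<3” so that no individual in a small team can be singled out by cross-referencing. The gate is a check on the output artifact, which is the control the Trust lacked: the spreadsheet itself never reaches the web server.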
 
The NHS has traditionally been one of the worst offenders for data breaches, perhaps because of the sensitive nature of the data it handles. Until recently, however, the ICO had not issued any fines to the NHS.

That changed in June, when it issued a Civil Monetary Penalty (CMP) of £325,000, the highest amount since it was granted the power to issue CMPs in April 2010, to Brighton and Sussex University Hospitals NHS Trust after patients’ medical records were sold on hard drives through an Internet auction site in October and November 2010.

