Health trust fined over data breach
Monday 06 August 2012
A health body has been handed a six-figure penalty after publishing sensitive personal details of more than 1,000 NHS staff on the internet.
Employees with the Torbay Care Trust (TCT) in Devon found details of their sexual orientation and religious beliefs were published online, alongside their name, date of birth, pay scale and National Insurance number. The published information did not contain any patient or clinical data, the trust said.
TCT was handed a £175,000 penalty today, following an investigation by the Information Commissioner's Office (ICO), which described the data breach as "serious" and "extremely troubling".
The ICO said the trust published the information in a spreadsheet on its website in April 2011, and only spotted the mistake when it was reported by a member of the public 19 weeks later.
It was estimated that the spreadsheet was viewed 300 times during that period, although investigators were unable to identify all of those who accessed the information.
The ICO's investigation found that the trust had no guidance for staff on what information should not be published online and had inadequate checks in place to identify potential problems.
Stephen Eckersley, ICO head of enforcement, said: "The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable.
"Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud.
"While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information. We are pleased that the trust is now taking action to keep its employees' details secure."
In its report, the ICO adds: "The contravention (of security) is serious because (the trust's data protection policies) did not ensure a level of security appropriate to the harm that might result from such unauthorised processing.
"If the data has in fact been accessed by untrustworthy third parties then it is likely that the contravention would cause further distress and also substantial damage to the data subjects such as exposing them to identity fraud and possible financial loss."
The ICO said it had not received any complaints from NHS employees, adding that it was not aware of any previous data breaches at the trust, which has now introduced a new web management policy to make sure personal data is not mistakenly published on the internet.
Apologising to staff, TCT chief executive Anthony Farnsworth said: "This was an organisational issue, in which the absence of sufficient checks within our processes made an error possible, and we have treated this with the utmost seriousness.
"We have since implemented far more robust procedures for managing staff information to make this more secure, and to remove the risk of any such incidents occurring in the future.
"We are of course disappointed that the Information Commissioner has found it necessary to impose a fine for this incident, but we accept the findings. Provision was made to potentially pay such a fine, so there is no effect on budgets for staff, or health and social care services.
"I would like to apologise, again, to these individuals for any concern that has been caused."
Civil liberties campaigners have condemned the body's decision to hold employees' personal information.
Nick Pickles, director of Big Brother Watch, said: "The best way to protect people's privacy is for only absolutely necessary information to be held. Why was a single record of people's salary, sexual orientation and religious views ever created?
"While fining the organisation does send a message to senior management, it is clear that some frontline staff are not taking these issues seriously and far more needs to be done to hold to account those responsible for errors and improve standards to stop small errors having a significant impact on patient privacy."