Trust fined for publishing staff details

  • 6 August 2012

Torbay Care Trust has been fined £175,000 after accidentally publishing sensitive details of more than 1,300 employees on its website.

The fine is the sixth handed down to an NHS trust by the Information Commissioner’s Office since April, taking the total close to £1m.

Staff at Torbay Care Trust published the information in a spreadsheet on their website in April 2011, and only spotted the mistake when it was reported by a member of the public 19 weeks later.

The data covered the equality and diversity responses of 1,373 staff and included people’s names and National Insurance numbers, as well as sensitive information about their religion and sexuality.

During the time the data was available, the webpage with the spreadsheet received about 300 visits.

The trust’s data controller was not able to say how often the spreadsheet was actually accessed by the public, but the ICO understands that 32 visits were from unidentified IP addresses.

The ICO’s investigation found that the Torquay trust had no guidance for staff on what information should not be published online and that it had inadequate checks in place to identify potential problems.

Head of enforcement Stephen Eckersley said the office regularly speaks with organisations across the health service to remind them of the need to look after people’s data.

“The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable,” he said.

“Not only were they giving sensitive information out about their employees, but they were also leaving them exposed to the threat of identity fraud.”

The chief executive of the trust at the time of the breach, Anthony Farnsworth, said there was no suggestion that the information was accessed by anybody other than the person who reported it.

However, he apologised to staff for any concern caused and said robust procedures were now in place to prevent it happening again.

“We are of course disappointed that the Information Commissioner has found it necessary to impose a fine for this incident, but we accept the findings and will be taking advantage of the early payments discount (20%) to minimise the financial impact of the fine,” he said.

“Provision was made to potentially pay such a fine, so there is no effect on budgets for staff, or health and social care services.”

Eckersley said that while organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information.

“We are pleased that the trust is now taking action to keep their employees’ details secure,” he said.
