Trust fined for publishing staff details
- 6 August 2012
Torbay Care Trust has been fined £175,000 after accidentally publishing sensitive details of more than 1,300 employees on its website.
The fine is the sixth handed down to an NHS trust by the Information Commissioner’s Office since April, taking the total close to £1m.
Staff at Torbay Care Trust published the information in a spreadsheet on their website in April 2011; and only spotted the mistake when it was reported by a member of the public 19 weeks later.
The data covered the equality and diversity responses of 1,373 staff and included people’s names and National Insurance numbers, as well as sensitive information about their religion and sexuality.
During the time the data was available, the webpage with the spreadsheet received about 300 visits.
The trust’s data controller was not able to say how often the spreadsheet was actually accessed by the public, but the ICO understands that 32 visits were from unidentified IP addresses.
The ICO’s investigation found that the Torquay trust had no guidance for staff on what information should not be published online and that it had inadequate checks in place to identify potential problems.
Head of enforcement Stephen Eckersley said the office regularly speaks with organisations across the health service to remind them of the need to look after people’s data.
“The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable,” he said.
“Not only were they giving sensitive information out about their employees, but they were also leaving them exposed to the threat of identity fraud.”
The chief executive of the trust at the time of the breach, Anthony Farnsworth, said there was no suggestion that the information was accessed by anybody other than the person who reported it.
However, he apologised to staff for any concern caused and said robust procedures were now in place to prevent it happening again.
“We are of course disappointed that the Information Commissioner has found it necessary to impose a fine for this incident, but we accept the findings and will be taking advantage of the early payments discount (20%) to minimise the financial impact of the fine,” he said.
“Provision was made to potentially pay such a fine, so there is no effect on budgets for staff, or health and social care services.”
Eckersley said that while organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information.
“We are pleased that the trust is now taking action to keep their employees’ details secure,” he said.