Devon health trust fined
A health body in Devon has been handed a six-figure penalty after publishing sensitive personal details of more than 1,000 NHS staff on the internet.
Employees with the Torbay Care Trust (TCT) found details of their sexual orientation and religious beliefs were published online, alongside their name, date of birth, pay scale and National Insurance number. The published information did not contain any patient or clinical data, the trust said. TCT was handed a £175,000 penalty following the investigation by the Information Commissioner's Office (ICO), which described the data breach as "serious" and "extremely troubling".
The ICO said the trust published the information in a spreadsheet on its website in April 2011, and only spotted the mistake when it was reported by a member of the public 19 weeks later. It was estimated that the spreadsheet was viewed 300 times during that period, although investigators were unable to identify all of those who accessed the information.
The ICO's investigation found that the trust had no guidance for staff on what information should not be published online and had inadequate checks in place to identify potential problems. Stephen Eckersley, ICO head of enforcement, said: "The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable. Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud. While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information. We are pleased that the trust is now taking action to keep its employees' details secure."
The ICO said it had not received any complaints from NHS employees, adding that it was not aware of any previous data breaches at the trust, which has now introduced a new web management policy to make sure personal data is not mistakenly published on the internet.
Apologising to staff, TCT chief executive Anthony Farnsworth said: "This was an organisational issue, in which the absence of sufficient checks within our processes made an error possible, and we have treated this with the utmost seriousness. We have since implemented far more robust procedures for managing staff information to make this more secure, and to remove the risk of any such incidents occurring in the future."