Sensitive details of NHS staff published by Trust in Devon
News release: 6 August 2012
A health trust in Torquay has been served with a £175,000 penalty after the sensitive details of over 1,000 employees were accidentally published on the Trust’s website, the Information Commissioner’s Office (ICO) announced today.
Staff at Torbay Care Trust published the information in a spreadsheet on their website in April 2011 and only spotted the mistake when it was reported by a member of the public 19 weeks later. The data covered the equality and diversity responses of 1,373 staff and included individuals’ names, dates of birth and National Insurance numbers, along with sensitive information about the person’s religion and sexuality.
The ICO’s investigation found that the Trust had no guidance for staff on what information shouldn’t be published online and had inadequate checks in place to identify potential problems.
Stephen Eckersley, Head of Enforcement, said:
“We regularly speak with organisations across the health service to remind them of the need to look after people’s data. The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable. Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud.
“While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information. We are pleased that the Trust are now taking action to keep their employees’ details secure.”
The Trust has now introduced a new web management policy to make sure personal data is not mistakenly published on their website in the future.
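The two failures the ICO identifies, no guidance on what must not go on the website and no check that would have caught a 1,373-row spreadsheet of names and National Insurance numbers before it was published, are the kind a publishing workflow can enforce mechanically. The following Python script is an added example and is not the Trust's policy or anything from the ICO notice: it scans a CSV export before upload, flags columns that look like direct identifiers (names, dates of birth, NI numbers) or special-category data published alongside them, and produces the aggregated form the ICO says is acceptable, with small counts suppressed. The column names, the sample rows and the NI-number format rules in the code are assumptions for illustration.

```python
"""Pre-publication check for a spreadsheet export (CSV) before it is put on a
public website. Added example; not code from Torbay Care Trust or the ICO.
Column names, sample rows and the NI-number format rules are assumptions."""
import csv
import io
import re
from collections import Counter

# UK National Insurance number: two prefix letters, six digits, suffix A-D.
# Prefix rules used here (D, F, I, Q, U, V never used as either letter, O not
# used as the second letter, BG/GB/KN/NK/NT/TN/ZZ not allocated) follow the
# HMRC format as the author understands it; treat them as an assumption.
NINO_RE = re.compile(
    r"^(?!BG|GB|KN|NK|NT|TN|ZZ)"
    r"[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]$"
)
# Common day/month/year and ISO date layouts; a column full of these next to
# names is almost certainly a date-of-birth column.
DOB_RE = re.compile(r"^\d{1,2}[/-]\d{1,2}[/-]\d{2,4}$|^\d{4}-\d{2}-\d{2}$")

# Header words that mark a direct identifier or special-category data.
# Assumed list; extend it for your own exports.
SENSITIVE_HEADERS = {
    "direct identifier": ("name", "forename", "ni number", "national insurance",
                          "nino", "date of birth", "dob", "payroll",
                          "employee number", "staff number"),
    "special category": ("religion", "belief", "sexual", "sexuality", "ethnic",
                         "disability", "health", "trade union"),
}


def classify_column(header, values, threshold=0.5):
    """Return the reasons a column must not be published as-is (empty if none)."""
    reasons = []
    h = header.strip().lower()
    for category, words in SENSITIVE_HEADERS.items():
        if any(w in h for w in words):
            reasons.append(f"{category} header '{header}'")
            break
    cells = [v.strip() for v in values if v and v.strip()]
    if cells:  # value-based checks catch identifiers hiding under bland headers
        nino_hits = sum(1 for v in cells if NINO_RE.match(v.upper()))
        dob_hits = sum(1 for v in cells if DOB_RE.match(v))
        if nino_hits / len(cells) >= threshold:
            reasons.append(f"{nino_hits}/{len(cells)} cells look like NI numbers")
        if dob_hits / len(cells) >= threshold:
            reasons.append(f"{dob_hits}/{len(cells)} cells look like dates")
    return reasons


def scan_csv(text):
    """Map each offending column to its reasons; an empty dict means publishable.

    Special-category columns are only a finding when the same file also carries
    something that identifies a person: a table of counts by religion is the
    aggregated form the ICO accepts, the same column beside names is not.
    """
    rows = list(csv.DictReader(io.StringIO(text)))
    if not rows:
        return {}
    findings = {h: classify_column(h, [r[h] for r in rows]) for h in rows[0]}
    findings = {h: r for h, r in findings.items() if r}
    identifies_people = any(not x.startswith("special category")
                            for r in findings.values() for x in r)
    return findings if identifies_people else {}


def aggregate(text, column, min_count=5):
    """Counts per response for one column, with small cells suppressed so the
    published figures cannot be traced back to individual staff."""
    rows = list(csv.DictReader(io.StringIO(text)))
    counts = Counter(r[column].strip() for r in rows)
    return {k: (v if v >= min_count else f"<{min_count}") for k, v in counts.items()}


# Constructed sample in the shape the notice describes (names, dates of birth,
# NI numbers, religion, sexuality). Every value is invented.
SAMPLE = """Name,Date of Birth,NI Number,Department,Religion,Sexual Orientation
A. Example,01/02/1970,AB123456C,Nursing,None,Heterosexual
B. Example,1985-11-30,JK 12 34 56 B,Admin,Christian,Prefer not to say
C. Example,14/07/1962,CE654321A,Nursing,None,Gay
D. Example,1978-03-09,RT112233D,Estates,Christian,Heterosexual
E. Example,30-12-1990,WX998877B,Admin,None,Bisexual
F. Example,05/05/1988,PL445566A,Nursing,Muslim,Heterosexual
"""

if __name__ == "__main__":
    for column, reasons in scan_csv(SAMPLE).items():
        print(f"BLOCK {column}: {'; '.join(reasons)}")
    print("Publishable aggregate:", aggregate(SAMPLE, "Religion", min_count=2))
```

Run against the constructed sample, the scan blocks the name, date of birth, NI number, religion and sexual orientation columns and leaves the department column alone; a two-column table of counts by religion passes, because nothing in it identifies a person. The value-based checks matter as much as the header words: an export where the NI number column has been renamed "Ref" still trips the pattern match, which is the kind of check the notice says the Trust did not have.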
Notes to Editors
1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
3. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection
4. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
5. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).
6. For more information, please contact the ICO press office on 0303 123 9070.