The Information Commissioner's Office (ICO) has imposed a monetary penalty of 175,000 on an NHS Trust in Torquay after the sensitive details of over 1,000 employees were published accidentally on the Trust’s website.
Staff at Torbay Care Trust published the information in a spreadsheet on their website in April 2011 and only spotted the mistake when it was reported by a member of the public 19 weeks later.
The data covered the equality and diversity responses of 1,373 staff and included individuals’ names, dates of birth and national insurance numbers, along with sensitive information about the person’s religion and sexuality.
The ICO’s investigation found that the Trust had no guidance for staff on what information should not be published online and had inadequate checks in place to identify potential problems.
“The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable," said Stephen Eckersley, head of enforcement at the ICO.
ICO data breach fines ICO issues first monetary penalty to the NHS Lush escapes ICO monetary penalty after thousands of customer details were exposed ICO hits NHS Trust with biggest penalty to date NHS Trust to appeal 375k data loss penalty Many UK organisations still failing on the basics of data protection, says ICO ICO failure to punish Lush for data breach 'sends wrong message' Data Protection Act: Penalties limited, but expect more audits ICO hits Ealing and Hounslow councils with 150,000 fines for laptop theft ICO fines Midlothian Council 140K for data breaches
"Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud," he said.
While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for releasing their personal information, said Eckersley.
The Trust has undertaken to take steps to keep employee details secure, including the implementation of a web management policy to ensure personal data is not published on the website in the future.
The biggest penalty to be imposed by the ICO since it was granted the power to issue civil monetary penalties of up to 500,000 is 325,000.
It was issued against the Brighton and Sussex University Hospitals NHS Trust in June after highly sensitive personal data belonging to tens of thousands of patients and staff was discovered on hard drives sold on internet auction site eBay in October and November 2010.
However, the trust disputes the ICO's findings, especially that it was negligent, and is preparing to appeal to the Information Tribunal in one of the first challenges by a public sector organisation against a penalty issued by the ICO.