A health trust in Devon has been fined £175,000 after it published personal details of many of its employees on its website.
Torbay Care Trust, based in Torquay in Devon, published a spreadsheet on its website containing the names, dates of birth, National Insurance numbers and information regarding sexuality and religion of 1,373 members of staff. The data was part of an equality and diversity questionnaire the Trust had asked staff to fill in.
The spreadsheet was uploaded to the website in April 2011, and, worryingly, it was not spotted by any members of staff. The Trust only became aware of the error when it was spotted by a member of the public 19 weeks later, the ICO said.
During that time, that section of the site received 21,000 hits and the spreadsheet was viewed around 300 times, although the ICO said its investigations were unable to determine how many times members of the public saw the information. However, the data controller for Torbay Care Trust said 32 of the hits on the spreadsheet were from unidentified IP addresses.
The ICO’s report into the error also revealed the spreadsheet was removed from the site as soon as the Trust became aware and that to date, no complaints have been received.
The ICO said the Trust had no guidance in place for what information should and should not be published online and that adequate checks were not in place to spot potential data privacy breaches.
"We regularly speak with organisations across the health service to remind them of the need to look after people’s data. The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable," said Stephen Eckersley, head of enforcement.
"Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud," he added.
The financial penalty of £175,000 is one of the biggest fines the ICO has handed out. The largest currently stands at £325,000, given to Brighton and Sussex University Hospitals NHS Trust after hard drives containing sensitive information on patients and staff were sold online. The Trust is appealing the decision, arguing that it was the victim of a crime as the hard drives were stolen.
Belfast Health and Social Care Trust was fined £225,000 after patient files were photographed and posted online. The Trust also failed to notify the ICO of the breach.
Powys County Council, Midlothian Council and Croydon Council have also been fined over £100,000 for breaches of the Data Protection Act (DPA). Away from the public sector, loan company Welcome Financial Services was fined £150,000 after it lost two backup tapes containing personal details of half a million customers.