Out-Law News

Devon health trust fined £175,000 after accidentally publishing personal details of 1,000 staff


A health trust in Torquay has been fined £175,000 after accidentally publishing the "sensitive details" of over 1,000 members of staff on its website, the Information Commissioner's Office (ICO) has announced.

The "entirely avoidable" error, which saw a spreadsheet containing the equality and diversity responses of 1,373 staff published on the website of Torbay Care Trust, was only spotted when it was reported by a member of the public 19 weeks later, the ICO said.

An investigation by the data protection watchdog after the breach, which occurred in April 2011, found that the Trust had no guidance for staff on what information should not be published online and did not have adequate checks in place to identify potential problems. The amount of the penalty reflected the "very serious" nature of the breach, it said in its notice (10-page / 1.3MB PDF).

The published information included "sensitive" information about the employees' religion and sexuality, as well as names, dates of birth and National Insurance numbers. In its notice, the ICO said that the page containing the spreadsheet received around 300 visits while the document was available online; however, it was unable to ascertain how many times the spreadsheet itself had been accessed.

The ICO said that it was unaware of any previous, similar breaches by the Trust and that no staff members had raised complaints.

The Trust was in breach of the provisions of the Data Protection Act (DPA) requiring organisations to take "appropriate organisational measures" against unauthorised use of personal data, including having "effective policies and procedures in place to control its use and further dissemination". The breach was particularly serious due to the nature of the data, which the ICO said was "of a kind likely to cause substantial damage and/or substantial distress".

The ICO has the power to issue penalties of up to £500,000 for breaches of the DPA.

Stephen Eckersley, head of enforcement with the ICO, described the breach as "extremely troubling". In addition to the sensitive information, the published details left staff open to the threat of identity fraud, he said.

"We regularly speak with organisations across the health service to remind them of the need to look after people's data," he said. "While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information."

The watchdog was "pleased" that the Trust had since introduced a new web management policy to ensure that personal data was not mistakenly published on their website in future, he added.

Anthony Farnsworth, who was head of the Trust at the time, told the BBC that the breach was an "organisational issue" made possible due to a lack of sufficient checks within its processes.

"We have since implemented far more robust procedures for managing staff information to make this more secure, and to remove the risk of any such incidents occurring in the future," he said. "We are of course disappointed that the Information Commissioner has found it necessary to impose a fine for this incident, but we accept the findings. Provision was made to potentially pay such a fine, so there is no effect on budgets for staff, or health and social care services."
