Out-Law / Your Daily Need-To-Know

Out-Law News

ICO fines health body after 'hidden' staff data is mistakenly published


A health body in England has been fined £185,000 by the UK's data protection watchdog after it mistakenly published sensitive information about staff members online.

The Information Commissioner's Office (ICO) said that Blackpool Teaching Hospitals NHS Foundation Trust was responsible for a serious breach of the Data Protection Act.

The ICO said that the Trust mistakenly disclosed data about 6,574 members of staff past and present in March 2014 when it published a spreadsheet with equality and diversity metrics data in it. However, personal data such as employees' names, pay scales, National Insurance numbers and dates of birth, as well as details of employees' 'disabled' status, ethnicity, religious belief and sexual orientation, could be accessed by double-clicking on an area of the spreadsheet, the ICO said.

A staff member at the Trust only spotted the mistake on 30 January 2015. The ICO said that the Trust's breach of the DPA was aggravated by the fact it failed to notify affected staff of its mistake until May last year.

"The Trust ought reasonably to have known that there was a risk that this contravention would occur unless it ensured the process was governed by written procedures, undertaken by staff with appropriate training and that the spreadsheets were checked for hidden data prior to publication," the ICO said in its monetary penalty notice (17-page / 142KB PDF).

"This is an opportunity to remind data controllers who use spreadsheets that personal information can be hidden from plain sight," it said.

Stephen Eckersley, head of Enforcement at the ICO, said the Trust had "played fast and loose with the highly sensitive and private information that was entrusted to them". He said it "beggars belief" that the Trust's error "went unnoticed for so long".

"There was a need for robust measures to safeguard against this kind of disclosure," Eckersley said. "I can see no good reason for that not happening and that is why we have taken action."
