ICO hits NHS trust with £175,000 fine for 'avoidable' breach

ICO hits NHS trust with £175,000 fine for 'avoidable' breach

Compromised personal data of 1,373 staff on website

Article comments

The Information Commissioner’s Office (ICO) has issued a swingeing £175,000 fine on a health trust that published a spreadsheet containing sensitive information on 1,400 employees on its website.

The breach came to light in August 2011 when a member of the public reported that the document on the website of Torbay Care Trust (TCT) in Devon contained personal data for 1,373 employees, including their name, date of birth, pay scale and National Insurance number.

Other data leaked included ethnicity, sexual orientation, disability status and religious beliefs. Originally posted in error in April, the issue only came to light 19 weeks later, by which time the web page containing it had been accessed 300 times, including 32 times from unidentified IP addresses.

The publication seems to have occurred after a mix-up over the extent of the information that should have been included, leaving the trust nursing a humiliating rebuke for poor internal processes and lax controls.

“The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable,” said the ICO.

“Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud,” the judgment continued.

“While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information.”

Torbay Care Trust head Anthony Farnsworth reportedly apologised for the error.

"This was an organisational issue, in which the absence of sufficient checks within our processes made an error possible, and we have treated this with the utmost seriousness.

"We are of course disappointed that the information commissioner has found it necessary to impose a fine for this incident, but we accept the findings. Provision was made to potentially pay such a fine, so there is no effect on budgets for staff, or health and social care services,” he was reported to have said.

Although steep by historical standards, the fine is still smaller than the £325,000 penalty slapped on Brighton and Sussex University Hospitals NHS Trust in June for failing to properly dispose of a large number of old hard drives. 



  • Guest NHS
Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
* *