NHS trust hit with £175,000 fine for avoidable breach

The Information Commissioner’s Office (ICO) has issued a swingeing £175,000 fine on a health trust that published a spreadsheet containing sensitive information on 1,400 employees on its website.

The breach came to light in August 2011 when a member of the public reported that the document on the website of Torbay Care Trust (TCT) in Devon contained personal data for 1,373 employees, including their name, date of birth, pay scale and National Insurance number.

Other data leaked included ethnicity, sexual orientation, disability status and religious beliefs. Originally posted in error in April, the issue only came to light 19 weeks later, by which time the web page containing it had been accessed 300 times, including 32 times from unidentified IP addresses.

The publication seems to have occurred after a mix-up over the extent of the information that should have been included, leaving the trust nursing a humiliating rebuke for poor internal processes and lax controls.

“The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable,” said the ICO.

“Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud,” the judgment continued.

Related:

“While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information.”

Torbay Care Trust head Anthony Farnsworth reportedly apologised for the error.

"This was an organisational issue, in which the absence of sufficient checks within our processes made an error possible, and we have treated this with the utmost seriousness.

"We are of course disappointed that the information commissioner has found it necessary to impose a fine for this incident, but we accept the findings. Provision was made to potentially pay such a fine, so there is no effect on budgets for staff, or health and social care services,” he was reported to have said.

Although steep by historical standards, the fine is still smaller than the £325,000 penalty slapped on Brighton and Sussex University Hospitals NHS Trust in June for failing to properly dispose of a large number of old hard drives.