NHS trust in South West handed third highest fine for data breach

The Information Commissioner’s Office has fined a health trust in the South West £175,000 for a data protection breach when it published sensitive details on more than 1,000 employees online.

The incident at Torbay Care Trust saw data on its employees published in a spreadsheet on its website in April 2011. A member of the public alerted the trust to the mistake 19 weeks later.

The information covered the equality and diversity responses of 1,373 staff. This included their names, dates of birth and National Insurance numbers. There was also information about individuals’ ‘disabled’ status, ethnicity, religious belief and sexual orientation.

The web page containing the spreadsheet received approximately 300 visits.

Torbay was unable to establish how often the actual spreadsheet was accessed by the public. The ICO said it understood that 32 of the visits to the website were from unidentified IP addresses.

As soon as the Trust became aware of the breach, it removed the spreadsheet from the website. A third party deleted all of the cached information.

The ICO said the Trust had no guidance for staff on what information should be published online. Its investigation also revealed inadequate checks were in place to identify potential problems.

In the monetary penalty notice, the watchdog said the contravention was “especially serious because of the large number of employee records involved and the confidential and sensitive nature of the personal data”.

It also took the view that there was the potential for damage in the form of identity fraud and possible financial loss.

The Trust has taken remedial action, including the introduction of a new web management policy and the implementation of a formal process governing requests for information from the electronic staff records system.

The penalty imposed on Torbay is the third highest so far levied by the ICO.

The two organisations that received the higher fines were also NHS bodies. The record amount, £325,000, was served on Brighton and Sussex University Hospitals NHS Trust in June this year. BSUH initially considered an appeal over the fine, but later decided to pay up in time to receive a discount.

In the same month the Belfast Health and Social Care Trust was ordered to pay £225,000 after failures to keep data held at a disused property secure. 

Stephen Eckersley, the ICO’s Head of Enforcement, said: “We regularly speak with organisations across the health service to remind them of the need to look after people’s data. The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable. Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud.

“While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information.”

Anthony Farnsworth, who was Chief Executive of Torbay Care Trust at the time of the breach, before the organisation was split into separate commissioner and provider bodies, said: “This was an organisational issue, in which the absence of sufficient checks within our processes made an error possible, and we have treated this with the utmost seriousness.
 
“We have no evidence that the information was accessed by anyone other than the individual who reported it, and it was removed as soon as it was brought to our attention. Nevertheless, we reported the incident both to our staff and to the Information Commissioner as quickly as possible.”

Farnsworth said the Trust had, following the incident, implemented “far more robust” procedures for managing staff information.

He added: “We are of course disappointed that the Information Commissioner has found it necessary to impose a fine for this incident, but we accept the findings and will be taking advantage of the early payments discount to minimise the financial impact of the fine. Provision was made to potentially pay such a fine, so there is no effect on budgets for staff, or health and social care services.
 
“It is important to clarify that this information did not contain any clinical or patient data. Neither have we received any evidence to suggest the information has been used inappropriately.”

The fine imposed will be reduced to £140,000 if the Trust pays up by 31 August 2012.