Health Trust Fined £175k After Website Gaffe

Torbay Care Trust in Torquay has been fined £175,000 after it accidentally published details relating to over 1000 members of staff on its website.

A spreadsheet was placed on the Trust’s website in April 2011, but it took 19 weeks for anyone to notice. The exposed data comprised the equality and diversity responses of 1,373 employees, including individuals’ names, dates of birth and National Insurance numbers. Information on their religion and sexuality was also revealed.

Stephen Eckersley, head of enforcement at the Information Commissioner’s Office (ICO), said the breach was “entirely avoidable”.

“Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud,” he added. “While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information.”

Trust ‘disappointed’

The health trust said it was “disappointed” by the fine, but accepted it, confirming it would be taking advantage of the early payments discount offered by the ICO. That will reduce the penalty to £140,000.

“Provision was made to potentially pay such a fine, so there is no effect on budgets for staff, or health and social care services,” said Anthony Farnsworth, who was chief executive of Torbay Care Trust at the time of the breach.

“It is important to clarify that this information did not contain any clinical or patient data. Neither have we received any evidence to suggest the information has been used inappropriately.

“The Care Trust has always had extremely hard working and dedicated staff, so it is of particular regret that in this instance we failed in our responsibilities to them. I would like to apologise, again, to these individuals for any concern that has been caused.”

The body has implemented a new web management policy to make sure personal data is not mistakenly published on its website again.

Other NHS bodies have not been so accepting of ICO-enforced fines. When Brighton and Sussex University Hospitals NHS Trust was set to be hit with a £375,000 penalty, after hard drives containing patient data were handed over to a registered contractor for destruction only to end up for sale on eBay, it decided to appeal.

In June, when the fine was cut to £325,000, the Trust said its representations to the ICO were ignored, even after a freedom of information request was sent to the watchdog, which was refused on the basis that it would “prejudice the monetary penalty process”. The appeal is yet to be heard.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
