NHS Trust fined £175,000 for 'entirely avoidable' data breach

ICO gives penalty to Torbay Care Trust

The Information Commissioner's Office (ICO) has fined Torbay Care Trust (TCT) £175,000 for a data breach it said was "entirely avoidable".

The Trust, based in Devon, had published "sensitive details" of over 1,000 employees on its website in April 2011, the ICO said.

The details were found in a spreadsheet on the website and the Trust was only made aware of the mistake when it was reported by a member of the public 19 weeks after being published.

The data comprised the equality and diversity responses of 1,373 staff, which included individuals' names, dates of birth and National Insurance numbers, as well as information about religion and sexuality.

The ICO said that its investigation found that TCT issued no guidance to staff on the information that should not be published online and did not have the necessary checks in place to identify potential problems.

Stephen Eckersley, head of enforcement at the ICO, emphasised the importance for NHS Trusts to ensure that they are not publishing sensitive data in the public domain.

"We regularly speak with organisations across the health service to remind them of the need to look after people's data. The fact that this breach was caused by TCT publishing sensitive information about their staff is extremely troubling and was entirely avoidable. Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud," he said.

"While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information. We are pleased that the Trust is now taking action to keep their employees' details secure," he added.

TCT has now introduced a new web management policy to make sure personal data is not published on its website in the future.
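The kind of pre-publication check the ICO found missing, as an added example that is not the Trust's own policy or any code from the article: a Python script that scans a spreadsheet export for direct identifiers (name and date-of-birth columns, National Insurance number patterns) before a file is allowed onto a website, and that reduces equality and diversity responses to aggregate counts with small categories suppressed, in line with the ICO's point that aggregated publication is acceptable. The column names, the four-row sample data and the minimum category size of 3 are constructed assumptions for the example.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample of a staff equality and diversity export of the kind
# described in the article. Every name and number here is invented.
SAMPLE_CSV = """name,date_of_birth,ni_number,religion,sexual_orientation
Alice Example,1980-01-02,AB123456C,None,Heterosexual
Bob Example,1975-05-06,CD654321A,Christian,Gay
Carol Example,1990-09-10,EF112233B,None,Heterosexual
Dan Example,1985-03-04,GH445566D,Muslim,Heterosexual
"""

# UK National Insurance number: two letters, six digits, optional A-D suffix.
# Kept deliberately loose so the check errs on the side of flagging.
NI_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]?\b")
# ISO (1980-01-02) or UK (02/01/1980) style dates, treated as possible DOBs.
DOB_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{2}/\d{2}/\d{4}\b")

# Column headings that should never appear in a file published to the web
# (assumed naming convention for this example).
DIRECT_IDENTIFIER_COLUMNS = {"name", "date_of_birth", "ni_number"}


def scan_for_identifiers(csv_text):
    """Return a list of (row, column, reason) findings.
    Row 0 is the header; data rows are numbered from 1."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for col in reader.fieldnames or []:
        if col.strip().lower() in DIRECT_IDENTIFIER_COLUMNS:
            findings.append((0, col, "direct identifier column"))
    for n, row in enumerate(reader, start=1):
        for col, value in row.items():
            if not value:
                continue
            if NI_RE.search(value):
                findings.append((n, col, "NI number pattern"))
            elif DOB_RE.search(value):
                findings.append((n, col, "date of birth pattern"))
    return findings


def safe_to_publish(csv_text):
    """True only when the scan raises no findings at all."""
    return not scan_for_identifiers(csv_text)


def aggregate(csv_text, column, min_count=3):
    """Count responses in one equality column and fold any category with
    fewer than min_count people into a single suppressed bucket, so that
    the published figures cannot single out an individual."""
    reader = csv.DictReader(io.StringIO(csv_text))
    counts = Counter(row[column] for row in reader)
    result = {}
    suppressed = 0
    for category, n in counts.items():
        if n >= min_count:
            result[category] = n
        else:
            suppressed += n
    if suppressed:
        result["(suppressed)"] = suppressed
    return result


def aggregate_csv(csv_text, column, min_count=3):
    """Render the aggregated counts as the CSV that would actually be published."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["category", "count"])
    for category, n in aggregate(csv_text, column, min_count).items():
        writer.writerow([category, n])
    return out.getvalue()


if __name__ == "__main__":
    for finding in scan_for_identifiers(SAMPLE_CSV):
        print("BLOCKED:", finding)
    print("raw file safe to publish:", safe_to_publish(SAMPLE_CSV))
    published = aggregate_csv(SAMPLE_CSV, "sexual_orientation")
    print(published)
    print("aggregated file safe to publish:", safe_to_publish(published))
```

Run against the raw export, the scan blocks the file on the header alone and again on every row; run against the aggregated output, it passes. In practice the scan would sit in the web publishing workflow as a gate that cannot be skipped, which is the "necessary check" the ICO describes, and the threshold in `aggregate` would be set by the organisation's own disclosure-control policy.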

In an interview in April with deputy Information Commissioner David Smith, Computing questioned the willingness of the ICO to levy fines against negligent organisations in the NHS. A week later, the ICO imposed its first fine on an NHS body - £70,000 against the Aneurin Bevan Local Health Board in Pontypool, South Wales, for sending a report with sensitive, personal information to the wrong patient.

The biggest fine to date from the ICO to an NHS body is £375,000 in a case against Brighton and Sussex University Hospitals NHS Trust. The fine, which is being contested by the Trust, comes after a batch of hard-disk drives that should have been destroyed by a contractor were sold on the auction website eBay.