Blackpool NHS Trust fined £185,000 for publishing ultra-private data about staff
National Insurance numbers, sexual orientation, religious beliefs. You name it, they published it
Blackpool Teaching Hospital NHS Foundation Trust has been hit with a £185,000 fine by the Information Commissioner's Office (ICO) for inadvertently publishing the private details of 6,574 members of staff.
The details included their National Insurance number, date of birth, religious belief and sexual orientation.
The Trust is required to publish equality and diversity metrics annually on its external website. In February 2014, the equality and diversity lead in HR had asked the electronic staff records team for the equality and diversity metrics. These were sent over by 3 March 2014, but the team had not removed the underlying source data that Excel stores behind its pivot tables, as they were not aware of this feature.
The lead then forwarded the spreadsheets to the web services team, asking it to upload them to the trust's website. The web services team uploaded the spreadsheets and the associated data was inadvertently published on the Trust's website on 4 March 2014.
In January last year, the equality and diversity lead asked the electronic staff records team for these metrics as usual. A team member decided to search the trust's website to check the format of the Excel spreadsheets for 2014 so that they could be replicated. In the process, it was discovered that data on leavers, protected groups and equality pay bands could all be accessed via the pivot table.
The spreadsheets contained confidential and sensitive personal data relating to 6,574 employees (some of whom had left) including names, pay scale, National Insurance number, date of birth, ethnicity, religious belief, 'disabled' status and sexual orientation.
The spreadsheets had been publicly available on the trust's website for 11 months, during which time the pivot tables were accessed at least 59 times by 20 different visitors.
According to the ICO, the associated data was also downloaded by more than one unknown person, on several occasions.
The ICO found that the trust had contravened the Data Protection Act, particularly because it had no procedure in place for governing requests for information from the electronic staff records (ESR) system to control its use and further dissemination.
It also didn't provide the team with any - or at least any adequate - training on the functionality of Excel spreadsheets or possible alternatives. In addition, the Trust had in place no guidance for the web services team to check the spreadsheets or hidden data before they were uploaded to its website.
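The check the web services team lacked can be automated, since an .xlsx file is a ZIP archive and any pivot table's cached source data sits in its own xl/pivotCache/ parts. The following is an added example, not the Trust's or the ICO's own tooling: it lists every pivot cache in a workbook and reports how many source rows and distinct field values are still embedded, using a small workbook it constructs itself for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def audit_pivot_caches(xlsx_bytes: bytes) -> list:
    """One finding per pivot cache: does it embed rows, and how many values."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            m = re.fullmatch(r"xl/pivotCache/pivotCacheDefinition(\d+)\.xml", name)
            if not m:
                continue
            root = ET.fromstring(zf.read(name))
            # saveData defaults to true: source rows are embedded unless it is "0"
            save_data = root.get("saveData", "1") not in ("0", "false")
            # distinct per-field values sit in the definition even when rows do not
            shared = len(root.findall(".//m:cacheField/m:sharedItems/*", NS))
            records = f"xl/pivotCache/pivotCacheRecords{m.group(1)}.xml"
            rows = 0
            if records in names:
                rows = len(ET.fromstring(zf.read(records)).findall("m:r", NS))
            findings.append({"cache": name, "save_data": save_data,
                             "cached_rows": rows, "shared_items": shared})
    return findings

def publishable(xlsx_bytes: bytes) -> bool:
    """False if any pivot cache still carries source rows or field values."""
    return all(f["cached_rows"] == 0 and f["shared_items"] == 0
               for f in audit_pivot_caches(xlsx_bytes))

def build_sample_workbook(with_records: bool, with_pivot: bool = True) -> bytes:
    """Constructed minimal workbook (not a real Trust file): one cache, two staff rows."""
    defn = (f'<pivotCacheDefinition xmlns="{NS["m"]}" saveData="{int(with_records)}">'
            '<cacheFields count="2"><cacheField name="Name"><sharedItems>'
            '<s v="A. Example"/><s v="B. Example"/></sharedItems></cacheField>'
            '<cacheField name="PayBand"><sharedItems/></cacheField></cacheFields>'
            '</pivotCacheDefinition>')
    recs = (f'<pivotCacheRecords xmlns="{NS["m"]}" count="2">'
            '<r><x v="0"/><n v="5"/></r><r><x v="1"/><n v="6"/></r></pivotCacheRecords>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_pivot:
            zf.writestr("xl/pivotCache/pivotCacheDefinition1.xml", defn)
        if with_pivot and with_records:
            zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", recs)
    return buf.getvalue()
```

Unticking Excel's "Save source data with file" only drops the row records; the distinct values of each field remain in the cache definition, which is why the check also counts shared items. The safe export for a public website is a values-only copy with no pivot table at all.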
If the Trust pays the full monetary penalty by 31 May 2016, the Commissioner will reduce the fine by 20 per cent, to £148,000. However, an early payment 'discount' won't be available if the trust decides to exercise its right of appeal.