In March 2014, Blackpool Teaching Hospitals NHS Foundation Trust inadvertently published workers’ confidential data, including their National Insurance numbers, dates of birth, religious beliefs and sexual orientation.
The Trust failed to notice the mistake for ten months, and then took a further five months to alert affected staff.
Commenting on the case, Stephen Eckersley (head of enforcement at the ICO) said: “This NHS Trust played fast and loose with the highly sensitive and private information that was entrusted to it. It seems the duty to put rules in place to protect staff who deliver hospital services to others was ignored. Any measures taken to protect this information from reaching the public domain were either woefully inadequate or non-existent. The fact that the error went unnoticed for so long beggars belief.”
The personal information was volunteered by staff as part of the Trust’s commitment to publish annual equality and diversity metrics on its website, but the Trust failed to notice the published spreadsheets also contained hidden data that became visible by simply double-clicking the table. This is how the personal details of individual members of staff were revealed.
Eckersley added: “There was a need for robust measures to safeguard against this kind of disclosure. I can see no good reason for that not happening, and that’s why we’ve taken the necessary enforcement action.”
The ICO’s blog: “Now You Don’t See It, Now You Do – The Dangers of Hidden Data” was published in November last year alongside new guidance put together to offer practical advice on what to look out for when providing information in different formats.
This isn’t the first time the ICO has fined an organisation for inadvertently publishing hidden data. Torbay NHS Trust (July 2012) and Islington Council (August 2013) have both received penalties for similar mistakes.
Council rapped for data protection failings
A Scottish Council has been rapped by the ICO for repeatedly failing to train staff around data protection matters.
West Dunbartonshire Council was told to implement training on several occasions, as well as being advised to put in place a policy around home working, but its failure to do so ultimately contributed towards a data breach that led to a child’s medical reports being stolen.
The ICO carried out an audit of the Council in January 2013. That audit gave a reasonable assurance of the Council’s compliance with the law, but made recommendations for areas that needed improvement, including training for all staff and adopting a home working procedure.
A follow-up audit in November 2013 showed progress, but also highlighted the fact that some of the recommendations still hadn’t been implemented.
In July 2014, the Council reported a data breach to the ICO after an employee had a bag containing confidential information stolen. The employee had taken details of an adoption case out of the office to work on them from home, but a laptop and paperwork left in their car overnight were subsequently stolen.
An ICO investigation found the employee hadn’t been given training on the Data Protection Act, and that the Council still had no guidance in place for staff on handling personal information when working from home. The Council avoided a fine as the breach didn’t cause either substantial damage or distress.
West Dunbartonshire Council has now been issued with an enforcement notice obliging it to implement training and guidance, or otherwise face court action.
Ken Macdonald, the Assistant Information Commissioner for Scotland, said: “Time and time again we’ve told this Council to make these changes, and yet they’ve still not completed everything we set out. We’ve been left with no choice but to issue this formal notice requiring action to be taken.”
Macdonald added: “Let’s be clear. What we’re asking for here is a basic requirement for an organisation that’s trusted with large amounts of local people’s personal data. When people in Dunbartonshire provide the Council with their details, they expect staff are trained to handle this information properly. Unfortunately, more than three years after this point was made clear to the Council, this still hasn’t happened.”
*The ICO is the regulatory body in Scotland for data protection issues. Ken Macdonald leads its offices in Scotland and Northern Ireland. Scotland also has its own Information Commissioner to regulate the Freedom of Information (Scotland) Act that covers Scottish public authorities