ICO fines NHS Trust £185,000 for publishing private details of thousands of staff online

A National Health Service Trust that posted the private details of no fewer than 6,574 members of staff on its website has been fined £185,000 by the Information Commissioner’s Office (ICO).

In March 2014, Blackpool Teaching Hospitals NHS Foundation Trust inadvertently published workers’ confidential data, including their National Insurance numbers, dates of birth, religious beliefs and sexual orientation.

The Trust failed to notice the mistake for ten months, and then took a further five months to alert affected staff.

Commenting on the case, Stephen Eckersley (head of enforcement at the ICO) said: “This NHS Trust played fast and loose with the highly sensitive and private information that was entrusted to it. It seems the duty to put rules in place to protect staff who deliver hospital services to others was ignored. Any measures taken to protect this information from reaching the public domain were either woefully inadequate or non-existent. The fact that the error went unnoticed for so long beggars belief.”

The personal information was volunteered by staff as part of the Trust’s commitment to publish annual equality and diversity metrics on its website, but the Trust failed to notice the published spreadsheets also contained hidden data that became visible by simply double-clicking the table. This is how the personal details of individual members of staff were revealed.

Eckersley added: “There was a need for robust measures to safeguard against this kind of disclosure. I can see no good reason for that not happening, and that’s why we’ve taken the necessary enforcement action.”

The ICO’s blog post “Now You Don’t See It, Now You Do – The Dangers of Hidden Data” was published in November last year alongside new guidance offering practical advice on what to look out for when providing information in different formats.

This isn’t the first time the ICO has fined an organisation for inadvertently publishing hidden data. Torbay NHS Trust (July 2012) and Islington Council (August 2013) have both received penalties for similar mistakes.

Council rapped for data protection failings

A Scottish Council has been rapped by the ICO for repeatedly failing to train staff on data protection matters.

West Dunbartonshire Council was told to implement training on several occasions, and was also advised to put in place a policy on home working, but its failure to do so ultimately contributed to a data breach that led to a child’s medical reports being stolen.

The ICO carried out an audit of the Council in January 2013. That audit gave a reasonable assurance of the Council’s compliance with the law, but made recommendations for areas that needed improvement, including training for all staff and adopting a home working procedure.

A follow-up audit in November 2013 showed progress, but also highlighted the fact that some of the recommendations still hadn’t been implemented.

In July 2014, the Council reported a data breach to the ICO after an employee had a bag containing confidential information stolen. The employee had taken details of an adoption case out of the office to work on them from home, but a laptop and paperwork left in their car overnight were subsequently stolen.

An ICO investigation found the employee hadn’t been given training on the Data Protection Act, and that the Council still had no guidance in place for staff on handling personal information when working from home. The Council avoided a fine as the breach didn’t cause either substantial damage or distress.

West Dunbartonshire Council has now been issued with an enforcement notice obliging it to implement training and guidance, or otherwise face court action.

Ken Macdonald, the Assistant Information Commissioner for Scotland, said: “Time and time again we’ve told this Council to make these changes, and yet they’ve still not completed everything we set out. We’ve been left with no choice but to issue this formal notice requiring action to be taken.”

Macdonald added: “Let’s be clear. What we’re asking for here is a basic requirement for an organisation that’s trusted with large amounts of local people’s personal data. When people in Dunbartonshire provide the Council with their details, they expect staff are trained to handle this information properly. Unfortunately, more than three years after this point was made clear to the Council, this still hasn’t happened.”

*The ICO is the regulatory body in Scotland for data protection issues. Ken Macdonald leads its offices in Scotland and Northern Ireland. Scotland also has its own Information Commissioner, who regulates the Freedom of Information (Scotland) Act covering Scottish public authorities.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
