Health trust fined after posting private details of staff on its website

By The Press Association4th May 2016News EnglandData, News England, NHS, Workforce

A health trust has been hit with a £185,000 fine after it posted the private details of thousands of members of staff – including their sexual orientation – on its website.

Blackpool Teaching Hospitals NHS Foundation Trust inadvertently published workers’ confidential data which also included their National Insurance number, date of birth and religious beliefs in March 2014, watchdogs revealed.

The organisation failed to notice the mistake for 10 months and then took a further five months to alert affected staff, the Information Commissioner’s Office (ICO) said as it announced the penalty.

Stephen Eckersley, head of enforcement at the ICO, said:”This trust played fast and loose with the highly sensitive and private information that was entrusted to them.

“It seems they ignored their duty to put rules in place to protect staff who deliver hospital services to others.

“Any measures taken to protect this information from reaching the public domain were woefully inadequate or non-existent. The fact that the error went unnoticed for so long beggars belief.”

The breach related to spreadsheets containing confidential and sensitive personal data relating to 6,574 employees past and present – including pay scale, disabled status, ethnicity, religious belief and sexual orientation.

Information was volunteered by staff as part of the trust’s commitment to publish annual equality and diversity metrics on its website.

The ICO said the trust failed to notice that the published spreadsheets also contained hidden data that became visible by simply double-clicking the table.

During the period that the spreadsheets were publicly available, tables were accessed at least 59 times by 20 visitors, while associated data was also downloaded by “persons unknown” on several occasions, according to a penalty notice published by the watchdog.

Mr Eckersley added: “There was a need for robust measures to safeguard against this kind of disclosure. I can see no good reason for that not happening and that is why we have taken action.”

Wendy Swift, interim chief executive of Blackpool Teaching Hospitals NHS Foundation Trust, said: “The Trust has sincerely apologised to its staff for the error and, following a thorough internal investigation, has put in place robust measures to ensure the same problem cannot happen again.

“Upon discovery of the error, immediate action was taken to disable the links from the reports on our website.

“The incident, which related to staff data only, was reported both locally and to our relevant regulatory bodies, which include Monitor and the CQC, as well as the Information Commissioner’s Office (ICO). We liaised with the ICO throughout the investigation.

“Once the results of the investigation were known we wrote to every member of staff to inform them of the incident and offer support and guidance if they had any concerns.

“On behalf of the board of governors I would like to apologise once again for any worry or concern this incident may have caused staff.”