A health trust in the UK has been fined £185,000 ($235,000) for posting the confidential details of thousands of staff members on its website and failing to respond to the incident for nearly a year.
In a legal document disclosed by the UK privacy watchdog, the Information Commissioner’s Office (ICO), it was revealed the Blackpool Teaching Hospitals NHS Foundation Trust had inadvertently posted the details to the web.
The exposed information included names, dates of birth, pay scales and National Insurance numbers of a total of 6,574 employees, both past and present. The ICO said the compromised records also included ‘disabled’ status, ethnicity, religious belief and sexual orientation.
The details had been publicly available on the Trust’s website for 11 months, the ICO added. During that time, they were accessed “at least 59 times by 20 visitors”. According to the watchdog’s investigation, the data had also been downloaded by “persons unknown on several occasions”.
However, the ICO, which acts independently of government and has the power to enforce fines of up to £500,000 on organisations that misuse sensitive data, said it considered the matter a “serious oversight” rather than a deliberate attempt to bypass data protection laws.
Stephen Eckersley, head of enforcement at the ICO, said: “This trust played fast and loose with the highly sensitive and private information that was entrusted to them. It seems they ignored their duty to put rules in place to protect staff who deliver hospital services to others.”
He added: “Any measures taken to protect this information from reaching the public domain were woefully inadequate or non-existent. The fact that the error went unnoticed for so long beggars belief. There was a need for robust measures to safeguard against this kind of disclosure. I can see no good reason for that not happening and that is why we have taken action.”
Wendy Swift, interim chief executive of Blackpool Teaching Hospitals NHS Foundation Trust, told ITV: “The Trust has sincerely apologised to its staff for the error and, following a thorough internal investigation, has put in place robust measures to ensure the same problem cannot happen again.”