£175,000 fine for NHS Trust over data leak

(ZDNet) An NHS trust in Devon has been fined £175,000 after publishing the sensitive personal details of more than a thousand employees on its website.


Torbay Care Trust was handed the monetary penalty by the Information Commissioner's Office (ICO) after leaking the equality and diversity responses of 1,373 staff in April 2011, the ICO said on Monday. Details including names, sexuality, religion, National Insurance numbers and dates of birth were available online as part of an Excel spreadsheet for 19 weeks.

"The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable," said ICO head of enforcement Stephen Eckersley.

"Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud," he added.

The UK privacy watchdog can impose fines of up to £500,000 on organisations that breach the Data Protection Act, a power it has had for more than two years. It has served 23 monetary penalties since November 2010, including six levied on NHS bodies.

The Torbay Care Trust website was visited around 21,000 times over the course of the 19 weeks, according to the ICO monetary penalty notice. The website containing the spreadsheet was visited 300 times, although the Trust could not say how many people had looked at the spreadsheet itself.

The vast majority of fines have been to public-sector institutions — only three have been issued to private-sector organisations, and one of those, A4E, was a contractor to the public-sector Legal Services Commission.
