Torbay Care Trust in Torquay has been fined £175,000 after it published the sensitive details of over 1,000 employees on the Trust’s website.

Staff at the Trust published the information in a spreadsheet on their website in April 2011 and only realised when a member of the public reported it 19 weeks later.

The data covered the equality and diversity responses of 1,373 staff and included individuals’ names together with their:

  • Dates of birth
  • National Insurance numbers
  • Religion
  • Sexuality

The Information Commissioner’s Office (ICO) investigation found that the Trust had no guidance for staff on what information should not be published online, and had inadequate checks in place to identify potential problems before material went live.

Stephen Eckersley, the ICO’s Head of Enforcement, said:

“We regularly speak with organisations across the health service to remind them of the need to look after people’s data. The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable. Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud.

“While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information. We are pleased that the Trust are now taking action to keep their employees’ details secure.”

Under the proposed European Data Protection Act, the scope of what counts as Personally Identifiable Information (PII) will be defined more precisely, but it will cover more than most businesses think is currently covered.

It is time businesses undertook thorough risk assessments of their exposure to PII data leakage, because the proposed new fines are potentially up to 2% of global turnover.

Read my summary of the proposed European Data Protection Act here.