
Cath Everett

Sift Media

Freelance journalist and former editor of HRZone


News: NHS Trust fined £175,000 for publishing staff details online


An NHS Trust has been fined £175,000 by the Information Commissioner’s Office after it published a spreadsheet containing highly sensitive information about more than 1,000 of its staff online. 

Last April, the Torbay Care Trust posted the equality and diversity details of 1,373 workers on its website alongside their name, sexual orientation, religious beliefs, national insurance number and date of birth.
 
The data remained in the public domain for more than 19 weeks, during which time the website was visited 21,000 times. The spreadsheet itself clocked up 300 viewings. 
 
Stephen Eckersley, the ICO’s head of enforcement, pointed out that the breach was entirely avoidable. “Not only were they giving sensitive information out about their employees, but they were also leaving them exposed to the threat of identity fraud,” he said.
 
While organisations were permitted to publish equality and diversity information about their employees in aggregated form, there was “no justification for unnecessarily releasing their personal information”, he added.
 
The situation would appear, however, to bear out the old information security adage that staff are always the weakest link.
 
Alan Calde, chief executive of risk management consultancy IT Governance, said that the Torbay Care Trust was given the fine after the ICO discovered that no guidance had been issued to staff about what information they could publish online.
 
The organisation also had inadequate checking processes and procedures in place to identify potential problems.
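The article does not describe what a checking process would look like, so the following is an added example, not code from the article or from Torbay Care Trust. It is written in Python against a constructed three-row spreadsheet with an assumed header vocabulary, and shows the two halves of such a check: a pre-publication scan that flags direct identifiers (name, date of birth, national insurance number) and special-category columns (sexual orientation, religion) both by column name and by the shape of the cell values, and the aggregated form that Eckersley says organisations are permitted to publish instead.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample: a small stand-in for a staff equality spreadsheet.
# Names, numbers and dates are invented for this example.
SAMPLE_CSV = """name,date_of_birth,ni_number,sexual_orientation,religion,department
Alice Example,1980-04-12,AB123456C,Heterosexual,None,Radiology
Bob Sample,1975-09-30,CD654321A,Gay,Christian,Radiology
Chloe Test,1990-01-05,EF112233B,Heterosexual,Muslim,Pharmacy
"""

# Assumed header vocabulary: columns that identify a person directly.
DIRECT_IDENTIFIERS = {"name", "date_of_birth", "dob", "ni_number", "national_insurance"}
# Special-category attributes that may only be published in aggregate.
SPECIAL_CATEGORY = {"sexual_orientation", "religion", "religious_belief", "ethnicity"}

# Simplified UK National Insurance number shape: two letters, six digits, suffix A-D.
NINO_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")
# ISO-style date, a common date-of-birth format in exported spreadsheets.
DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")


def scan_for_personal_data(csv_text: str) -> dict:
    """Return findings that should block publication of this file.

    The header row is checked against the known identifier and special-category
    names, and every cell is checked for NI-number-like and date-like values, so a
    renamed column does not slip past the header check alone.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = [h.strip().lower() for h in (reader.fieldnames or [])]
    findings = {
        "identifier_columns": sorted(set(headers) & DIRECT_IDENTIFIERS),
        "special_category_columns": sorted(set(headers) & SPECIAL_CATEGORY),
        "nino_like_values": 0,
        "date_like_values": 0,
        "rows": 0,
    }
    for row in reader:
        findings["rows"] += 1
        for value in row.values():
            value = (value or "").strip()
            if NINO_RE.fullmatch(value):
                findings["nino_like_values"] += 1
            elif DATE_RE.fullmatch(value):
                findings["date_like_values"] += 1
    return findings


def publication_allowed(findings: dict) -> bool:
    """A file is publishable only if nothing identifying or special-category was found."""
    return not (
        findings["identifier_columns"]
        or findings["special_category_columns"]
        or findings["nino_like_values"]
        or findings["date_like_values"]
    )


def aggregate(csv_text: str, column: str, min_count: int = 5) -> dict:
    """Build the publishable alternative: counts per category, no row-level data.

    Categories with fewer than `min_count` people are folded into one
    "suppressed" bucket so that a small group cannot be traced to an individual.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    counts = Counter(row[column] for row in reader)
    result, suppressed = {}, 0
    for category, n in counts.items():
        if n < min_count:
            suppressed += n
        else:
            result[category] = n
    if suppressed:
        result["suppressed (<%d)" % min_count] = suppressed
    return result


if __name__ == "__main__":
    found = scan_for_personal_data(SAMPLE_CSV)
    print("findings:", found)
    print("publish?", publication_allowed(found))
    print("aggregate instead:", aggregate(SAMPLE_CSV, "sexual_orientation", min_count=2))
```

The value-shape checks matter more than the header check in practice: an exported spreadsheet that has had its headers tidied or translated still carries the same NI numbers and dates, and it is those, not the column names, that expose staff to identity fraud. The suppression threshold in `aggregate` is a design choice for the example; the article only states that aggregated publication is permitted, not what threshold the ICO expects.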
 
“To be blunt, staff will always be the weakest link in matters of information security and data protection. Staff education and training in all aspects of data protection is, therefore, vital,” Calde said. “There are no excuses. Any organisation – private or public sector – claiming not to be able to afford the time or money needed for staff awareness education should simply consider the cost of failure – not only in terms of fines, but also in terms of reputational damage.”
 
Moreover, when “fast, convenient, inexpensive routes to training” such as e-learning courses existed, “any further excuses for ignorance simply cannot be tolerated,” he added.
 
 
