Personal data breach costs NHS Trust £175,000


Author: Aisling Duffy

On 6 August 2012 Torbay Care Trust was fined £175,000 by the Information Commissioner's Office (ICO), after personal and sensitive data about more than 1,000 employees was accidentally published on its website.

The personal information concerned the equality and diversity responses provided by 1,373 staff, and included the names, dates of birth and National Insurance numbers of individuals, plus details about their religion, 'disabled' status, ethnicity and sexual orientation.

What made matters worse is that the blunder only came to the Trust's notice after 19 weeks, when it was reported by a member of the public. During that time, the Trust's website received 21,000 visitors, with approximately 300 visits made to the webpage featuring the spreadsheet containing the personal data.

In this instance, the ICO said its investigation 'found that the Torbay Care Trust had no guidance for employees on what information shouldn't be published online and had inadequate checks in place to identify potential problems'.

The ICO found that the incident amounted to a serious breach of Principle 7 of the Data Protection Act 1998, which requires organisations to put in place and maintain appropriate technical and security measures to protect personal data against unauthorised or unlawful processing and accidental loss, destruction or damage.

In particular, it concluded that the Trust had failed to have effective policies and procedures in place to control the dissemination of personal data.

The ICO also said the breach had the potential to expose individuals not only to substantial damage and distress, but also to the risk of financial loss and identity theft.

Lessons learned

As well as highlighting the need for organisations to have comprehensive and effective policies and procedures in place to control the use and processing of personal data, this case also demonstrates the need for companies to ensure their employees receive adequate training about the Act and its requirements.

Training is a necessary element to raising awareness and reducing the risk of breaches like this taking place.

Guidance and training should be given to all staff who access personal data, and compliance with the policies and procedures should be actively monitored and enforced.

What can you do?

For further information or assistance on data protection compliance, please contact:

Aisling Duffy
03700 865089
[email protected]