UK health trust fined for privacy breach

The UK Information Commissioner's Office has fined a health trust for publishing sensitive details of its 1373 employees online.

Torbay Care Trust in Torquay, Devon, was fined £175,000 ($AU258,000) for publishing a spreadsheet with staff responses to equality and diversity questions, as well as personal data such as names, dates of birth, National Insurance numbers, religion and sexuality.

The commissioner's office said the spreadsheet was put onto the trust's website in April last year but was only spotted after a member of the public reported its existence 19 weeks afterwards.

The trust's website received roughly 21,000 visits during the time the spreadsheet was publicly available.

The page containing links to the spreadsheet was visited approximately 300 times, but it is not known how many times the actual data was accessed.

An investigation by the ICO found that the trust's staff had been given no guidance as to what information should not be published online.

There were also inadequate checks on place to identify and prevent potential problems, the ICO says.

The head of enforcement at ICO, Stephen Eckersley, called the privacy breach "extremely troubling" and said it was entirely avoidable. Publishing the information meant sensitive information left staff open to identity fraud, Eckersley said.

The Torbay Care Trust has introduced a new web management policy following the investigation to ensure further privacy breaches do not occur.