ICO fines NHS trust for publishing staff's personal information

Torquay Health Trust has been fined a £175,000 by the Information Commissioner's Office (ICO) after publishing employee details on its website.

The ICO said the sensitive information of more than 1,000 employees included individuals' names, dates of birth and National Insurance numbers. The information accidentally published also contained personal information about the person's religion and sexuality.

Last year the ICO called for prison sentences for serious personal data breaches. In this case Stephen Eckersley, Head of Enforcement, said the breach was "extremely troubling and was entirely avoidable".

Read more: Privacy news | PC help

The information was online for 19 weeks and it was only removed after it was spotted by a member of the public.

The ICO has said it is concerned about data protection at the NHS. The privacy watchdog said it regularly speaks with organisations across the health service to remind them of the need to look after people's data,

Torquay Health Trust's breach was possible as the organisation had no guidance for staff on what information shouldn't be published online according to the ICO. It also said the Trust had inadequate checks in place to identify potential problems.

The ICO said the Trust had made changes, introducing a new web management policy to make sure personal data is not mistakenly published on their website in the future.

"While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information. We are pleased that the Trust is now taking action to keep their employees' details secure," said Eckersley.