Trust placed staff members' confidential details on its website, then left them there for 10 months
The Information Commissioner's Office (ICO) has dished out a £185,000 fine to Blackpool Teaching Hospitals NHS Foundation Trust for allowing the personal details of 6,574 members of staff to appear on its website.
The information included national insurance numbers, dates of birth, religious beliefs and sexual orientation and remained on the site for 10 months until trust officials noticed the mistake. It then took them an additional five months to notify the affected staff.
Staff had provided the information as part of the trust's commitment to publish equality and diversity metrics on the site, but the trust posted spreadsheets without realising they contained hidden data that could be made visible simply by double-clicking the table.
Stephen Eckersley, head of enforcement at the ICO, had some harsh words for Blackpool Teaching Hospitals.
“This trust played fast and loose with the highly sensitive and private information that was entrusted to them,” he said. “It seems they ignored their duty to put rules in place to protect staff who deliver hospital services to others.
“Any measures taken to protect this information from reaching the public domain were woefully inadequate or non-existent. The fact that the error went unnoticed for so long beggars belief.”
The ICO has previously fined Torbay NHS Trust and the London Borough of Islington, in July 2012 and August 2013 respectively, for similar mistakes.
Image: Blackpool Victoria Hospital, by Roger May, CC BY-SA 2.0 via Wikimedia Commons