NHS trust fined £185k over inadvertent release of confidential data on staff

The Information Commissioner’s Office has fined Blackpool Teaching Hospitals NHS Foundation Trust after it posted the private details of 6,574 members of staff on its website.

The trust is the third organisation – after Torbay NHS Trust (£175,000 in July 2012) and Islington Council (£70,000 in August 2013) – to have been fined by the ICO for inadvertently publishing hidden data.

According to the monetary penalty notice issued by the ICO, the background to the security breach was a requirement for the trust to publish equality and diversity metrics annually on its external website.

On 30 January 2015, the equality and diversity lead in HR asked the electronic staff records (“ESR”) team for equality and diversity metrics held on the electronic staff records system.

A member of the ESR team decided to search the Trust’s website to check the format of the Excel spreadsheets for 2013 so that they could be replicated. However, he inadvertently double-clicked on a pivot table on the ‘leavers’ spreadsheet which opened up the associated data.

It was then discovered that the data underlying the ‘protected groups’ and ‘equality pay bands’ spreadsheets could also be accessed via their pivot tables, the monetary penalty notice said.

These spreadsheets contained confidential and (sensitive) personal data relating to 6,574 employees (past and present) including the employees’ name, pay scale, National Insurance number and date of birth. They also contained their ‘disabled’ status, ethnicity, religious belief and sexual orientation.

According to the monetary penalty notice the spreadsheets had been publicly available on the trust’s website for 11 months. During that time, the pivot tables were accessed at least 59 times by 20 visitors. The associated data was also downloaded by persons unknown on several occasions.

“Historically, the Trust did not have a procedure governing requests to the team for information from the ESR, which were poorly controlled. The team provided the information without being informed of its intended use or purpose,” the ICO said.

On 28 February 2014, the equality and diversity lead at the trust had asked the ESR team for the equality and diversity metrics as in previous years.

The team sent the spreadsheets to the equality and diversity lead on 3 March 2014. The team had not detached the associated data because it was not aware that Excel had this feature within pivot tables.

The equality and diversity lead then forwarded the spreadsheets to the web services team asking it to upload them to the Trust’s website. In the absence of any guidance on what information should not be published, the web services team placed a degree of reliance on the equality and diversity lead responsible for the information, the ICO said.

Consequently, the web services team uploaded the spreadsheets and the associated data was inadvertently published on the Trust’s website on 4 March 2014.
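The failure described in this sequence is that nobody checked the files for retained source data before they reached the website. An .xlsx file is a zip archive, and a pivot table's underlying rows are stored inside it as separate pivot cache parts under xl/pivotCache/, which is why a summary-only spreadsheet can still carry every record that fed it. The following Python script is an added example, not code from the trust, the ICO or this article: it opens a workbook as a zip, lists any pivot cache parts, counts the cached rows they hold, flags hidden sheets, and says whether the file is clear to publish. The sample workbook it builds is constructed in memory with fictitious values purely to exercise the check; the function names are this example's own.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used by workbook.xml and the pivot cache parts
NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
# Pivot cache parts: xl/pivotCache/pivotCacheDefinitionN.xml and pivotCacheRecordsN.xml
PIVOT_CACHE_RE = re.compile(r"xl/pivotCache/pivotCache(Definition|Records)\d+\.xml")


def inspect_workbook(source):
    """Inspect an .xlsx (path or file-like object) for data that a reader
    would not see on the visible sheets: pivot caches and hidden sheets."""
    report = {"pivot_cache_parts": [], "cached_rows": 0, "hidden_sheets": []}
    with zipfile.ZipFile(source) as zf:
        names = zf.namelist()
        for name in names:
            if PIVOT_CACHE_RE.fullmatch(name):
                report["pivot_cache_parts"].append(name)
                if "Records" in name:
                    # Each <r> element is one cached source row
                    root = ET.fromstring(zf.read(name))
                    report["cached_rows"] += sum(1 for _ in root.iter(NS + "r"))
        if "xl/workbook.xml" in names:
            root = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in root.iter(NS + "sheet"):
                if sheet.get("state") in ("hidden", "veryHidden"):
                    report["hidden_sheets"].append(sheet.get("name"))
    return report


def safe_to_publish(report):
    """A file is clear only if it carries no pivot cache and no hidden sheets."""
    return not report["pivot_cache_parts"] and not report["hidden_sheets"]


def build_sample_workbook(include_hidden_data=True):
    """Constructed minimal workbook-shaped zip (not a real Excel export) used
    to exercise the check. Values are fictitious."""
    workbook_xml = (
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets><sheet name="Summary" sheetId="1" r:id="rId1"/>'
        + ('<sheet name="Raw" sheetId="2" state="hidden" r:id="rId2"/>' if include_hidden_data else "")
        + "</sheets></workbook>"
    )
    records_xml = (
        '<pivotCacheRecords xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="3">'
        '<r><s v="Example Person A"/><n v="1983"/></r>'
        '<r><s v="Example Person B"/><n v="1975"/></r>'
        '<r><s v="Example Person C"/><n v="1990"/></r>'
        "</pivotCacheRecords>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if include_hidden_data:
            zf.writestr("xl/pivotCache/pivotCacheDefinition1.xml", "<pivotCacheDefinition/>")
            zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", records_xml)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for label, flag in (("leavers-style summary", True), ("clean summary", False)):
        rep = inspect_workbook(build_sample_workbook(flag))
        print(label, rep, "PUBLISH" if safe_to_publish(rep) else "BLOCK")
```

Run the script as-is to see a report for both a workbook carrying a pivot cache and hidden sheet and a clean one; to check a real file, pass its path to inspect_workbook(). The practical control is to run such a check in the web team's upload path and refuse anything that is not clear, rather than relying on the requester to have stripped the data.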

Although the security breach was discovered on 30 January 2015, the affected data subjects were not notified about it until early May 2015.

Stephen Eckersley, Head of Enforcement at the ICO, said: “This trust played fast and loose with the highly sensitive and private information that was entrusted to them. It seems they ignored their duty to put rules in place to protect staff who deliver hospital services to others.”

“Any measures taken to protect this information from reaching the public domain were woefully inadequate or non-existent. The fact that the error went unnoticed for so long beggars belief.”

Eckersley added: “There was a need for robust measures to safeguard against this kind of disclosure. I can see no good reason for that not happening and that is why we have taken action.”

Wendy Swift, Chief Executive (Interim) of the NHS trust, said: “The Trust has sincerely apologised to its staff for the error and, following a thorough internal investigation, has put in place robust measures to ensure the same problem cannot happen again. Upon discovery of the error immediate action was taken to disable the links from the reports on our website.

“The incident, which related to staff data only, was reported both locally and to our relevant regulatory bodies, which include Monitor and the CQC, as well as the Information Commissioner’s Office (ICO). We liaised with the ICO throughout the investigation.

“Once the results of the investigation were known we wrote to every member of staff to inform them of the incident and offer support and guidance if they had any concerns.

“On behalf of the Trust Board of Directors, I would like to apologise once again for any worry or concern this incident may have caused staff. Action has been taken to ensure this will never happen again.”

The ICO published a blog in November 2015 alongside new guidance to give practical advice on what to look out for when providing information in different formats.