Torbay Care Trust
Torbay fined over information breach
PERFORMANCE: Torbay Care Trust has been fined £175,000 by the Information Commissioner’s Office after the sensitive details of more than 1,000 employees were accidentally published on the trust’s website.
HSJ Local newsletters
Get the latest health headlines in your region sent direct to your inbox
Choose your HSJ local newsletters now
Staff at the trust published information including names, dates of birth and national insurance numbers along with details of individuals’ religion and sexuality in April 2011. The information remained online for 19 weeks until spotted by a member of public.
The ICO’s investigation found that the trust had no guidance for staff on what information should not be published online and had inadequate checks in place to identify potential problems.
ICO head of enforcement Stephen Eckersley said: “The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable. Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud.
“While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information. We are pleased that the Trust are now taking action to keep their employees’ details secure.”
Anthony Farnsworth was chief excecutive of the care trust when the breach happened and is now chief executive of the community provider Torbay and Southern Devon Care Trust.
In a statement, he said the incident had been treated with the “utmost seriousness”, but there was no evidence the data had been accessed by anyone other than the individual who reported it.
He said more robust information management procedures had now been put in place.
He added: “The Care Trust has always had extremely hard working and dedicated staff, so it is of particular regret that in this instance we failed in our responsibilities to them. I would like to apologise, again, to these individuals for any concern that has been caused.”
ICO announcement and trust statement
6 August 2012