Skip to main content

Torbay Care Trust Fined For Data Protection Breaches


As a result of breaching data protection laws, the Torbay Care Trust has been fined £175,000 by the ICO. A spreadsheet containing "sensitive" information about the employees' religion and sexuality; as well as names, dates of birth and national insurance numbers was published on to their website. The ICO said that such information was likely to cause substantial damage and/or distress to those who had had their details exposed. What is more, head of enforcement with the ICO, Stephen Eckersley, highlighted that the release of such information put staff at risk of being victims of identity fraud. The breach only came to light when a member of the public reported it 19 weeks after it was posted, the ICO said.

The Data Protection Act (DPA) requires organisations to exercise the appropriate organisational measures to eliminate the risk of such sensitive information being used without authorisation. This includes the need to have "effective policies and procedures in place to control its use and further dissemination". Organisations may publish equality and diversity information about staff in an aggregated form, but the publication of their personal information in such a way is strictly prohibited.

Head of the Trust at the time of the incident, Anthony Farnsworth, attributed the breach of the DPA to a lack of organisation due to minimal checks within its processes. The data protection watchdog carried out an investigation and concluded that the Trust did not provide guidance for staff as to what information can be published online. They also were found to not have adequate check in place to identify potential problems. 

The watchdog acknowledged the steps the Trust has taken since the incident in order to avoid such a breach in the future. Farnsworth explained that they have now implemented more robust procedures for managing staff information to overcome such risks. Although disappointed by the large fine, the organisation accepts the conclusion the ICO came to. Provisions have been made so the fine can be paid without need to cut budgets for staff or health and social care. 


Brian can be contacted at Stone King, Solicitors.  For further news and information on legal topics of interest, please visit Brian's other blogs:



Comments

Popular posts from this blog

Ten Questions to Ask Your Cloud Provider

The use of cloud computing is on an exponential rise, as it offers users almost unlimited storage of data, reduces the need for organisations to have physical servers and allows easy access to information from anywhere in the world. As such, many UK based organisations are now turning to cloud computing to satisfy their data storage needs. But there is one issue which seeks to bring grey clouds over an otherwise silver lining and that is data security . By using the cloud instead of a physical storage device, organisations are obliged to hand over data to a third party cloud provider, some or all of which might be personal data within the meaning of the Data Protection Act. An organisation must therefore be sure, before it enters into a contract with a cloud provider, that its information will be kept securely and the provider’s handling of data will be compliant with the Act and any other applicable laws. Before you embark upon acquiring a business which uses cloud computing o...

Jail Sentences for Data Protection Offenders

The House of Commons' Home Affairs Select Committee are encouraging the Home Secretary to introduce jail sentences as a possible punishment for data protection offenders. This is to act as a stronger deterrent than the current, quite ineffective fines.  It is generally unlawful for a person to "knowingly or recklessly without the consent of the data controller obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data", under Section 55 of the Data Protection Act (DPA). But now, personal data has never been easier to access and the risks of information being leaked are an increasing concern. There are many new suppliers of information who are unlikely to understand or take notice of the rules to which they must comply. While the maximum fine for committing a section 55 offence is £5,000 when the case is heard in a Magistrates Court, and unlimited when ...

Data Leaks Prevalent Amongst Staff and Contractors

A twenty-five page report by security outfit Symantec has concluded that contractors and employees are the main cause for person data breaches in the UK. According to the report, thirty-six  firms in the UK covering eleven different industries has experienced data breaches during 2011 which resulted in a notification to the Information Commissioner. Apparently the data breaches were caused over a third of the time by " a negligent employee or contractor " whilst " system glitches " were responsible for another third of the instances. The glitches account for " a combination of both IT and business process failures ," the report said. Malicious or criminal attacks were the cause of the remaining one third of cases. Symantec expressed the view that the amount of information breached on average had fallen and that a larger number of customers were remaining loyal to companies that had lost data. " The average abnormal churn decreased from 3....