Skip to main content

Torbay Care Trust Fined For Data Protection Breaches


As a result of breaching data protection laws, the Torbay Care Trust has been fined £175,000 by the ICO. A spreadsheet containing "sensitive" information about the employees' religion and sexuality; as well as names, dates of birth and national insurance numbers was published on to their website. The ICO said that such information was likely to cause substantial damage and/or distress to those who had had their details exposed. What is more, head of enforcement with the ICO, Stephen Eckersley, highlighted that the release of such information put staff at risk of being victims of identity fraud. The breach only came to light when a member of the public reported it 19 weeks after it was posted, the ICO said.

The Data Protection Act (DPA) requires organisations to exercise the appropriate organisational measures to eliminate the risk of such sensitive information being used without authorisation. This includes the need to have "effective policies and procedures in place to control its use and further dissemination". Organisations may publish equality and diversity information about staff in an aggregated form, but the publication of their personal information in such a way is strictly prohibited.

Head of the Trust at the time of the incident, Anthony Farnsworth, attributed the breach of the DPA to a lack of organisation due to minimal checks within its processes. The data protection watchdog carried out an investigation and concluded that the Trust did not provide guidance for staff as to what information can be published online. They also were found to not have adequate check in place to identify potential problems. 

The watchdog acknowledged the steps the Trust has taken since the incident in order to avoid such a breach in the future. Farnsworth explained that they have now implemented more robust procedures for managing staff information to overcome such risks. Although disappointed by the large fine, the organisation accepts the conclusion the ICO came to. Provisions have been made so the fine can be paid without need to cut budgets for staff or health and social care. 


Brian can be contacted at Stone King, Solicitors.  For further news and information on legal topics of interest, please visit Brian's other blogs:



Comments

Popular posts from this blog

ICO imposes fine of £250,000 for data protection breach by Scottish council

A Scottish council hired a man known as ‘GS’ to “digitise” its employees’ pension records with no written contract in place between the Scottish council and GS containing the data processing and security requirements specified by the Information Commissioner’s Office (ICO).   Files containing Council employees’ names, addresses, national insurance numbers and, in some cases, individual’s salary and bank account details, had been dumped in a supermarket’s recycling bank and found by a member of the public.   In its civil monetary penalty notice, the ICO said that approximately 8,000 pension records, some of which included details of ill health benefits, had been digitised by GS.  GS would send to the council by standard post unencrypted discs containing the information.  It said that the council was unaware that GS was disposing of the paper records in recycling banks.   The ICO said in its civil monetary notice “ The Commissioner is satisfied that the contravention w

Cloud Service Providers Now Subject To Scrutiny Of Assurance Registry

After mounting concerns relating to the security of cloud computing, a new online platform is to enable users to assess the security features of registered cloud providers. The Security, Trust & Assurance Registry (STAR) hopes to encourage providers to improve their data protection security thanks to this increased transparency, as well as aid organisations using the providers to comply with data protection laws. The Working Party drew attention to firm’s lack of control over customer’s personal data when using cloud services. As cloud computing uses an internet based network in place of local computing resources, they stated that there is risk of "loss of governance, insecure or incomplete data deletion, insufficient audit trails or isolation failures," by organisations using these providers.          Operated by not-for-profit body the Cloud Security Alliance (CSA), STAR hopes to limit such risks to data protection. The CSA’s members include Google, Microsoft and m

Thirteen Point Guide to the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (“ GDPR ”) will come into force and apply to all EU member states from 25 May 2018. The UK’s decision to leave the EU will not affect the commencement of the GDPR. It contains eighty-eight pages, 99 articles and 173 related recitals and is therefore no small piece of legislation. Overall, the principles under the GDPR are similar to those under the current Data Protection Act. However, there are new elements and significant enhancements; particularly in relation to accountability. The GDPR puts the onus on organisations to show how it complies with the data protection principles and there is a greater emphasis on documenting specific activities. Other  key changes  to be aware of include: Wider scope of application  – certain definitions under the GDPR have been broadened, for example, the definition of “personal data”. Higher penalties  – the GDPR introduces tougher sanctions, including administrative fines for non-com