A health trust that exposed the private details of 6,574 members of staff on its website has been fined £185,000 by UK data privacy watchdogs.
And while the issue is alarming enough in itself, the length of time that it dragged on for without intervention is possibly of particular seriousness.
The Trust failed to notice its mistake for 10 months, at least according to the account of the Information Commissioner’s Office (ICO).
Blackpool Teaching Hospitals NHS Foundation Trust inadvertently published workers’ confidential data including their National Insurance number, date of birth, religious beliefs and sexual orientation in March 2014.
This is among the most sensitive information that could have been published, and obviously the consequences are serious for both the organisation and staff.
The issue brought back memories of the Child Tax Credit system being hacked just after the turn of the century, which led to hundreds of thousands of National Insurance numbers being stolen at that time, and ultimately to a shakeup of the entire tax credits application process.
Even after the penny dropped at Blackpool, such was the tardiness of the response that it took a further five months to alert affected staff.
Stephen Eckersley, head of enforcement at the Information Commissioner’s Office, was extremely critical of the conduct of the trust.
“This trust played fast and loose with the highly sensitive and private information that was entrusted to them. It seems they ignored their duty to put rules in place to protect staff who deliver hospital services to others. Any measures taken to protect this information from reaching the public domain were woefully inadequate or non-existent. The fact that the error went unnoticed for so long beggars belief.”
The exposed information was volunteered by staff as part of the Trust’s commitment to publish annual equality and diversity metrics on its website.
With IT and technology projects being frequently handed out by the government to private sector organisations, often with a chequered ethos and human rights record – for example Raytheon and Northrop Grumman – there will be question marks regarding how IT is handled in the NHS.
The Trust failed to notice that the published spreadsheets contained more than just aggregated stats but also contained hidden data that became visible by simply double-clicking the table.
The oversight meant personal details of individual members of staff were inadvertently revealed.
An ICO blog post, “Now you don’t see it, now you do – the dangers of hidden data”, from last November offers guidance on how organisations can guard against making similar slip-ups.
Both Torbay NHS Trust and Islington Council both received penalties for inadvertently publishing hidden data, indicating that this is not a one-off problem.
The oversight will be extremely worrying for people in the Blackpool area, and in an era in which data security is an absolutely critical issue, it seems crystal clear that the NHS must improve in this department.