The Information Commissioner's Office (ICO) has fined a health body a £175,000 penalty for accidentally publishing sensitive personal details of almost 1,400 NHS staff on the internet.

In April 2011 Torbay Care Trust (TCT) in Devon inadvertently published a spreadsheet to their website which contained employees' names alongside their sexual orientation, religious belief, date of birth, pay scale and their National Insurance number. The data was publicly available for 19 weeks until the mistake was reported by a member of the public.

The ICO's investigation found that there was no guidance available for staff to consult in relation to the type of data that could be published on-line. Furthermore, there was also a distinct lack of controls in place to help identify potential data breach issues.

The ICO found the blunder to be a clear breach of the Seventh Data Protection Principle, which requires organisations to have appropriate security in place in order to prevent personal data held by the organisation being accidentally or deliberately compromised.

TCT have since taken remedial action by implementing a formal process governing requests for information from the electronic staff records system together with a "management of website" policy.

The £175,000 fine is the third largest handed down by the ICO. The largest fine of £325,000 was handed down on 1 June to Brighton and Sussex University Hospitals NHS Trust, for the sale of hard drives containing highly sensitive personal data belonging to tens of thousands of patients and staff.

Belfast Health and Social Care Trust received the second highest penalty of £225,000 on 19 June, following a serious breach which also led to the sensitive personal data of thousands of patients and staff being compromised.


Data protection breaches of this nature are entirely avoidable and are therefore not worth the reputational damage and financial penalty in which they so often result.

Organisations need not fear the ICO so long as they have in place the appropriate measures to ensure compliance with data protection law and demonstrate a full awareness of the responsibility which comes with holding personal data. Formal policies and procedures should be implemented to provide staff with proper guidance, along with training to ensure staff fully understand what is required of them in terms of data protection compliance.

Lack of knowledge will be no excuse if a breach occurs.