Torbay Care Trust published the information in a spreadsheet on its website back in April 2011; the trust only spotted the mistake when a member of the public reported the breach 19 weeks later, according to an ICO news release.
The information included names, dates of birth, national insurance numbers, equality and diversity responses, along with sensitive information about religion and sexuality, for 1,373 staff members.
The ICO discovered that Torbay Care Trust had inadequate checks in place to identify information disclosure problems and no guidance for staff on what information was confidential and should not be posted on the website.
“The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable. Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud”, commented Stephen Eckersley, the ICO’s head of enforcement.
In response to the ICO’s investigation, the trust has introduced a new web management policy governing information that is restricted and should not appear on the public website.