The Information Commissioner's Office (ICO) has fined Blackpool Teaching Hospital NHS Foundation Trust £185,000 after it inadvertently published the private details of 6,574 members of staff.
The details included National Insurance number, date of birth, religious belief and sexual orientation.
The trust is required to publish equality and diversity metrics annually on its external website. In February 2014, the equality and diversity lead in HR had asked the electronic staff records team for the equality and diversity metrics.
These were sent by 3 March 2014, but the team had not detached the data displayed in the pivot tables in Excel, as they were not aware of this feature.
The lead then forwarded the spreadsheets to the web services team, asking it to upload them to the trust's website. The associated data was inadvertently published on the trust's website on 4 March 2014.
In January last year, the equality and diversity lead asked the electronic staff records team for these metrics as usual. A team member decided to search the trust's website to check the format of the Excel spreadsheets for 2014 so that they could be replicated. In the process, it was discovered that data on leavers, protected groups and equality pay bands could all be accessed via the pivot table.
The spreadsheets contained confidential and sensitive personal data relating to 6,574 employees (some of whom had left) including names, pay scale, National Insurance number, date of birth, ethnicity, religious belief, 'disabled' status and sexual orientation.
The spreadsheets were publicly available on the trust's website for 11 months, during which time the pivot tables were accessed at least 59 times by 20 visitors. The associated data was downloaded by more than one unknown person on several occasions.
The ICO found that the trust had contravened the Data Protection Act, particularly because it had no procedure in place for governing requests for information from ESR to control its use and further dissemination.
It also didn't provide the team with any, or at least any adequate, training on the functionality of Excel spreadsheets or possible alternatives. In addition, the trust had no guidance in place for the web services team to check the spreadsheets or hidden data before they were uploaded to the website.
The fine will be reduced by 20 per cent to £148,000 if the trust pays the full amount by 31 May 2016. An early payment 'discount' won't be available if the trust decides to exercise its right of appeal.