The Information Commissioner's Office (ICO) has fined Blackpool Teaching Hospital NHS Foundation Trust £185,000 after it inadvertently published the private details of 6,574 members of staff.
The details included National Insurance number, date of birth, religious belief and sexual orientation.
The trust is required to publish equality and diversity metrics annually on its external website. In February 2014, the equality and diversity lead in HR had asked the electronic staff records team for the equality and diversity metrics.
These were sent by 3 March 2014, but the team had not detached the data displayed in pivot tables in Excel, as they were not aware of this feature.
The lead then forwarded the spreadsheets to the web services team, asking it to upload them to the trust's website. The associated data was inadvertently published on the trust's website on 4 March 2014.
In January last year, the equality and diversity lead asked the electronic staff records team for these metrics as usual. A team member decided to search the trust's website to check the format of the Excel spreadsheets for 2014 so that they could be replicated. In the process, it was discovered that data on leavers, protected groups and equality pay bands could all be accessed via the pivot table.
The spreadsheets contained confidential and sensitive personal data relating to 6,574 employees (some of whom had left) including names, pay scale, National Insurance number, date of birth, ethnicity, religious belief, 'disabled' status and sexual orientation.
The spreadsheets were publicly available on the trust's website for 11 months, during which time the pivot tables were accessed at least 59 times by 20 visitors. The associated data was downloaded by more than one unknown person on several occasions.
The ICO found that the trust had contravened the Data Protection Act, particularly because it had no procedure in place for governing requests for information from ESR to control its use and further dissemination.
It also didn't provide the team with any, or at least any adequate, training on the functionality of Excel spreadsheets or possible alternatives. In addition, the trust had no guidance in place for the web services team to check the spreadsheets or hidden data before they were uploaded to the website.
The fine will be reduced by 20 per cent to £148,000 if the trust pays the full amount by 31 May 2016. An early payment 'discount' won't be available if the trust decides to exercise its right of appeal.