BreachExchange mailing list archives

Health trust fined £175k for publishing 1,300 employees' sensitive data online


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 13 Sep 2012 02:52:12 -0400

http://www.wsandb.co.uk/wsb/news/2204909/health-trust-fined-gbp175k-for-publishing-1-300-employee-s-sensitive-data-online

A health trust has been fined £175,000 by the Information
Commissioner’s Office for publishing the personal details of 1,373
staff members on its website.

The data covered the equality and diversity responses of the workers
and included names, dates of birth, National Insurance numbers and
other sensitive information about the person's religion and sexuality.

Torbay Care Trust uploaded a spreadsheet on its website in April and
only rectified the mistake when it was reported by a member of the
public 19 weeks later.

The Trust has now introduced a new web management policy to make sure
personal data is not mistakenly published on their website in the
future following an ICO investigation which found that the Trust had
no guidance for staff on what information shouldn't be published
online and had inadequate checks in place to identify potential
problems.

ICO head of enforcement Stephen Eckersley said: "We regularly speak
with organisations across the health service to remind them of the
need to look after people's data.

"The fact that this breach was caused by Torbay Care Trust publishing
sensitive information about their staff is extremely troubling and was
entirely avoidable. Not only were they giving sensitive information
out about their employees but they were also leaving them exposed to
the threat of identity fraud.

"While organisations can publish equality and diversity information
about staff in an aggregated form, there is no justification for
unnecessarily releasing their personal information. We are pleased
that the Trust is now taking action to keep their employees' details
secure," he added.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
