The UK Information Commissioner's Office (ICO) has fined Torbay Care Trust £175,000 for publishing on its website sensitive data of more than 1,000 employees, including information on religious and sexual orientation. Such information cannot be claimed to be anything other than sensitive personal data, and generally needs to be protected under the Data Protection Act via various means, including drive encryption software like AlertBoot where appropriate.
Staff at Torbay Care Trust uploaded a spreadsheet with employee information to its website in April 2011. They only realized they had a data breach when a member of the public alerted them of the fact 19 weeks later.
The spreadsheet contained survey responses of 1,373 staff, and included names, dates of birth, pay scale, National Insurance numbers, and sensitive information concerning ethnicity, disability status, religion, and sexuality.
Again, such information is regarded as personal information, and the latter two, especially, would be considered sensitive personal information. In the past, the ICO has gone to great measures to point out the importance of protecting such data, including the assessment of monetary penalties in the five figures (tens of thousands of dollars).
Today, it looks like the ICO is set to emphasize that point by levying a penalty in the six figures.
The ICO has noted that the data breach was "entirely avoidable." Torbay, for its part, has apologized to staff and has implemented measures for managing staff information. Their position is that:
"This was an organisational issue in which the absence of sufficient checks within our processes made an error possible, and we have treated this with the utmost seriousness." [bbc.co.uk]
The spokesperson continued on to say:
"We have no evidence that the information was accessed by anyone other than the individual who reported it, and it was removed as soon as it was brought to our attention."
However, idg.no reports that (my emphasis):
"Originally posted in error in April, the issue only came to light 19 weeks later, by which time the web page containing it had been accessed 300 times, including 32 times from unidentified IP addresses."
Something doesn't add up.
Related Articles and Sites:
http://news.idg.no/cw/art.cfm?id=01820300-B44B-67FA-206F7F14BE386780
http://www.guardian.co.uk/government-computing-network/2012/aug/06/torbay-care-trust-ico-fine?newsfeed=true
http://www.bbc.co.uk/news/uk-england-devon-19150290