back to article Devon NHS trust left data of 1,373 staff online for MONTHS

A painful £175,000 fine has been slapped on a health trust in Torquay, Devon, after it published sensitive details of nearly 1,400 employees on its website. The Information Commissioner's Office issued the penalty, following the embarrassing incident that took place in April 2011. A spreadsheet containing the information was …

COMMENTS

This topic is closed for new posts.
  1. Kwac
    Stop

    Sensitive?

    Sensitive information about the persons' religion & sexuality"?

    WTF is that needed for?

    1. Anonymous Coward
      Anonymous Coward

      Re: Sensitive?

      It's a government thing. They check and see if they are discriminating against any groups of people based on religious beliefs, sexuality, ethnicity, age, gender etc etc.

      1. Anonymous Coward
        Anonymous Coward

        Re: Sensitive?

        I think they have a shortage of white homosexual Jamaican born males following the Jedi religion over the age of 55 and with their left leg missing. If that fits you then apply for a job there.

      2. Anonymous Coward
        Anonymous Coward

        Re: Sensitive?

        At the MoD we always had a 'Choose not to respond' option for each (actually I think it was "Prefer not to disclose"). Always chose that because a) I didn't trust them not to lose the data and b) I considered it none of their business. Don't know if they still give that option.

        Something interesting did come of it though, during a grievance, my lack of responses were raised in relation to a disability. I had to point out that they had been notified using the formal process, and that the law states that if it's reasonable an employer should have known then it's deemed that they did (which as they'd been told, they did!). Just goes to show that these E&D things do get read sometimes, though given the circumstances surrounding that, it could have been more to do with a grudge than anything.

        They do like to be able to say "x%" of our work-force are homosexual, "x%" are disabled etc. Unfortunately, they really hate it if you then say "as X% are disabled" would it not be reasonable to implement a procedure for a?

        Anon because I'd rather not take the risk that any grudges remain!

        1. John H Woods Silver badge
          Happy

          Re: Sensitive?

          I always put my origin as "African". Because it's true for everybody.

          1. LinkOfHyrule
            Paris Hilton

            Re: Sensitive?

            I always put my sexuality as MILF curious

  2. Thomas 4
    Mushroom

    Oh for fuck's sake

    Seriously people, would it actually physically kill to *READ* that document before you hit the big shiny "Upload to the world" button?! The button isn't going to magically vanish if you don't click it within ten seconds and it might save someone a hell of a lot of grief and harassment if you do.

    1. Anonymous Coward
      Anonymous Coward

      Re: Oh for fuck's sake

      Seriously people, would it actually physically kill to *READ* that document

      I think you're overestimating the educational level of people applying for jobs at that paygrade nowadays. The state of some of the applicants I saw was abysmal, but you pay peanuts you get.....

      1. Anonymous Coward
        Anonymous Coward

        pay peanuts you get.....

        These people are probably fairly handsomly paid as it is, when you consider the job they are paid to do.

        1. Anonymous Coward
          Anonymous Coward

          Re: pay peanuts you get.....

          Never worked for a public body I take it? It's rare that your job is what's specified in the job description, there's always a 'few' extras.

          That said, given the cockup mentioned I'd be happy to amend to "These people are probably fairly handsomly paid as it is, when you consider the quality of the work they've done in comparison to the job they are paid to do."

  3. Anonymous Coward
    Anonymous Coward

    Nothing will change

    Because nobody senior has been sacked.

    NHS trusts have a long history of data protecton failures, but being "fined" by the ICO merely means that one public sector organisation moves money from another public sector body's budget back to the treasury. Where's the incentive to do things properly, when the guilty can stay in their generously paid jobs, and merely lop off some front line services to balance the books?

    1. mark 63 Silver badge

      Re: Nothing will change

      Do the other trusts find out about these fines? or is it just us that read the reg that know?

      Maybe if when they fined one trust , they informed all the others we'd see less of it.

      (and fined the upper management obviously)

      1. Dave the Cat
        Stop

        Re: Nothing will change

        @ mark63

        Hi Mark,

        Yes they all get told before the public is informed. Still makes no difference though :-(

    2. tmTM

      Re: Nothing will change

      It's the NHS, of course nothing will change.

      Tar and feather the upper management - so we can easily identify those who've failed.

  4. Dave the Cat
    Thumb Up

    Nothing will change

    Absolutely spot on, why wasn't the comms director/manager hauled up before the board? (hint: they're probably all bestest chums). Why wasn't there a policy/procedure/some sort of instruction on what to do and how to do it?

    Until the ICO starts fining senior personel personally nothing will ever change. 6 months wages ought to do it. I work in the health service, and the apathetic/blase response by many senior managers to incidents like this is nothing short of staggering.

  5. adam payne

    This kind of thing shouldn't be happening but it continues to happen again and again. These people need a swift kick up the (insert word here).

    Guess who will be paying the fine?

  6. Ted Treen
    FAIL

    Wrong penalty AGAIN...

    "...A painful £175,000 fine..."

    Which comes out of a publicly-funded pocket, to be transferred to ANOTHER publicly-funded pocket, doing little but feed the growth of n0n-productive bureaucrats whilst hampering the workings of an NHS trust.

    What's wrong with identifying the culpable cretin and applying the fine and/or dismissal to him/her?

    No-one seems to give a damn when it's public money. No wonder taxes are shooting skywards and yet we're still deep in the mire.

    Doesn't the word "responsibility" exist in public sector management?

    1. Anonymous Coward
      Anonymous Coward

      Re: Wrong penalty AGAIN...

      Having work with the Trust in question and others in the area. Responsibility ownership is a political hot potato. If somebody can shark responsibility they will!

      Disciplining the person(s) in question that failed with this epic cock up, would be a waste of time. Having been an interested party in the NHS disciplinary process in a previous incarnation, I can say first hand what a bureaucratic/red tape nightmare it is!

  7. wowfood

    Wait

    These people are making massive cockups because average joes are doing jobs that need at least some kind of training, and because they're hiring in the cheapest people rather than the best qualified.

    When the cock up because of the above problems, caused by lack of money, they are then fined.

    This fine leads to letting go of more good staff, hiring in a lower number of even lesser qualified staff to replace them, who will invariably cock up even more than the first lot, leading to another fine continuing the cycle.

    Why dont we skip the middle man, replace all hospital staff with stoners aside from the doctors, and just give all the money straight back to the government, it'd save money in the long run.

    1. Crisp
      Unhappy

      Re: Wait

      But I don't want a sponge bath from a stoner :(

  8. Anonymous Coward
    Anonymous Coward

    For starters, I couldn't agree more that the individuals concerned should be the ones facing the fine/sack/all of the above.

    Working in the education sector myself and having responsibility for access to large amounts of data one would presume common sense should prevail (even if the user in question has not been given any formal training). People should think in terms of "hang on a minute, if my name, national insurance number, sexual preferences and religion were in this document, would I want it being found on the internet". I mean c'mon, it really isn't that hard is it.

    On top of that, why not fine the people AND the trust, inform all other parties of the infringement then should anything similar happen again (whether in the same trust or any other) double the fine/punishment. On the basis of "For God sake, we told you about this happening somewhere else last month and you've just done the same thing, you're even more of an idiot than they are".

    Just my 2p's worth

    Cheers

  9. Anonymous Coward
    Anonymous Coward

    The Quality o NHS Management (example of DPA98 knowledge)

    A PCT has spun off a hospital to a respectable private organisation, but unfortunately shipped the existing HR and senior managers as well.

    New organisation not trusting anything the PCT is saying now (after finding buildings failing to comply with HSE and Fire Regs, etc.), asked for proof of eligibility to work from all staff.

    please send passports, birth certificates, etc.

    Weeks later, back comes letter to some staff, stating that some documents sent have been misplaced, and that they need to work with their line manager to locate the documents and pass them on to HR. This letter was created by the head of HR, and as they where threating to sack staff for failure to provide documents, hand signed by Cheif Exec.

    Ignoring the employment law issues.......

    What part of NHS given personal data, and lost it, do they not understand as violation of DPA, and then having the cheek to make it the responsibility of the data subject to find it again, or risk being sacked!

    If the HR dunce (sorry manager) doesn't understand the act, what chance for a lowly admin person?

  10. Anonymous Coward
    Anonymous Coward

    One not have a training scheme in place, similar to the CBT for motorcycles (keep with me here).

    Basically, you apply for a job, the job entails access to data covered under the DPA, you may possibly have a CRB, everything checks out fine and you're offered the position with a start date. However, said start date is only applicable AFTER you have been on some training.

    So, BEFORE someone starts their new job as it put into a position of responsibility with access to data, ensure they undertake some training of how to access the data and they are not able to start the job until this is completed.

    Otherwise, everything is "yes no problem, once you've started we'll organise some training.." .... "welcome to your new job, get on with a, b and c... oh training, yes that we'll get back to you on that one".

    If the organisation is registered to handle data covered under the DPA then all employees who have will have access to said data should be required to undertake training BEFORE they are given access of any kind.

    Cheers

    1. Anonymous Coward
      Anonymous Coward

      Training

      I work for an NHS body. We're required to do an "information governance" online training module once a year. And whether you complete it is one of the few things that's actually audited and actioned.

      I'm pretty cynical about the effectiveness of many of the processes we have to follow, but this is one that almost seems OK. I was always under the impression it applied across the NHS. Certainly the training is freely available. Maybe I'm wrong, or maybe someone's not doing their job.

  11. Anonymous Coward
    Anonymous Coward

    It's interesting how the thread seems to be that someone (albeit negligently) uploaded the file to the website and "should have known better".

    Given the state of IT configuration in many organisations, it would not seem at all unlikely that there was simply an unsecured share on the webserver which was wide open (no DMZ, no firewall) to the internal network.

    If, as a low level admin clerk, someone tells you "save that spreadsheet to \\thebigfileserver\myfileshares\" then you are hardly going to think "hmm, I wonder if one of the web team has created a path pointed at the file server and exposed it to the internet"?

    Similarly, the web team may have been told "yes, we need a way to publish CSVs of waiting lists statistics in accordance with the government open data policy. Where can we put them" and created a share specifically for that purpose ... which just happened to be \\thebigfileserver ...

    It's easy to see how this sort of thing falls through the cracks, when you have no proper separation of systems. So perhaps best not to just blame the staff?

    1. Dave the Cat

      @ Petboy

      "Given the state of IT configuration in many organisations, it would not seem at all unlikely that there was simply an unsecured share on the webserver which was wide open (no DMZ, no firewall) to the internal network."

      Without giving too much about the architecture away, that cannot happen. The NHS code of connection prohibits external links from anything other than the N3 network (NHS "backbone"). More info here: http://n3.nhs.uk/

  12. Anonymous Coward
    Anonymous Coward

    @dave the cat

    My ex wife was trivially able to tunnel out of the Southampton NHS network from supposedly secure locations.

    Attempts to notify the NHS were met with a head in the sand response.

    1. Anonymous Coward
      Anonymous Coward

      Re: @dave the cat

      Tunnelling out is not the same as a web document being put on display to an externally facing web server. If you want to get info out of the Trust, then you can if you put effort into it.. Given unlimited resources, it would probably be possible to completely segregate each of the several hundred (about 5-600) different systems and their clients into a set of machines (4000+, with constant churn) that are secured to exactly the right level with access restrictions appropriate to their task, while still allowing the users of those machines to do their job without constantly having to phone the service desks complaining that they don't have access needed to do their job (which is an extra cost all round, and slows everything down, resulting in missed targets, which cost the trusts even more, or worse, things getting lost in the ether and patients not receiving information they need to know).

      However, the NHS trusts aren't often highly resourced in the IT front, which means that care is put into the big things (keeping infrastructure running and as secure as it can be at that level). Staff are trained in Information Governance, which is the common sense thing of saying "Think carefully. Do you want to expose this to the world?". They're taught the ramifications, and general strategies of keeping info safe.

      Attempting to notify the NHS? Did you talk to the DoH? The Trust? Did you raise a job with the service desk and chase up the progress? Did she raise it on the Trust's risk register? "Notifying the NHS" is a very fuzzy thing to say.. If it's on the correct risk register, and isn't being actioned, the chances are that effort is currently being put into keeping things running and not grinding to a halt, so the risk of a trained individual deliberately disclosing information via a tunnel is less than that of taking sysadmins out of the regular, overloaded roles to find out how far the rabbit hole of consequences goes for those workstations and isolating them further, and having the infrastructure fail as it's not being looked after.

      I assume your solution would be "hire someone to do that". Great. Most places are having head count cut, not increased. Or would you fire several other people doing other jobs to fund that, and shift the risk to other areas?

This topic is closed for new posts.

Other stories you might like