ICO fines NHS trust £185K for publicly airing personnel files

A health trust that exposed the private details of 6,574 members of staff on its website has been fined £185,000 by UK data privacy watchdogs. Blackpool Teaching Hospitals NHS Foundation Trust inadvertently published workers’ confidential data including their National Insurance number, date of birth, religious beliefs and …

  1. JimmyPage Silver badge

    religious beliefs and sexual orientation

    it took a further five months to alert affected staff, who had been left at heightened risk of identity theft and other scams as a result of their employer's data handling incompetence.

    Sorry, given the number of fundamentalist knuckle draggers out there, I'd say - depending what those two fields held - that identity theft would be the *last* of my worries.

  2. Known Hero
    Flame

    I'm sorry

    But why the F*CK can we not fire somebody?!?!?!?

    Why are we fining ourselves and allowing them to rinse and repeat!

    1. Stu J

      Re: I'm sorry

      If it's not the NHS, it's the councils losing their own taxpayers' data, then paying the fine with...their taxpayers' taxes...

      Sod firing them, let's start with jail time for the execs at the top. And work down the chain. And until each level in the chain can prove that they've done everything possible to prevent data breaches, in terms of systems, policies, and training, only then does the lowly minion who actually copied the stuff onto a USB stick and left it on a train get jail time.

      It's the only way the decision makers will ever take it seriously.

      And no taxpayer funded body should EVER be fined, no matter what they do. It should always be someone either losing their job, or going to prison.

      1. Ledswinger Silver badge

        Re: I'm sorry

        And no taxpayer funded body should EVER be fined, no matter what they do. It should always be someone either losing their job, or going to prison.

        In which case, they should get in somebody like you, sunshine. Somebody who's never pressed the return key and thought "oh fuck...". Somebody who doesn't work with insufficient resources, insufficient management support. Somebody so perfect they're never going to make a mistake.

        This breach is bad. Somebody should be for the high jump. But proving who is actually at fault is going to be very difficult, so the chances are that a peon like you or me will be the one taking the heat, not the managers who wouldn't pay for it, took a wrong IT management decision, or simply outsourced it to their spivvy mate.

        Given that actually murdering somebody only gets you six years chokey these days, how long do you think losing a bit of data is going to merit?

    2. John 110
      Thumb Up

      Re: I'm sorry

      Because when you fire somebody, you get a new somebody who'll just go and make the same stupid mistake again. The real answer is to remove a non-typing finger (you know the one!!) and turn the debacle into a learning opportunity.

      That's the NHS way!

      1. Sam Haine

        Re: I'm sorry

        "Because when you fire somebody, you get a new somebody who'll just go and make the same stupid mistake again. The real answer is to remove a non-typing finger (you know the one!!) and turn the debacle into a learning opportunity."

        Docking a percentage of the pay of all the individuals responsible (all the way up the corporate hierarchy) would help to concentrate the minds of those who need to learn and save the NHS money. Win/win!

  3. Pete4000uk

    Why do they need to know

    Whether I sleep with guys or girls?

    1. frank ly Silver badge

      Re: Why do they need to know

      There is a legal requirement to give equal opportunities regardless of religious belief and sexual orientation. Also, as a publicly funded body, the NHS has made commitments to these principles. How can they prove that they have given equal opportunities, for compliance checks and flag waving? Simple: they note, record, analyse, (and publish) these data metrics about their staff.

      (However, I have a feeling that if you said that you're a pansexual Pastafarian, your career wouldn't go very far.)

      1. Warm Braw Silver badge

        Re: Why do they need to know

        > legal requirement to give equal opportunities

        Certainly noteworthy that they're only interested in "equal opportunities" as long as they're legally-mandated.

        I worked, briefly, for another large public sector organisation and had to sit through a morning of patronising equal-opportunities platitudes on joining, emphasising how committed the entire organisation was to equality and diversity of all kinds and how intolerant of transgressions. Several weeks later, they had to overhaul their entire retirement policy because of its palpable discrimination against older workers - which said organisation had hitherto been perfectly happy with - as that discrimination was about to become illegal and therefore would become a matter of compliance.

        It's all just about ticking boxes.

  4. s. pam
    FAIL

    Then how fucking much will the

    fine be for selling patient data to Google? Of all companies not to trust with sensitive data, it's Google.

    Merge NHS ineptitude with the evils of Google = people going to get seriously violated!

    1. Adam 52 Silver badge

      Re: Then how fucking much will the

      None. The ICO offered the NHS an undertaking in lieu of enforcement action and gave them 6 months to think about asking for consent.

      The press release is on the ICO website.

      1. Anonymous Coward
        Anonymous Coward

        Re: Then how fucking much will the

        The only press release I see there is about the HSCIC and the DPA. Nothing about the trust who are giving the data to Google. The trust and the HSCIC are two completely different legal entities (There is no NHS, nor has there been for a long time). The trust are the data controller for their data, not the HSCIC.

    2. KeithR

      Re: Then how fucking much will the

      "Then how fucking much will the fine be for selling patient data to Google? Of all companies not to trust with sensitive data, it's Google."

      Don't know much about the DPA, do you?

      Google "Section 33".

      1. Anonymous Coward
        Anonymous Coward

        Re: Then how fucking much will the

        Google don't actually need identifiable data for the research, though; the diagnosis, the procedures, an age band etc., yes. They do not need, as New Scientist pointed out, NHS numbers, ages, dates of birth, postcodes, addresses, names etc. Therefore section 33 is not applicable. Additionally, the personal information was not gathered for the purpose of research on bulk data sets like this and it is, as such, a breach on those grounds.

        1. Uberseehandel

          Re: Then how fucking much will the

          Actually, some form of pseudo-geocode is required to discover any clustering effects. As are possibly ranged ages, and genders. Detailed location information is not to be shared in any way shape or form, as it can be linked with other "non-identifying" information to reveal actual identities. I know that some TLA/FLAs use these techniques which were first demonstrated several decades ago.
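The point made above, that a coarse pseudo-geocode plus an age band can still support clustering analysis while full postcode plus date of birth can be linked back to individuals, can be checked with a k-anonymity calculation over the quasi-identifier columns. The following is an added example, not code from the article or from any commenter: the staff-style records, the postcodes and the reference date are constructed, and the column names are assumptions for the illustration.

```python
from collections import Counter
from datetime import date

# Constructed "de-identified" records (no names, no NI or NHS numbers).
# All values are made up for this example.
RECORDS = [
    {"postcode": "FY3 8NR", "dob": date(1978, 4, 12), "sex": "F", "diagnosis": "asthma"},
    {"postcode": "FY3 8NR", "dob": date(1981, 9, 30), "sex": "F", "diagnosis": "asthma"},
    {"postcode": "FY3 9QX", "dob": date(1979, 1, 2), "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "FY3 9QX", "dob": date(1979, 6, 17), "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "FY1 4AB", "dob": date(1990, 11, 5), "sex": "F", "diagnosis": "asthma"},
    {"postcode": "FY1 4AB", "dob": date(1988, 2, 23), "sex": "F", "diagnosis": "migraine"},
    {"postcode": "FY4 2ZZ", "dob": date(1955, 3, 3), "sex": "M", "diagnosis": "asthma"},
]

# Fixed reference date so the age bands are deterministic (constructed).
REFERENCE_DATE = date(2016, 1, 1)


def _class_key(record, quasi_ids):
    return tuple(record[q] for q in quasi_ids)


def k_anonymity(records, quasi_ids):
    """Smallest equivalence-class size over the given quasi-identifier columns.

    k == 1 means at least one record is unique on those columns, so anyone
    holding the same columns from another source (electoral roll, a breach
    dump, a social profile) can single that person out.
    """
    classes = Counter(_class_key(r, quasi_ids) for r in records)
    return min(classes.values())


def age_on(dob, on):
    """Whole years between dob and the reference date."""
    birthday_passed = (on.month, on.day) >= (dob.month, dob.day)
    return on.year - dob.year - (0 if birthday_passed else 1)


def generalise(record):
    """Coarsen the quasi-identifiers: outward postcode (a pseudo-geocode good
    enough for clustering) instead of the full unit postcode, and a 10-year
    age band instead of date of birth. Other columns are kept as they are."""
    age = age_on(record["dob"], REFERENCE_DATE)
    band_start = age - age % 10
    out = dict(record)
    out["geocode"] = record["postcode"].split()[0]
    out["age_band"] = f"{band_start}-{band_start + 9}"
    del out["postcode"], out["dob"]
    return out


def suppress_small_classes(records, quasi_ids, k_min):
    """Drop every record whose equivalence class is smaller than k_min, the
    usual last step when generalisation alone leaves a few outliers unique."""
    classes = Counter(_class_key(r, quasi_ids) for r in records)
    return [r for r in records if classes[_class_key(r, quasi_ids)] >= k_min]


if __name__ == "__main__":
    raw_qids = ["postcode", "dob"]
    coarse_qids = ["geocode", "age_band", "sex"]
    print("k on full postcode + dob:", k_anonymity(RECORDS, raw_qids))
    coarse = [generalise(r) for r in RECORDS]
    print("k on outward postcode + age band + sex:", k_anonymity(coarse, coarse_qids))
    safe = suppress_small_classes(coarse, coarse_qids, 2)
    print("records kept after suppression:", len(safe),
          "k:", k_anonymity(safe, coarse_qids))
```

On this constructed set every record is unique on full postcode plus date of birth (k = 1), the coarsened columns leave only the single 60-69 record in FY4 exposed, and suppressing classes smaller than 2 gives a release with k = 2 while keeping the geography and age structure a clustering study needs. k-anonymity only addresses singling out: if everyone in a class shares the same diagnosis, the sensitive value is still disclosed, which is why l-diversity or similar checks on the sensitive columns belong alongside this one.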

  5. cantankerous swineherd Silver badge
    Black Helicopters

    "commitment to publish annual equality and

    diversity metrics" I've always passed on these questions because I'm paranoid.

    1. allthecoolshortnamesweretaken Silver badge

      Would you tick the 'Yes, I'm paranoid' box on a survey form?

      1. Vic

        Would you tick the 'Yes, I'm paranoid' box on a survey form?

        Why do you want to know?

        Vic.

  6. Anonymous Coward
    Anonymous Coward

    And when notified, which are you expected to change from "National Insurance number, date of birth, religious beliefs and sexual orientation"?

    1. Anonymous Coward
      Anonymous Coward

      People change their dates of birth all the time... judging from their given age and pictures on dating sites.

  7. TDog

    There is a huge difference between inadvertently and incompetently. If it is your job to prevent this, then should you fail, you probably are incompetent and should be sacked. Exactly how many people have been sacked?

    Ex NHS Trust IT Director (and Executive Board Member)
