Tuesday, 7 August 2012

A healthcare nightmare

There’s a really nice picture on the front page of the website of the Torbay & South Devon Healthcare NHS Trust today. It features a group of people most generously donating £1,018.57 to the Make a Wish Foundation to improve the lives of local sick people. I know the area. It’s quite close to where I was born. And charities like this need all the support they can get.

How ironic it is that, yesterday, an ICO press release announced that the Trust will face a Civil Monetary Penalty of £175,000 (reduced to £140,000 if it pays before 31 August) because sensitive personal details of 1,373 staff were inadvertently published on their website.

As the ICO explains, the information was published in April 2011, but the mistake was only spotted when it was reported by a member of the public 19 weeks later. The data covered the equality and diversity responses of the staff and included individuals’ names, dates of birth and National Insurance numbers, along with sensitive information about the person’s religion and sexuality.

The Monetary Penalty Notice acknowledges that during the 19 weeks, the Trust’s website received 21,000 visits, and the web page containing the sensitive information received approximately 300 visits. While it was not possible to establish how often the actual spreadsheet was accessed by the public, some 32 of the visits were from unidentified IP addresses.
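The notice above describes a leak that sat unnoticed on a public website for 19 weeks and then had to be reconstructed from web logs. As an added example, not code from the post or from the Trust, the Python below shows the two checks a defender would want in place: a scan of the published tree for the data classes the notice names (National Insurance numbers and dates of birth, using a simplified NI pattern that is an assumption), and a per-client count of successful downloads of a given file from access-log lines. Every file path, file content and log line is constructed; the IP addresses are from the documentation ranges, not real visitors.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Data classes the ICO notice says were exposed. Assumption: a simplified UK
# National Insurance number shape (two letters, six digits, suffix A-D, with the
# letters the scheme never uses excluded) and dd/mm/yyyy dates of birth.
NI_NUMBER = re.compile(r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b")
DATE_OF_BIRTH = re.compile(r"\b\d{2}/\d{2}/(?:19|20)\d{2}\b")

# Constructed sample of a published web root: one file that should never have gone live.
SAMPLE_SITE = {
    "Pages/home.html": "<html><body>Welcome to the Trust</body></html>",
    "Documents/equality-survey-2011.csv": (
        "name,dob,ni_number,religion\n"
        "A. Example,01/02/1970,AB123456C,none\n"
        "B. Example,15/11/1985,CE654321A,none\n"
    ),
    "Documents/car-park-charges.txt": "Car park charges from 1 April 2011",
}

# Constructed access-log lines in Common Log Format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2011:09:14:02 +0100] "GET /Pages/home.aspx HTTP/1.1" 200 5123
203.0.113.7 - - [12/May/2011:09:14:30 +0100] "GET /Documents/equality-survey-2011.csv HTTP/1.1" 200 20480
198.51.100.23 - - [03/Jun/2011:17:02:11 +0100] "GET /Documents/equality-survey-2011.csv HTTP/1.1" 200 20480
198.51.100.23 - - [03/Jun/2011:17:05:40 +0100] "GET /Documents/equality-survey-2011.csv HTTP/1.1" 304 -
192.0.2.44 - - [20/Jul/2011:11:41:09 +0100] "GET /Documents/equality-survey-2011.csv HTTP/1.1" 404 512
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def build_sample_site(root):
    """Write the constructed sample files under root (a directory path)."""
    for rel, text in SAMPLE_SITE.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)


def scan_web_root(root):
    """Return {relative path: {"ni_numbers": n, "dates": m}} for every file in the
    published tree that contains at least one NI number or dd/mm/yyyy date."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(errors="ignore")
        ni = len(NI_NUMBER.findall(text))
        dates = len(DATE_OF_BIRTH.findall(text))
        if ni or dates:
            findings[path.relative_to(root).as_posix()] = {"ni_numbers": ni, "dates": dates}
    return findings


def downloads_of(log_lines, target_path):
    """Count successful (HTTP 200) requests for target_path per client IP.
    Conditional 304 replies and 404s are not counted as downloads."""
    by_ip = Counter()
    for line in log_lines:
        match = LOG_LINE.match(line)
        if match and match.group("path") == target_path and match.group("status") == "200":
            by_ip[match.group("ip")] += 1
    return by_ip


def demo():
    """Run both checks against the constructed data and return the results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        findings = scan_web_root(root)
    downloads = downloads_of(SAMPLE_LOG.splitlines(), "/Documents/equality-survey-2011.csv")
    return {"findings": findings, "downloads": dict(downloads)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The scan is the check that would have caught the spreadsheet on the day it was uploaded rather than 19 weeks later; running it against the web root on every publish, or as a scheduled job, turns a member of the public's report into an internal alert. The log count only answers the question the notice says could not be answered if the server logs individual file requests and the logs are retained for the whole exposure window, so retention is the setting to verify before an incident, not after.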

So, in this case we have a situation where something has evidently gone wrong, but it took 19 weeks before anyone in authority realised. All affected staff received an apology and compensation was evidently offered. No member of staff has apparently complained. The Trust voluntarily disclosed the incident, a full investigation took place and remedial action was taken, and the Trust was fully co-operative with the Commissioner’s Office.

And still, the Trust gets a fine of this size. I just don’t understand how the ICO can argue that the incident was “of a kind likely to cause substantial damage or substantial distress” - which is the statutory test which must be applied - when, evidently, no victim did complain. And these victims have had some 10 months to complain since the incident was reported. Give me evidence-based regulation any time.

But, every cloud has a silver lining.

Hopefully, it will inspire people in similar situations to pick up the phone and call me to explain that they’re in a bit of a mess and they want some help improving their data protection standards before they dare phone the Information Commissioner’s Office. Bad news like this is always good for business.

Also, it will act as an additional incentive to those plucky charity workers in the Torbay and South Devon area to inspire Devonians to dig even deeper in their pockets to replenish the funds that, if spent on healthcare, would certainly have gone some way to improve the lives of local sick people.


http://www.torbaycaretrust.nhs.uk/Pages/home.aspx (And no, the website doesn’t mention the ICO’s Civil Monetary Penalty - yet)