Private information and data posted online by Blackpool Teaching Hospitals NHS Foundation Trust

11th May 2016 Media Law

Blackpool Teaching Hospitals NHS Foundation Trust has been fined £185,000 for posting private information relating to 6,574 members of staff online. The fine was imposed by the Information Commissioner's Office (ICO), the organisation responsible for upholding the data privacy rights of individuals.

Much of the information inadvertently published by the Trust was of a sensitive nature, and included the National Insurance numbers, religious beliefs and sexual orientation of the staff involved. The data was published online in March 2014. However, the error was not spotted until the following year, when the breach was discovered on 30 January 2015.

The Trust is obliged to publish equality and diversity data on an annual basis. In January 2015 the task of compiling the statistics from the previous year began. As part of this process a member of the Trust's electronic staff records team visited the Trust's website to view the format of the data used in the previous year. The team member inadvertently double-clicked on one of the tables displayed, and discovered that there were links to spreadsheets containing personal data. The Trust had not been aware that this 'hidden' data could be accessed in this manner.

These spreadsheets were publicly available for 11 months, during which time the personal data was downloaded on numerous occasions by unknown individuals. Although the breach was discovered in January 2015, the staff members affected were not notified by the Trust until May 2015.

Organisations such as the Trust have a legal duty imposed by the Data Protection Act 1998 (DPA) to take steps to avoid unlawful or unauthorised processing of personal data. The ICO has the power to impose monetary penalties in cases where there has been a serious contravention of the DPA and the contravention was of a kind likely to cause substantial damage or distress. This can apply even in cases where the breach was unintentional.

The ICO found that although the Trust did not deliberately ignore the DPA, the issue was caused by a combination of inadequate training and lack of appropriate procedures. The Trust had failed to take appropriate organisational measures to protect against the unauthorised processing of personal data and a fine was therefore appropriate.

The Information Commissioner appears keen to encourage other organisations to avoid the Trust's mistakes. He states in the published penalty notice that the financial penalty 'would act as an encouragement to ensure that such deficiencies are not repeated elsewhere.'

This case may give rise to issues relating to privacy law, breach of confidence and data protection. If you were affected by this incident and would like to discuss your legal rights, you can speak to a member of the JMW team on 0345 241 7976.

Nick McAleenan is a Partner located in Manchester in our Media & Reputation Management; Data Protection & Privacy department
