Personal and sensitive data of thousands of employees working for Blackpool Teaching Hospitals NHS Foundation Trust was inadvertently posted online.
The discovery was made on 30th January 2015 and reportedly affects more than 6,500 employees when a spreadsheet containing highly confidential information was published online back in March 2014.
The data included names, national insurance numbers, birth dates, religious beliefs, pay scales, disability statuses, ethnicity, and sexual orientation.
This is a serious breach of data protection and one of the worst we have ever seen here in the UK.
The information was volunteered by staff as part of equality and diversity metrics, but the data was of course supposed to be confidential. Spreadsheets were uploaded online, and a member of staff, who was looking to replicate the format of the tables, inadvertently double clicked on a pivot table which opened up the associated data to the ‘protected groups’ and ‘equality pay bands’ spreadsheet which were freely accessible.
Following investigations it has been revealed that the data has been accessed almost 60 times and downloaded 20 times with at least some of those who downloaded the data classed as “persons unknown.” There is therefore absolutely no way of knowing for sure who has the data now, and the result of this terrible and significant mistake is a serious and extensive leak of personal information.
A serious breach
This is a serious breach that affects 6,574 current and former employees and includes highly sensitive and confidential data made available to anyone with access to the internet.
We know from previous breaches we have been involved in that such personal data can be used for fraud, as well as the mere fact that a lot of the data is extremely sensitive. The repercussions of this leak are set to be huge and our lawyers have started investigations in response.
More must be done
This is not the first time we have had to investigate serious breaches in the public sector, and this breach itself is an alarming one. Investigations with the Information Commissioners Office (ICO) found that the team handling the data had no idea that the hidden information could still be accessed. It was also found that training was not provided and there was no guidance in place to check whether hidden data could still be made available.
At the end of the day this breach has stemmed from a very simple error that has arisen from a lack of knowledge in the use of data on excel spreadsheets. Given the nature of the data that has been leaked, there is simply no excuse for this happening.
In a word from our team:
“We have the tools and guidance necessary to abide by legislation, yet time and time again organisations fail to adhere to their duties. These simple errors that end up being hugely costly need to be ironed out – these breaches are happening almost continually nowadays.”
Have you been affected?
You are entitled to claim for compensation as a victim of the Blackpool NHS breach so please contact us if you would like any advice.