UK Issues Monetary Penalty in Privacy Breach Case

The UK Information Commissioner's Office recently announced that it had fined Torbay Care Trust over $275,000 in monetary penalties for the Trust's accidental publishing of employees' personal information on its website. Information that was published was part of an equality and diversity study the company was conducting, and included birth dates, insurance numbers, ethnicity, religion and sexual orientation. According to the ICO, the information was available online for 19 weeks and was accessed approximately 300 times (32 of which was from unidentified IP addresses). Upon learning of the accidental publishing, termed a "breach" by the ICO, the company took the spreadsheet down from its website. According to the ICO, the Trust failed to take reasonable safeguards to protect the information as required under UK law, insofar as it had insufficient internal controls to prevent incidents of this kind. There were, for example, no procedures in place to govern requests to the electronic staff records systems, and the ICO felt that the system itself was not well controlled. According to the ICO, it was as a result of this lack of guidance that the incident occurred. The ICO has indicated that the Trust has put in place a new management policy to stop the accidental publishing of personal information on its website. This penalty is the third highest that the ICO has levied to-date.

TIP: This case serves as a reminder for companies to help protect themselves against accidental breaches and misuses of personal information by having clear data use policies in place. Such policies can help in jurisdictions like the UK, where failure to sufficiently protect information might lead to monetary penalties.