An NHS Trust has been fined £185,000 by the data protection regulator after it was found to have inadvertently published the personal information of staff members online.
Some 6,574 employees of Blackpool Teaching Hospitals NHS Foundation Trust had details including dates of birth, National Insurance numbers, religious beliefs and sexual orientations published on the organisation's website in March 2014.
The error occurred as part of the Trust's efforts to increase transparency by publishing annual equality and diversity metrics on its website. However, it failed to notice that the spreadsheets containing these details also contained hidden personal data, which anyone could access simply by double-clicking the table.
The oversight went unnoticed for ten months, and even after it was brought to the Trust's attention, it was a further five months before affected staff were alerted to the breach.
Stephen Eckersley, head of enforcement at the Information Commissioner's Office, said that the Trust had "ignored their duty" to protect staff who deliver essential hospital services to others, and played "fast and loose" with the highly confidential information that was entrusted to them.
"Any measures taken to protect this information from reaching the public domain were woefully inadequate or non-existent. The fact that the error went unnoticed for so long beggars belief," he continued.
Mr Eckersley added that he can see "no good reason" why the necessary measures to safeguard against this type of disclosure were not in place, which is why the ICO opted to hit the Trust with a fine.
This is not the first time an NHS Trust has been given a financial penalty by the ICO for accidentally publishing hidden data. In 2012, Torbay NHS Trust was fined for a similar incident, while elsewhere in the public sector, Islington Council also received a fine in 2013.