ICO fines NHS trust £185K for publicly airing personnel files A health trust that exposed the private details of 6,574 members of staff on its website has been fined £185,000 by UK data privacy watchdogs. Blackpool Teaching Hospitals NHS Foundation Trust inadvertently published workers’ confidential data including their National Insurance number, date of birth, religious beliefs and …
it took a further five months to alert affected staff, who had been left at heightened risk of identity theft and other scams as a result of their employers’s data handling incompetence.
Sorry, given the number of fundamentalist knuckle draggers out there, I'd say - depending what those two fields held - that identity theft would be the *last* of my worries.
If it's not the NHS, it's the councils losing their own taxpayers' data, then paying the fine with...their taxpayers' taxes...
Sod firing them, let's start with jail time for the execs at the top. And work down the chain. And until each level in the chain can prove that they've done everything possible to prevent data breaches, in terms of systems, policies, and training, only then does the lowly minion who actually copied the stuff onto a USB stick and left it on a train get jail time.
It's the only way the decision makers will ever take it seriously.
And no taxpayer funded body should EVER be fined, no matter what they do. It should always be someone either losing their job, or going to prison.
And no taxpayer funded body should EVER be fined, no matter what they do. It should always be someone either losing their job, or going to prison.
In which case, they should get in somebody like you, sunshine. Somebody who's never pressed the return key and thought "oh fuck...". Somebody who doesn't work with insufficient resources, insufficient management support. Somebody so perfect they're never going to make a mistake.
This breach is bad. Somebody should be for the high jump. But proving who is actually at fault is going to be very difficult, so the chances are that a peon like you or me will be the one taking the heat, not the managers who wouldn't pay for it, took a wrong IT management decision, or simply outsourced it to their spivvy mate.
Given that actually murdering somebody only gets you six years chokey these days, how long do you think losing a bit of data is going to merit?
"Because when you fire somebody, you get a new somebody who'll just go and make the same stupid mistake again. The real answer is to remove a non-typing finger (you know the one!!) and turn the debacle into a learning opportunity."
Docking a percentage of the pay of all the individuals responsible (all the way up the corporate heirarchy) would help to concentrate the minds of those who need to learn and save the NHS money. Win/win!
There is a legal requirement to give equal opportunities regardless of religious belief and sexual orientation. Also, as a publicly funded body, the NHS has made commitments to these principles. How can they prove that they have given equal opportunities, for compliance checks and flag waving? Simple: they note, record, analyse, (and publish) these data metrics about their staff.
(However, I have a feeling that if you said that you're a pansexual Pastafarian, your career wouldn't go very far.)
> legal requirement to give equal opportunities
Certainly noteworthy that they're only interested in "equal opportunities" as long as they're legally-mandated.
I worked, briefly, for another large public sector organisation and had to sit through a morning of patronising equal-opportunities platitudes on joining, emphasising how commited the entire organisation was to equality and diversity of all kinds and how intolerant of transgressions. Several weeks later, they had to overhaul their entire retirement policy because of its palpable discrimination against older workers - which said organisation had hitherto been perfectly happy with - as that discrimination was about to become illegal and therefore would become a matter of compliance.
It's all just about ticking boxes.
The only press release I see there is about the HSCIC and the DPA. Nothing about the trust who are giving the data to Google. The trust and the HSCIC are two completely different legal entities (There is no NHS, nor has there been for a long time). The trust are the data controller for their data, not the HSCIC.
Google don't actually need identifiable data for the research though, the diagnosis, the procedures, an age band etc. yes. They do not need, as New Scientist pointed out, NHS numbers, ages, dates of birth, postcodes, addresses, names etc. Therefore section 33 is not applicable. Additionally the personal information was not gathered for the purpose of research on bulk data sets like this and it is, as such, a breach on those grounds.
Actually, some form of pseudo-geocode is required to discover any clustering effects. As are possibly ranged ages, and genders. Detailed location information is not to be shared in any way shape or form, as it can be linked with other "non-identifying" information to reveal actual identities. I know that some TLA/FLAs use these techniques which were first demonstrated several decades ago.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
