Blackpool hospital trust fined for posting workers' private details online
A Lancashire hospital trust has been fined £185,000 for posting the private details of thousands of members of staff on its website.
Blackpool Teaching Hospitals NHS Foundation Trust published workers' confidential data in March 2014, the Information Commissioner's Office said.
It included their sexual orientation, date of birth and religious beliefs.
The trust failed to notice the mistake for 10 months and took a further five months to alert staff, the ICO said.
Head of enforcement at the watchdog, Stephen Eckersley, said the trust had "played fast and loose with the highly sensitive and private information".
"It seems they ignored their duty to put rules in place to protect staff who deliver hospital services to others."
The breach related to information volunteered by staff as part of the trust's commitment to publish annual equality and diversity metrics on its website.
Spreadsheets were published containing confidential and sensitive personal data relating to 6,574 employees, including pay scale, National Insurance number, disabled status, ethnicity, religious belief and sexual orientation.
The trust did not notice that the spreadsheets contained hidden data that became visible by double-clicking the table, the ICO said.
The tables were accessed at least 59 times by 20 visitors while they were publicly available online and associated data was also downloaded by "persons unknown" on several occasions, according to a penalty notice published by the watchdog.
"Any measures taken to protect this information from reaching the public domain were woefully inadequate or non-existent," Mr Eckersley said.
"The fact that the error went unnoticed for so long beggars belief."
He added: "There was a need for robust measures to safeguard against this kind of disclosure. I can see no good reason for that not happening and that is why we have taken action."