"Staff at Torbay Care Trust published the information in a spreadsheet on their website in April 2011 and only spotted the mistake when it was reported by a member of the public 19 weeks later," writes Computer Weekly's Warwick Ashford.
"The information included names, dates of birth, national insurance numbers, equality and diversity responses, along with sensitive information about religion and sexuality, for 1,373 staff members," Infosecurity reports. "ICO discovered that Torbay Care Trust has inadequate checks in place to identify information disclosure problems and no guidance for staff on what information was confidential and should not be posted on the website."
"Torbay has since introduced a new web management policy intended to ensure that personal data is not mistakenly published on its website in future," The Guardian reports.
"The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable," ICO head of enforcement Stephen Eckersley said in a statement. "Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud."
"The fine is the third largest handed out by the ICO," notes V3.co.uk's Gareth Morgan. "The largest fine of £325,000 was handed down on 1 June to Brighton and Sussex University Hospitals NHS Trust, after it sold hard drives containing highly sensitive personal data belonging to tens of thousands of patients and staff. Belfast Health and Social Care Trust received a £225,000 penalty on 19 June, following a serious breach which also led to the sensitive personal data of thousands of patients and staff being compromised."