Staff at a major NHS Foundation Trust have been informed of a data breach. The breach involved personal data contained in an email, relating to arrangements for industrial action, that was sent to around 450 managers.

The personal data, held within a hidden tab in a spreadsheet, included names, addresses, ethnicity (special category data), dates of birth, national insurance numbers, and salaries. It is understood recipients would have been able to unhide the tab and view the information, although this was considered unlikely.

The email also went to 24 external email accounts of staff. The Trust has contacted each individual to confirm deletion of the file. The Trust stated it would send a letter to each individual whose data appeared on the hidden tab.

An external review of the incident has been commissioned, and it has been referred to the Information Commissioner’s Office (ICO).

What do you need to do?
  • Ensure that your staff are aware of the need for extra vigilance in document handling, especially when sending emails.
  • Check your organisation has effective DPA 2018 processes, including recording high-risk breaches which may significantly impact on the rights and freedoms of individuals and necessitate reporting to the ICO within 72 hours.

Source: Health Service Journal (HSJ)

For further discussion and support, including data protection awareness training services, please email dpa@tiaa.co.uk