Blackpool hospital trust has been fined for posting workers’ details online, according to the BBC. The error arose due to “hidden” data – what lessons should be learnt?
Firstly, thanks to Ray Butler, who posted this on Eusprig; a wider discussion can be found on their discussion board. As the following extract from the BBC article shows, the mistake was not only expensive, costing the trust £189,000, but also embarrassing, and it potentially caused real distress to those whose names were divulged:
“Spreadsheets were published containing confidential and sensitive personal data relating to 6,574 employees, including pay scale, National Insurance number, disabled status, ethnicity, religious belief and sexual orientation.
The trust did not notice that the spreadsheets contained hidden data that became visible by double-clicking the table, the ICO said.
The tables were accessed at least 59 times by 20 visitors while they were publicly available online and associated data was also downloaded by ‘persons unknown’ on several occasions, according to a penalty notice published by the watchdog.”
In commenting on this, I will limit myself to plugging a familiar theme of these pages: this issue, although not a spreadsheet issue per se, would have been picked up by a rigorous implementation of the ICAEW’s 20 principles for good spreadsheet practice, particularly:
PRINCIPLE 3: Ensure that everyone involved in the creation or use of spreadsheets has an appropriate level of knowledge and competence.
We believe that adopting the principles is a great first step for any organisation concerned that a lack of management and control over the use of spreadsheets is a major risk issue.
themodelauditor.com is the blogsite of the Mazars model audit team. As well as being a leading provider of model review services, we provide a “health check” service giving assurance and advice on the management and control of spreadsheets.