ICO Issues Reprimand For Disclosure Of Address To Ex-Partner

Published: May 3rd, 2023

The ICO has recently published details of a reprimand it has issued against University Hospitals Dorset NHS Foundation Trust for failing to comply with the UK GDPR's security principle.

On 25 April 2023, the ICO published details of a reprimand it had issued to the Trust for inappropriately disclosing an address to a former partner. The ICO found that the address of the individual concerned, which they had wanted to withhold following previous allegations of abuse, was disclosed to their ex-partner.

The Law

Article 5(1)(f) of the UK GDPR states that personal data must be "Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures". This is often known as the 'Data Security Principle', and organisations must protect personal data so that it is not disclosed inappropriately.

The ICO's Findings

The ICO's investigation found that:

  • The Trust had a procedure in place where they would list the postal address of other recipients of the same piece of correspondence. This procedure resulted in the address of the individual concerned being disclosed to their ex-partner, in circumstances where there had been previous allegations of abuse.
  • Whilst the individual concerned had not notified the Trust that it should not disclose their address to their ex-partner, it was reasonable for them to expect that their address would not be disclosed to the ex-partner without their permission.
  • No process was in place to manage parental disputes and there was no system in place to flag patients in this scenario, to ensure data is not disclosed inadvertently.
  • The procedure of listing the postal addresses of all recipients to correspondence posed a significant risk to individuals and this risk had not previously been identified.

The ICO found that, because this risk had not been identified previously and no formal consent process was in place, the incident warranted a reprimand being issued against the Trust.

Lessons Learned

Following the incident, the Trust apologised to the individual concerned and conducted an investigation into the incident. An action plan has been implemented and the Trust has undertaken a benchmarking exercise with other organisations to establish good practice for dealing with parental disputes. This includes ensuring that, where requested by a parent, clinicians would blind copy parents into correspondence.

The ICO has also recommended that the Trust take the following steps to ensure its compliance with the UK GDPR:

  • The Trust should complete a review of its practices, incorporating any relevant learnings from the benchmarking exercise to identify any further areas of risk; and
  • The Trust should also ensure that areas identified by the action plan are fully implemented and subject to regular review.

Consequences of a Reprimand

A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation where the ICO considers an organisation has not complied with the UK GDPR. Reprimands may be issued where the ICO has found a breach of the UK GDPR but the breach is not serious enough to attract a fine. They are also commonly issued against public sector organisations as an alternative to issuing a fine, which would have to be paid for out of public funds.

From December 2022, the ICO announced it would now publish details of reprimands on its website. Therefore, despite avoiding a fine, organisations may now face additional scrutiny and reputational damage as a result of a reprimand being issued. An organisation may also find the reprimand being used as evidence in claims for compensation for a data breach.

Conclusion

In this case, a reprimand was issued even though the individual concerned did not make a formal complaint about the unauthorised disclosure of their address. The organisation here has received a reprimand because it had simply failed to recognise the risk posed by copying recipient addresses into correspondence. The case is a reminder that organisations should always exercise caution when disclosing contact details to other parties, to ensure they have a lawful basis under data protection law to do so and, if not, to obtain consent before making the disclosure.

A full copy of the reprimand is available to view here.

© 2024 Forbes Solicitors is the trading name of Forbes Solicitors LLP Offices in Preston, Manchester, Salford, Blackburn, Blackpool, London and Leeds UK Main Office: Rutherford House, 4 Wellington Street (St Johns), Blackburn, Lancashire, BB1 8DD • Vat No: 174 394 344 Forbes Solicitors is authorised and regulated by the Solicitors Regulation Authority (SRA No. 816356). Details of the SRA’s Standards and Regulations can be found here. Authorised and regulated by the Financial Conduct Authority.