£40,000 Fine For GP Surgery With Inadequate Systems To Safeguard Personal Data

The GP practice Regal Chambers, in Hitchin, Hertfordshire, has been fined £40,000 by the Information Commissioner for leaking confidential information about a woman and her family to her estranged ex-partner. Despite express warnings from the woman that staff should take particular care to protect her details, a 62-page document was provided after her ex-partner made a request for the medical records of the former couple’s son. The document included not only this information but also the woman’s contact details, as well as those of her parents and of an older child to whom the man was not related.

An ICO investigation found that the GP practice had insufficient systems in place to guard against the unauthorised release of personal data to people who were not entitled to see it. This was a breach of the Data Protection Act. The information was released in July 2014 in response to a Subject Access Request, a formal way of requesting information under the Data Protection Act. The person responsible for handling the request advised the child’s GP about it but, in the absence of a sufficient written procedure, went ahead and released everything. The ICO’s investigation found that staff did not receive adequate guidance or supervision about what could be disclosed and what should be withheld.

Steve Eckersley, the ICO’s Head of Enforcement, commented: “In failing to ensure staff were properly equipped to safeguard against unauthorised disclosures, this medical practice placed a member of its team in the firing line. It was unfair to expect this person to deal with the potentially devastating fall-out created by sharing personal data wrongly. GPs could have protected staff by providing proper support, training and guidance. They did not do this.”

It is important to note that anyone who processes personal information must comply with the eight principles of the Data Protection Act, which seek to ensure that personal information is:

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate and up to date;
  • not kept for longer than is necessary;
  • processed in line with the rights of the data subject;
  • secure; and
  • not transferred to other countries without adequate protection.

Forbes Solicitors regularly advise a range of clients on requests for disclosure of information, whether under the DPA, FOIA or DBS. If you would like more information, please contact Daniel Milnes.
