03 May, 2023
The ICO has recently published details of a reprimand it has issued against University Hospitals Dorset NHS Foundation Trust for failing to comply with the UK GDPR's security principle.
On 25 April 2023, the ICO published details of a reprimand it had issued to the Trust for inappropriately disclosing an address to a former partner. The ICO found that an address was disclosed to an ex-partner of the individual concerned, which they had wanted to withhold following previous allegations of abuse.
Article 5(1)(f) of the UK GDPR states that personal data must be "Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures". This is often known as the 'Data Security Principle' and organisations must ensure personal data is protected to ensure it is not disclosed inappropriately.
The ICO's Findings
The ICO's investigation found that:
The ICO found that, because this risk had not been identified previously and no formal consent process was in place, the incident warranted a reprimand being issued against the Trust.
Following the incident, the Trust apologised to the individual concerned and conducted an investigation into the incident. An action plan has been implemented and the Trust has undertaken a benchmarking exercise with other organisations to establish good practice for dealing with parental disputes. This includes ensuring that, where requested by a parent, clinicians would blind copy parents into correspondence.
The ICO has also recommended that the Trust takes the following steps to ensure its compliance with the UK GDPR:
A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation where the ICO considers an organisation has not complied with the UK GDPR. They may be issued by the ICO where it has found a breach of the UK GDPR but the breach is not serious enough to attract a fine. They are also commonly issued against public sector organisations in the alternative to issuing a fine which would have to be paid for out of public funds.
In December 2022, the ICO announced that it would publish details of reprimands on its website. Therefore, despite avoiding a fine, organisations may now face additional scrutiny and reputational damage as a result of a reprimand being issued. An organisation may also find the reprimand being used as evidence in claims for compensation for a data breach.
In this case, a reprimand was issued even though the individual concerned did not make a formal complaint about the unauthorised disclosure of their address. The organisation here has received a reprimand because it had simply failed to recognise the risk posed by copying recipient addresses into correspondence. The case is a reminder that organisations should always exercise caution when disclosing contact details to other parties, to ensure they have a lawful basis under data protection law to do so and, if not, to obtain consent before making the disclosure.
A full copy of the reprimand is available to view here.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.