19 June, 2023
The ICO has recently published details of a reprimand it has issued against University Hospitals Dorset NHS Foundation Trust for failing to comply with the UK GDPR's security principle.
On 25 April 2023, the ICO published details of a reprimand it had issued to the Trust for inappropriately disclosing an address to a former partner. The ICO found that an address was disclosed to an ex-partner of the individual concerned, which they had wanted to withhold following previous allegations of abuse.
Article 5(1)(f) of the UK GDPR states that personal data must be "Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures". This is often known as the 'Data Security Principle' and organisations must ensure personal data is protected to ensure it is not disclosed inappropriately.
The ICO's investigation found that:
The Trust had a procedure in place where they would list the postal address of other recipients of the same piece of correspondence. This procedure resulted in the address of the individual concerned being disclosed to their ex-partner, in circumstances where there had been previous allegations of abuse.
Whilst the individual concerned had not notified the Trust that it should not disclose their address to their ex-partner, it was reasonable for them to expect that their address would not be disclosed to the ex-partner without their permission.
No process was in place to manage parental disputes and there was no system in place to flag patients in this scenario, to ensure data is not disclosed inadvertently.
The procedure of listing the postal addresses of all recipients to correspondence posed a significant risk to individuals and this risk had not previously been identified.
The ICO found that the fact that this risk had not been identified previously, and that no formal consent process was in place, meant that this incident warranted a reprimand being issued against the Trust.
Following the incident, the Trust apologised to the individual concerned and conducted an investigation into the incident. An action plan has been implemented and the Trust has undertaken a benchmarking exercise with other organisations to establish good practice for dealing with parental disputes. This includes ensuring that, where requested by a parent, clinicians would blind copy parents into correspondence.
The ICO has also recommended that the Trust takes the following steps to ensure its compliance with the UK GDPR:
The Trust should complete a review of its practices, incorporating any relevant learnings from the benchmarking exercise to identify any further areas of risk; and
The Trust should also ensure that areas identified by the action plan are fully implemented and subject to regular review.
A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation where the ICO considers an organisation has not complied with the UK GDPR. They may be issued by the ICO where it has found a breach of the UK GDPR but the breach is not serious enough to attract a fine. They are also commonly issued against public sector organisations in the alternative to issuing a fine which would have to be paid for out of public funds.
From December 2022, the ICO announced it would now publish details of reprimands on its website. Therefore, despite avoiding a fine, organisations may now face additional scrutiny and reputational damage as a result of a reprimand being issued. An organisation may also find the reprimand being used as evidence in claims for compensation for a data breach.
Whilst this is not a case of a reprimand being issued against an RP, there are certainly points for RPs to consider. It is not unusual for RPs to be involved in cases involving domestic violence and the relocation of tenants due to domestic violence. RPs must ensure that in such cases every care is taken to separate the records of parties involved so that there is no accidental disclosure of details to the wrong party. Given the ICO's increase in the use of reprimands, RPs will also want to ensure that all staff receive training on protecting personal data and how to recognise a data breach.
In this case, a reprimand was issued even though the individual concerned did not make a formal complaint about the unauthorised disclosure of their address. The organisation here has received a reprimand because it had simply failed to recognise the risk posed by copying recipient addresses into correspondence. The case is a reminder that organisations should always exercise caution when disclosing contact details to other parties, to ensure they have a lawful basis under data protection law to do so and, if not, to obtain consent before making the disclosure.
A full copy of the reprimand is available to view at - University Hospitals Dorset NHS Foundation Trust | ICO
For more information contact Bethany Paliga in our Housing & Regeneration department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.