A serious data leak occurred at a GP surgery which resulted in an ICO investigation and a fine.
Mr A was the estranged ex-partner of the mother of his 5-year-old son (Child B). The practice had been warned by the child’s mother not to let Mr A know the whereabouts of Child B and her family because of family problems. This warning was noted on the child’s medical records.
However, Mr A made a request to have the child’s medical records and provided a court order to show that he had parental responsibility. The practice did not have an adequate written procedure on how to deal with such a case, which resulted in Mr A being sent all of Child B’s medical records four days after the request had been made.
The medical records contained sensitive personal information, such as the contact details of Child B’s mother, her parents’ information, and information about Child C, who was not a blood relative of Mr A. Child protection reports and correspondence with social services were also included.
Mr A then filed these documents, including the child’s medical records, in court proceedings between the parties, which is how the mother of Child B came to receive them.
What the court found…
The court found that the Practice had failed to take appropriate organisational measures against the unauthorised processing of personal data, contrary to the Data Protection Act.
The practice did not have an adequate written procedure for requests such as the one in this case. The person in charge of the disclosure process received no guidance or supervision that would have enabled them to distinguish what information should and should not have been disclosed.
The Commissioner considered it a serious breach because of the highly sensitive nature of the information disclosed, and held that the practice should have taken steps to ensure that such failures did not happen.
The practice faces a monetary penalty
Disclosing all of Child B’s records to Mr A, together with the third-party information they contained, amounted to a serious data breach. The disclosure was likely to cause distress; the practice should have foreseen what could happen and assessed steps to prevent those risks.
Given the circumstances, it was decided that a monetary penalty should be imposed on the practice, on the basis that a penalty would deter such occurrences in the future.
The practice must take steps to ensure this does not happen again, such as not leaving individual staff members solely responsible for such disclosures. The fine imposed on the practice was £40,000.
The practice must pay the fine by 8th September 2016, and the money will go into the Government’s general bank account at the Bank of England. If the fine is paid by 7th September 2016, a 20% reduction applies.