ICO slaps £40,000 fine on GP practice for disclosing patient information in error

Subject access requests – a warning. Watch out for third party data in your records.

The GP practice, from Hitchin, is paying the hefty penalty for wrongfully revealing 62 pages of confidential details about a woman and her family to her estranged ex-partner.

The ex-partner asked to see the medical records of the former couple’s son. Staff at the GP practice disclosed the notes, which also contained the woman’s contact details as well as information relating to her parents and another child not related to the ex-partner. This was despite express warnings from the woman to staff to protect her confidential details.

The reputational and financial consequences (not to mention the effect on patients) of a wrongful disclosure are incalculable. Such a data security breach could so easily have been avoided. According to the Information Commissioner’s Office, 46 percent of all complaints made to the ICO last year were about subject access requests.

I suspect many will understand how such a mistake could so easily have happened, given real pressures of time and resources. But it shouldn’t have; there is no excuse. Most health and care organisations hold sensitive personal data and face such requests every day. Staff must be fully trained and prepared to deal with these routine requests. In this case, the ICO investigation found that the GP had “insufficient systems in place to guard against releasing unauthorised personal data to people who were not entitled to see it”.

If you have concerns about Data Protection in your Practice or would like support, the LMC offers a Data Protection Officer service. To find out more, call us on 0117 9702755 or email kelly@almc.co.uk

Author: Kelly Gast

Kelly has worked as a Data Protection Officer since September 2018 and has a wealth of experience within the health sector.

By: | 5th February 2020 | Articles