A GP practice that revealed confidential details about a woman and her family to her estranged ex-partner has been fined £40,000. The practice gave out the information despite express warnings from the woman that staff should take particular care to protect her details.
The information was provided in response to a Subject Access Request the ex-partner made for the medical records of the former couple’s son.
Staff at the practice responded with 62 pages of information that included the woman’s contact details as well as those of her parents and an older child the man was not related to.
The ICO’s investigation found staff did not receive adequate guidance or supervision about what could be disclosed or should be withheld, and that the practice had insufficient systems in place to guard against releasing unauthorised personal data to people who were not entitled to see it.
The ICO said: “In failing to ensure staff were properly equipped to safeguard against unauthorised disclosures, this medical practice placed a member of its team in the firing line. It was unfair to expect this person to deal with the potentially devastating fall-out created by sharing personal data wrongly. GPs could have protected staff by providing proper support, training and guidance. They did not do this.”
NB: The ICO has said it issued a fine of ‘only’ £40,000 because the practice’s partners would be individually liable and that most organisations would expect to receive a much larger fine.
Do your staff receive adequate guidance and supervision about what can be disclosed in response to a Subject Access Request? Do you have sufficient systems in place to guard against releasing unauthorised personal data to people who are not entitled to see it?
We can put in place procedures and systems and train staff to prevent something similar happening at your organisation.
This article is intended for informational purposes only, so please don’t rely on it as legal advice!
We believe that data protection is about protecting people and that the four elements of data protection are trust, transparency, privacy and security. If you agree and like this page please feel free to share it.