A GP Practice has been fined £40,000 by the Information Commissioner's Office for disclosing a woman's confidential details to her ex-husband. The case highlights the importance for data controllers to ensure that they have adequate written procedures in place to comply  with their obligations under the Data Protection Act 1998.


A mother and father divorced in acrimonious circumstances. The mother asked her GP Practice not to reveal her whereabouts to the father. Her address was recorded on their son's medical record.

The father made a subject access request for the son's medical record. Four days later, an individual at the Practice sent all of the son's medical records to the father. The records contained confidential information and sensitive personal data relating to the mother her wider family (who were not related to the father). The records also contained child protection reports compiled by the Police and correspondence with Social Services.


The ICO was satisfied that the Practice had failed to ensure that it had in place appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data. This was a serious contravention of the seventh data protection principle of the Data Protection Act 1998. The Practice did not have an adequate written procedure for handling subject access requests, it did not sufficiently supervise the person handling the request and it did not physically check the information which was being sent to the father. The Practice should have been aware of the importance of distinguishing between information which should be disclosed and information which should be withheld.

The ICO also found that the Practice should have known that the contravention was likely to cause substantial damage or distress to those affected by the breach. Although the Practice may not have deliberately contravened the DPA, the ICO considered that the inadequacies were a serious oversight.


When considering whether to issue a fine, the ICO accepted that the Practice had acted promptly to ensure that staff members would be properly supervised, the Practice had referred the incident to the ICO and it had co-operated with the ICO's investigation. However, the ICO's underlying objective in imposing fines is to promote compliance with the DPA and the Commissioner considered that this was an opportunity to reinforce the need for GP Practice's to ensure that they have complied with the seventh data protection principle before disclosing information in response to a subject access request.

The ICO currently has the power to fine data controllers up to £500,000. The fine of £40,000 reflects the fact that the Practice's partners are individually liable for the fine. The ICO has warned that most organisations should expect to receive a much larger for a similar DPA breach.


This case highlights the importance for data controllers to have sufficient technical and organisational procedures in place to minimise their risk of breaching the DPA. If the Practice had written processes in place for dealing with subject access requests which were actively followed by its staff, not only would the risk of a breach have been significantly reduced, the Practice may have avoided a fine if a breach had occurred in spite of adequate procedures.

Bevan Brittan's Information Law Team specialise in drafting technical and organisational data protection procedures, assisting data controllers with handling complex subject access requests and providing tailored staff training on data protection compliance.  If your organisation would like help to ensure compliance with the DPA, please contact Emma Godding, Jonathan Moore or Joanna Smart.

Our use of cookies

We use necessary cookies to make our site work. We'd also like to set optional analytics cookies to help us improve it. We won't set optional cookies unless you enable them. Using this tool will set a cookie on your device to remember your preferences. For more detailed information about the cookies we use, see our Cookies page.

Necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytics cookies

We'd like to set Google Analytics cookies to help us to improve our website by collection and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone.
For more information on how these cookies work, please see our Cookies page.