A GP Practice has been fined £40,000 by the Information Commissioner's Office for disclosing a woman's confidential details to her ex-husband. The case highlights the importance of data controllers having adequate written procedures in place to comply with their obligations under the Data Protection Act 1998.
A mother and father divorced in acrimonious circumstances. The mother asked her GP Practice not to reveal her whereabouts to the father. Her address was recorded on their son's medical record.
The father made a subject access request for the son's medical record. Four days later, an individual at the Practice sent all of the son's medical records to the father. The records contained confidential information and sensitive personal data relating to the mother and her wider family (who were not related to the father). The records also contained child protection reports compiled by the Police and correspondence with Social Services.
THE ICO'S DECISION
The ICO was satisfied that the Practice had failed to ensure that it had in place appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data. This was a serious contravention of the seventh data protection principle of the Data Protection Act 1998. The Practice did not have an adequate written procedure for handling subject access requests, it did not sufficiently supervise the person handling the request and it did not physically check the information which was being sent to the father. The Practice should have been aware of the importance of distinguishing between information which should be disclosed and information which should be withheld.
The ICO also found that the Practice should have known that the contravention was likely to cause substantial damage or distress to those affected by the breach. Although the Practice may not have deliberately contravened the DPA, the ICO considered that the inadequacies were a serious oversight.
When considering whether to issue a fine, the ICO accepted that the Practice had acted promptly to ensure that staff members would be properly supervised, that the Practice had referred the incident to the ICO, and that it had co-operated with the ICO's investigation. However, the ICO's underlying objective in imposing fines is to promote compliance with the DPA, and the Commissioner considered that this was an opportunity to reinforce the need for GP Practices to ensure that they have complied with the seventh data protection principle before disclosing information in response to a subject access request.
The ICO currently has the power to fine data controllers up to £500,000. The fine of £40,000 reflects the fact that the Practice's partners are individually liable for the fine. The ICO has warned that most organisations should expect to receive a much larger fine for a similar DPA breach.
This case highlights the importance for data controllers of having sufficient technical and organisational procedures in place to minimise their risk of breaching the DPA. If the Practice had had written processes for dealing with subject access requests which were actively followed by its staff, not only would the risk of a breach have been significantly reduced, but the Practice might also have avoided a fine had a breach occurred in spite of those adequate procedures.
Bevan Brittan's Information Law Team specialise in drafting technical and organisational data protection procedures, assisting data controllers with handling complex subject access requests and providing tailored staff training on data protection compliance. If your organisation would like help to ensure compliance with the DPA, please contact Emma Godding, Jonathan Moore or Joanna Smart.