A Hitchin doctors’ surgery has been fined £40,000 after confidential information about a female patient and her family was given to her ex-partner.

Regal Chambers in Bancroft was handed the five-figure fine by the Information Commissioner for a breach of the Data Protection Act.

The woman’s ex-partner had requested the medical records for the former couple’s son and was supplied with 62 pages of information – including her contact details, as well as those of her parents and an older child the man was not related to.

This information was given out despite express warnings from the woman that staff should take particular care to protect her details.

Publishing the outcome of its investigation yesterday, the Information Commissioner’s Office (ICO) found that the GP practice had insufficient systems in place to guard against the unauthorised release of personal data to people who were not entitled to see it.

Steve Eckersley, the ICO’s head of enforcement, said: “Most people would be horrified to think the information they entrust to their GP was being treated with anything less than the utmost care. In this case a patient reinforced this, however her pleas went unheeded.

“When that information could have devastating consequences if released incorrectly, it is even more important that measures are robust.

“There is no doubt that releasing this information would have caused great distress to the woman, her children and the rest of her family.”

The information was released in July 2014 in response to a subject access request, a formal way of requesting information under the Data Protection Act.

The person responsible for handling the request advised the child’s GP about it but, in the absence of a sufficient written procedure, went ahead and released everything. The ICO’s investigation found staff did not receive adequate guidance or supervision about what could be disclosed or should be withheld.

Mr Eckersley added: “In failing to ensure staff were properly equipped to safeguard against unauthorised disclosures, this medical practice placed a member of its team in the firing line.

“It was unfair to expect this person to deal with the potentially devastating fall-out created by sharing personal data wrongly. GPs could have protected staff by providing proper support, training and guidance. They did not do this.”

The ICO said the fine was £40,000 because the practice’s partners would be individually liable, but most organisations would expect to receive a much larger fine due to the serious nature of the breach.

A statement issued by the surgery’s partners said: “We would like to apologise for the error that occurred which resulted in third party data being shared with another third party.

“We take patient confidentiality very seriously indeed and as soon as this incident came to light, we self-referred to the Information Commissioner’s Office so that they could investigate.

“We have since provided all staff with further training and implemented new guidance in respect of the sharing of data. We would like to apologise again to the patient involved and their family.”