Hitchin doctors’ surgery handed £40,000 fine after confidential information about a female patient and her family was released to ex-partner
- Credit: Archant
A Hitchin doctors’ surgery has been fined £40,000 after confidential information about a female patient and her family was given to her ex-partner.
Regal Chambers in Bancroft was handed the five-figure fine by the Information Commissioner for a breach of the Data Protection Act.
The woman’s ex-partner had requested the medical records for the former couple’s son and was supplied with 62 pages of information – including her contact details, as well as those of her parents and an older child the man was not related to.
This information was given out despite express warnings from the woman that staff should take particular care to protect her details.
Publishing the outcome of an Information Commissioner’s Office investigation yesterday, the ICO found that the GP practice had insufficient systems in place to guard against releasing unauthorised personal data to people who were not entitled to see it.
Steve Eckersley, the ICO’s head of enforcement, said: “Most people would be horrified to think the information they entrust to their GP was being treated with anything less than the utmost care. In this case a patient reinforced this, however her pleas went unheeded.
“When that information could have devastating consequences if released incorrectly, it is even more important that measures are robust.
- 1 Tranquil Turtle officially opens with dazzling launch event
- 2 Dangerous paedophile jailed for sexual abuse of vulnerable girl
- 3 Serious collision on A602 injures four
- 4 Man charged with multiple burglaries after police chase
- 5 Christmas markets return to Hitchin
- 6 Icon building planning appeal quashed after High Court review
- 7 Here are the new Covid travel rules which begin today
- 8 175-year-old primary school saved after months of uncertainty
- 9 Christmas Fayre and switch-on attracts hundreds
- 10 Does your MP support drug testing in Parliament?
”There is no doubt that releasing this information would have caused great distress to the woman, her children and the rest of her family.”
The information was released in July 2014 in response to a subject access request, a formal way of requesting information under the Data Protection Act.
The person responsible for handling the request advised the child’s GP about it but, in the absence of a sufficient written procedure, went ahead and released everything. The ICO’s investigation found staff did not receive adequate guidance or supervision about what could be disclosed or should be withheld.
Mr Eckersley added: “In failing to ensure staff were properly equipped to safeguard against unauthorised disclosures, this medical practice placed a member of its team in the firing line.
“It was unfair to expect this person to deal with the potentially devastating fall-out created by sharing personal data wrongly. GPs could have protected staff by providing proper support, training and guidance. They did not do this.”
The ICO said the fine was £40,000 because the practice’s partners would be individually liable, but most organisations would expect to receive a much larger fine due to the serious nature of the breach.
A statement issued by the surgery’s partners said: “We would like to apologise for the error that occurred which resulted in third party data being shared with another third party.
“We take patient confidentiality very seriously indeed and as soon as this incident came to light, we self-referred to the Information Commissioner’s Office so that they could investigate.
“We have since provided all staff with further training and implemented new guidance in respect of the sharing of data. We would like to apologise again to the patient involved and their family.”