How safe is our personal data in medical practices?

On 8th August the Information Commissioner issued a monetary penalty of £40,000 to the GP practice Regal Chambers (located in Hitchin, Hertfordshire) due to them releasing confidential details about a woman and her family to her estranged ex-partner.


The Information Commissioner found that Regal Chambers did not have the appropriate organisational measures in place to safeguard the personal data it holds from unauthorised disclosure – which is a breach of Principle 7 of the Data Protection Act.


What did the GP practice do wrong?


Regal Chambers received a subject access request on 14 July 2014 from Mr A, who wanted his child B’s medical record. Mr A was acrimoniously divorced from child B’s mother, so he provided Regal Chambers with a court order to prove he had parental responsibility for child B.


A member of Regal Chambers Practice actioned the request and only 4 days later, on 18 July 2014, sent child B’s full medical record to Mr A.


You might be thinking, “What is wrong with that?” The medical practice answered the request and provided the full medical record with a very quick turnaround, certainly well within the 40 calendar days allowed to respond to such requests.


Well, here’s what you need to know:


  • The mother of child B had warned Regal Chambers in January 2013 of the family problems (remember it was an acrimonious divorce) and specifically asked them not to inform Mr A of their whereabouts.
  • The medical record of child B contained confidential and sensitive personal data including the telephone contact details of child B’s mother, her parents and her elder child C who was not blood related to Mr A. Additionally it included child protection reports compiled by the Police and correspondence with Social Services.


What happened next was that Mr A filed child B’s medical report at court in ongoing proceedings between him and his ex-partner. This meant child B’s mother received the documents that had been filed at court including her child B’s medical report. Imagine her shock when she received that!


Where did the GP practice fall down?


The Information Commissioner found that Regal Chambers:


  • did not have any written procedures on how to deal with requests for personal data;
  • only had one person who dealt with such requests and they did not receive any adequate input, supervision or oversight from another member of the practice;
  • did not have any procedures to check the requested information before it was disclosed to the requestor;
  • had failed to comply with the request from child B’s mother not to provide information of their whereabouts to Mr A.


The seriousness of the situation

The release of child B’s full medical record to Mr A, given that it included the personal data of other individuals and highly sensitive and confidential information, means the disclosure is certainly more than likely to cause substantial distress to the data subjects.


Given the lack of controls Regal Chambers had in place to safeguard the personal data it holds when dealing with requests, and the substantial distress that was caused by the release of the data, the Information Commissioner really had no choice but to issue a monetary penalty. Personally, I would have issued a bigger amount than £40,000 given the circumstances.


Do medical practices really take care with our personal data?


It got me thinking at the weekend whether medical practices (this includes GPs, hospitals, opticians and dentists) really do take the appropriate care with our personal data and sensitive personal data (medical and health data).


All those that know me, know I wear glasses, and I was at my opticians on Saturday for a routine eye examination. Whilst sat in the public seating area waiting for my appointment I picked up on a telephone conversation that the ophthalmic assistant was having at the reception desk. I soon got to discover the name of the person they were talking to, their age, some of their medical details which included a history of glaucoma in the individual’s family and that they were diabetic. I also found out when their eye appointment was booked in for. I was not the only person in the optician’s waiting area at this time, so the personal data of this individual was broadcast to a small number of people all listening to the telephone conversation.


A similar set-up is also in place at my doctor’s surgery, where patients who are sat waiting to see the doctor can hear every conversation that takes place at the reception counter. These conversations are not just appointments being booked; people also divulge the nature of their medical conditions to the reception staff.


When we are constantly being told to be careful with our personal data and who we disclose it to, we certainly seem to be a nation who are happy to discuss our sensitive personal data in front of complete strangers who are sat in medical practices’ waiting rooms. Or are we, the patients, just being stereotypically British and too polite to say to the medical staff that we don’t want to discuss our medical problems in front of the whole waiting room?


This brings me back to my initial question of whether medical practices really do take the appropriate measures to safeguard our personal data, when it is they themselves who design the open reception/waiting room areas and expect people to divulge personal and sensitive personal data in front of a captive audience who are sat in those waiting areas.


Furthermore, a somewhat amusing incident happened a while ago during a consultant’s appointment at the hospital. The consultant left my husband and me in their consultation room for about 15 minutes or so whilst they went to consult with a colleague. Why is this an issue, you ask? Well, in the room was an open storage crate sat right next to me with quite a number of individuals’ medical records clearly on display – although I restrained myself from taking a peek at these records, I did take photographic evidence of the inappropriate security of medical records. As I continued to survey the room I then noticed that the consultant had left us in their room without logging out of their computer. The screen stayed live for a further 5 minutes after I spotted it before going into sleep mode – plenty of time for anyone to have had a good snoop at the files on the computer. Before you ask, no I didn’t, but once again a photo was taken. Although the photos of these very lax security incidents do raise a laugh with workshop attendees, they do go to show that medical practices are not really taking care with our sensitive personal data.


Are medical practices breaching Principle 7 of the Data Protection Act on a daily basis? Perhaps they need to think a bit more seriously about the privacy risks associated with the open plan layout of the reception/waiting room areas and how they store medical records within their practices.


Do you want to make sure your data protection is done well?


If you need an expert to give you advice and guidance on how to respond to the personal data requests you receive, or would like a Privacy Impact Assessment undertaken to identify and assess the privacy risks relating to your work operations, then give Samantha a call at Dunwell Data Protection.


I will leave you with this thought: “If you think compliance is expensive – try non-compliance”. Can you afford to be hit with a £40,000 fine, like Regal Chambers, for failing to deal with a personal data request in line with the requirements set out in the Data Protection Act?