Over the last two years, England & Wales has witnessed several occurrences of medical organisations receiving regulatory enforcement action from the data protection supervisory authority, the Information Commissioner's Office ("ICO"). The ICO has several powers, including issuing warnings, reprimands and a temporary or permanent ban on an organisation’s processing of personal data (which in effect halts that organisation’s operations). In this blog, we have pulled together a brief note outlining some of the ICO’s recent enforcement action.
November 2023 – NHS Fife
On 23 November 2023, the ICO issued a reprimand to NHS Fife due to infringements of Article 5(1)(f) of the United Kingdom General Data Protection Regulation (“UK GDPR”).
In February 2023, an unauthorised person gained access to a ward. Due to a lack of identification checks and formal processes, the non-staff member was handed a document containing personal data of 14 people and assisted with administering care to one patient.
The data was taken off site by the person and has not been recovered. The police have not been able to identify the person or recover the lost data, hindered by the lack of CCTV footage.
The ICO’s investigation concluded that NHS Fife did not have appropriate security measures for personal data and had low staff training rates.
Following this incident, NHS Fife introduced new measures such as a system for documents containing patient data to be signed in and out, as well as updated identification processes.
NHS Fife is expected to update the ICO with the effectiveness of standard operating procedures in relation to bank staff attending the hospitals, the implementation and effectiveness of the ID process, the data protection training rates and the steps taken to update the relevant policies in line with the UK GDPR by 6 June 2024.
October 2023 – University Hospital of Derby and Burton NHS Trust
On 30 October 2023, the ICO issued a reprimand to the University Hospital of Derby and Burton NHS Trust (“UHBD”) for infringements of Article 5(1)(f) of the UK GDPR.
The ICO’s investigation found UHBD failed to implement a formal process or apply a suitable level of security when processing referrals. UHBD failed to have any formal oversight in place to ensure referrals were being effectively managed.
As a result of this error, nearly 5,000 patients were affected. Of those, more than 4,100 patients experienced delays in their referral which had the potential to cause distress and inconvenience.
The remaining 569 patients’ referrals disappeared from the system altogether. Some patients had to wait for over two years for medical treatment to be arranged. UHBD had failed to have appropriate organisational measures in place to prevent the accidental loss of personal data. As this involved the processing of special category data, UHBD should have ensured extra measures were put in place.
The ICO recommended that UHBD assess any new processes and procedures put in place as a result of this incident, continue to monitor them over a period of time to ensure that they are effective and prevent a recurrence, and ensure that the learning from any breach is shared across the organisation.
July 2023 – NHS Lanarkshire
On 31 July 2023, the ICO issued a reprimand to NHS Lanarkshire due to infringements of Article 5(1)(f), Article 25 and Article 32(1) of the UK GDPR.
A team within NHS Lanarkshire had created a WhatsApp group in which staff shared personal data of patients. It was found that 26 members of staff had access to the WhatsApp group from 1 April 2020 to 25 April 2022. In this WhatsApp group there were at least 533 entries which included names of patients (both adults and children). Among the 533 entries, some of the personal data consisted of phone numbers, dates of birth, addresses, images and videos.
The ICO set out remedial steps, including considering the implementation of a secure clinical image transfer system to store images and videos within a care setting, as well as updating policies and procedures and ensuring that staff are aware of their obligations.
NHS Lanarkshire is expected to provide the ICO with an update on its progress in relation to the remedial steps by 14 January 2024.
July 2023 – The Patient and Client Council
On 19 July 2023, the ICO issued a reprimand to The Patient and Client Council (“PCC”) due to infringements of Article 5(1)(f) and Article 32(1) of the UK GDPR.
In January 2021, a PCC staff member sent an email to 15 members of a Gender Identity Liaison Panel, inadvertently disclosing their email addresses by using the Carbon Copy (“CC”) field instead of the Blind Carbon Copy (“BCC”) field. There was no personal data in the body of the email; however, the disclosed email addresses were considered to contain enough information to identify at least 13 of the data subjects as people who suffered with gender dysphoria.
The ICO set out remedial steps it expects PCC to take, including ensuring that its policies, procedures and guidance are reviewed, updated and appropriately provided to staff so that they are implemented. In addition, PCC was urged to conduct a Data Protection Impact Assessment (“DPIA”) regarding whether the use of BCC in emails is appropriate for special category data.
PCC is expected to provide the ICO with an update on its progress in relation to the remedial steps by 11 October 2023.
April 2023 – Achieving for Children
On 3 April 2023, the ICO issued a reprimand to Achieving for Children (“AfC”) due to infringements of Article 5(1)(f) of the UK GDPR.
The ICO’s investigation found that AfC inappropriately disclosed personal data, special category data and criminal convictions data in a report. Due to a communication failure, the manager concerned did not realise on two occasions that the assessment was being sent to the father, step-father and birth mother. As a result, criminal conviction data, children’s data, sex life data and health data, which should have been removed or redacted, was disclosed in error.
AfC did not have the required organisational measures in place to ensure that an incident such as this would not occur. The social worker responsible for this incident was not trained in completing redactions, and neither was the manager who reviewed the report, because no redaction training was offered to these members of staff at the time of the incident.
The ICO has recommended that AfC ensures that every employee who is expected to complete redactions has completed redaction training, the expectations of AfC senior leadership are documented in policy documents and annual data protection and information governance training is provided to all staff.
April 2023 – University Hospitals Dorset NHS Foundation Trust
On 25 April 2023, the ICO issued a reprimand to the University Hospital Dorset NHS Foundation Trust (“Trust”) in relation to the infringement of Article 5(1)(f) of the UK GDPR.
The Trust had a procedure in place whereby, when issuing correspondence by letter, it would include the full postal address of other recipients of that letter (by adding a “cc” at the bottom of the letter) without obtaining consent from the primary recipient to whom the letter was addressed (i.e., the patient).
In one instance, the ex-partner of a patient learned the patient’s address because of this practice. This was information that should have been withheld, because the patient had alleged that their ex-partner had been abusive to them in the past.
The ICO also identified that the Trust did not have a clear process in place for managing situations where there are parental disputes. It found that the Trust had no formal system to ensure that personal data is not shared and remains restricted. It was also recognised that the Trust provided no formal training to administration staff involved in dealing with correspondence.
March 2023 – NHS Highland
On 9 March 2023, a reprimand was issued to NHS Highland in respect of infringing Article 5(1)(f), Article 32(1) and Article 25 of the UK GDPR.
This is because NHS Highland emailed 37 people likely to be accessing human immunodeficiency virus (“HIV”) services and, by using CC instead of BCC, inadvertently disclosed their addresses to each other. The error meant that recipients of the email could see the personal email addresses of the other people receiving it, with one person confirming that they recognised four other individuals, one of whom was a previous sexual partner.
Two people submitted formal complaints to NHS Highland, and one of those patients made more than one complaint.
The ICO stated that it had considered imposing an administrative penalty in the amount of £35,000. However, since June 2022, the ICO has adopted a revised approach to public sector enforcement and therefore on this occasion, it decided not to impose an administrative penalty.
March 2023 – University Hospitals Bristol and Weston NHS Foundation Trust
On 7 March 2023, the ICO issued the University Hospital Bristol and Weston NHS Foundation Trust (“Trust”) with a reprimand in respect of the Trust infringing Article 5(1)(f), Article 24(1) and Article 24(2) of the UK GDPR.
The Trust had been saving documents on an electronic viewing system. It then decided to terminate the use of this system and migrate to another system. Prior to the expiration of the licence for the system it had been using, the Trust believed that it had downloaded all of the records.
The download, however, was not fully successful, and this was not realised until after the licence to the system had expired and the records were inaccessible (some of which were permanently lost). The inaccessibility of personal data related to 1,159 data subjects from 19 January 2020 until 12 October 2021. Out of the 1,159 data subjects, there were 4 data subjects for whom a total of 115 pages were permanently deleted.
November 2022 – Royal Free London NHS Foundation Trust
On 10 November 2022, the ICO issued the Royal Free London NHS Foundation Trust (“Trust”) with a reprimand.
The Trust had saved hysteroscopy scans on to a series of 3 Universal Serial Bus (“USB”) sticks over a period of 9 years from May 2013 until the remaining 2 encrypted USB sticks became inaccessible on 5 April 2018. The personal data on the USB sticks was that of between 4,000 and 10,000 data subjects.
It is unknown whether this inaccessibility was caused by a technical failure of the USB sticks or by human error in entering the wrong password.
The ICO found that the Trust had failed to ensure an appropriate level of security for the personal data. It was also concerned by the fact that the Trust did not initially recognise that the inaccessibility of the USB sticks meant that there had been a personal data breach (and its lack of awareness of this meant that there was a delay in reporting it to the ICO).
The ICO found that the Trust had infringed Article 5(1)(f) and Article 24(1) of the UK GDPR.
August 2022 – Christopher O’Brien – South Warwickshire NHS Foundation Trust
Christopher O’Brien (“O’Brien”) is a former health adviser who was found guilty of accessing medical records of patients without a valid legal reason.
He accessed the records of 14 patients who were personally known to him between June and December 2019. He did so without a valid business reason and without the knowledge of the Trust.
O’Brien pleaded guilty at Coventry Magistrates Court on 3 August 2022 to unlawfully obtaining personal data in breach of s.170 of the Data Protection Act 2018 (“DPA”).
On 5 August 2022, the ICO ordered O’Brien to pay £250 compensation to 12 patients, totalling £3,000.
June 2022 – The Tavistock and Portman NHS Foundation Trust
On 30 June 2022, the ICO issued The Tavistock and Portman NHS Foundation Trust (“Trust”) with an administrative fine of £78,400.
Between May 2018 and September 2019, the Trust used Outlook to send bulk emails to 1,781 Gender Identity Clinic (“GIC”) patients. The patients’ email addresses were put in the “To” field instead of the BCC field, which meant that all of the patients could see each other’s email addresses.
The email was an image-based advertisement for an upcoming arts competition. It was clear from the content of the email that it was welcoming submissions from GIC patients and was intended to assist with increasing the participation of this particular patient group.
The ICO considered that the Trust failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organisational measures as required by Article 5(1)(f) and Article 32 of the UK GDPR.
May 2022 – NHS Blood and Transplant
On 9 May 2022, the ICO decided to issue NHS Blood and Transplant with a reprimand after NHS Blood and Transplant inadvertently released untested development code into a live system for matching transplant list patients with donated organs in August 2019. The impact of this was an integration error which led to a number of prospective patients being excluded from NHS Blood and Transplant’s Liver Matching Run between 11 and 18 September 2019.
The ICO initially issued an administrative fine of £749,856 for infringements of Article 32 of the UK GDPR but subsequently decided that a fine was not necessary and that a reprimand would be more appropriate.
April 2022 – Epsom and St Helier University Hospital NHS Trust
On 7 April 2022, the ICO decided to issue Epsom and St Helier University Hospital NHS Trust (“Trust”) with a reprimand for infringing Article 5(1)(f), Article 32(1)(b) and Article 32(1)(d) of the UK GDPR.
The Trust incorrectly passed COVID-19 test result data to Public Health England (“PHE”), and this resulted in data subjects erroneously being contacted via the NHS Test and Trace system and advised to isolate.
The required isolation of all affected data subjects resulted in the one-day closure of three local schools and one special needs nursery.
It should also be noted that the ICO conducted an audit on the Trust and published an audit report in September 2021 which identified that the Trust had (i) a lack of controls in place to ensure that all staff had read and understood key data protection and security related policies; and (ii) a lack of information sharing agreements in place for data sharing arrangements.
Article by Puja Modha (Partner) and Sarah Davies (Paralegal) – 25 January 2024