Practice hit with £40,000 fine for releasing vulnerable patient's information

A practice has been fined £40,000 after releasing a five-year-old child’s medical records, including confidential information about the mother’s family and contact details, to the child’s estranged father.

The Regal Chambers Surgery, Hitchin, Hertfordshire, was found to have inadequate processes in place to prevent personal data being released to persons not entitled to see it, in breach of the Data Protection Act.

The practice has since changed its processes.

The 62-page records - which included the mother’s contact details and those of her parents - were released to the woman’s ex-partner despite a specific warning to the practice, and a request not to inform the father of their whereabouts, a note of which was placed on the child’s record.

The records were then filed by the father as part of ongoing court proceedings between the parents, which is when the mother was made aware.

The Information Commissioner’s Office judgement found that there were not adequate written processes or supervision for staff tasked with releasing requested information, and that the release could not be described as a one-off or attributable to human error.

The judgement adds: ‘The practice had in place no procedure for physically checking the information prepared for disclosure by the [redacted] before it was disclosed to the requester.’

A fine of £40,000 was issued to ‘act as an encouragement to ensure that such deficiencies are not repeated elsewhere’.

The fine was mitigated by the fact that the practice has changed its processes and referred the incident itself, and by the fact that larger fines – as the ICO notes would be expected for a breach like this – could seriously harm the practice’s reputation.

GPs were warned last month that they could expect ‘strengthened’ inspections on their data protection procedures and security as part of a revamped CQC regime.

Steve Eckersley, the ICO’s head of enforcement, said: ‘When that information could have devastating consequences if released incorrectly, it is even more important that measures are robust.

‘In failing to ensure staff were properly equipped to safeguard against unauthorised disclosures, this medical practice placed a member of its team in the firing line.

‘It was unfair to expect this person to deal with the potentially devastating fall-out created by sharing personal data wrongly. GPs could have protected staff by providing proper support, training and guidance. They did not do this.’

Readers' comments (9)

  • Cobblers

    Now how much were the CQC fined for release of GP details? Nothing? Thought not. What about the recurrent theme of civil servant losing laptop on train. Fined? No thought not too.

    Whilst not being happy at all with data breach it seems that £40k is way over the top.

  • Sadly I'm not surprised by this fine, there is a widespread lack of appreciation of the challenges of IG (worse in secondary care than primary). IG has become a core competency for us and needs to be in every education programme. Money (probably not enough) gets spent on IT infrastructure and software, but there is no equivalent commitment of funding to support the required educational programmes.

  • So the expected fine for Capita on the PCSE contract with the millions of records lost in the system is...?

    Oh, that's right, sweet fanny adams.

  • Mr Mephisto

    Good argument for adopting a "Salaried GP Service" then the organisation takes the risk not the individual GP partners

  • Unless there is a court order, isn't dad (assuming is a legal guardian) entitled to the medical info? I suspect this is more a case of giving the 3rd party details more than the medical record

  • Russell Thorpe

    And the HSCIC releasing almost 700K pt's data to 3rd parties against their coded non consent for them to do so.

  • 62 page record given to father
    Come on.. That kind of event has to be via the practice manager
    As opposed to an accidental slip up on
    Brief summary printout to take to hospital

    If the legal guardian was clearly one and messages have been added to the records
    then this should not have occurred.

    If the parents have shared custody then they must have some arrangement
    With regards how they meet and pass on the children

    This sounds like the father should not have any custody and the mum does not want him knowing their address.... Akin to a police restraining order which can subsequently be abused as the father now knows the mother and kids location..

    So how did the father attend with the children
    Or did he just manipulatively try and get the information

    Does this mean the father has committed a crime?
    Trying to get information he did not have the right to..

    40,000 to serve as a deterrent to other practices
    Always the stick...

    Why not an educational message to highlight this very tricky and unfamiliar

  • One staff member was placed in the firing line......
    Isn't that always the way it is in the NHS
    The buck stops somewhere
    Usually the GP

    These days you get the feeling
    you are only there to be the Fall Guy
    All that matters is that you have ....
    the right level of medical indemnity

    Helps to be good

  • Please read above with Theme tune from "The Fall Guy"
    Series starring Lee Majors.. You tube it
