This site is intended for health professionals only

At the heart of general practice since 1960

pulse june2020 80x101px
Read the latest issue online

GPs go forth

GPs' details included in 500 confidential records lost by CQC

A number of GPs and practice managers who have undergone checks to become their practice’s CQC registered providers have had their confidential personal information lost by the regulator. 

In a serious incident report (SIR) released on Thursday, the CQC announced it had lost 500 ’disclosure and barring service (DBS)’ files - formerly known as CRB checks - which Pulse understands include those from primary medical services.

The files contain details of GPs and practice managers who have applied to be the practice’s CQC lead, including personal information such as their name, and date and place of birth, but also mental health information.

The CQC has written to GPs to apologise and notify them of the data breach, which occured during an office refurbishment.

It comes as the regulator announced earlier this month that practices could expect ‘strengthened’ inspections on their data security processes, as part of an overhaul of how the NHS manages sensitive information.

The CQC report says theft ‘cannot be ruled out’ but believes this is unlikely. However, it concludes the information could cause ‘harm and distress’ should it fall into ‘unscrupulous hands’.

The report highlights that the files were lost when a cabinet was accidentally tagged for removal partly due to a lack of on-site supervision by CQC staff.

CQC chief executive David Behan wrote to affected individuals earlier this week to notify them of the breach, and an independent review of the CQC’s security arrangements has been launched.

A statement on the CQC website says: ‘During a planned refurbishment of its office in Newcastle earlier this month, it appears that a locked filing cabinet containing up to 500 DBS certificates was wrongly marked for removal and destruction.

The SIR report concludes: ‘The root cause of the loss of these documents was the last minute verbal changes to the requirements for the contractors made on 7 July, the lack of adherence to the documented plan and a misunderstanding between CQC staff and the primary contractor team.

‘Should the information contained in the missing folders fall into unscrupulous hands then is has the potential to cause further harm and distress to the individual data subjects.’

There are 38,000 CQC registered managers in England, the majority of whom operate adult social care homes, and they are responsible for ensuring their provider meets CQC standards.

The CQC requests copies of DBS certificates as part of its registration checks. The recent breach relates to applications between July 2015 and March 2016 – an online system was launched in April 2016 which removes the need for paper copies.

Mr Behan said:I would like to apologise to the individuals whose DBS certificates have been lost during the recent refurbishment of our office in Newcastle and for any distress this may cause. I deeply regret that this has happened.’


Readers' comments (27)

  • Really setting the standards by example.
    Another vote of no confidence in the CQC. Bet Professor Field is even more ashamed to be a GP now. Anyone who has suffered damages should rightly sue the CQC.

    Unsuitable or offensive? Report this comment

  • Do they get breach notices for breaching data protection?

    Unsuitable or offensive? Report this comment

  • Just heard back from our inspector 10 weeks after our inspection. The report we should have in 6 weeks is still not ready.


    Unsuitable or offensive? Report this comment

  • Why don't we all contact them to find out if we were effected. Just for fun.

    Unsuitable or offensive? Report this comment

  • I think I understood the confidential bit on my first day as a medical student.
    The idea that CQC overviews General Practice has gone beyond satire.

    Unsuitable or offensive? Report this comment

  • Having dealt with a data breech whilst I was a partner and responsible manager, I sincerely hope that the CQC have reported themselves to the Information Commissioner and have to provide a full report detailing how why and what they are going to do to prevent it happening again. I hope they are advised that they could be liable for an enormous fine and potential court action as I was. I hope they visit every person affected as I did and apologise to them in person with a full explanation of what happened and what they will be doing to ensure it doesnt happen again. I hope they do all this in their precious spare time, because the day job has to go on. I hope they have a supportive defence union to help them with how to construct the report. I hope they get a remedial notice from NHS England, despite being told that whilst the breach had happened the practice had dealt with it well. I hope the people concerned are kind and tell them to get back to being a GP and stop explaining and apologising because it isn't necessary. I am now retired early and working as a locum, many reasons, but I didn't want to be responsible for data without feeling in control of it anymore !!

    Unsuitable or offensive? Report this comment

  • Wouldn't have happened if it had been laminated.......

    Unsuitable or offensive? Report this comment

View results 10 results per page20 results per page50 results per page

Have your say