Your partner’s locked car is broken into, resulting in the theft of a set of medical records from the boot. What are your legal obligations?
The Data Protection Act is clear on this point. You, as the data controller, have no legal requirement under the act to inform either the data subject (patients) or the Information Commissioner’s Office (ICO) of the breach.
This may not be best practice, but if you feel confident that patients are not at risk as a result of the breach and that no benefit will come from disclosing the breach either to them or the ICO, you would be operating within the boundaries of the act.
However, there are some benefits to disclosing the breach to both the data subject and the ICO.
Firstly, there’s always a risk that the breach may become public or that the data subject may complain to the ICO. Your lack of openness may be viewed negatively by the ICO, as suggesting that you have something to hide, and could result in a harsher penalty if the breach is later investigated.
Therefore, it’s very important to have a policy on data breaches. This will enable you to assess the risk from each breach and act accordingly.
Secondly, the data subject may, at some point in the future, make a subject-access request under the act to view their records. This would immediately bring to their attention that their records had been stolen, and they may well be aggrieved at not having been informed.
Also, if a ‘significant’ number of medical records are breached, then the Department of Health states that you must inform the ICO – and new Data Protection Act legislation planned for the near future will require that all breaches of personal data are reported to the ICO and the data subject.
There is even talk of data controllers having to provide data subjects whose information was breached with insurance policies to indemnify them against any loss caused as a result of the breach.
David Taylor is the principal Data Protection Act practitioner at Data Protection Consultancy
This is the first in a series of case-studies looking at how GP practices can avoid falling foul of data protection legislation.