GPs urged to review data protection processes as practice given reprimand by ICO
GP practices are being reminded to put robust measures in place for handling personal data after a surgery was issued with a formal warning by the data protection watchdog over the way it managed an insurance request for a patient’s details.
The Information Commissioner’s Office (ICO) issued a reprimand at the end of 2025 to Staines Health Group for a breach of data protection rules, after finding it had sent excessive medical information about a patient who had been diagnosed with a terminal illness and had made a claim to their insurance company.
As part of the claim made in 2024, the insurer, on behalf of the patient, had requested that five years of medical history be sent to the patient to review, before being sent to the insurer in order to progress the claim.
But, instead of five years of medical history being sent to the patient, a member of staff at Staines Health Group sent 23 years of medical records directly to the insurer, prompting the patient to raise concerns with the practice that their records had been shared.
The patient believed the excessive disclosure of unnecessary medical records led to a reduction in the payout of their claim, the ICO said.
Although the practice did formally report the personal data breach to the ICO, it did so only after a delay of more than 72 hours, which also goes against GDPR requirements and was a factor contributing to the warning being issued.
After an investigation, the watchdog said that a lack of a written process for staff to follow when handling insurance requests, and a lack of regular refresher data protection training for staff, had led to the breach. For example, the member of staff responsible for the incident received training on processing insurance requests in 2022 but received no further or refresher training after that.
It also concluded that the ‘data that was shared… was not adequate, relevant and limited to what is necessary in relation to the purposes for which it was processed’.
Meanwhile, the delay in reporting the breach was an infringement of the regulations too, the ICO said. It was caused by the practice being unable to access password-protected information needed for the report while the member of staff who held the password was on leave, with no contingency arrangements in place.
The ICO said the practice has since taken steps to improve its processes, including:
- Completing a significant event report which aimed to establish the root cause of the disclosure email and what lessons could be learned from the incident.
- Drafting a written document staff can follow when handling insurance requests
- Updating its procedure for handling insurance provider requests to include additional training and a sign off sheet
- Giving the member of staff responsible a warning and placing them under supervision for six months.
David Doodson, ICO interim head of investigations, said that they ‘recommend other organisations take note of the lessons learned from the mistakes of Staines Health Group in this case.’
He added: ‘All personal information must be handled with care but health records – sensitive personal data – require particularly robust measures. This is because the loss of this kind of data can have distressing consequences for those involved.’
What are the lessons learned for other GP practices?
- The need for written processes to be in place to support staff when handling personal data
- Consider the need for a quality assurance process when sharing personal data externally
- Provide up-to-date and regular data protection training for staff.
Source: ICO
A version of this article was first published by Pulse’s sister title Management in Practice
READERS' COMMENTS [4]
We will now await the case when the patient, insurer / ICO or some legal team complains that relevant information which was outside of the period should have been included as part of the doctor’s own judgement with the consequence of an under or overpayment following this omission.
This is the result when over-regulation becomes rampant and uncontrollable, replacing common sense with no foreseeable cure.
If the claim was reduced due to the extra information, then does that not confirm that the extra information was actually relevant to the claim and thus should have been declared?
Having said that, if permission was only for 5yrs and only 5yrs were requested, give 5yrs. Anything else is not our (GP) problem.
Should GPs just stop doing insurance reports?
That would prevent this happening again.
ICO can impose fines of millions if they want to, doesn’t seem worth the risk.
Life as a GP in the UK is becoming untenable and miserable. After a gruelling day of 2 surgeries and overwhelming admin I then have to deal with upwards of 50 eConsults. These trickle in until about 18.45.
My day is 07.30 to 20.00 with no let up. Of course that doesn’t touch on all the management and business decisions. I’m working in a broken system.
This is unsafe for clinicians and patients.