A practice has been fined £40,000 after releasing a five-year-old child’s medical records, including confidential information about the mother’s family and contact details, to the child’s estranged father.
The Regal Chambers Surgery in Hitchin, Hertfordshire, was found to have inadequate processes in place to prevent personal data being released to persons not entitled to see it, in breach of the Data Protection Act.
The practice has since changed its processes.
The 62-page records – which included the mother’s contact details and those of her parent’s – were released to the woman’s ex-partner despite a specific warning to the practice, and a request not to inform the father of their whereabouts, a note of which was placed on the child’s record.
The records were then filed by the father as part of ongoing court proceedings between the parents, which is when the mother was made aware.
The Information Commissioner’s Office judgement found that there were not adequate written processes or supervision for staff tasked with releasing requested information, and that the release could not be described as a one-off or attributable to human error.
The judgement adds: ‘The practice had in place no procedure for physically checking the information prepared for disclosure by the [redacted] before it was disclosed to the requester.’
A fine of £40,000 was issued to ‘act as an encouragement to ensure that such deficiencies are not repeated elsewhere’.
The fine was mitigated by the fact that the practice has changed its processes and referred the incident itself, and by the fact that larger fines – which the ICO notes would be expected for a breach like this – could seriously harm the practice’s reputation.
GPs were warned last month that they could expect ‘strengthened’ inspections on their data protection procedures and security as part of a revamped CQC regime.
Steve Eckersley, the ICO’s head of enforcement, said: ‘When that information could have devastating consequences if released incorrectly, it is even more important that measures are robust.
‘In failing to ensure staff were properly equipped to safeguard against unauthorised disclosures, this medical practice placed a member of its team in the firing line.
‘It was unfair to expect this person to deal with the potentially devastating fall-out created by sharing personal data wrongly. GPs could have protected staff by providing proper support, training and guidance. They did not do this.’