Nine complaints were made to the UK's data protection regulator, the Information Commissioner's Office (ICO), after a clinic within an NHS Trust disclosed the personal details of 781 of its HIV patients.

So what went wrong?

56 Dean Street is a Soho-based clinic within the Chelsea and Westminster Hospital NHS Foundation Trust that provides sexual health services and care for patients with HIV. The clinic uses a system that enables its patients to make appointments via e-mail and to receive results and newsletters from the clinic via e-mail.

In late 2015 a clinic staff member e-mailed a newsletter to 781 patients in such a way that all the recipients of the e-mail could see the e-mail addresses of all the other recipients. This was because the e-mail addresses had been wrongly entered into the 'to' field instead of the 'bcc' field. What makes this blunder more concerning is that 730 of the 781 e-mail addresses contained the full names of the recipients.

This was not the first time the Trust had breached data protection in this way. Back in March 2010 a staff member sent a questionnaire to 17 patients regarding their access to HIV treatment, again incorrectly entering the e-mail addresses into the 'to' field.
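One technical control that addresses the failure described above is a pre-send gate that refuses any bulk message whose recipients sit in 'to' or 'cc' rather than 'bcc'. The Python below is an added illustration, not code from the article, the clinic or the Trust; the addresses, the sender and the one-visible-address threshold are constructed assumptions.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: a bulk send may show at most one visible address (the sender's own).
MAX_VISIBLE = 1


def visible_recipients(msg):
    """Addresses every recipient will be able to see: anything in To or Cc."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _, addr in pairs if addr]


def check_bulk_message(msg, max_visible=MAX_VISIBLE):
    """Return a list of problems; an empty list means the message may be sent."""
    problems = []
    exposed = visible_recipients(msg)
    if len(exposed) > max_visible:
        problems.append(
            f"{len(exposed)} recipient addresses are visible in To/Cc; "
            "bulk mail must carry recipients in Bcc only"
        )
    return problems


def build_newsletter(sender, recipients, subject, body):
    """Build a newsletter with every recipient address in Bcc.

    smtplib.SMTP.send_message() uses Bcc for the envelope recipients and
    strips the header before transmission, so no recipient sees the list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the only visible address is the sender's own
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


# Constructed sample addresses standing in for a real mailing list.
SAMPLE_RECIPIENTS = [
    "alice.example@example.org",
    "bob.example@example.org",
    "carol.example@example.org",
]


def wrong_newsletter():
    """Reproduce the mistake: the whole list pasted into the To field."""
    msg = EmailMessage()
    msg["From"] = "clinic@example.org"
    msg["To"] = ", ".join(SAMPLE_RECIPIENTS)
    msg["Subject"] = "Newsletter"
    msg.set_content("Constructed newsletter body.")
    return msg


def safe_newsletter():
    return build_newsletter("clinic@example.org", SAMPLE_RECIPIENTS,
                            "Newsletter", "Constructed newsletter body.")


if __name__ == "__main__":
    for name, msg in (("wrong", wrong_newsletter()), ("safe", safe_newsletter())):
        print(name, check_bulk_message(msg) or "ok to send")
```

Running the gate on the two constructed messages rejects the 'to'-field version and passes the 'bcc' version.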

What did the ICO say?

The ICO found the Trust in breach of the seventh data protection principle, which requires organisations to implement appropriate security measures to prevent the personal data they hold from being accidentally or deliberately compromised. The ICO deemed the breach serious because:

  • the recipients of the e-mails could infer the HIV status of many of the other recipients;
  • the data compromised was confidential and sensitive, the disclosure of which was likely to cause the patients substantial distress;
  • the clinic's services were limited to a small geographical area (Soho) which increased the possibility of the recipients knowing one another; and
  • e-mail addresses can be searched via social networks to enable one to discover an individual's profile.

What did the ICO do?

Despite the Trust having taken substantial remedial action, the ICO imposed a hefty fine of £180,000 on the Chelsea and Westminster Hospital NHS Foundation Trust for this breach.

Importance of data security

This incident should remind all organisations dealing with personal data that:

  • Small administrative errors can lead to a serious data breach, which can result in a serious fine and reputational damage (typing information into the wrong box is easily done by all!).
  • Organisations are caught under the seventh data protection principle even when the data breach was accidental.
  • Data controllers should be aware of the data protection practices implemented within and throughout their various offices and organisations – in this case the breach was incurred by the clinic but the NHS Trust was the body that was disciplined by the ICO.

What can you do?

This case highlights a number of areas for all organisations dealing with personal data; here are just a few to take away:

  • Staff training – make sure your staff are aware of the Data Protection Act and its underpinning principles, and help them to apply this knowledge to processing databases and personal data generally.
  • Input data correctly – take steps to ensure all data is used in accordance with your organisation's procedures.
  • Retention of data – keep your databases and records up-to-date and if you don't need them any longer then dispose of them (in a confidential manner).
  • Security – take back-ups; secure your data and provide anti-virus software and firewalls.

MacRoberts' team of data protection specialists can advise and assist those organisations looking to learn more about data protection compliance and best practice.

© MacRoberts 2016

Disclaimer

The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.