In August, the UK's data protection regulator, the ICO, fined a Hertfordshire GP practice
£40,000 under the Data Protection Act 1998 ("DPA")
after a subject access request ("SAR") went badly wrong.
A lack of process, training and supervision resulted in
confidential details about a patient being sent to her estranged
ex-partner, who then used them in ongoing court proceedings between
them. Considerable distress was caused to those affected.
The ICO took the view that this was a serious breach of the DPA
(specifically of the seventh data protection principle, which requires
appropriate technical and organisational measures against unauthorised
or unlawful processing of personal data) and that a monetary penalty
was justified under section 55A because of (a) the highly sensitive
nature of the information, (b) the substantial distress caused by
the breach, and (c) the fact that the GP practice knew or ought to
have known that substantial damage or distress was likely to result
and failed to take reasonable steps to prevent it.
The SAR was made by the father of Child A, who proved to the GP
practice that he had parental responsibility (and therefore was
entitled to make an SAR on behalf of the child). A valid request,
however, only entitles the requester to the data subject's own
personal data: under section 7(4) of the DPA, information identifying
another individual must be withheld or redacted unless that person
consents to disclosure or it is reasonable to disclose it without
consent. Here, Child A's entire medical file was released in full.
This included telephone contact details for the mother (who was in
vulnerable circumstances), as well as information about her parents
and details of another child unrelated to the requester; child
protection reports by the police and correspondence with social
services were also disclosed.
The ICO published a blog highlighting this case and reminding
organisations of the importance of being ready to respond to SARs
efficiently and effectively. Last year, 46% of all complaints
received by the ICO were in relation to SARs. Typically,
SAR-related complaints arise from a lack of – or an
inadequate – response, but, as this case illustrates, a lack
of process around handling SARs can lead to a serious security