A major data protection leak by a London Sexual Health Clinic has resulted in the details of 780 patients who have attended HIV clinics being shared in a newsletter.
Nature of the breach
Anonymity following attendance at a sexual health clinic is one of the main reasons why patients continue feel comfortable utilising these facilities. Therefore, when the 56 Dean Street Clinic in Soho mistakenly distributed the names and email addresses of 780 patients who have attended the clinic this was enough for a headline slot on the 10 o'clock news.
All 780 patients had signed up to the clinic's newsletter however rather than be blind copied into the email, the patients' details were distributed as a group email. To inflame matters further, once the clinic noticed the mistake and attempted to retrieve the email they only succeeded in resending the original.
Involvement of the Information Commissioner's Office
What are the rules relating to a Data Protection breach?
The Data Protection Act states that all data controllers have a responsibility to ensure appropriate and proportionate protection of the data under their control. Where there is perceived to have been a serious breach of this responsibility the matter can then be brought to the attention of the Information Commissioner's Office. The nature of the leak, the volume of personal data lost and the sensitivity of that data will all be considered by the Commissioner in his findings.
Potential consequences of this breach
When coming to his decision in the earlier North Tees and Hartlepool case the Commissioner stated that a policy should be established to deal with the recovery and containment of such leaks and the retrieval of secure information. Even though the Dean Street Clinic in Soho have acknowledged that the breach was a "devastating error", it is reasonable to expect that they will be the subject of a substantial fine from the ICO.
Disclaimer
The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.
