The UK Information Commissioner reprimands South Tees Hospitals for a serious harmful data breach.
January 28, 2024
The UK Information Commissioner has reprimanded the South Tees Hospitals NHS Foundation Trust for a serious data breach. The breach involved providing sensitive information to an unauthorised family member. The nature of the information is not specified, but it involved a letter relating to an upcoming appointment which found its way into the hands of another person.
The ICO’s release provides:
The Information Commissioner’s Office (ICO) has today announced it has reprimanded South Tees Hospitals NHS Foundation Trust for a data breach which resulted in a disclosure containing sensitive information to an unauthorised family member.
In November 2022, a Trust employee sent a standard letter to inform the father of a patient of an upcoming appointment, but the appointment letter was sent to the wrong address.
Whilst the subsequent investigation by the ICO confirmed that the disclosure was the result of human error, it also found no evidence that the Trust fully and appropriately prepared staff for their role in dealing with correspondence that was particularly sensitive.
Joanne Stones, Group Manager at the Information Commissioner’s Office, said:
“This breach resulted in extremely sensitive information being passed to the wrong person. This was a serious, harmful incident that has understandably caused upset to the individuals involved and such an error must never be repeated.
“This breach highlights how even seemingly minor errors can have very serious consequences. To other organisations handling similarly sensitive data, this shows just how important proper training and procedures are in preventing mistakes.”
Under data protection law, organisations must have appropriate technical and organisational systems in place to ensure personal data is kept safe and not inappropriately disclosed to others.
South Tees Hospitals NHS Foundation Trust should now implement new standard operating procedures and provide further staff training to ensure data is protected and reduce the possibility of future disclosures in error.
Personal information held by a health organisation is almost by definition sensitive. The Information Commissioner was correct in formally reprimanding South Tees.
Compare the ICO’s approach to the decision of the Victorian Civil and Administrative Tribunal in Dunne v Victorian Aboriginal Health Service Co-operative (Health and Privacy) [2012] VCAT 1770, per Member Dea. In that case the applicant, Ms Dunne, was under care in a health centre. Her mother, who had not been advised of this attendance (and with whom Dunne was not on good terms), was told by Dr Belfrage that Dunne was there. The Member found the complaint about the provision of personal information proved but declined to take any further action. How extraordinary. In the United Kingdom, the United States and Europe this would not occur on facts similar to the Dunne case. It would be regarded as a serious breach, even in 2012 when the VCAT decision was published.
In the Dunne decision the Member reasoned, if that is the right word, that when Dr Belfrage spoke to Ms Dunne’s mother, she assumed that the mother was aware that Ms Dunne was in hospital, and the conversation took place in a context where Dr Belfrage was seeking to offer support to Ms Dunne’s mother [41]. That argument would receive short shrift in other jurisdictions with mature privacy jurisprudence. Dea then fell back on the argument that the self-represented litigant had not provided evidence of her health conditions, or that the distress she and her family had experienced had been worsened by the disclosure [44]. The Member nonetheless accepted that Dunne suffered distress. And distress is sufficient for an award of damages; that was specified in the Act, as well as at common law, by 2012. The Member also regarded as relevant that she continues to attend the clinic from time to time [45]. That is at best a weak argument which rests on quite simplistic assumptions.
It is an entirely regrettable, and hopefully forgettable, decision. It is little wonder that issuing proceedings in VCAT under the Privacy and Data Protection Act is at best difficult and a least preferred option. Better to bring an action in the courts.
It will be interesting to see how the Victorian legislature will respond to the mooted significant amendments to the Commonwealth Privacy Act 1988. Those amendments will not affect Victorian government entities or agencies. Conceivably then there will be strong privacy protections within the private sector (small business operators probably excepted) and Commonwealth bodies but inadequate protections within the Victorian public sector.