A GP Surgery has been fined £40,000 for the unauthorised disclosure of a patient’s personal data. The patient had warned the surgery to be careful about disclosing her data. However, the data was released following a subject access request made by the ex-partner of the patient.
A subject access request is a request to access personal data made by the person to whom the data relates. Subject access requests cannot be properly made for someone else’s personal data. Before releasing data pursuant to a subject access request the data controller should ensure that they have enough information to be sure of the identify of the person making the request.
Steve Eckersley, the Information Commissioner’s Head of Enforcement, said:
“In failing to ensure staff were properly equipped to safeguard against unauthorised disclosures, this medical practice placed a member of its team in the firing line.
It was unfair to expect this person to deal with the potentially devastating fallout created by sharing personal data wrongly. GPs should have protected staff by providing proper support, training and guidance. They did not do this.”
The Information Commissioner enforces our data protection laws. It has the power of criminal prosecution, non-criminal enforcement and audit. It powers include imposing penalties of up to £500,000.
How can our Business Law Solicitors help?
If your organisation deals with personal data you will need to understand the Data Protection Act 1998. If your organisation deals with public bodies such as local authorities and councils, you need to understand the Freedom of Information Act 2000.
Here at Gotelee, our specialist team of business law solicitors can be found at our offices in Ipswich, Hadleigh, Felixstowe, Melton and Woodbridge, and can give advice on all aspects of data protection and freedom of information.
To find out more, contact Victoria Spellman at 01473 298181, or [email protected]