The ICO exists to empower you through information.

The Information Commissioner’s Office (ICO) has today announced it has reprimanded South Tees Hospitals NHS Foundation Trust for a data breach which resulted in a disclosure containing sensitive information to a unauthorised family member.

In November 2022, a Trust employee sent a standard letter to inform the father of a patient of an upcoming appointment, but the appointment letter was sent to the wrong address.

Whilst the subsequent investigation by the ICO confirmed that the disclosure was the result of human error, it also found no evidence that the Trust fully and appropriately prepared staff for their role in dealing with correspondence that was particularly sensitive.

Joanne Stones, Group Manager at the Information Commissioner's Office, said:

“This breach resulted in extremely sensitive information being passed to the wrong person. This was a serious, harmful incident that has understandably caused upset to the individuals involved and such an error must never be repeated.

“This breach highlights how even seemingly minor errors can have very serious consequences. To other organisations handling similarly sensitive data, this shows just how important proper training and procedures are in preventing mistakes.”

Under data protection law, organisations must have appropriate technical and organisational systems in place to ensure personal data is kept safe and not inappropriately disclosed to others.

South Tees Hospitals NHS Foundation Trust should now implement new standard operating procedures and provide further staff training to ensure data is protected and reduce possibility of future disclosures in error.