ICO statement - conclusion of criminal investigation

The Information Commissioner’s Office (ICO) has concluded its criminal investigation into the unlawful obtaining and disclosure of medical information to a third party without the consent of the data controller, related to a breach reported by the London Clinic in March 2024. 

Following a full assessment under the Code for Crown Prosecutors and the ICO’s Prosecution Policy, the ICO issued a now former healthcare professional from London with a formal caution in relation to an offence under section 170(5) of the Data Protection Act 2018. The conduct involved the deliberate misuse of highly sensitive personal information and an offer to disclose it for financial gain, representing a clear breach of trust. 

The ICO considers the available evidence and the public interest in every criminal investigation. In this instance, we concluded that a caution was the appropriate and proportionate enforcement response.

We also considered whether there were any wider organisational issues arising from the healthcare provision in this matter. Based on the evidence available, we did not identify any failings that would meet the threshold for regulatory enforcement. 

Ian Hulme, Executive Director for Regulatory Supervision, said:

People should be able to trust that the personal information they're giving to healthcare settings is safe and protected from exploitation. When this trust is broken, it's right that the law allows us to take action.  

We will not hesitate to pursue criminal prosecution where it is necessary and proportionate to do so.