A GP practice that revealed confidential details about a woman and her family to her estranged ex-partner has been fined £40,000 by the Information Commissioner.

Regal Chambers, in Hitchin, Hertfordshire, gave out the information despite express warnings from the woman that staff should take particular care to protect her details.

The information was provided after the ex-partner made a request for the medical records of the former couple’s son. Staff at the GP practice responded with 62 pages of information that included the woman’s contact details as well as those of her parents and an older child the man was not related to.

An ICO investigation found that the GP practice had insufficient systems in place to guard against releasing unauthorised personal data to people who were not entitled to see it. This was a breach of the Data Protection Act.

Steve Eckersley, the ICO’s Head of Enforcement, said:

“Most people would be horrified to think the information they entrust to their GP was being treated with anything less than the utmost care. In this case a patient reinforced this, however her pleas went unheeded.

“When that information could have devastating consequences if released incorrectly, it is even more important that measures are robust.

”There is no doubt that releasing this information would have caused great distress to the woman, her children and the rest of her family.”

The information was released in July 2014 in response to a Subject Access Request, a formal way of requesting information under the Data Protection Act.

The person responsible for handling the request advised the child’s GP about it, but in the absence of a sufficient written procedure, went ahead and released everything. The ICO’s investigation found staff did not receive adequate guidance or supervision about what could be disclosed or should be withheld.

Mr Eckersley said:

“In failing to ensure staff were properly equipped to safeguard against unauthorised disclosures, this medical practice placed a member of its team in the firing line.

“It was unfair to expect this person to deal with the potentially devastating fall-out created by sharing personal data wrongly. GPs could have protected staff by providing proper support, training and guidance. They did not do this.”

The ICO has issued a fine of £40,000 because the practice’s partners would be individually liable but because of the serious nature of the breach, most organisations would expect to receive a much larger fine.

Notes to editors

  1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act (FOIA) 2000, Environmental Information Regulations (EIR) 2004 and Privacy and Electronic Communications Regulations 2003.
  3. The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a monetary penalty on a data controller of up to £500,000.
  4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
    • fairly and lawfully processed;
    • processed for limited purposes;
    • adequate, relevant and not excessive;
    • accurate and up to date;
    • not kept for longer than is necessary;
    • processed in line with your rights;
    • secure; and
    • not transferred to other countries without adequate protection.
  5. The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications.
    • There are specific rules on:
      • marketing calls, emails, texts and faxes;
      • cookies (and similar technologies);
      • keeping communications services secure; and
      • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
    • We aim to help organisations comply with PECR and promote good practice by offering advice and guidance. We will take enforcement action against organisations that persistently ignore their obligations.
  6. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
  7. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).
  8. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.