The Information Commissioner’s Office (ICO) has issued a reprimand to University Hospitals of Derby and Burton NHS Foundation Trust (UHDB) under Article 58(2)(b) of the UK GDPR. Article 58(2)(b) gives the ICO, as the supervisory authority, the power to issue a reprimand to a controller or processor whose processing has infringed the UK GDPR.
The reprimand was issued in relation to UHDB’s infringement of Article 5(1)(f) of the UK GDPR, which states that personal data should be:
“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
This is known as the integrity and confidentiality principle.
UHDB routinely processes referrals for outpatient appointments. These referrals contain personal data, including health data, which is classed as special category data under the UK GDPR. The referrals are received from GPs via an electronic referral system.
On 6 September 2019, NHS England informed UHDB of an issue with the national referral platform that caused referrals to drop off the worklist after 180 days. Staff could still retrieve a dropped referral and re-add it to the worklist, but only manually. If a referral was not manually re-added, the information was lost to the hospital after 550 days.
The NHS provided staff with guidance on how to identify unactioned appointments more than 180 days old, and on how to manage these drop-offs using an internally generated report. The process relied on staff manually reinstating referrals onto the worklist. UHDB had no formal process to check that staff were actually managing and reinstating referrals effectively.
A total of 4,768 patients were affected by this incident. For 569 of those patients, the referral went unactioned for so long that their data disappeared from the system entirely. In some cases, patients waited over two years for an appointment to be arranged.
The ICO investigated and found that UHDB had failed to implement a formal process or apply a suitable level of security when processing special category data. By relying on email and on staff manually reinstating referrals, without any check that this was happening, UHDB had failed to adequately protect against the loss of personal data.
Within the reprimand, the ICO set out a number of recommendations for UHDB to follow, including:
- Continuing to provide any necessary support to help mitigate any potential detriment to the affected patients;
- Assessing any new processes and procedures put in place as a result of the incident, and continuing to monitor them to ensure they work effectively going forward; and
- Ensuring that the learning from the breach is shared across the organisation, to help prevent any similar incident from occurring elsewhere.
Natasha Longson, Head of Investigations at the ICO, made the following comment about the reprimand:
“This mishandling of data has caused unnecessary distress and disruption to patients, who should be able to trust their healthcare providers to look after their personal information properly.
Trusts have a responsibility to their patients, and we cannot see any more mistakes of this kind. We are pleased to see the Trust has taken remedial steps towards patients impacted, as well as sharing learning throughout the organisation to ensure that these mistakes are not repeated.”
How can we help?
Ruby Ashby is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and trust disputes, and defamation claims.
If you need any advice, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester or Nottingham on 0800 024 1976 or via our online enquiry form.