The Information Commissioner’s Office (ICO) has recently issued a reprimand to South Tees Hospitals NHS Foundation Trust for breaches of Article 5(1)(f) and Article 5(1)(d) of the UK GDPR.
The law
Article 5(1)(d) of the UK GDPR is known as the accuracy principle. In accordance with this article, personal data should be:
“accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay”.
Article 5(1)(f) of the UK GDPR is known as the integrity and confidentiality principle. This article confirms that data must be:
“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
Background
In November 2022, an employee of the hospital sent a standard letter to inform the father of a patient of an upcoming appointment. Unfortunately, the letter was accidentally sent to the child’s mother.
The ICO carried out an investigation following this incident. The ICO found that the hospital did not have any procedures in place to ensure that the patient’s personal details on their internal system (e-Camis) were regularly being updated using the NHS central system (NHS Spine).
Patient details would only be updated if a patient had recently attended the hospital for an appointment. The hospital encouraged staff to carry out a three-point check, which involved checking personal data against e-Camis before sending out any correspondence. However, by the hospital’s own admission, this would not have prevented the breach on this occasion, as the issue stemmed from the data held on e-Camis itself being outdated.
Following this incident, the hospital developed a new Standard Operating Procedure (SOP) for the checking and updating of personal information held on their systems.
ICO’s decision
The ICO found that the hospital had failed to ensure the integrity and confidentiality of the child’s data, in contravention of Article 5(1)(f) of the UK GDPR. It had also failed to ensure that the data it was processing was accurate and up to date, in contravention of Article 5(1)(d).
The ICO did, however, acknowledge that, whilst the hospital did not have appropriate measures in place for checking that the data it processed was accurate, it did provide sufficient data protection training to its staff in accordance with the national standard for the NHS.
The ICO issued the hospital with a reprimand recommending some further action to be taken by the hospital, including:
- The new SOP being implemented as soon as possible;
- Administration and secretarial staff to repeat their data security and protection training;
- Training for staff who deal with correspondence to ensure that they know how to carry out full and proper checks against NHS Spine; and
- Ensuring that the e-Camis system is regularly updated and checked against NHS Spine.
The Group Manager at the ICO commented on the reprimand as follows:
“This breach resulted in extremely sensitive information being passed to the wrong person. This was a serious, harmful incident that has understandably caused upset to the individuals involved and such an error must never be repeated. This breach highlights how even seemingly minor errors can have very serious consequences. To other organisations handling similarly sensitive data, this shows just how important proper training and procedures are in preventing mistakes.”
How can we help?
Ruby Ashby is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.
If you need any advice, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.