The Information Commissioner’s Office (ICO) has recently fined Tavistock & Portman NHS Foundation Trust £78,400 following the accidental disclosure of 1,781 email addresses belonging to adult gender identity patients.
Tavistock & Portman NHS Foundation Trust data leak
Background
Tavistock & Portman NHS Foundation Trust (Trust) is primarily based in North West London and specialises solely in mental health and the emotional well-being of its patients. The Trust offers a range of services to children and adults and has been described as the organisation at the forefront of exploring mental health and well-being for decades.
In particular, the Trust runs a national and highly specialised Gender Identity Development Service (GIDS) in London and Leeds and is the only one of its kind in Great Britain. The GIDS service is for children and young people, and their families, who experience difficulties in the development of their gender identity (known as gender dysphoria).
The work conducted at the Gender Identity Clinic (GIC) is unique, ground-breaking, and covers services of a very sensitive and confidential nature.
Accidental disclosure
In 2019, the Trust became involved in the promotion of an artwork competition, the aim of which was to engage users in the clinic’s refurbishment.
The Trust intended to send a bulk email relating to the art competition to approximately 5,000 patients. The distribution list was taken from the Trust’s electronic patient record system, specifically extracting active patients of the GIC who had consented to be contacted by email in certain circumstances. The list was then split into batches of around 1,000 email addresses.
On 6 September 2019, a member of staff used Microsoft Outlook to generate an email that was sent to 1,781 GIC patients across two emails. Unfortunately, the email addresses were entered into the “To” field rather than the “Blind carbon copy” (“Bcc”) field. This meant that every recipient could see the email addresses of all of the other recipients included in that email.
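The failure described above is a mail-composition mistake: recipient addresses placed in the visible "To" field rather than "Bcc". The following added example (not code from the Trust or the ICO, and assuming a hypothetical sending address) shows the defensive pattern a bulk-mailing tool should enforce: split the list into batches, put every patient address in Bcc, keep only the sender's own mailbox visible, and refuse to build any message whose To or Cc fields would disclose other recipients.

```python
from email.message import EmailMessage

# Assumption for this example: the only address permitted in To/Cc is the
# sending mailbox itself; every real recipient must be in Bcc.
SENDER = "gic-mailbox@example.invalid"  # hypothetical sending address


class RecipientExposureError(ValueError):
    """Raised when a bulk message would reveal recipient addresses to each other."""


def chunk(items, size):
    """Yield successive slices of `items` of at most `size` elements."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def visible_addresses(msg):
    """Return every address that appears in the To or Cc headers (lower-cased)."""
    found = []
    for field in ("To", "Cc"):
        for value in msg.get_all(field, []):
            found.extend(a.strip().lower() for a in value.split(",") if a.strip())
    return found


def check_no_recipient_exposure(msg, sender=SENDER):
    """Reject a message whose visible headers contain anything but the sender."""
    exposed = [a for a in visible_addresses(msg) if a != sender.lower()]
    if exposed:
        raise RecipientExposureError(
            f"{len(exposed)} recipient address(es) in To/Cc would be visible "
            "to every other recipient; move them to Bcc")
    return True


def build_bulk_messages(recipients, subject, body, sender=SENDER, batch_size=1000):
    """Build one EmailMessage per batch with all recipients in Bcc.

    Addresses are de-duplicated and normalised so that no patient is
    mailed twice, then each message is checked before it is returned.
    When sent with smtplib.send_message(), the Bcc header is stripped from
    the transmitted copy and its addresses become envelope recipients only.
    """
    unique = sorted({a.strip().lower() for a in recipients if a.strip()})
    messages = []
    for batch in chunk(unique, batch_size):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = sender            # only the sender's own mailbox is visible
        msg["Bcc"] = ", ".join(batch)  # patients are hidden from one another
        msg["Subject"] = subject
        msg.set_content(body)
        check_no_recipient_exposure(msg, sender)
        messages.append(msg)
    return messages


def bcc_count(msg):
    """Number of addresses in the Bcc header of a built message."""
    return len([a for a in msg["Bcc"].split(",") if a.strip()])


if __name__ == "__main__":
    # Constructed sample list: 2,500 placeholder addresses.
    sample = [f"patient{i}@example.invalid" for i in range(2500)]
    built = build_bulk_messages(sample, "Art competition", "Submissions are welcome.")
    print(len(built), "batches;", [bcc_count(m) for m in built], "addresses each")

    # The mistake the incident describes: addresses typed into To.
    wrong = EmailMessage()
    wrong["From"] = SENDER
    wrong["To"] = ", ".join(sample[:3])
    try:
        check_no_recipient_exposure(wrong)
    except RecipientExposureError as err:
        print("blocked:", err)
```

The check is deliberately separate from the builder so that it can also be run against a message composed elsewhere before it reaches the mail server, which is where a control of this kind catches an Outlook-style slip.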
The content of the emails itself made clear that it was an advertisement for the art competition and welcomed submissions from the Trust’s GIC patients.
The staff member noticed the error straight away, reported the incident internally, and attempted unsuccessfully to recall the emails. The Trust then promptly took the following steps within hours of the breach:
- All affected patients were emailed about the incident. The Trust issued an apology and provided contact details to seek support or make a formal complaint;
- Within two hours of the breach, a notification message was posted on the Trust’s website; and
- The ICO was formally notified of the breach.
Breaches of GDPR
It was found that the Trust infringed two key provisions of the General Data Protection Regulation (GDPR). Article 5(1)(f) GDPR states that:
“Personal data shall be…
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”
Whilst the Trust did have some measures in place at the time of the breach to secure its patients’ data, these were deemed insufficient in the circumstances, particularly given that the Trust was sending bulk emails containing special category data relating to a high-risk group of patients.
Article 32 GDPR requires the Trust, as a data controller and processor, to take a number of steps to secure the processing of data, including:
- Implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account “the state of the art”;
- Ensuring the confidentiality, integrity, availability, and resilience of its processing systems; and
- Having a process for regularly testing, assessing, and evaluating the effectiveness of its technical and organisational measures for securing the data it processes.
It was found that the Trust failed to comply with these requirements.
The ICO found that the infringements amounted to a serious failure to comply with the GDPR and therefore issued a monetary penalty notice to Tavistock & Portman NHS Foundation Trust. The notice referred to the Trust having previously experienced two similar incidents in 2017, involving a separate but not dissimilar service.
The Trust initially faced a potential fine of £784,000. However, this was reduced by 90% to £78,400 on the basis that the Trust had taken prompt action following the breach.
This decision follows an active discussion between the ICO and various relevant stakeholders about how effective fines levied on the public sector actually are, given that when public bodies are fined, it is the users of those services who will in reality bear the brunt of the financial punishment, rather than the organisation itself. You can read more about this in our recent blog.
How can we help?
Shrdha Kapoor is a Trainee Solicitor in our Dispute Resolution team.
If you have any questions concerning the subjects discussed in this article, please contact Shrdha or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online form.