The ICO took enforcement action on a GP surgery in Hertfordshire, and fined them £40,000.

A GP practice revealed confidential details about a woman and her family to her estranged ex-partner, as a result the ICO fined the practice £40,000. The woman asked her practice to keep her information confidential and not to inform her former partner of her and her child’s whereabouts.

This was recorded against her youngest child’s medical file. The former partner submitted a request for a copy of his child’s data under section 7 of the Data Protection Act and in his request was supported by a court order proving he had parental responsibility of the child to whom the data related to.

The GP practice gave out information pertaining to the youngest child despite express warnings from the mother of the couple’s son. The practice supplied a set of 62 pages of information which included the son’s data, and his mother’s, (former partner of the data subject requesting the data) contact details. Data regarding her parents and older child which was not related to the data subject requesting the information.

Paula Tighe, Information Governance Director: This situation could have been easily avoided if the practice had a step by step guide and check list. If you're interested in protecting your practice from data protection breaches and the fines associated with them we have created a set of practical subject access request workshops covering health, education, housing and employee data for this very reason. Assessing who has the right of access and defining who is a third party is complex. Learning how to get it right in the first place as part of class room workshop is far safer than making a mistake in real life.

Our six stage subject access request procedure, toolkit, letters and exemption assessment guide helps our clients ensure they comply with people’s rights and keep data safe at all times.

Want to know more, get involved and contact us today to attend one of our Subject Access Request Workshops coming up soon. They are designed around the group and takes you through legal obligations step by step and you go away with a toolkit. This will be far cheaper than receiving a £40,000 fine.

About the author

Paula Tighe Partner

Paula is a qualified data protection professional and leads the trusted advisor information governance service.