On Thursday last week the Information Commissioner’s Office published a Monetary Penalty Notice that it had served on a GP surgery in England for breaches of the Data Protection Act 1998. The Notice cited the all-too-familiar seventh data protection principle, which broadly requires a data controller to have in place adequate technical and organisational measures to protect personal data. It is the principle that features in almost all of the Information Commissioner’s enforcement action under the Data Protection Act.
The Monetary Penalty Notice served on the GP practice arose out of the practice’s handling of a Subject Access Request it had received. The request was made in respect of a child patient by one of the patient’s parents (the child’s father). The child’s parents had separated some time before, and the separation had not been amicable. The child’s mother had moved and did not want the father to know where she was now living. The mother’s new address was contained within the child’s medical records.
The practice handled the Subject Access Request by sending the father everything contained within the child’s medical records. Those records were subsequently lodged in court as part of ongoing proceedings between the parents, and were then forwarded on to the mother. She discovered that the response to the request about the child had disclosed to the father her own personal data (including her new address), personal data relating to another child with no connection to the father, and other personal information that should not have been disclosed to him.
The Monetary Penalty Notice records that there had been no training given in respect of the handling of Subject Access Requests and that there were no procedures within the practice for the handling of these requests. In this case the disclosure was not checked before it was sent out to ensure that there was nothing within the records that ought to be excluded.
Handling a Subject Access Request is not straightforward. It is not simply a matter of printing out all of the records held and posting them, or downloading them and emailing them to the data subject. The information has to be gone through carefully to identify any third-party personal data, so that decisions can be taken about whether that third-party data can or should be disclosed. Furthermore, there are a range of exemptions that can be applied to information that is held – some of which may well apply to medical records – which allow the data controller to withhold that information in response to a Subject Access Request. That is in addition to the other (often forgotten) rights contained in Section 7 of the Data Protection Act 1998, such as the data subject’s right to be told the purposes for which the data are processed, the recipients to whom they may be disclosed and any information available about their source.
Given the complexity of handling such requests, it is important that there are proper procedures in place setting out how they should be handled. Such a procedure should cover every stage of the process: recording receipt of the request, verifying the identity and entitlement of the requester, identifying the data subject’s personal data, considering it for disclosure (including third-party data and any applicable exemptions), compiling the disclosure, checking it before it goes out, and recording that the response has been sent.
It’s not just a case of having a procedure in place; everyone involved in the process needs training appropriate to the functions they perform. Those responsible for identifying what should be disclosed need proper training to enable them to recognise third-party information as well as information that could potentially be withheld. That training must also be repeated regularly to ensure that people involved in the process are kept up to date with the procedures and with any changes in the relevant law – regular refresher training is especially important for people who rarely handle Subject Access Requests.
Having in place good-quality, detailed procedures together with a comprehensive training programme can substantially reduce the risk of a data breach. If things do go wrong, being able to show those procedures (with compliance regularly monitored) and that training programme can substantially reduce the severity of any regulatory action taken by the Information Commissioner.