ICO action against NHS Organisations

Here are just some examples in which the Information Commissioner's Office (ICO) has taken action against NHS organisations.

If you are interested in reading about other cases, go to https://ico.org.uk/, click on 'ACTION WE'VE TAKEN' at the bottom of the Home Page, and then use the filter to show only cases relating to the health SECTOR, or leave it set to ALL SECTORS.

Case Study 1

A GP practice that revealed confidential details about a woman and her family to her estranged ex-partner has been fined £40,000 by the Information Commissioner.

Mr A was acrimoniously divorced from the mother of his five-year-old son (child B). In January 2013 child B's mother warned the Practice of the family's problems and specifically asked the Practice not to inform Mr A of their whereabouts. This information was placed on child B's medical record.

Mr A subsequently made a subject access request to the Practice under Section 7 of the DPA for child B's medical records. He provided the Practice with a court order proving he had parental responsibility for child B.

In response the Practice sent all of child B’s records to Mr A.

Child B's records contained confidential and personal data, including the telephone contact details of child B's mother, her parents and her elder child C, who was not blood-related to Mr A. The records also included a number of child protection reports compiled by the Police and correspondence with Social Services.

Mr A then filed child B's medical record with the court in ongoing proceedings between the parties. Subsequently child B's mother received the documents that had been filed at court, including all of child B's medical record.

The Practice should have had written procedures for how subject access requests are managed. All records should be checked for third-party information before disclosure. All staff at the Practice should have been aware of how requests were managed, so that the warning about the issues between the parents was recorded correctly and acted upon.


Case Study 2

A nursing home in County Antrim has been fined £15,000 for breaking the law by not looking after the sensitive personal details in its care.

The nursing home issued an unencrypted laptop to the manager. In August 2014 she took the laptop home. It was left in a bag in her living room and her home was burgled during the night. The burglary was reported to the Police but the laptop has still not been recovered.

The laptop held confidential and sensitive personal data on 29 residents of the nursing home, including their name, date of birth, mental and physical health and their "do not attempt to resuscitate" status.

The laptop also held confidential and sensitive personal data on 46 staff, including reasons for sickness absence, medical certificates and disciplinary matters.

The laptop was usually kept in the office, but the office was left unlocked so it could be used by the nurses at the home. The manager regularly took the laptop home to complete outstanding work.

The home did not have any policies governing the use of encryption, home working or the storage of mobile devices, and did not provide any training on data security.

Any device used to store personal information should be encrypted. Policies should have been in place to govern the use of mobile devices, including home working and where the devices are stored.


Case Study 3

Hampshire County Council has been hit with a £100,000 fine by the Information Commissioner’s Office after documents containing personal details of over 100 people were found in a disused building.

Hampshire County Council sold Town End House to a private company. This property was the first to be de-commissioned as part of the workstyle project. It was subsequently vacated by Adult and Children's Services.

During the following two years a number of individuals had independent access to the property, including the Agent responsible for selling the building and prospective buyers.

In late 2014 the company contacted the Council to report that it had found files containing Social Care cases and complaints in an unlocked cupboard/room. It had also found 45 bags of confidential waste in a locked room.

The documents contained confidential and sensitive personal data relating to in excess of 100 data subjects.

In the absence of a specific written procedure it was not clear who was ultimately responsible for ensuring that the property was completely vacated by the Council department. This was exacerbated by a breakdown in communication between the different departments involved in the long process of de-commissioning the property.

Leaving documents behind in a de-commissioned building, or when moving sites, are two very common ways in which information is breached. The person managing the project, or the department manager, should be tasked with ensuring that all information not being moved is disposed of correctly.

