In August, the UK’s data protection regulator, the ICO, fined a Hertfordshire GP practice £40,000 under the Data Protection Act 1998 (“DPA”) after a subject access request (“SAR”) went badly wrong. A lack of process, training and supervision resulted in confidential details about a patient being sent to her estranged ex-partner, who then used them in ongoing court proceedings between them. Considerable distress was caused to those affected.
The ICO took the view that this was a serious breach of the DPA (specifically of Principle 7 relating to security) and that a fine was justified under section 55A because of (a) the highly sensitive nature of the information, (b) the substantial distress caused by the breach, and (c) the fact that the GP practice knew or should have known substantial distress or damage would occur and failed to take reasonable steps to prevent it.
The SAR was made by the father of Child A, who proved to the GP practice that he had parental responsibility (and therefore was entitled to make an SAR on behalf of the child); however, Child A’s entire medical file was released. This included telephone contact details for the mother (who was in vulnerable circumstances), as well as information about her parents and details of another child unrelated to the requester; child protection reports by the police and correspondence with social services were also disclosed.
The ICO published a blog highlighting this case and reminding organisations of the importance of being ready to respond to SARs efficiently and effectively. Last year, 46% of all complaints received by the ICO were in relation to SARs. Typically, SAR-related complaints arise from a lack of – or an inadequate – response, but, as this case illustrates, a lack of process around handling SARs can lead to a serious security breach.