A CITY medical practice has been ruled to have breached its data protection obligation after posting personal information about a former patient online.
Severn Valley Medical Practice posted its response to Andrew Brown’s Freedom of Information (FoI) request to WhatDoTheyKnow.com (WDTK), which has been deemed to identify him alongside information about its plan to remove him as a patient.
This was deemed as a breach of confidentiality by the Information Commissioner’s Office (ICO), which has ordered the surgery to take action to ensure it doesn’t happen again.
In a letter to Mr Brown on October 23, Catherine Hey, ICO lead case officer, said: “The medical practice has not complied with their data protection obligations.”
She said his personal data was “inappropriately disclosed” online, and, although the information was taken down on the same day (June 8) after a complaint by Mr Brown, it was still a breach.
Ms Hey went on to say that the ICO had contacted Severn Valley “about their information rights practices” to “ensure that such an incident does not occur again”.
The authority has asked for details of the steps the practice is taking when responding to FoI requests via WDTK.
And to ensure all future data processed by it is “subject to appropriate technical and organisational security measures to prevent personal data being accidentally or deliberately compromised”.
However, NHS England has said it does not consider the practice, which has surgeries in Henwick Halt and Lyppard Grange, as having breached confidentiality, despite the ICO ruling.
In a letter to Mr Brown on November 21, Professor Kiran Patel, Medical Director NHS England, said his Information Governance team “have concluded that your confidentiality has not been breached”.
Referring to the General Data Protection Regulation, Prof Patel said the release of information which means an “individual is directly identifiable” only “may constitute” a breach of personal data – but in this case “your confidentiality has not been breached”.
We reported last month how the practice’s data protection officer (DPO), Paul Couldrey, had been warned by the Solicitors Regulation Authority (SRA) to stop claiming to be a qualified solicitor or he could face two years in prison.
Speaking to the Worcester News about the apparent breach, Mr Couldrey, also managing director of PCIG, said: “The ICO decision was based on an error of disclosure after an FoI request for which PCIG did not offer advice.
“When the disclosure of the patients data was identified by the practice, PCIG advice was sought and the patient was written to by the practice offering a full apology for the breach.”
In a letter to Mr Brown, practice manager Nicky Redshaw said she did not believe there had been a breach but apologised for “any inconvenience” having consulted the DPO.
“It was not clear to us that the information would be published,” she continued. “In addition, you did choose to communicate with us this way.”
Mr Brown said NHS England and Severn Valley “are in denial”.
“My name and my surgery and the plan to remove me was disclosed online. “That is wrong, and the ICO decision makes that clear as well as it specified the surgery was to advise what steps were being taken to avoid it.
“It is disturbing that NHS England information leaders and a GP surgery, having ‘consulted our data protection officer’ do not think it to be a breach of confidentiality.”
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules hereLast Updated:
Report this comment Cancel