Case file: Complaint

Wrong email attachment

  • Date: 19 January 2023


A consultant dermatologist – Dr P – is sending out correspondence to his private patients as email attachments. Just as he is about to send an email to Ms J he realises that he has mistakenly attached her letter to a previous email to another patient.

Dr P immediately contacts the mistaken recipient with their correct letter and receives confirmation that the letter addressed to Ms J has been deleted without being read. The dermatologist contacts Ms J to inform her of the error and also notifies the Information Commissioner’s Office (ICO), which advises that this is not a matter requiring formal notification. Dr P is directed to advice on the ICO website on how to avoid future confidentiality breaches.

A week later Ms J sends a formal letter of complaint to Dr P in which she expresses her distress at having personal and private information mistakenly disclosed in this manner. Despite reassurances she is now worried that private and intimate treatment details could be shared more widely on social media or by other means. She also worries other personal details may have been shared.

Dr P contacts MDDUS for advice on preparing his response to the complaint.


An MDDUS adviser reviews and comments on the draft response to Ms J. She suggests that the letter begins with a conciliatory opening paragraph, stating that Dr P is sorry Ms J has had cause to complain and reassuring her that he has taken the complaint very seriously and thoroughly reviewed the incident.

A chronological account of what happened and how the error came to light should then be provided, confirming exactly what data was released in error. The letter should provide full details of the actions taken to remedy the error, including confirmation from the patient mistakenly sent the letter that it was not accessed or read and has been fully deleted from his email account. This could also include details of Dr P’s conversation with the ICO and steps taken to prevent any future breach.

The letter should include any new procedures implemented to prevent similar breaches in future and also to further demonstrate how seriously the complaint has been taken.

The adviser recommends that Dr P end his response with the offer of a meeting if this would help resolve the complaint.

Ms J emails back to say she is satisfied with the response.


  • Checking email recipients is vital, and it’s worth noting that some email software will suggest similar addresses you have used before. Ensure you check addresses before sending in case they have been auto-populated in error.
  • Double check that you are using the correct attachment before pressing send.
  • In the event of a data breach, consider whether to notify the ICO and/or the affected individuals in line with guidance on personal data breaches, taking account of whether or not the breach is likely to result in a high risk to the rights and freedoms of those individuals.
  • Check with ICO/MDDUS for further advice, and consider other sources of advice, such as your data protection officer.

This page was correct at the time of publication. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.
