GP practice fined £40K by ICO

A GP practice has been fined £40,000 by the Information Commissioner for revealing confidential details about a woman and her family to her estranged ex-partner.

The practice in Hertfordshire released the information when the patient’s ex-partner made a request for the medical records of the former couple’s son. Staff at the practice responded with 62 pages of information that included the woman’s contact details as well as those of her parents and an older child the man was not related to. The information was provided despite express warnings from the woman that staff should take particular care to protect her details.

An ICO investigation found that the GP practice had insufficient systems in place to guard against releasing unauthorised personal data to people who were not entitled to see it. It found that staff had not received adequate guidance or supervision about what could be disclosed or should be withheld.

Steve Eckersley, the ICO’s Head of Enforcement, said: "There is no doubt that releasing this information would have caused great distress to the woman, her children and the rest of her family.

"In failing to ensure staff were properly equipped to safeguard against unauthorised disclosures, this medical practice placed a member of its team in the firing line.

"It was unfair to expect this person to deal with the potentially devastating fall-out created by sharing personal data wrongly. GPs could have protected staff by providing proper support, training and guidance. They did not do this."

The ICO says it issued a fine of £40,000 because the practice’s partners would be individually liable, but because of the serious nature of the breach most organisations would expect to receive a much larger fine.