GP reprimand from ICO

Posted by: Sarah - Posted on:

The ICO have taken action against Staines Health Group GP surgery after an excessive amount of a terminally ill patient's medical history was sent to an insurer. Instead of five years of medical history being sent, Staines Health Group sent 23 years’ worth to the insurer. The patient believed this led to a smaller payout.

Failures of Staines Health Group that led to the incident included the lack of a written process for staff to follow when handling insurance requests and a lack of regular refresher data protection training for staff.

The ICO stated that lessons learned include:

  • The need for written processes to be in place to support staff when handling personal data.
  • Consider the need for a quality assurance process when sharing personal data externally.
  • Provide up-to-date and regular data protection training for staff.

After reading the reprimand, we would also add that practices should have enough members of staff who are able to log on to their DSPT to report a data breach. If the only people with access to the DSPT are on annual leave, reporting of a data breach will be delayed and Article 33 of UK GDPR will consequently be infringed.