Data Protection and how to avoid a £40,000 fine

Data Protection policies and procedures abound in organisations. They are usually lengthy documents full of jargon but often with very little practical advice for employees on what they should actually do if, for example, a customer or client asks to see the information held about them.

A breach of the Data Protection Act led to a huge fine for a GP surgery that failed to protect its patients’ personal data – and the fault was laid firmly on the practice’s lack of systems and staff training.

The fallout, in this case, was huge distress to the family concerned, damage to the GP practice’s reputation and a £40,000 fine. It’s easy to imagine how upset the person responsible for dealing with the subject access request must have been and yet such a devastating data breach could so easily have been avoided.

So what went wrong with their data protection?

This data breach was the direct result of a subject access request gone wrong. The practice revealed confidential details about a patient and her family to an estranged ex-partner because there were insufficient systems in place for staff to deal with subject access requests (SARs).

The practice gave out the information despite express warnings from the woman that staff should take particular care to protect her details. The information was provided after the ex-partner made a request for the medical records of the former couple’s son. Staff at the GP practice responded with 62 pages of information that included the woman’s contact details as well as those of her parents and an older child the man was not related to.

The Information Commissioner’s Office (ICO) investigation found that the GP practice had insufficient systems in place to guard against releasing unauthorised personal data to people who were not entitled to see it. This was a breach of the Data Protection Act.

What is subject access?

Subject access is a fundamental right of individuals under the Data Protection Act, so whatever business you’re in, if you hold personal data, it’s likely you will have to respond to a request at some point.

The ICO’s figures show that 46% of all complaints made to them last year were about SARs and the difficulties people face when trying to get hold of their personal information.

As these figures and the recent case show, it’s incredibly important to make sure staff are fully equipped to deal with requests.

The ICO’s Subject Access Code of Practice is a comprehensive guide to SARs and what you need to do as a business.

Key actions:

  • Take a positive approach to subject access; it’s good for customer service, PR and employee relations
  • Ensure all your employees are trained to recognise a SAR as part of general data protection training
  • Provide more detailed training on handling SARs to relevant staff who will be dealing with the requests
  • Include a dedicated data protection page on your company intranet with links to SAR policies and procedures
  • Identify a specific person or central team who will be responsible for responding to requests
  • Make sure that more than one member of staff is aware of how to process a SAR, to cover absences
  • Appoint a senior manager to review responses where the requesters are dissatisfied with the initial response
  • If you have data protection experts or ‘information champions’ in your business, make sure employees know who they are and how to contact them for expert advice
  • Implement a system for monitoring compliance with SARs
  • Record the number of SARs received
  • Keep on top of any requests that have not been actioned within the statutory time limit and ensure they are escalated to and dealt with at a senior level

Subject Access Requests – Checklist

The ICO’s Checklist takes you through 10 simple steps to understanding subject access requests by helping you answer the following questions:

  • Is it a subject access request?
  • Do you have enough information to be sure about the requester’s identity?
  • Do you need more information from the requester to find what they want?
  • Are you charging a fee?
  • Do you have the information the requester wants?
  • Will the information be changed between receiving the request and sending the response?
  • Does it include information about other people?
  • Are you obliged to supply the information?
  • Does the information include any complex terms or codes?
  • Do you know how to prepare the response?

Make sure your business doesn’t get caught out by subject access requests: have a clear policy and procedures in place, and ensure that staff receive adequate guidance or supervision about what could be disclosed or should be withheld.

Data Protection in the health sector

The ICO provides excellent guidance specific to the health sector. The NHS also provides a brilliant Data Security and Protection Toolkit.

If you would like practical support and advice on Data Protection and Subject Access Requests, please contact us to discuss how we can help.