Is this a GDPR breach?

[DorisParchment]

So my job involves a lot of travel and my employer has outsourced the healthcare side of things to an external provider - so they sort out an air ambulance to get you home in an emergency, and will also book you NHS appointments if you are on a long term contract, to coincide with your leave.

I’ve recently booked a couple of appointments with them for routine stuff - like moving a mammogram appointment because I knew I was going to miss it. When I was in London recently, there was an NHS bowel cancer screening kit waiting for me at home. I did it and popped it in the post. They sent my results to my office healthcare provider, who have forwarded them to me. Surely this is a breach of GDPR? What if it had been test results from the clap clinic or something I didn’t want my office to know about, or that I would choose to tell them about later?

It depends on the consent form you have signed about the use of your data.

It sounds to me like you have an agreement for this to happen so not a GDPR breach.

Regardless, even if it was a GDPR breach, the ICO are utterly useless and powerless to do anything in individual cases!

Do they tell your employer though, or just manage your healthcare with you. Agree you need to check the terms you agreed to regarding information sharing.

I can understand your employer sorting out healthcare if you are abroad, but why do they need to sort NHS appointments - this would normally be something you did yourself with results and correspondence being to your home address / email.

Check the provider’s privacy notice - it should tell you how they use your personal data. It’s not a GDPR breach if they’ve told you when you signed up or booked with them that they would do this. I’d you can’t find any sign of it anywhere, contact their data protection officer