What to do re GDPR breach?

26 replies

MammaKel · 24/12/2024 17:56

Hi all,

I checked my NHS app today and saw a letter I didn't recognise from the Mental Health Team (I've recently been discharged, so I thought it was something to do with that), so I read it. It was detailed, with sensitive information such as a recent sexual assault, self harm, drug and alcohol abuse, evidence etc. Really heavy, private, sensitive information, and I was really confused until I checked the name and details.

I actually know the girl it's referring to, we share a last name and live in the same area and under the same service, so I can see how the mistake happened, but it's not acceptable.

I called the number on the letter to let them know of the mistake, and she was very dismissive and told me to make a complaint by email (so it's not going to be dealt with until the new year).

I'm happy to make the complaint, but I have to send an email with the details, further passing information on. It's a GDPR breach that absolutely needs to be reported straight away (which hasn't happened), and I just want to make sure this is the right process before I do anything.

I'd be so upset if this happened to me, so I just want to make it right.

Thank you.

OP posts:
Penguinmouse · 24/12/2024 17:57

Definitely report this to the ICO, this is awful. Also complain via the NHS process.

DavidLammysLips · 24/12/2024 17:58

This reply has been deleted

This has been deleted by MNHQ for breaking our Talk Guidelines.

Stopsnowing · 24/12/2024 18:01

This reply has been deleted

This has been deleted by MNHQ for breaking our Talk Guidelines.

They won’t necessarily self report to the ICO. OP could report to the ICO or let the other woman know about the issue so she can report to the ICO.

DDivaStar · 24/12/2024 18:03

Of course it's serious, but what do you expect to happen at 5.30 on Christmas Eve?

The breach has happened and nothing will change between now and 2nd Jan. But of course do make sure it's followed up.

LIZS · 24/12/2024 18:03

You should report it to the Data Controller at the organisation which issued the letter (contact details should be on the website under Privacy Policy and complaints). It may not even be their direct fault that it has appeared on the app; it could be the GP surgery, for example, uploading a copy of the letter sent to them in error from them.

ExtraOnions · 24/12/2024 18:04

A data breach should be self-reported to the DPO in the organisation. The DPO will then decide if it's severe enough to be reported externally (I would imagine this meets the threshold).

They should report within 72 hours, though this can be longer; we are in the middle of various bank holidays.

It then becomes an issue between the agency and the ICO.

The agency should inform the person whose information has been compromised of the breach.

MammaKel · 24/12/2024 18:05

That's what I thought and why I've asked here for clarification, because it's not really a complaint. It's a breach that needs dealing with.

I don't want to go directly to the person for a few different reasons, but mostly, I don't want to upset her further. She's obviously going through a lot, and I'd be mortified if someone I knew (not well, I might add) knew the things I've said to the CMHT. I'm assuming they'll have to tell her they sent it to someone else but not who, so she won't know it's someone who knows her.

Do I just report to the ICO then?

OP posts:
ICouldHaveCheckedFirst · 24/12/2024 18:08

I wouldn't tell the other woman. That's not going to help.
Inform the Data Controller for the organisation who sent the latter, and copy to the ICO if you wish. I don't expect you will hear any more about it.

ICouldHaveCheckedFirst · 24/12/2024 18:08

*letter

MammaKel · 24/12/2024 18:13

Thank you everyone.

I know realistically nothing can be done today. I just feel really bad and wanted to make sure I followed the right procedure.

OP posts:
autisticat · 24/12/2024 18:29

As others have said, data controller at the NHS Trust, and I’d cc in the ICO (or send it to them separately). Explain that you notified the number in the letter and got a dismissive response, so you are escalating it. Anyone likely to be answering the phone should have had GDPR training and should know how unacceptable it is that this has happened - doesn’t matter if it’s Christmas Eve!

LittleSoo · 24/12/2024 18:30

It being Xmas eve isn't an excuse. The DPO should be informed so they can remove the info from your account and confirm that you will not disclose what you have learnt. Then they assess the risk and report to the ICO if necessary.

That staff member that told you to raise a complaint is so wrong! If you got their name I'd include that too to complain about them specifically.

I do not work in the NHS but I do work in data protection and any member of staff in my organisation who becomes aware of a breach has a duty to inform the DPO of it so it can be investigated.

Unreal what that staff member said and some of the replies in this thread!

Agix · 24/12/2024 18:33

ICouldHaveCheckedFirst · 24/12/2024 18:08

I wouldn't tell the other woman. That's not going to help.
Inform the Data Controller for the organisation who sent the latter, and copy to the ICO if you wish. I don't expect you will hear any more about it.

The other woman will be told, she has to be informed of any breaches with her information by law.

LIZS · 24/12/2024 18:35

But better it come from a trained official than a random stranger at Christmas.

JustAnotherSod · 24/12/2024 18:46

Agix · 24/12/2024 18:33

The other woman will be told, she has to be informed of any breaches with her information by law.

Not quite - data subject notification is only required by law where there is a high risk to the rights and freedoms of the data subject - not for every breach.

kitteninabasket · 24/12/2024 18:49

A very similar thing happened to me after a home visit, I was left with my neighbour's notes. I called the doctor as soon as I realised and he came rushing back in a fluster. I told him I hadn't looked at them, I didn't even open the cover, but he said he'd need to do a formal incident report (or something along those lines) and inform the patient. Neighbour's MH was extremely precarious so I knew she'd be very upset about the breach. I did think about telling her it was me they'd been left with, and reassuring her I hadn't read anything, but I decided it was best to keep out of it.

It's a serious breach and it's appalling they've been dismissive of you. After one of my MH-related letters arrived opened I've asked them not to put anything in the post and email clinic letters to me instead. I'd actually rather they didn't send them at all because they contain extremely sensitive information.

LittleSoo · 24/12/2024 18:54

Agix · 24/12/2024 18:33

The other woman will be told, she has to be informed of any breaches with her information by law.

@Agix really? Can you point out exactly where it says this in law?

LittleSoo · 24/12/2024 18:56

kitteninabasket · 24/12/2024 18:49

A very similar thing happened to me after a home visit, I was left with my neighbour's notes. I called the doctor as soon as I realised and he came rushing back in a fluster. I told him I hadn't looked at them, I didn't even open the cover, but he said he'd need to do a formal incident report (or something along those lines) and inform the patient. Neighbour's MH was extremely precarious so I knew she'd be very upset about the breach. I did think about telling her it was me they'd been left with, and reassuring her I hadn't read anything, but I decided it was best to keep out of it.

It's a serious breach and it's appalling they've been dismissive of you. After one of my MH-related letters arrived opened I've asked them not to put anything in the post and email clinic letters to me instead. I'd actually rather they didn't send them at all because they contain extremely sensitive information.

@kitteninabasket he might have said that to you but upon investigating they hopefully would have come to the conclusion not to tell the patient. The threshold for reporting to the affected person is even higher than reporting to the ICO and the risk of upset to mental health by knowing about the breach should be considered too.

DeliciousApples · 24/12/2024 18:59

Were you expecting a letter, as it may have been put in the envelope to the other woman if you got her letter...

chocolatespreadsandwich · 24/12/2024 19:00

Agix · 24/12/2024 18:33

The other woman will be told, she has to be informed of any breaches with her information by law.

That's absolutely not the case. It's a judgement call whether to tell someone or not based on all the facts. If it will cause someone more harm/distress to tell them then they don't have to.

This would be judged as fairly low risk as OP is clearly aware she shouldn't have the letter.

OP, I would either send the letter back to them or destroy it and email them to confirm you have destroyed it. Email their DPO.

It is for the DPO to decide whether to report to the ICO. The ICO are likely to feel this doesn't meet the threshold for investigation.

chocolatespreadsandwich · 24/12/2024 19:01

JustAnotherSod · 24/12/2024 18:46

Not quite - data subject notification is only required by law where there is a high risk to the rights and freedoms of the data subject - not for every breach.

Yes, and it's balanced against the risk of harm caused by telling them about the breach.

cakeorwine · 24/12/2024 19:07

Advice re reporting data breaches

Personal data breaches: a guide | ICO

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.

A ‘high risk’ means the requirement to inform individuals is higher than for notifying the ICO. Again, you will need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring. If the impact of the breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again the risk is higher. In such cases, you will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effect of a breach.

If you decide not to notify individuals, you will still need to notify the ICO unless you can demonstrate that the breach is unlikely to result in a risk to rights and freedoms. You should also remember that the ICO has the power to compel you to inform affected individuals if we consider there is a high risk. In any event, you should document your decision-making process in line with the requirements of the accountability principle.

What breaches do we need to notify the ICO about?

When a personal data breach has occurred, you need to establish the likelihood of the risk to people’s rights and freedoms. If a risk is likely, you must notify the ICO; if a risk is unlikely, you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.

Personal data breaches: a guide

https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/
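As an added illustration (not part of the thread or the ICO guidance), the two-threshold decision described in the quoted guidance, encoded as a breach triage routine: risk "likely" means the ICO is notified within 72 hours of the controller becoming aware, "high risk" means the individuals are informed too, and either way the justification is written down. The 3x3 severity-by-likelihood matrix and the scenario ratings are assumptions for illustration, not ICO rules or a legal assessment of the case above.

```python
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def risk_level(severity: Level, likelihood: Level) -> str:
    """Assumed 3x3 matrix (not an ICO rule) mapping severity x likelihood onto the
    guidance's three outcomes: 'unlikely' (no ICO report), 'risk' (report to the
    ICO), 'high' (report to the ICO and inform the individuals)."""
    score = int(severity) * int(likelihood)
    if score >= 6:
        return "high"
    if score >= 3:
        return "risk"
    return "unlikely"


def triage(description: str, aware_at: datetime, severity: Level, likelihood: Level) -> dict:
    """Decide both notifications and keep the written justification the
    accountability principle requires. aware_at is when the controller became
    aware of the breach, which starts the 72-hour ICO clock."""
    level = risk_level(severity, likelihood)
    notify_ico = level != "unlikely"
    notify_individuals = level == "high"
    record = [f"{description}: severity={severity.name}, "
              f"likelihood={likelihood.name}, risk={level}"]
    if not notify_ico:
        record.append("ICO not notified: breach unlikely to result in a risk")
    if not notify_individuals:
        record.append("individuals not informed: high-risk threshold not met; "
                      "the ICO may still compel notification")
    return {
        "risk": level,
        "notify_ico": notify_ico,
        "ico_deadline": aware_at + timedelta(hours=72) if notify_ico else None,
        "notify_individuals": notify_individuals,
        "record": record,
    }


# Constructed scenario mirroring the thread: one patient's clinic letter appears in
# another patient's NHS app account. Ratings are illustrative inputs only.
AWARE_AT = datetime(2024, 12, 24, 17, 56, tzinfo=timezone.utc)
WRONG_PATIENT_LETTER = triage("clinic letter with health data sent to the wrong patient",
                              AWARE_AT, Level.HIGH, Level.MEDIUM)
```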

cakeorwine · 24/12/2024 19:09

So the question is: is it likely to result in a high risk to the data subject's rights and freedoms?

What do the GDPR experts think?

Would you report to the ICO?
Would you tell the data subject?

Padamae · 24/12/2024 19:10

You can't report on behalf of someone else. I recently called the ICO after being sent some information about someone else and they said they couldn't do anything unless the person reported it or the company that made the breach.
