
What to do re GDPR breach?

26 replies

MammaKel · 24/12/2024 17:56

Hi all,

I checked my NHS app today and saw a letter I didn't recognise from the Mental Health Team (I've recently been discharged, so I thought it was something to do with that). So I read it, and it was detailed with sensitive information such as a recent sexual assault, self-harm, drug and alcohol abuse, evidence etc. Really heavy, private, sensitive information, and I was really confused until I checked the name and details.

I actually know the girl it's referring to, we share a last name and live in the same area and under the same service, so I can see how the mistake happened, but it's not acceptable.

I called the number on the letter to let them know of the mistake, and she was very dismissive and told me to make a complaint by email (so it's not going to be dealt with until the new year).

I'm happy to make the complaint, but I have to send an email with the details, further passing information on. It's a GDPR breach that absolutely needs to be reported straight away (which hasn't happened), and I just want to make sure this is the right process before I do anything.

I'd be so upset if this happened to me, so I just want to make it right.

Thank you.

JustAnotherSod · 24/12/2024 19:17

cakeorwine · 24/12/2024 19:09

So the question is: is it likely to result in a high risk to the data subject's rights and freedoms?

What do the GDPR experts think?

Would you report to the ICO?
Would you tell the data subject?

To be honest, there simply isn't sufficient detail known here for these questions to be answered. My first priority would be to make arrangements to remove access to the letter from the App, thereby containing the breach, and also asking the OP to confirm no copy of it has been made / retained.

Thereafter, in investigating it, the first thing I would be establishing is what happened: was it human error or a system issue? Then assessing the information included and, likely in conjunction with the relevant clinicians, considering the impact on the data subject and whether, in the interests of their ongoing relationship as medic and patient, notifying them, even if not required by law, would be a good thing. "Rights and freedoms" has a specific legal meaning also - so my assessment would be based on that.

The breach must be recorded internally with any lessons learned applied promptly to seek to prevent a repeat - what these will be will depend on the reason the breach happened.

Ultimately, having handled similar issues, they very often do not reach the threshold for ICO reporting, and although not notifiable by law, are discussed with the affected data subject so that an apology can be given along with assurance about the steps taken to contain the breach so that their privacy is protected - this is particularly the case if there is any concern that gossip locally will alert the data subject to the breach, so as to prevent the distress that would cause.
