
AIBU?


What would you do if you got a copy of someone else’s confidential GP records

230 replies

Twinkletoesandspaghettios · 09/05/2026 23:09

No poll just wondering exactly what you would do?

The summary care report was in with mine and had name, address, DOB, full medical history including details on social services and CAMHS involvement

weirdshape · 10/05/2026 08:05

The ICO is useless and I don't even see the point of them. I reported a major breach of my father's data - the NHS "lost" the last 6 months of his medical notes before he died and I reported it to ICO. They did nothing. All they did was give me a reference number and I never heard anything from them again, despite me badgering them about it.

I've also reported other things - never heard anything back.

I really don't see the point of them if they aren't going to act.

DallasMajor · 10/05/2026 08:05

Su1rlie · 10/05/2026 07:42

I can’t believe I’m reading posts like this! It’s a massive breach and they would be interested. Those working in education and public services do data training every year for this very reason. Things like this absolutely should not happen. I’d be beyond livid if those were my notes. The patient deserves to be told and it definitely needs to be reported.

I agree it needs to be reported to the surgery to prevent it happening again.

But massive fines? ICO investigation? It is all hyperbole.

18 fines were issued last year, do you really think any of those fines were because of a situation like this?

Snorerephron · 10/05/2026 08:07

These things happen. Return it to the GP. ICO recommends returning rather than destroying

Report to the ICO if you wish. But where the documents have been returned (which is the right thing to do) it is unlikely they will take further action

weirdshape · 10/05/2026 08:07

DallasMajor · 10/05/2026 08:05

I agree it needs to be reported to the surgery to prevent it happening again.

But massive fines? ICO investigation? It is all hyperbole.

18 fines were issued last year, do you really think any of those fines were because of a situation like this?

Exactly - by all means report it to the practice manager of the surgery but this idea that ICO are going to swoop in and help you and fine them is BS I'm afraid, they don't have the resources.

They did nothing whatsoever about my father's medical notes being lost

Snorerephron · 10/05/2026 08:10

Su1rlie · 10/05/2026 07:42

I can’t believe I’m reading posts like this! It’s a massive breach and they would be interested. Those working in education and public services do data training every year for this very reason. Things like this absolutely should not happen. I’d be beyond livid if those were my notes. The patient deserves to be told and it definitely needs to be reported.

I worked in data protection for a long time

Of course we take it seriously

But a breach where some papers go to one person. Who returns them. It is almost certain the ICO will say this isn't reportable. And 100% certain they won't take any further action

Human error happens. We try and design it out as much as possible but it's still going to happen

daisychain01 · 10/05/2026 08:13

The ICO focus on large data breaches resulting from corporates not securing their systems and hackers gaining access to sensitive personal information. They focus on systematic flaws and security leaks. Fines of 4% of turnover can be significant and act as a warning to all organisations who collect and process personal data.

They are not going to investigate or fine a doctor's surgery for a single error, it is however incumbent on us all to hold medical practices to account as they need to take the required actions as the Data Controller under DPA 2018.

Su1rlie · 10/05/2026 08:14

Snorerephron · 10/05/2026 08:10

I worked in data protection for a long time

Of course we take it seriously

But a breach where some papers go to one person. Who returns them. It is almost certain the ICO will say this isn't reportable. And 100% certain they won't take any further action

Human error happens. We try and design it out as much as possible but it's still going to happen

That isn’t what is said in data protection training. It has to be reported. Also NHS staff must complete, pass, and technically record or "sign off" their data protection training, which is mandatory and usually required annually.

InfoSecInTheCity · 10/05/2026 08:14

Snorerephron · 10/05/2026 08:10

I worked in data protection for a long time

Of course we take it seriously

But a breach where some papers go to one person. Who returns them. It is almost certain the ICO will say this isn't reportable. And 100% certain they won't take any further action

Human error happens. We try and design it out as much as possible but it's still going to happen

This exactly. ICO will send an email to the registered Data Protection Officer notifying them of the report and reminding them of their obligations under GDPR but unless there is a pattern of other reports about the same practice there will be no enforcement and that will be the end of the matter.

Fines and formal action are reserved for mass breaches or repeated demonstrations of lack of data governance and legal compliance.

TinkyBella · 10/05/2026 08:14

Report it to the NHS Trust as a GDPR breach

Goldengirl123 · 10/05/2026 08:15

This is very serious and must be reported to the practice manager

Snorerephron · 10/05/2026 08:17

Su1rlie · 10/05/2026 07:48

It is a serious data breach.

Having GP notes or medical records sent to the wrong person is considered a serious data breach under UK data protection laws (UK GDPR). Because medical information is classified as "special category" data, its accidental disclosure poses a high risk to a person’s rights, privacy, and confidentiality.

Here is a breakdown of the situation:

Why It Is a Major Breach
Sensitivity: GP notes contain intimate, private health information.
Unauthorised Disclosure: This is defined by the Information Commissioner's Office (ICO) as a "loss of confidentiality," one of the most common and serious types of data breaches.
Human Error: Sending letters, emails, or test results to the wrong recipient is a frequent cause of breaches that often results in reprimands or fines for the GP practice.

What the GP Practice Must Do
Investigate: The practice must investigate how it happened and contain the breach (e.g., attempt to get the records back).
Report to ICO: They are likely required to report this to the ICO within 72 hours of becoming aware of the breach.
Notify the Patient: They must inform you ("the data subject") about the breach if it poses a high risk to your privacy.

What You Should Do
Contact the GP Immediately: Inform them that you have received another patient's records (or that yours were sent to the wrong person).
Ask for a Formal Investigation: Ask the practice to escalate this to their Data Protection Officer (DPO).
Report to the ICO: If the GP practice does not handle your complaint satisfactorily, you can report the breach directly to the ICO.

You need to report it, you have no idea if they have reported it within 72 hours. It’s for the safety of others, not just you.

The papers are being returned by OP. So it's not likely to be reportable

Su1rlie · 10/05/2026 08:17

InfoSecInTheCity · 10/05/2026 08:14

This exactly. ICO will send an email to the registered Data Protection Officer notifying them of the report and reminding them of their obligations under GDPR but unless there is a pattern of other reports about the same practice there will be no enforcement and that will be the end of the matter.

Fines and formal action are reserved for mass breaches or repeated demonstrations of lack of data governance and legal compliance.

Regardless of whether fines are involved it’s classed as a serious breach and needs to be reported.

Su1rlie · 10/05/2026 08:17

Snorerephron · 10/05/2026 08:17

The papers are being returned by OP. So it's not likely to be reportable

Of course it can be. It happened.

Snorerephron · 10/05/2026 08:18

Su1rlie · 10/05/2026 08:14

That isn’t what is said in data protection training. It has to be reported. Also NHS staff must complete, pass, and technically record or "sign off" their data protection training, which is mandatory and usually required annually.

Indeed. Because my goal when I train people is to emphasise the seriousness of it all!

But the reality is even ICO recognises that people are human

topcat2014 · 10/05/2026 08:19

Report to Daily Mail and seek compensation for distress

PennyThought · 10/05/2026 08:20

Not sure what there is to do because it seems the NHS can have any data breach they like and the adoring public will just applaud them and make out like the victim is the bad player. It's nauseating. There may be a reporting site for data breach under GDPR NHS. Have a look online.

Su1rlie · 10/05/2026 08:21

Snorerephron · 10/05/2026 08:18

Indeed. Because my goal when I train people is to emphasise the seriousness of it all!

But the reality is even ICO recognises that people are human

That’s by the by. It’s a serious breach and needs to be reported. The reporting and seriousness of it hopefully will ensure the practice gets its arse into gear.

Some patients have hugely sensitive and personal info in their records. Knowing others have read your records could be catastrophic for some patients.

weirdshape · 10/05/2026 08:22

Su1rlie · 10/05/2026 08:14

That isn’t what is said in data protection training. It has to be reported. Also NHS staff must complete, pass, and technically record or "sign off" their data protection training, which is mandatory and usually required annually.

I also worked in NHS at one point and yes whilst this is true, the fact is, ICO don't do anything, are hugely understaffed and overburdened and that's the point.

We all get told how wonderful and great it is that finally, the ICO is going to uphold everyone's privacy and confidentiality and that they WILL come down hard on people for data breaches but the fact is, they don't and they can't. It's all utter bullshit.

I posted up thread - my father's medical notes for 6 entire months up to the date he died were apparently "lost" in continuing health care's "archive room". They admitted they could be anywhere and anyone could have seen them. This was also highly suspicious because I was taking legal action about his access to continuing healthcare funding and mysteriously his notes just disappeared.

The last 6 months of his life were appalling - his medical notes had distressing and embarrassing details of how his dementia and Parkinson's were affecting him.

I reported all of this to the ICO - of course they told me they'd take it incredibly seriously and I was so right to report it to them. Do you know what they did? - they gave me a reference number and I never heard from them ever again. Even when I rang up for updates they kept saying they were dealing with it. Nothing happened and I know that because I submitted a SAR request to the trust where it happened.

Of course we've all been warned that there will be serious consequences about data breaches, but in reality?- the ICO is about as useful and effective as a chocolate teapot.

Su1rlie · 10/05/2026 08:22

PennyThought · 10/05/2026 08:20

Not sure what there is to do because it seems the NHS can have any data breach they like and the adoring public will just applaud them and make out like the victim is the bad player. It's nauseating. There may be a reporting site for data breach under GDPR NHS. Have a look online.

I know!!

Can you imagine if a school made a serious breach. 😆

MyRedBear · 10/05/2026 08:22

This actually happened to me, I found the parent named on the documents, she also had my child's with all of their confidential info on too. We both complained to the local CAMHS department, this was some 15 years ago but I don't believe either family received a reply.

Ophy83 · 10/05/2026 08:25

Twinkletoesandspaghettios · 09/05/2026 23:15

If something of this level of confidential information was given out from your team, would you report it to the Information Commissioner's office?

Yes if someone became aware of it in the course of their work they would have a duty to report to the ICO.

Branster · 10/05/2026 08:25

I would return it with a note explaining why.
I wouldn’t read it on purpose.
Clearly a clerical error.

itsgettingweird · 10/05/2026 08:27

This kinda happened to me with a report from DS OT.

Had another child’s name and school on top. Mentioned that child in the first paragraph and then mine further down.

(I then went and read personal info at top and saw that said different info - I wouldn’t have read further if I’d have studied that first!)

I called the OT office and returned the report and asked for a reassessment as I now couldn’t trust what was about my child and what wasn’t. (Despite knowing it was likely a cut and paste job). Plus his OT had gone on maternity so they couldn’t access her assessments to check.

Snorerephron · 10/05/2026 08:28

Su1rlie · 10/05/2026 08:22

I know!!

Can you imagine if a school made a serious breach. 😆

It would be exactly the same if a school made a breach of this nature. If all the paperwork was returned then the ICO are going to do precisely nothing

Weightsadvice · 10/05/2026 08:30

Happened to me once with highly sensitive records added to mine. The surgery said ‘well what do you want, do you want it removed?’ Well YES obviously, plus I told them they needed to notify the person. They said no they didn’t and that I was bound by confidentiality to not tell anyone? I called the practice manager who told me they’d resolved it by removing it (the person just had the same DOB as me! It was highly sensitive). I wrote to their address and said that they should contact the GP about a data breach.