AIBU?

What would you do if you got a copy of someone else’s confidential GP records

230 replies

Twinkletoesandspaghettios · 09/05/2026 23:09

No poll just wondering exactly what you would do?

The summary care report was in with mine and had name, address, DOB, full medical history including details on social services and CAMHS involvement

bigboykitty · 10/05/2026 16:07

Snorerephron · 10/05/2026 15:29

The ICO guidance is that you should not always inform the person though. You should weigh up all the facts and balance the harms

We would always tell someone if they needed to take steps to protect themselves but in a situation like this we wouldn't inform them

If you work in the NHS, this is completely unethical behaviour. There is a Duty of Candour and the patient absolutely has a right to know.

Doctor1988 · 10/05/2026 16:21

Twinkletoesandspaghettios · 09/05/2026 23:36

It was probably a stressed-out receptionist who accidentally fired it into a brown envelope. Yes, not ideal, but with all the ridiculous pressure GP surgeries are under, do they really need the ballache of dealing with an admin error?

I have no doubt the GPs will have highlighted it and changed the practice so it doesn’t happen again going forward, but what would reporting it actually achieve?


They legally have to report this as an information breach, and part of that involves informing the patient whose data was wrongly shared.

MrsBennetsPoorNervesAreBack · 10/05/2026 16:25

Doctor1988 · 10/05/2026 16:21

They legally have to report this as an information breach, and part of that involves informing the patient whose data was wrongly shared.

Not quite accurate. They are legally required to assess the risk to the data subject, and based on the outcome of that risk assessment, they must determine whether or not the breach is reportable to the ICO. They must also consider whether or not the data subject should be informed of the breach, but there may be circumstances in which the data subject is not informed because an assessment has been made that it would not be in the data subject's best interests to do so.

ETA Obviously, if the risk assessment found that the risk to the individual was high, then the data subject would need to be informed so that they could take appropriate action to protect themselves. The judgement is more nuanced when the actual risk to the data subject is deemed to be low.

jacks11 · 10/05/2026 16:28

As a doctor, I would say you should contact the surgery and tell them what has happened. They will need the details to report the data breach to the ICO and conduct an investigation into how that happened. They should also contact the trust's Data Protection Officer (who may contact the Caldicott Guardian); usually they report through the trust's DATIX process. The surgery will need to contact the patient (or their guardian, if more appropriate due to age/competency concerns) to let them know there has been a breach.

They are legally obliged to report a data breach, and must do so within 72 hours of being aware that a breach has occurred. If you are concerned that they might not, you can report to the ICO, but they do normally expect you to have raised it with the organisation responsible for the breach, and to have been dissatisfied with their response to your complaint. I.e. if you go to them before the surgery, they will likely redirect you to the surgery in the first instance. You can still report directly to the ICO, but you will need to contact the surgery too. Alternatively, you can report it to the trust's DPO/Caldicott Guardian (again, they will tell you to notify the practice if you haven’t already done so).

Doctor1988 · 10/05/2026 16:29

MrsBennetsPoorNervesAreBack · 10/05/2026 16:25

Not quite accurate. They are legally required to assess the risk to the data subject, and based on the outcome of that risk assessment, they must determine whether or not the breach is reportable to the ICO. They must also consider whether or not the data subject should be informed of the breach, but there may be circumstances in which the data subject is not informed because an assessment has been made that it would not be in the data subject's best interests to do so.

ETA Obviously, if the risk assessment found that the risk to the individual was high, then the data subject would need to be informed so that they could take appropriate action to protect themselves. The judgement is more nuanced when the actual risk to the data subject is deemed to be low.


In this context they will need to tell the patient.

MrsBennetsPoorNervesAreBack · 10/05/2026 16:31

Doctor1988 · 10/05/2026 16:29

In this context they will need to tell the patient.

Quite possibly, but it would depend on their assessment of the risk.

WonsWoo · 10/05/2026 16:32

Twinkletoesandspaghettios · 09/05/2026 23:15

If something of this level of confidential information was given out from your team, would you report it to the Information Commissioner's office?

Where I work we would have to report ourselves to the ICO and we would also have to notify the person whose record had been shared. There would be a full significant event investigation, report and learning session.

Snorerephron · 10/05/2026 17:04

Doctor1988 · 10/05/2026 16:29

In this context they will need to tell the patient.

Not necessarily no. The ICO guidance is clear that it should be an assessment balancing the harms before deciding whether or not to disclose.

Snorerephron · 10/05/2026 17:06

bigboykitty · 10/05/2026 16:07

If you work in the NHS, this is completely unethical behaviour. There is a Duty of Candour and the patient absolutely has a right to know.

I don't work in the NHS. I am very familiar with the ICO guidance though.

bigboykitty · 10/05/2026 17:08

MrsBennetsPoorNervesAreBack · 10/05/2026 16:31

Quite possibly, but it would depend on their assessment of the risk.

No. They would need to tell the patient. It's a requirement in this specific situation.

Dazedanddiscombobulated · 10/05/2026 17:18

bigboykitty · 10/05/2026 17:08

No. They would need to tell the patient. It's a requirement in this specific situation.

It might be an NHS policy requirement, but it’s not an absolute requirement under GDPR law/regulation - it’s as @Snorerephron and @MrsBennetsPoorNervesAreBack say.

Doctor1988 · 10/05/2026 17:38

Dazedanddiscombobulated · 10/05/2026 17:18

It might be an NHS policy requirement, but it’s not an absolute requirement under GDPR law/regulation - it’s as @Snorerephron and @MrsBennetsPoorNervesAreBack say.

In this context, in an NHS GP surgery, they would have to tell the patient.

MrsBennetsPoorNervesAreBack · 10/05/2026 17:55

Doctor1988 · 10/05/2026 17:38

In this context, in an NHS GP surgery, they would have to tell the patient.

That may well be NHS policy. The legal requirement to notify the data subject would depend on the risk assessment though.

Snorerephron · 10/05/2026 17:59

Doctor1988 · 10/05/2026 17:38

In this context, in an NHS GP surgery, they would have to tell the patient.

That's interesting. I know there are ICO decisions that make it clear, for instance, that a pharmacy wouldn't have to in these circumstances.

bigboykitty · 10/05/2026 18:10

Dazedanddiscombobulated · 10/05/2026 17:18

It might be an NHS policy requirement, but it’s not an absolute requirement under GDPR law/regulation - it’s as @Snorerephron and @MrsBennetsPoorNervesAreBack say.

It is an NHS requirement. It's obligatory to consider duty of candour. The example IS an NHS situation.

MrsBennetsPoorNervesAreBack · 10/05/2026 18:19

bigboykitty · 10/05/2026 18:10

It is an NHS requirement. It's obligatory to consider duty of candour. The example IS an NHS situation.

That may well be NHS policy. However, a pp mentioned that it was a legal requirement to report the breach to the ICO and to inform the data subject. Some of us are merely clarifying that the legal position is more nuanced than this, and it would depend on the risk assessment in this particular case.

Of course, if NHS policy specifies requirements which are over and above what is required by the law, then NHS staff should obviously adhere to their employer's policies.

bigboykitty · 10/05/2026 18:46

MrsBennetsPoorNervesAreBack · 10/05/2026 18:19

That may well be NHS policy. However, a pp mentioned that it was a legal requirement to report the breach to the ICO and to inform the data subject. Some of us are merely clarifying that the legal position is more nuanced than this, and it would depend on the risk assessment in this particular case.

Of course, if NHS policy specifies requirements which are over and above what is required by the law, then NHS staff should obviously adhere to their employer's policies.

It's not just an NHS policy! It's a legal requirement under the Health and Social Care Act. GDPR is not the only legislation that's relevant here.

MrsBennetsPoorNervesAreBack · 10/05/2026 19:14

bigboykitty · 10/05/2026 18:46

It's not just an NHS policy! It's a legal requirement under the Health and Social Care Act. GDPR is not the only legislation that's relevant here.

Can you quote the relevant legislation which states that all data breaches must be reported to the data subject regardless of the risk assessment? Because my quick Google states that the duty of candour would apply when a "notifiable safety incident" occurs, which includes serious data breaches causing or potentially causing significant harm. Which seems to imply that it would be dependent on the risk assessment, as previously stated.

Happy to be corrected if you can point to the relevant section in the legislation.

bigboykitty · 10/05/2026 19:25

It's regulation 20 of the Health and Social Care Act. It's not specific to data breaches and I didn't say it was. It's about responsibility to patients when things go wrong and it includes data and confidentiality breaches. If you have any more questions, please feel free to do some research of your own because I've done more than enough explaining.

MrsBennetsPoorNervesAreBack · 10/05/2026 19:46

bigboykitty · 10/05/2026 19:25

It's regulation 20 of the Health and Social Care Act. It's not specific to data breaches and I didn't say it was. It's about responsibility to patients when things go wrong and it includes data and confidentiality breaches. If you have any more questions, please feel free to do some research of your own because I've done more than enough explaining.

That's the section I was looking at. I think you've misunderstood it tbh.

5128gap · 10/05/2026 19:57

Well, ideally I'd like to think that once I saw someone else's name I'd not read any further, thus avoiding colluding with a GDPR breach. However, I'm human and in reality I suppose I'd have read more than I should have.
I'd contact the surgery straight away and tell them what had happened. They should then make arrangements to have the paperwork returned to them. As there is special category data, they'd need to report to the ICO, and there's a remote possibility you could be contacted as part of an investigation.

Sincerely24 · 10/05/2026 20:00

I had this once. It was important test results for someone else enclosed in a letter that was for me. I phoned the surgery to let them know I had received it and so they still needed to tell the correct person their test results (relating to a cancer pathway, so important). I shredded the letter. I don’t know if they reported themselves for a GDPR breach or not.

bigboykitty · 10/05/2026 20:07

MrsBennetsPoorNervesAreBack · 10/05/2026 19:46

That's the section I was looking at. I think you've misunderstood it tbh.

Thanks, I haven't.

MrsBennetsPoorNervesAreBack · 10/05/2026 20:07

bigboykitty · 10/05/2026 20:07

Thanks, I haven't.

We can agree to differ.

AllTheChaos · 10/05/2026 22:31

StrictlyCoffee · 10/05/2026 00:50

A £50k loan written off AND compensation!

Wonder what the other guy got?

The tale about them doing it because they’d have got hammered by ICO makes no sense as that could still have happened anyway. You can’t buy people off reporting data breaches.

Also if this really was in “pre-digital days” (which the reference to emails suggests was not the case!), if it was before the GDPR came into force the maximum fine was pocket change to the banks.