The mix-up, by an NHS Trust in the West Country, occurred when they sent a medical assessment to the child’s primary school, where our client previously worked, as opposed to the child’s secondary school, where they now attend.
Despite being notified that the child was in secondary school, and without consent from the parent, the NHS Trust sent information to the child’s former primary school (and our client’s former place of work), where it was opened by the school receptionist and then passed to the headteacher.
Having previously worked at the school, our client was naturally distressed that private medical information regarding her child, and sensitive details relating to the family, were disclosed to former colleagues who were well known to her and wouldn’t normally be privy to this information.
Commenting on the data breach, Jamie Mitchell, a trainee solicitor in CEL Solicitors’ data breach team, said: “Data breaches, especially those concerning private medical and sensitive personal information, can be devastating for those affected. In this case, our client was naturally distressed that her former colleagues had been made aware of her child’s medical assessment, which also contained personal information about her and her family”.
The Information Commissioner’s Office (ICO), the UK’s independent authority set up to uphold information rights for individuals, confirmed that there had been a data breach but that they were not going to take further regulatory action. The NHS Trust has since apologised for the “administrative error” that led to the data breach, and subsequently awarded our client compensation.
Commenting on the case, the client said: “I’d like to thank CEL Solicitors for all their help and support. I really appreciated the great communication and efficiency with which they dealt with my case. I hope I won’t be in need of these services again, but I would definitely use CEL Solicitors in the future”.
The UK General Data Protection Regulation (GDPR) places a duty on all organisations to report personal data breaches to the relevant supervisory authority. It also stipulates that if the breach is likely to adversely affect individuals whose data has been compromised, then they must be notified without delay.