The following case is fictitious but based on the types of calls we receive to the MDU advice line.
The scene
A GP received a telephone call from a patient asking for confirmation of her diagnoses and treatments as she was making an application for benefits. The GP arranged for her to collect a printed summary of her medical history from the practice reception desk to help with the application.
The next day the patient called in and collected a sealed envelope with her name on it. Half an hour later she returned and explained that she had opened the envelope at home to find it contained a summary health record for a different person. She returned the summary to the receptionist, who apologised for the error and immediately printed out the correct summary for her.
The receptionist then told the practice manager what had happened. The practice manager discovered that the two patients had very similar names and human error had led to the wrong record being printed.
The practice manager recognised that this was a personal data breach which needed to be reported to the Information Commissioner's Office (ICO), but was not sure if he needed to inform the patient whose data had been disclosed, and how best to do this if that was in fact the case. He decided to call the MDU for advice.
MDU advice
The MDU adviser agreed that the data breach needed to be reported to the ICO and also advised that the patient should be notified.
The adviser explained that the UK GDPR imposes a duty to report personal data breaches to the ICO within 72 hours of becoming aware of the breach, where feasible. The MDU adviser explained that general practices in England can report a breach using the NHS Digital Data Protection and Security Toolkit. In Scotland, Wales and Northern Ireland GP practices would report a breach using the ICO website.
The GDPR also states that if the breach is likely to result in a "high risk" of adversely affecting an individual's rights and freedoms, there is an additional requirement to inform the individual without undue delay.
The ICO website states that when a breach involves health data, it should be considered likely to represent a high risk to the rights and freedoms of individuals. Being open and honest about the incident with the patient would also be consistent with the GMC guidance on the professional duty of candour.
The MDU adviser and the practice manager discussed the need to notify the patient promptly and provide an apology and full explanation. The practice manager could do this by phone, or in writing, and it would be important to be clear what information had been disclosed, the circumstances leading to the breach occurring and being recognised, and what steps the practice had taken since.
The MDU adviser suggested that it was often helpful to offer a meeting to discuss things in person, along with the practice data protection officer (DPO), and to assure the patient that the matter had been investigated and reported to the ICO.
The adviser said that while it is the MDU's experience that a prompt apology and explanation about what has happened is often appreciated and well received, the data breach might lead to a formal complaint from the patient. If this were to happen, then the MDU could help the practice provide a response.
The outcome
The practice manager discussed the MDU advice with his GP partners, and the data breach was notified to the ICO within the required 72 hours using the NHS Digital Toolkit. The practice manager phoned the patient the same day and explained what had happened, providing an apology and offering to meet with her.
The patient was initially very upset but met with the practice manager and his GP colleague the following week. They showed her a copy of the information that had been disclosed and offered a further explanation and unreserved apology.
The patient didn't make a complaint following the meeting, while the ICO acknowledged the report of the data breach and was satisfied that the practice had taken the appropriate steps.