The Royal Cornwall Hospitals Trust has been reprimanded by the Information Commissioner’s Office (ICO) after it breached Data Protection rules twice in the last year. The first breach occurred in July 2010, when an individual who submitted a subject access request received information relating to a different person. The second was in December 2010, when the very same person submitted a second subject access request, and again received information for a completely different person.
The ICO found that both events breached the Data Protection Act, and forced the chief executive of Royal Cornwall Hospitals to sign an undertaking to ensure that procedures for dealing with subject access requests are clearly defined and managed and that all staff receive the appropriate training and support in how to follow them.
Acting head of enforcement at the ICO, Sally-Anne Poole, said:
“More and more people today want to find out exactly what information their GP or hospital holds about them, making subject access requests an increasingly popular tool. However, just because staff are busy with requests, this does not mean they can stop doing adequate checks before information is sent out. I am pleased that Royal Cornwall Hospitals NHS Trust has agreed to take the necessary steps to make sure this sort of incident doesn't happen again.”
It is absolutely shocking that this NHS Trust managed to make an identical mistake to the same person twice. We hope they take the undertaking to improve their approach to data protection very seriously, and avoid making similar mistakes again. People have a right to expect their private medical histories to be kept secure.